I was recently asked how a user should manage their passwords. This is a tricky topic and I have avoided biting the bullet until now but here goes,

Considerations

• It is very important that user do not lose access to important passwords by forgetting them or losing access.
• Users are often the weakest link in the chain of security
• It is difficult to remember more than a few passwords
• Different users have different requirements

I will consider different personas,

Bill the Techie

Bill is  techie. He will happy discuss the merits of SSH and RDP for hours.

• Bill should use a password manager

These pay-for products follow good cryptographic practice. You will create pass-phrase and this is used to secure a strong key that is used to encrypt your passwords. The software will allow you to auto-generate a unique strong password for every site you visit. A copy of your encrypted files are stored locally and in the cloud so you can never lose them. Bill should write down his Master Password on a bit a paper and put it in safe location. Bruce Schneider recommends that you keep it in your wallet in suitably obscure form. Once, after 3 months off work I forgot my master password so I advise you not to miss out this step.

Sally the Student

Sally is a student. She watches cat videos and click-bait on her laptop. She never updates the operating system, antivirus is not working, she has no malware protection and never does a backup.

We must assume that Sally’s system is either compromised or will be at some point and that when the hard disk fails she will lose everything.

• Sally should write her passwords in a small book and keep it somewhere safe.

She should choose three different strong passwords for

• Her bank
• Her email account
• Her social media accounts

This way she only has to remember (and write down) three passwords. Banks and email accounts will often now provide two factor authentication for additional security and she should not keep her paper record near these devices.

Grandpa Jim

Grandpa Jim is a vulnerable man and a target for crooks and scammers.

He should manage is passwords the same way as Sally the Student but should also be told.

• If you receive an email from someone you don’t know – delete it without reading it
• Never talk to strangers on the phone about your accounts.

Normal Norman

Normal Norman knows that although thinking about IT security is boring it is better than spending time explaining to your credit card company that you have never been to Hong Kong and certainly did not buy $3000 of camera equipment there yesterday.

Norman uses a PC (the advice for Mac users is similar) and he keeps it up to date

• Windows 10 has automatic updates turned on
• Window’s built in anti-virus is running
• He has a Microsoft Account and uses it to login
  • He has written down the password and put it in a safe place
• He uses Outlook.com for email on his PC and has the Outlook App on his Android phone and iPad.
• All his files are stored in OneDrive
• He users Edge as his browser

Norman can be very confident that his PC is a hard target for hackers. He  knows that he must never reuse a password and his strategy is to generate a strong password for each using an online password generator. He knows that the best password is 8 characters long (so you can type it if necessary) and have numbers, letters and punctuation.

Whenever he logs into a website with his strong password Edge will ask if he wants Edge to remember it for him. He says “yes”.

Norman’s passwords are stored safely in his Microsoft Account. Providing he keeps that secure he will be safe.

Other options

Norman has decided to go the Microsoft route. This offers the greatest security because Microsoft is an operating system company and this is their core business.

Although Google is an advertising company they have made significant contributions to internet security and  Norman can reasonably chose to use Chrome as his browser and have a Gmail as his email supplier.

Apple has solid security and a good applications and a pure Apple route is good too.

I often advise PC users to install MalwareBytes to provide additional security beyond that which is offered by Windows Defender. I recommend this product because unlike most of the rubbish on the market it will not actually break your PC and works well.

Technical Notes

Many factors affect operational security including,

• Is the device secure?
• Is the location secure?
• Is the network secure?
• Is the user the right person?
• Is the person properly trained?
• Is the person’s day-to-day behaviour consistent with best practice?

My recommendations above reflect my thoughts on the importance of these factors and others.

Microsoft, Google and Apple are making huge advances in identity management and device security. My strategy is to adopt their innovations as they become available. It is prudent for normal users to try to stick with one vendor – for example, be pure Apple or pure Microsoft and keep up to date. This cuts down on the number of accounts they have to manage and makes it more likely that everything will work nicely.