If you’ve heard any of the members of CRT Labs talk about online security, you’re likely to have heard us urge you to use a password manager. And if you spend a normal amount of time online, you’ve also read about password manager breaches. The most recent high-profile attack hit LastPass earlier this year, and the attack helped spawn a lot of “are password managers really a good idea?” think pieces.
Let me be direct: yes, it’s a good idea to use a password manager. It’s a really, really good idea, and using one is something I will continue to recommend to the REALTORS® with whom I speak.
We recommend them so strongly because password managers address the two most common reasons accounts get compromised: weak passwords and reused passwords.
WHAT’S A PASSWORD MANAGER?
A password manager is a piece of software that helps a user create, store, and use complex passwords. (There are hardware-based password managers, as well as some browser-based ones, but we’ll just be talking about dedicated software managers in this post.) By “complex passwords” I mean a combination of letters, numbers, and special characters; length and unpredictability can also increase the complexity of a password.
Password managers help you create these complex passwords; the software I use allows me to create passwords up to 64 characters in length, with up to 10 numbers and 10 special characters. For example:
Do I use complex passwords like this for online banking and shopping? I do. Not all are this crazy, but there’s actually no reason why they shouldn’t be. They can be as complex as the above, because password managers don’t require you to remember the passwords of individual sites and services you access online; they only ask you to remember one master password that gives you access to the rest.
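The generation step described above, written out as an added example (it is not the author's software or any vendor's code): every character and position comes from the operating system's CSPRNG, and a second function computes how many bits of entropy the resulting policy yields. The symbol set and the choice to use exactly 10 digits and 10 symbols, rather than "up to" 10, are assumptions.

```python
import math
import secrets
import string

LETTERS = string.ascii_letters
DIGITS = string.digits
SPECIALS = "!@#$%^&*-_=+?"  # assumed symbol set; real managers let you choose


def generate_password(length=64, digits=10, specials=10):
    """Return a random password with exactly `digits` digits and `specials` symbols."""
    if digits < 0 or specials < 0 or digits + specials > length:
        raise ValueError("digits + specials must fit within length")
    # Draw each character class from the OS CSPRNG, never from random.random().
    chars = [secrets.choice(DIGITS) for _ in range(digits)]
    chars += [secrets.choice(SPECIALS) for _ in range(specials)]
    chars += [secrets.choice(LETTERS) for _ in range(length - len(chars))]
    # Shuffle with the same CSPRNG so the positions are unpredictable too.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def policy_entropy_bits(length=64, digits=10, specials=10):
    """log2 of the number of distinct passwords generate_password can emit."""
    letters = length - digits - specials
    if digits < 0 or specials < 0 or letters < 0:
        raise ValueError("digits + specials must fit within length")
    # Ways to place the digits and symbols among the positions ...
    arrangements = math.comb(length, digits) * math.comb(length - digits, specials)
    # ... times the free choice of character in every position.
    total = (arrangements
             * len(DIGITS) ** digits
             * len(SPECIALS) ** specials
             * len(LETTERS) ** letters)
    return math.log2(total)


if __name__ == "__main__":
    print(generate_password())
    print(f"{policy_entropy_bits():.0f} bits of entropy for the default policy")
```

Because every password the policy allows is equally likely, the entropy figure is exact for this generator, not an estimate.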
HERE’S WHERE FOLKS GET NERVOUS:
It’s at this point that most people start to get nervous, and they usually have both of the following concerns:
- Are you crazy? You’re putting all of your password eggs into one basket!
- I can’t remember a password that’s complicated enough to be my master password.
Let’s start with the all-your-eggs issue. I currently have one master password that protects 55 very complex passwords that are stored in my password manager. My master password is complex but memorable. Am I worried about someone cracking my master password and getting to my banking, investment, and shopping passwords? Not really, and here’s why:
- My master password and password vault are shared with no one. Not even the company that provides my password management software has access to them. Combining strong encryption on your vault, a strong master password, and control over where your information is stored gives you multiple layers of security against any threats.
- Most password managers encrypt your data not only during transmission but also at rest.
- My password manager encourages me to create very complex passwords because it can be done for me automatically when signing up for accounts at new websites.
- I don’t even have to use the Internet to use my password manager. I can run it on a local network, storing all my information on my computer and other devices. None of my password information need ever go near the cloud.
This last issue — cloud vs. local storage — could be the key for you to start using a password manager if you’re afraid of hackers but see the benefit of randomly generated strong passwords. Make sure any password manager you think of using has the ability to store information away from the cloud and away from the provider’s servers.
CREATING A MASTER PASSWORD
It may seem a little daunting to come up with a complex but memorable password, but I’d like to suggest it’s not as difficult as it seems. Let’s take a look at a made-up complex password: !M2j3B*s*T*. How did I come up with this, and how would I remember it?
Let’s assume you think Michael Jordan is the best basketball player ever. You’re sure to know he wore the number 23. Introduce some special characters, start to think about the words as single letters or abbreviations, and you’ve got a memorable and very strong password.
STILL DON’T WANT TO USE A PASSWORD MANAGER? AT THE VERY LEAST, DO THIS:
Whether or not you wind up using a password manager, at the very least remember that variation (not using the same password on more than one site) and complexity (passwords with letters, numbers, and special characters) are essential to protecting yourself online. It’s easier for me to use a password manager to handle that variation and complexity. If it’s not for you, devise your own system, but stick to those two password virtues. Somewhere down the line you’ll be happy you did.
LEARN MORE FROM THESE GREAT RESOURCES FROM NAR:
Check out Cybersecurity Checklist: Best Practices for Real Estate Professionals, part of nar.realtors’s coverage of data privacy and security.