Whenever you enter a new password on a website, it is likely that your browser prompts you to “save this password” for next time. There are of course some great advantages to this. You don’t have to remember them, it speeds up the process of your next login, and depending on which browser you are using, your passwords can potentially travel with you from device to device, with just one simple login. Many also highlight the advantages of being able to use “strong” or “complex” passwords that they wouldn’t otherwise use – the ones that might look something like this: P‘xu^c$jA{~\}X@4&8TB-^j*&ABc;j – as well as having a unique password for every single login, not to mention it will only autofill a password into a specific website, reducing the risk of phishing attacks. The solution sounds perfect, right? Well, sort of. The problem is, it might be an unexpected weakness in your security chain.
Here’s how to do it better…
1. Get your password basics right
When considering whether to use a password manager, you should first consider how it can help you to improve your password hygiene. As this table from security.org highlights, how you choose your password really does matter. There is no point whatsoever in using a password manager, if you cycle through only one or two passwords, or if the passwords that you use contain personal information such as pet names or important dates. It is highly likely that at some point one of your passwords will be leaked through a data breach, and can then be used in brute force attacks on other platforms, gaining access to services that contain personal information such as identity info or financial records; all because you reuse the same, insecure password.
According to data released from the National Cyber Security Centre last April:
☠️ 6% of us still use some form of the word ‘password’ in our password
☠️ 15% of us use a pet’s name
☠️ 14% use a family member’s name
☠️ 13% use a notable date
☠️ 6% use a string of letters or numbers e.g. 123456
☠️ 5% use a favourite TV show.
To make matters worse, many businesses still have a user permissions issue, where they let individuals set their own passwords for major business systems, potentially putting your business infrastructure at increased risk, should they use a common password or if one of their personal passwords be compromised.
Good password hygiene starts with the password itself, so make sure yours are up to scratch if you’re planning to use a password manager. In fact, a password manager can even be the reason that you improve your hygiene.
2. Pick the right browser
In an ideal world, you won’t be using a browser to remember your passwords at all (see point 5 below), but if you are, make sure you are using a good one. Thinking commercially, many of the preferred browsers such as Chrome (Google) or Safari (Apple) are owned by giant marketing companies who seek to gain financially from your data. Identifying trends and behaviour patterns, and making these behaviours available to advertisers, are how these businesses make a good chunk of their money. Both Apple and Google have made moves recently to change their privacy settings and afford their users more external privacy – i.e. Facebook ad tracking – but have not limited their own tracking and analysis quite so significantly. It’s also worth noting that browsers like Chrome give you the option to be logged in or not. If you are logged in, you get the benefit of things like device syncing etc., but if you aren’t, passwords are saved locally on the device, making them more at risk (and potentially unrecoverable) if the device is compromised or stolen.
Our Senior IT Technician Ryland recommends Microsoft Edge as the browser of choice for password saving. Not only is it a free tool with the browser, and a great entry-level option, it also offers the device-to-device benefits of other browser managers. What’s more, when you have logged in using your Microsoft account, it attaches your passwords to the account rather than the device, meaning that they are automatically synced between devices.
3. Maximise the associated security features; not just the password manager
While the password manager itself provides the benefit of recording and automatically inputting your passwords, it is essential that you utilise other security measures if they are available. Considering Microsoft Edge for example, businesses should ensure that they have implemented user permissions onto devices, so that a Microsoft login can only be used for those approved devices. That way the attached passwords can only be used on approved devices too. Microsoft also offers the use of Multi-Factor Authentication, either via the App, or via SMS to an approved mobile device, which means that even if a device is stolen, or hacked, and the password manager obtained, the passwords cannot be autofilled without the necessary authentication. These combined tools help to ensure that even if a device is stolen, the passwords remain largely secure and unobtainable.
Similarly, combining the password manager with good device security is a must. For example, industry reports show that 80% of online incidents are related to phishing, and more than 37% of untrained users fail phishing tests. Adding good endpoint protection (like ESET, and Microsoft Defender), helps make it extremely unlikely the device will be compromised in the first place, and also reduces the risk of keyloggers which can be used to obtain your master password to these managers.
4. Stick to one system
Users have a habit of switching between browsers, according to the device they are using at the time. Safari on their iPhone and Chrome on their laptop for example. This often results in passwords being logged in multiple databases, or different passwords in different places, making some of it less secure, and more difficult to trace. It’s best to decide on a single system (like Microsoft Edge), or outsource it away from the browser to one of the dedicated password management softwares that exist like Keepass or LastPass for example. You do of course have to pay for the latter though, so bear that in mind.
5. Step it up a gear
Although Microsoft Edge offers most of the features that users would need, especially combined with the additional security settings offered by the wider Microsoft suite, you can opt for a paid password manager. The advantages of these systems is that they offer customisation tools when setting up a new password, they require a master password and multi-factor authentication (meaning your passwords are never on show, even if you walk away from an unlocked computer), they are free of data tracking such as how often you use sites and what other sites you visit, and you can even upgrade it to force you to re-enter passwords at set periods for highly sensitive systems like financial websites.
6. Clean things up
If you’ve decided to make the move (and we hope you have!), then go through the process of doing it properly and cleaning things up. Access all known databases of your passwords and export/import them into your new password manager of choice. Then systematically delete all the old records from the browsers, using the individual settings appropriate to that browser. Finally, use this as an opportunity to review and upgrade your passwords and improve them. Get rid of those personal details, and make sure they’re all safe and secure. As an added bonus, consider identity and password monitoring software which will look out for your data and passwords being compromised in a breach, even if you aren’t notified about the breach.
In summary
Browsers password managers are better than nothing IF you use them to beef up your password hygiene basics. The gist is a return to the first principles: use strong passwords for website logins, use different passwords for different accounts, and leverage the extra security features available to enhance the overall security of your passwords and your managers.
We can help! We can help you provide the robust and secure settings you need to keep you and your business safe. Speak to our team on 01453 700 800 today.