{"id":51871,"date":"2017-04-01T14:23:57","date_gmt":"2017-04-01T18:23:57","guid":{"rendered":"https:\/\/48e130086c.nxcli.net\/?p=51871"},"modified":"2018-07-10T13:42:18","modified_gmt":"2018-07-10T17:42:18","slug":"password-managers-yes-no","status":"publish","type":"post","link":"\/\/www.g005e.com\/2017\/04\/01\/password-managers-yes-no\/","title":{"rendered":"Password Managers: Yes or No?"},"content":{"rendered":"
But you don’t need to ask why.

By Greg LaFollette

Password managers have been in the news as of late. Unfortunately, the news has not been good. Multiple security breaches may (or may not) have exposed millions of user IDs and passwords. While many of my technology-consultant friends are proponents of password manager apps, the idea of having a single point of (IMO catastrophic) failure terrifies me. So I resist. Which leads me to a conundrum. I usually try to expose practitioners to genres of apps and web tools they might not otherwise see. With that in mind, I’ll point out that the leading password managers are actually very good, if you can get over the single-point-of-failure issue.

Commercial offerings

If you’re in the camp that can stomach the risk, I suggest you consider LastPass, Dashlane, or RoboForm. All generate strong passwords, store them securely (or not, depending on who you believe), synchronize them across all your devices, and serve them up to you as needed. LastPass and Dashlane have a free offering as well as a premium-level product; although RoboForm does not have a free product, it does offer a discounted three-year subscription. All platforms include very similar features, and all support multi-factor authentication.

Now, back to my conundrum. How to deal with a genre that I honestly do not believe it wise to use? I elected to simply highlight the three market leaders and then explain my “work-around” personal do-it-yourself (DIY) solution. These three all work on iOS, Android, and the web.

A DIY solution

The basic tenet of security is to always use hardened IDs and passwords. Hardened is a term many consultants use to describe an ID or password that is (usually) at least eight characters long and contains alphabetic and numeric characters, upper and lower case, and a symbol.
It is not your name, your pet’s name, nor the street where you live. In fact, it is never a word at all. Hardened passwords are extremely hard to break, and the hope is that an intruder would lose interest rather than spend the inordinate time required to break your security and access your information. But you knew that, right?

What I’ll bet you don’t know is how to manage those hundreds (oops, there goes that exaggeration again!) dozens of user ID / password combinations. Here’s the method that seems to work well for me.

I have a “standard” user ID and password that consists of letters (some upper case), numbers, a symbol, and two letters chosen from the web site to which I am authenticating, or the program or machine I’m accessing. By way of example, my user ID might be wjy6%xex, where the x’s are the second and fourth letters of the web site I’m visiting or program I’m using. So, if I were visiting www.etrade.com, my user ID would be wjy6%tea. Notice the “t” and “a” are picked from the web site address. If I were visiting www.aicpa.org, my user ID would be wjy6%iep.

The secret is that I actually have only one user ID to remember. In this case, it’s wjy6%xex, but it’s different at every site.

I do the same thing with my password; it’s another (not the same as the user ID described above) random, single, hardened string incorporating something from the site I’m visiting. The result is a simple system that provides great security. Often I’ll hit what looks to be a new site, and when it asks me to log in, I’ll just “try” my user ID and password. Sometimes I discover that I’ve already been there, as my “special” user ID and password take me right in.

Are there problems? Sure.
There are some sites that like to “assign” user IDs and don’t give you the right to change them.

A few have policies that preclude the use of special characters, such as !, @, #, $, %, ^, &, *, (, or ). One I use (a bank) actually had the gall to tell me their disallowance of special characters was a “security feature designed to protect you.” Amazing! Some sites use your Social Security number as an ID (and they think that’s secure?). And there are some sites that limit your password to only five or six characters. My answer to them, more and more, is “goodbye.”

Thankfully, many sites are now enabling two-factor authentication. There’s a very simple rule for those sites: always enable two-factor authentication. Always.

I hope you’ll join me in demanding high-level security policies from the vendors with whom you work. And remember that if you’re not already providing individualized web services to your clients, you will be someday. And soon. And they will be asking you for the right to use “hardened passwords.” Smart practitioners think ahead.

I hope you find my DIY password technique to be helpful. It works for me, and I’ve heard from hundreds of practitioners that it works for them, too.

PS: The user ID detailed above (wjy6%xex) is not the one I use!!!