Update 17 March 2020: The team at Login Lock Down reached out and shared a comparison they did of various password managers. We added a link below!
Do you have your asset list (from Step 1) with all your accounts, technology, and systems ready?
Excellent! Let’s dive into the next step - passwords!
Step 2. Use unique passwords and a password manager
For this fortnight’s security quest: the passwords for each of your accounts and systems need to be reset to something unique and then stored in a password manager.
Your passwords should be butterflies, not clones.
They need to be unique for each account and then stored somewhere safe like a password manager.
Let’s dispel the fallacy: You can never be “too small” to be attacked.
The internet is a big place, and the login pages for the accounts you use are reachable by anyone else around the world.
When you create an account and a password, that password needs to be unique to that one account. This is because passwords get leaked. It is not always your fault - sometimes the websites you gave them to are breached and lose them. It happens (a lot)!
We will let you in on a secret: most attacks are automated.
Yep, attackers can be quite efficient with their time. When passwords get leaked, they collect them all up and write programs that try those leaked email and password pairs against other websites to get in (this is called credential stuffing). Attackers rely on the fact that most people will reuse passwords because keeping track of them can be hard.
Joke’s on them - keeping track of unique passwords can be easy.
You can sign up to a password manager service, like 1Password or Bitwarden (some offer free tiers), and store all your unique passwords there. You can even get these services to generate and store unique passwords for you. If your small company shares passwords (sometimes unavoidable for accounts that do not support multiple users, like a shared Twitter account), some password managers offer the ability to share secrets with others.
If you wanted to take more time to find the right online password manager for yourself, take a look at the write up and comparison table by Login Lock Down.
Now I can hear what you are thinking:
Putting all my passwords in one place isn’t safe! What if someone gets access to my password manager?
Well, there is one password you need to memorise: the one to your password manager! So long as that one is long, unique and not used anywhere else (a passphrase of several random words is a good choice, and you should turn on two-factor authentication for the manager itself where it is offered) you will be OK. That master password is the key to your safe: the vault is encrypted with a key derived from it, so even someone who steals a copy of the vault cannot read it without your master password.
Password managers differ in their features - some store your vault in the cloud and some store it only on your machine. Some offer browser plugins. Some offer phone apps. Some offer the ability to share passwords with your team. The best password manager is the one that you will use. Look for ones with the features you need so that you can seamlessly build it into your workflows.
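To make the steps above concrete, here is an added example (not code from the original post, and not from any password manager named above) that does in a few lines what you would otherwise do by hand: take an asset list of accounts and their current passwords, find the passwords reused across more than one account, replace each of those with a fresh random password from the OS secure random generator, and generate a random-word passphrase of the kind recommended for the master password. The account names, passwords and the short word list are constructed for illustration; a real passphrase generator should load a large published word list rather than the 25-word stand-in here.

```python
import math
import secrets
import string
from collections import defaultdict

# Character set for generated passwords: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in word list for the passphrase generator (illustration only).
# A real deployment would load a large published list such as the EFF long list
# (7,776 words); with only 25 words the passphrase below is far too weak to use.
WORDLIST = [
    "anchor", "biscuit", "cactus", "dolphin", "ember", "falcon", "glacier",
    "harbor", "island", "juniper", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pebble", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]


def generate_password(length: int = 20) -> str:
    """Return a random password drawn from ALPHABET using the OS CSPRNG (secrets)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=WORDLIST) -> str:
    """Return a passphrase of randomly chosen words, the kind to memorise for the master password."""
    if words < 4:
        raise ValueError("use at least four words")
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, count: int) -> float:
    """Entropy, in bits, of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def find_reused_passwords(accounts: dict) -> dict:
    """Map each password used by more than one account to the sorted list of those accounts.

    Plaintext comparison is fine here because this runs locally over your own asset list.
    """
    by_password = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)
    return {pw: sorted(names) for pw, names in by_password.items() if len(names) > 1}


def rotate_reused(accounts: dict, length: int = 20) -> dict:
    """Return a new account -> password map where every reused password is replaced by
    a fresh, unique random one; accounts that were already unique keep their password."""
    flagged = {name for names in find_reused_passwords(accounts).values() for name in names}
    return {
        account: generate_password(length) if account in flagged else password
        for account, password in accounts.items()
    }


# Constructed sample asset list (account -> current password) for illustration only.
SAMPLE_ACCOUNTS = {
    "twitter": "Summer2019!",
    "github": "Summer2019!",
    "bank": "Summer2019!",
    "mailing-list": "hunter2",
    "dns-registrar": "dpF9#v!qL2wRz8@Kn4Bt",
}


if __name__ == "__main__":
    print("reused:", find_reused_passwords(SAMPLE_ACCOUNTS))
    print("20-char password entropy: %.0f bits" % entropy_bits(len(ALPHABET), 20))
    print("6-word passphrase entropy with this tiny list: %.0f bits" % entropy_bits(len(WORDLIST), 6))
    for account, password in rotate_reused(SAMPLE_ACCOUNTS).items():
        print(account, password)
    print("master passphrase:", generate_passphrase())
```

Running it flags "Summer2019!" as shared by three accounts and hands each of them a different 20-character password (about 131 bits of entropy each), while the accounts that already had unique passwords are left alone. The entropy numbers show why the word list matters: six words from the 25-word stand-in give under 30 bits, whereas six words from a 7,776-word list give about 77 bits, which is the point of using a proper list for the one password you must memorise.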
Step 2 complete! Your password manager should be brimming with fresh, new, unique passwords.
Next, we are going to get into taking the security of those accounts one step further and configuring two-factor authentication.
Before we say farewell, we did want to ask a wee favor: If you are using these blogs to help level-up your small group’s security, let us know at firstname.lastname@example.org. We love feedback and stories. We want to hear how your security adventure is going and try and make the journey a bit better for everyone!
See ya soon for Part 3!