ScaleBright Solutions - Blog


Ugh, Passwords!

September 30, 2024


There aren’t many things in the technology realm that evoke the same level of disgust as having to deal with passwords. For I.T. staff, printers are a close second, but for everyone else, passwords are something most would gladly vote off the island. Unfortunately, they play a key role (pun fully intended) in verifying your access to your accounts, the same way a physical key verifies your access to your home. But why are they the way they are? And are there any ways we can make them easier to deal with?

When it comes to access security, there are different ways a system can confirm you have access. These are called “factors”, and there are three of them:

Possession Factor: Something you have. This could be a traditional key, a keycard, a fob, or a security key.

Inherence Factor: Something you are. Biometrics such as fingerprints and Apple’s FaceID are examples of this.

Knowledge Factor: Something you know. Passwords and PINs are the most common examples.

For knowledge factor methods we have three general options for managing them:

Memorize: This is fine if you only have a few passwords to memorize, but most of us have more than a few things to log into, and even more if we include PINs (which are another form of password).

Write them down: Much easier than memorizing, especially if you’re making sure each password is unique. A password book is good for up to a few dozen entries, but after that it gets cumbersome to search through.

Password manager: This is currently the ultimate in password management solutions (hence the name). A password manager can take care of generating, saving, and typing your passwords, as well as your usernames and other form data!

There is one major con to using a password manager: it’s not quite as humanly intuitive as a password book. It’s another system you’ll have to learn and maintain. But the amount of work it saves and the improved security make it worth the effort. The ultimate goal of password managers is to maximize security and minimize cognitive load.

Okay, you’ve decided to use a password manager. You’ll need to choose from two categories, depending on your level of trust and how much work you’re willing to do. The first are hosted or cloud systems. With these, someone else (the password manager company) is taking care of most of the technical details for you. Bitwarden, 1Password, Proton Pass, Apple Passwords, and built-in browser systems are popular. Sign up for an account, install the browser extension or app on all your devices, and away you go! The downside: you’re trusting these companies to keep your passwords safe, and they’re less than perfect. Do a search for “LastPass leak” for an example. Also, if you’re like me, you may harbor a general distrust of companies (and governments…and banks…and squirrels…and seed oils...wait, what were we talking about?).

Fear not, for the second option requires far less trust in faceless organizations (or rodents). You can self-host your own password manager! The obvious downside is the extra work to set up and maintain it. But hey, no shadowy supervillains up in your passwords! Woohoo! Vaultwarden and KeePass are popular here. And it’s even easier if you have a server like the one I mentioned in A Subscription-Free, Cloud-Free Office.

A few extra notes on passwords and security. Regardless of your choice, it’s a good idea to have a plan for granting someone else access to your passwords in case of emergencies, or if something happens to you. If you have a family lawyer, ask them about “digital legacy planning”. Or at the very least, leave access instructions with a trusted family member or friend.

Even if you use a password manager, MFA is still necessary, especially for high-risk accounts like banking and email. MFA will probably get its own article from me in the future.

Finally, you may hear about “passwordless” and “passkey” systems. These are relatively new, and despite the name, are not complete replacements for passwords. For now, think of them as fancy passwords. Passwords in formalwear. Passwords on the way to the opera. Passwords on the way to a $10,000/plate fundraiser that definitely isn’t a political money laundering operation held at an art gallery that definitely isn’t also a money laundering operation. Squirrel!

If you or your organization want help with your password management, you can find us at scalebright.ca.


©2024 ScaleBright Solutions. All Rights Reserved.