Password security, while not the most glamorous topic in the world, is a massive issue for everybody. Companies with a distributed team sharing accounts (Twitter, Instagram, etc) face extra issues, some of which we’ve come up against here at Newspaper Club.
Our team is spread all over the world – London, Glasgow, Birmingham, Leipzig, and Boston – and until recently there’s always been a question over how best to centralise and share passwords for group accounts.
We recently did an audit (and produced a very pretty map) of all of our systems and services. This quickly established that we have lots of them – each requiring secure passwords, multiple accounts for different staff members, and the ability to be easily updated. Personally, I have more than 70 Newspaper Club logins and there’s no way to remember them all, let alone make sure they’re all secure.
So what do we do? The most sensible option: use a password manager.
The principle is pretty simple. Every account you use has login details stored in a heavily encrypted file (often called a Vault) which you unlock with a master password. Using a browser plugin, your details are entered automatically each time you log in to a different system. Amazing, right?
Even better, password managers automatically generate complex, secure passwords and store them in the Vault for the next time you need them. You can identify weak passwords from your dark past and easily replace them with new, shiny, secure ones. Still amazing, right?
There are many password manager options (LastPass, Keeper, Mitro, 1Password, etc) but at Newspaper Club we settled on 1Password. I’ve been using it for years and would argue it still has the strongest feature set for our purposes, plus it’s also friendly to use for non-technical users . It uses a a local file-based vault (meaning the encrypted file is stored on a device we own) rather than a cloud-based vault at the mercy of a big service outage or overnight bankruptcy.
With a password manager, your master password will become the most important password in your life and, if you use your password manager properly, it’s the only password you need ever remember. It needs to be secure and memorable.
It may be surprising to learn that a password doesn’t need to be complex to be secure. The trick is to think of your password as a phrase rather than a word. To borrow an example from the always brilliant XKCD, the password ‘correcthorsebatterystaple’ (four random but common words) has 44 bits of entropy. The password ‘Tr0ub4dor&3’ looks better right? You’d expect it to be more difficult to guess? But that’s not the case – from a computer’s perspective it’s actually far easier to guess, with only 22 bits of entropy.
Basically, you’re best off picking a phrase from a book, jumbling up the words, and using that as your One Password To Rule Them All. Change it regularly, check it’s strong, generate all your other passwords, and your local friendly CTO will be a happy man.