To answer this question, it is important to understand a little about the current threat landscape.
Most people currently need to manage multiple usernames and passwords. The use of weak passwords (passwords an attacker can determine), password reuse (where the password for one application is also used for another) or partial password reuse (where a new password is only a slight variation of a previously used one) presents users with a serious risk of account compromise. Account compromise and account hijacking are rife. Usernames and passwords are extracted from web browsers by malware, extracted from online applications via software vulnerabilities, and extracted from users themselves (via malicious phishing emails and instant messages); they are then exchanged on dark web forums (underground online marketplaces) and shared widely in huge compilations of breached credentials.
Multi-factor authentication (MFA) provides some protection by reducing reliance on usernames and passwords alone, and should always be configured where supported. However, MFA is not bulletproof: many implementations are routinely bypassed by attackers.
To protect themselves in 2024, most people should be using a password manager; they have become indispensable tools for managing complex online identities. They offer convenience, security, and the ability to create and store strong, unique passwords for every account. However, centralising passwords in a single location presents its own set of risks. Password managers, while valuable tools, can themselves be targeted. If your master password is compromised, or if the password manager software itself is compromised, every stored password could be exposed. As such, password managers need to be used carefully so that they decrease, rather than increase, your risk.
Choosing a Password Manager
“Password managers don’t have to be perfect; they just have to be better than not having one.” – Troy Hunt
Here’s a list of things to consider when choosing a password manager:
✔️ Do: Configure your password manager to create strong, unique, random passwords. Current standards recommend longer passwords: where possible, use passphrases that combine upper and lower case letters, special characters and numbers, with a minimum of 15 characters.
❌ Don’t: Rely on browser-based password management. Browsers often expose you to risks such as weak encryption, phishing attacks and limited security features; they are not designed to protect passwords the way standalone password manager software is.
⚠️ Beware: Be cautious of cloud-only software that is not enterprise-grade. For example, LastPass suffered two breaches in 2022, highlighting the importance of robust security measures.
✔️ Do: Create a complex, unique master password that is difficult to guess. We recommend using a passphrase consisting of 4 or 5 random words.
✔️ Do: Keep your password manager software updated with the latest security patches. Many programs offer an auto-update feature to ensure you’re always protected.
✔️ Do: Stay informed about data breaches and take action immediately if your password manager is compromised. Make sure you regularly check Have I Been Pwned to see if your credentials have appeared in a breach (see links).
✔️ Do: Consider using offline storage solutions to reduce dependence on cloud-based services.
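The two recommendations above (generated passwords of at least 15 characters, and a master passphrase of 4 or 5 random words) can be checked numerically. The following is an added example, not code from the original article: it estimates the entropy of each approach, generates a passphrase with Python's CSPRNG, and applies the 15-character, four-class policy. The wordlist is a small constructed sample; a real generator would use a large published list, and the list size is what drives the entropy figure.

```python
import math
import secrets
import string

# Constructed sample wordlist for the demo only. A real generator draws from
# a large list (e.g. 7776 words); the estimate below scales with list size.
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon",
                "granite", "harbor", "ivory", "juniper", "kelp", "lantern",
                "meadow", "nectar", "orbit", "pebble"]


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of word_count words drawn uniformly from a wordlist."""
    return word_count * math.log2(wordlist_size)


def random_password_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random character password."""
    return length * math.log2(alphabet_size)


def generate_passphrase(word_count, wordlist=SAMPLE_WORDS, separator="-"):
    """Select words with the CSPRNG in `secrets`, never `random.choice`."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def meets_policy(password, min_length=15):
    """The article's policy: >= 15 chars with upper, lower, digit and special."""
    classes = [string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation]
    return (len(password) >= min_length
            and all(any(c in cls for c in password) for cls in classes))


if __name__ == "__main__":
    # 4 words from a 7776-word list: ~51.7 bits; 5 words: ~64.6 bits.
    for n in (4, 5):
        print(f"{n} words from 7776-word list: "
              f"{passphrase_entropy_bits(n, 7776):.1f} bits")
    # 15 uniformly random characters from 94 printable ASCII: ~98.3 bits.
    print(f"15 random chars from 94 printable: "
          f"{random_password_entropy_bits(15, 94):.1f} bits")
    # A lowercase word-only phrase fails the character-class rule even when
    # long; its strength comes from the word count and list size instead.
    phrase = generate_passphrase(5)
    print(phrase, "meets class policy:", meets_policy(phrase))
```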

Helpful links
By participating in Cyber Security Awareness Month, you can help create a safer and more secure online world for everyone.
Need immediate support?
If you have a specific professional cybersecurity role within your business, this month offers a great opportunity to be more visible and get some wins on the board. We help businesses of all sizes solve their cybersecurity challenges and become cyber-safer before, during and after an incident. Email us at [email protected] or call us on 1300 PCC 999 for a no-obligation initial chat.

