Password Management


Using a password to verify an identity is very often the first line of defense in securing access to an online account. Given this important role, it is critical that a password be strong. For that reason, when you create a new account at Skypunch Technology, or reset the password for an existing account, the password associated with it is auto-generated by the system rather than specified by you, the end user. As it should be, these Skypunch-generated passwords are both lengthy and made up entirely of random characters. By taking this approach, your password is guaranteed to satisfy the following criteria. It is:

  • not used anywhere else.
  • not vulnerable to password reuse.
  • not vulnerable to dictionary attacks.
  • not vulnerable to brute-force attacks in any practical way, since cracking a Skypunch-generated password is estimated to take over a billion years. (For fun, you can use a tool like the Password Strength Meter at Password Monster to see an estimate of how long it could take to crack your account’s password.)
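To make the "lengthy and random" claim concrete, here is an added example (not Skypunch's own generator) that builds a password from a cryptographically secure random source and estimates how long an exhaustive search would take. The 94-character alphabet, the 20-character length and the guess rate of one trillion guesses per second are assumptions for illustration.

```python
import math
import secrets
import string

# Constructed alphabet: the 94 printable ASCII characters, space excluded.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Draw every character from the OS CSPRNG via `secrets`, never `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_crack(length, alphabet_size, guesses_per_second=1e12):
    """Expected brute-force time: half the key space at an assumed guess rate.

    1e12 guesses/s is an assumed figure for a large offline cracking rig;
    an online login form rate-limits far below that.
    """
    expected_guesses = (alphabet_size ** length) / 2
    seconds = expected_guesses / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password()
    print(pw)
    print(f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits of entropy")
    print(f"{years_to_crack(len(pw), len(ALPHABET)):.3g} years to brute-force")
    # Contrast: an 8-character lowercase password falls in well under a second.
    print(f"{years_to_crack(8, 26) * 365.25 * 24 * 3600:.2f} seconds for 8 lowercase")
```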

As strong as these passwords are, they are not easily remembered. In fact, they are not intended to be remembered, at least not by a human. The best practice is to use an online password manager to remember and manage all your passwords, but web browsers are getting better at password management and could be an option for you. This article is not intended as a review of the pros and cons of the various password management tools, but to impress upon the reader that any password is only as secure as the manner in which it is stored. What you need to know is this:

  • Passwords must be stored securely.
  • Password managers are the best option for storing passwords securely.
  • It is possible that passwords stored in a web browser could be visible to anyone with access to the computer where that browser is installed, but this depends on the browser and operating system in use. This article is written in early 2022 and reading passwords stored in some browsers does require providing a master password in order to view any other password. That is acceptable and what we want. But not all browsers behave that way just yet. You will need to do some googling to know if the browser and operating system you’re using at any given time leaves passwords readable through the browser with or without requiring a master password.
  • Regardless of password strength and the manner in which it is stored, account access is always considerably strengthened by the use of multifactor authentication. This is mandatory for Public Sector accounts and optional, but strongly encouraged, for Private Sector accounts.

QR Code management

That last bullet point above leads into the related matter of multifactor authentication (MFA) and managing the QR code used to enable it. When you enable MFA, you scan a QR code using a third-party authenticator app. Examples of these apps are Google Authenticator and Authy, both of which are freely available from the respective app stores for Android and iPhone devices. Suppose now that after enabling MFA, you lose the phone. You will be unable to log in to your account, and even after replacing the phone you will still be in the same predicament. The solution is to securely store a printout of the QR code at the time you enable MFA. Securely in this context ideally means storing it in a physical safe accessible only to authorized personnel, but the most important point is that should the printout fall into the wrong hands, it is of no value unless the holder can also identify which website and account it belongs to. Another option is to keep a screenshot of the QR code in an encrypted storage location, such as an encrypted bucket in the Amazon Web Services Simple Storage Service.

By keeping the QR code in a safe, secure location, regaining access to an account after losing a phone is as simple as installing a third-party authentication app on a replacement phone and scanning the QR code. The one-time passwords it begins generating will work as always with your account.

The other scenario in which this QR code will prove invaluable is when a new individual takes over as the point of contact on an account. That new point of contact should scan the QR code in order to log in to the account initially, but should then regenerate a completely new QR code and reset the password to something new, so that the old point of contact no longer holds any current login data for the account.

Conclusion

For casual users, researching the various password management tools and the features they offer can seem overwhelming. Don’t panic. Skypunch has already taken care of ensuring password strength for you, and if you are using a browser that stores your passwords without allowing them to be viewed before a master password is provided, then you are in adequately good shape, particularly when this is coupled with MFA. For Public Sector accounts, where security matters are generally of greater concern, consult with your IT staff to ensure that the password and QR code storage and recovery procedures comply with whatever requirements may be applicable.