Password managers with 2FA: If you’re not using one, you’re crazy
17 February, 2017
category: Corporate, Digital ID
The industry is working hard to replace the username and password as the primary authentication method online, but it will take time. It occurred to me this week that the world needs to better embrace password managers with 2FA or two-factor authentication. I haven’t found reliable statistics that show exactly what percentage of the population is already on board, but from anecdotal personal experience, it’s not that high.
Certainly it’s not high enough.
Given the topic area we cover for our publications, people ask me all the time if the online world is really as dangerous as it seems. My simple answer? “Yes.” But next I assure them that there are many smart people and great companies working on solutions to these dangers, and finally I suggest they immediately start using a password manager.
I’m always surprised how few are leveraging a password manager.
I’m also surprised by the almost universal apprehension people have about the solution. Excuses run the gamut. “I don’t want all my passwords in one place.” “If they are in the cloud, anyone can steal them.” “Crack my master password and my whole life is compromised.”
Wrong, wrong and wrong.
First off, the current alternatives to a password manager simply don’t pass muster. Post-it notes, written lists and reused passwords haven’t been viable for a decade or longer. Nor is my personal favorite: those crafty naming tricks that many think make their passwords unique. Friends brag of their use of static, memorable items, such as their birthdate, but then append the initials of the service they are logging into to make each password “unique.” Face, meet palm.
Any reputable password manager encrypts passwords so they are not “sitting in the cloud waiting for a hacker to grab them,” as one of my family members suggested to me recently.
And this is the only practical security argument against password managers – someone gaining access to your list at the password manager’s site. Password managers make your passwords unique, they enable you to update them easily and they can transform a weak password like “jan15fb” to a long, meaningless, un-guessable string of letters, numbers and special characters – all at little to no effort on the part of the user.
But what if someone cracks my master password that I use to access the password manager? Opt for one of the password managers with 2FA and you effectively guard your master password with multi-factor security. At that point, I don’t care if your password is your dog’s name; you’re still protected.
Even with multi-factor authentication, password managers are not perfect, but the realistic alternatives for most people are simply unacceptable. In the future we will not need password managers because we will not need passwords. But until a more secure online alternative arrives, password managers with 2FA are a solid solution to a very real problem.