
October 2015 • The Monthly Security Awareness Newsletter for Everyone

Password Managers

One of the most important steps you can take to protect yourself online is to use a unique, strong password for each of your accounts. Unfortunately, most of us have so many accounts that it’s almost impossible to remember all of our passwords. A simple solution is to use a password manager, sometimes called a password vault. These applications are designed to securely store your login credentials. Moreover, they can make it much easier for you to log into websites, mobile apps and other applications.

How Password Managers Work

A password manager acts like a digital safe; it securely stores your usernames, passwords and other sensitive information. When a website requires you to log in to your account, the password manager can automatically retrieve your password and securely log you into the website. This makes it simple to have hundreds of unique, strong passwords, since you do not have to remember them.

Password managers store your details in a database, which is sometimes called a vault. The password manager encrypts the vault’s contents and protects it with a master password that only you know. When you need to retrieve your credentials, perhaps to log into your online bank or email accounts, you simply type your master password into your password manager to unlock the vault.

Some password managers store your vault on your local system or smartphone, while others store it on a remote website maintained by the company that built the password manager. In addition, most password managers include the ability to automatically synchronize the vault’s contents across multiple devices that you authorize. This way, when you update a password on your laptop, those changes are synchronized to your smartphone, tablet or any other computers you are using. Regardless of where the database is stored, you need to install the password manager application on your system or device to use it.

When you first set up a password manager, you need to manually enter or import your logins and passwords. Afterwards, the password manager can detect when you’re attempting to register for a new online account or update the password for an existing account, automatically updating the vault accordingly. This is possible because most password managers work hand-in-hand with your web browser. This integration also allows them to automatically log you into websites.

Password managers are designed to securely store your sensitive data. However, it’s critical that the master password you use to protect the vault’s contents is strong and very difficult for others to guess. In fact, we recommend you make your master password a passphrase, which is one of the strongest types of passwords possible. If your password manager supports two-step verification, use that for your master password. Finally, make sure that you do not use your master password for any other system or account. This way, even if a hacker manages to obtain a copy of your vault, they will be unable to guess the password and access its contents. Also, be sure you remember your master password. If you forget it, you will not be able to access any of your other passwords.
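To make the role of the master password concrete, the following Python sketch is an added example, not part of the original newsletter and not any product's code. It assumes PBKDF2-HMAC-SHA256 with an illustrative iteration count, and uses an HMAC check value in place of the encrypted vault; all function names and the sample passphrases are constructed.

```python
import hashlib
import hmac
import math
import secrets

ITERATIONS = 600_000  # assumed work factor for this sketch; products choose their own
CHECK_LABEL = b"vault-unlock-check"  # constant used only to build the check value


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 32-byte vault key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS
    )


def create_vault_header(master_password: str) -> dict:
    """Build what is stored beside the vault: a random salt and a check value.

    Neither the master password nor the derived key is stored, so a forgotten
    master password cannot be recovered from these fields.
    """
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    verifier = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def unlock(header: dict, attempt: str):
    """Return the vault key if the attempt is correct, otherwise None."""
    key = derive_key(attempt, header["salt"])
    candidate = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(candidate, header["verifier"]) else None


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a passphrase whose words are picked uniformly at random."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    header = create_vault_header("correct horse battery staple")  # constructed
    print("stored fields:", sorted(header))
    print("right passphrase:", unlock(header, "correct horse battery staple") is not None)
    print("wrong passphrase:", unlock(header, "password123") is not None)
    print("5 random words from a 7776-word list: %.1f bits"
          % passphrase_entropy_bits(7776, 5))
```

Someone holding a copy of the vault must repeat the full key derivation for every guess, which is why a long random passphrase keeps the contents out of reach.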

Choosing a Password Manager

There are many free and commercial password managers to choose from. When trying to find the one that’s best for you, please keep the following in mind:

  • Confirm that the password manager will work on all the systems and mobile devices where you might need to access your vault. The solution should also make it easy to keep the vault’s contents synchronized across all of your devices.
  • Use only well-known and trusted password managers. Be wary of products that have not been around for a long time or have little to no community feedback. Just like fake anti-virus software, cyber criminals can create fake password managers to steal your information.
  • Your password manager should be simple for you to use. If you find the solution too complex to understand, find an alternative that better fits your style and expertise.
  • Make sure whatever solution you choose continues to be actively updated and patched, and be sure you are always using the latest version.
  • The password manager should make it easy for you to select strong passwords for your various accounts, including the ability to automatically generate strong passwords and show you the strength of the passwords you’ve chosen.
  • The password manager should give you the option of storing other sensitive data, such as the answers to your secret security questions, credit cards or frequent flier numbers.
  • Be wary of password managers that employ proprietary or unknown encryption techniques, rather than encrypting your vault using industry-standard methods. If the vendor advertises how they developed their own encryption solution, stay away from them.
  • Avoid any password manager that claims to be able to recover your master password for you. This means they know your master password, which exposes you to much more risk.

Password managers are a powerful solution to securely store all of your passwords and other sensitive data. However, since they safeguard such important information, make sure you use a strong master password that is not only hard for an attacker to guess, but easy for you to remember.


License

OUCH! newsletter is under the Creative Commons license.  You are free to share / distribute it but may not sell or modify it.

Guest Editor
Lenny Zeltser

Senior Instructor at SANS
Lenny Zeltser is an information security and malware analysis expert. He currently serves on SANS Board of Technology Directors and is Chief Information Security Officer (CISO) at Axonius. He teaches courses through SANS primarily on Malware, has co-authored four books on network security, malware
Twitter
lennyzeltser
