Emily is a college student at a liberal arts college in the Chicago area. She has several online accounts, and she uses three primary passwords, which she shares between accounts, because she’s afraid of forgetting her passwords.
One afternoon, Emily visits the student loan office to check on why her funds seem to be coming through late. She is shocked to discover that, according to the student loan department, all her loan money has already been paid out – to someone else’s bank account!
The Attack: University Emails & Identity Theft
Ivan focuses on college students with .edu email addresses, since he knows that they are a potential gold mine for identity thieves. He purchases the addresses on the dark web, where username-password combinations are readily available for sale. In fact, a 2017 report by the Digital Citizens Alliance showed that several top universities had over 100,000 compromised accounts each, and in 2022 the FBI issued an alert to universities informing them that “Stolen higher education credential information, including usernames and passwords, were discovered advertised for sale on online criminal marketplaces (dark web) and in publicly accessible forums.”
Ivan can use a stolen email address to sign up for free student accounts, and he can mine the victim’s email account for information that helps him compromise even more accounts. But lately he has graduated to something more audacious: in the last month, he took out student loans using stolen identities, and scored a huge payday.
Emily’s university username-password combination became compromised after one of her other online accounts exposed passwords during a security breach. Because Emily reused her passwords, an attacker was able to match the leaked password up with her university email account. After Ivan bought her username and password and did a little digging, he found everything he needed to impersonate her and secure a loan in her name.
Reviewing Password Manager Alternatives
Emily made three major mistakes: she created weak passwords, she reused passwords, and she relied on passwords alone, instead of adding Multi-Factor Authentication. The best way to avoid making similar mistakes is to use a Password Manager, combined with Multi-Factor Authentication on all your accounts.
To understand why you need a password manager, it’s worth reviewing the shortcomings of other methods. One by one, let’s go through problems with password manager alternatives.
The first option is not to use any system to keep track of passwords. This is a bad idea; since strong passwords are hard to remember, either you will forget your passwords, or you will tend to use weak passwords, and reuse passwords between sites.
A second option is to write passwords down in a physical notebook. This solves the problems related to remembering your passwords, but you will still be tempted to use weak passwords and reuse them, because it’s annoying to copy out long random passwords by hand. Even worse, if you are the victim of a physical theft, all your digital accounts might be compromised.
A third option is to use the digital equivalent to a physical notebook, and store passwords using some kind of program, such as Notepad or Excel. While this solution offers greater safety from physical threats, it could be at risk from digital attack, and if your computer is compromised with any kind of malware or keylogger, your passwords will be compromised.
The final alternative to using a password manager is to store passwords using a browser, such as Safari or Chrome. Unfortunately, the default settings for browser password management do not offer much security, and even when properly set up, browsers are never as secure as reliable password managers.
Using a Password Manager to Protect Your Accounts
In contrast to the options explored above, Password Managers only require you to memorize a single password, which you use to access the Password Manager itself. Then, from inside the Password Manager, you can automatically generate strong passwords, synchronize your passwords across your different devices, and ensure that you are using unique passwords for all your accounts. Password managers also let you store your Multi-Factor Authentication codes. Finally, many password managers include monitoring features: they can notify you of data breaches so that you can immediately change passwords, and alert you about dark web activity related to your email addresses.
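The reuse problem from Emily’s story and the fix described above, shown as an added example that is not part of the original article: a Python script that audits an account inventory for shared passwords, lists which accounts a single breach exposes, and then assigns each account its own random password with Multi-Factor Authentication turned on. The account names, passwords, and function names are all constructed for illustration.

```python
import secrets
import string
from collections import defaultdict

# Constructed inventory modelled on the story: three passwords shared
# across accounts. Every name and password here is made up.
ACCOUNTS = {
    "university-email": {"password": "Chicago2023", "mfa": False},
    "student-loans":    {"password": "Chicago2023", "mfa": False},
    "shopping-site":    {"password": "Chicago2023", "mfa": False},
    "bank":             {"password": "Fluffy!99", "mfa": True},
    "social-media":     {"password": "Fluffy!99", "mfa": False},
    "streaming":        {"password": "emily123", "mfa": False},
}
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def reuse_groups(accounts):
    """Map each password used more than once to the accounts sharing it."""
    groups = defaultdict(list)
    for name, info in accounts.items():
        groups[info["password"]].append(name)
    return {pw: sorted(names) for pw, names in groups.items() if len(names) > 1}


def exposed_by_breach(accounts, breached):
    """Other accounts that share the leaked password and have no MFA."""
    leaked = accounts[breached]["password"]
    return sorted(
        name for name, info in accounts.items()
        if name != breached and info["password"] == leaked and not info["mfa"]
    )


def generate_password(length=20):
    """Random password drawn from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_all(accounts):
    """Give every account a unique random password and enable MFA."""
    return {name: {"password": generate_password(), "mfa": True} for name in accounts}


if __name__ == "__main__":
    print("Reused passwords:", reuse_groups(ACCOUNTS))
    print("Breach of shopping-site exposes:", exposed_by_breach(ACCOUNTS, "shopping-site"))
    fixed = rotate_all(ACCOUNTS)
    print("After rotation:", exposed_by_breach(fixed, "shopping-site"))
```

With the constructed data, a breach at the shopping site exposes the university email and student loan accounts, while a breach at the social media site exposes nothing further because the bank account that shares its password has Multi-Factor Authentication enabled.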
When choosing a password manager, you should do your homework. Avoid companies that use centralized password repositories that can be hacked; be on the lookout for companies who have had past security incidents; and look for products that have good reputations in the cybersecurity community.
Two solutions that are well respected currently are Bitwarden and 1Password. Bitwarden offers a free version for individual users and offers some robust features that make it a great choice for small businesses. 1Password developed out of the Apple ecosystem, and though not free, offers a modestly priced “1Password Families” plan that could be a great choice for families. With that said, apps change and needs vary, so take a look at what’s out there and compare features to choose the best password manager for your needs.
Whether you are at home or at work, you could be vulnerable to cyber crime if you don’t use a Password Manager and follow cybersecurity best practices. If your organization needs help creating and implementing a comprehensive security plan, contact us to schedule a cybersecurity assessment.