Recent breaches at LastPass have brought the use of a password manager into question. Is it still a safe, secure way to manage your accounts? Is a Single Sign-On (SSO) system more effective?

Web-based systems and applications are growing rapidly in today’s technology-driven environment. On an average day, each of us accesses somewhere between 8 and 15 systems or applications.

The safest and most secure method of accessing these programs is to use different login credentials for each system. This practice limits the damage if a single credential combination is stolen: an attacker cannot reuse it to break into every application you use.

So what are the potential pitfalls to be aware of for both password managers and SSO systems?

Many organizations use SSO to minimize the number of logins a user must remember. If your organization uses SSO, but you still use a system with an individual username/password, you should contact IT and see if the application is able to migrate to the SSO platform in use.

The potential downside? Even with SSO, an attacker who obtains your master credential combination can trigger a multi-factor authentication prompt on your phone and rely on you to approve the fraudulent session. An unsuspecting user may approve it out of habit, or from a general lack of attention or awareness during a busy day.

Encrypted password manager vaults, even when exposed, can be difficult to crack. Password managers like LastPass may fall victim to data breaches, but unless the encryption key that protects your credential combinations is discovered, your systems remain safely locked, and you can change your master password to once again keep your vault from prying eyes.

Tips to remember to keep your credential combinations as safe as possible:

  • Use password management software. It helps you maintain unique, complex passwords for multiple systems.
  • Do not use the same password for multiple systems. If one system is compromised, every other system that shares that password is at risk.
  • Do not write down a complete password. If you must write one down, use an easily remembered trick such as withholding two characters from the written copy. By withholding a few characters from your actual password, it is unlikely an attacker could discover the correct combination before failed attempts lock out the account.

Example:

Actual
ADx5!B23hfg

Written
AD!B23hfg

NOTE: When using this method, do not remove characters from the first or last two positions. To increase difficulty, remove a set number of characters from the interior of the password string or phrase.
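To put a number on the claim above, here is an added Python example (not part of the original article) that counts how many passwords are consistent with a written copy when characters were withheld from the interior, and compares that count with an account lockout threshold. It assumes a 94-character printable alphabet and a five-attempt lockout; both are constructed assumptions, as is the use of the article's own example password.

```python
import itertools
import math
import string

# Values taken from the article's example (constructed usage, not real credentials).
ACTUAL = "ADx5!B23hfg"
WRITTEN = "AD!B23hfg"
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols (assumption)
LOCKOUT_ATTEMPTS = 5  # assumed failed-login threshold before the account locks


def withheld_count(actual: str, written: str) -> int:
    """Number of characters withheld, after checking the written copy really is a subsequence."""
    remaining = iter(actual)
    if not all(ch in remaining for ch in written):  # each `in` consumes the iterator in order
        raise ValueError("written copy is not a subsequence of the actual password")
    return len(actual) - len(written)


def insertion_choices(written_len: int, withheld: int, alphabet_size: int, protected_ends: int = 2) -> int:
    """Upper bound on candidate passwords: choose interior positions for the withheld
    characters (never within the first/last `protected_ends` positions), then fill each."""
    total_len = written_len + withheld
    interior = total_len - 2 * protected_ends
    if interior < withheld:
        raise ValueError("not enough interior positions to withhold that many characters")
    return math.comb(interior, withheld) * alphabet_size ** withheld


def distinct_candidates(written: str, withheld: int, alphabet: str, protected_ends: int = 2) -> set:
    """Exact set of distinct passwords consistent with the written copy (brute-force enumeration).
    Smaller than insertion_choices() because different insertions can yield the same string."""
    total_len = len(written) + withheld
    interior = range(protected_ends, total_len - protected_ends)
    found = set()
    for positions in itertools.combinations(interior, withheld):
        for chars in itertools.product(alphabet, repeat=withheld):
            fill = dict(zip(positions, chars))
            out, wi = [], 0
            for i in range(total_len):
                if i in fill:
                    out.append(fill[i])
                else:
                    out.append(written[wi])
                    wi += 1
            found.add("".join(out))
    return found


def success_probability(candidates: int, attempts: int) -> float:
    """Chance an attacker guessing uniformly at random succeeds before the lockout triggers."""
    return min(1.0, attempts / candidates)
```

With the article's example, an attacker holding the written copy still faces roughly 185,000 candidate strings, so five online attempts succeed with a probability well under one in ten thousand.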

As always, if you believe one of your passwords has been compromised, notify your IT department and change login credentials accordingly.