Password management

Aims and objectives

This module will:

  • provide information and guidance on account security
  • explore the use and benefits of password managers
  • outline common security issues

After completing this module, you will be able to:

  • create passwords that are harder to guess and crack
  • understand how accounts are hacked and ways to reduce your risk
  • practice proper account and password management

4. Account and password management

Account management

Creating a secure password is important, but no matter how secure your password is you can still be vulnerable if your account management is lacking. An example of bad account management would be using the same secure password and email address across multiple accounts. If Facebook gets hacked and your username and password are stolen, hackers can use that information to then access your Instagram or various other online accounts. 

On websites like Spotify, you can conveniently 'Login with Facebook' so that you don't need to create a separate account for every site you use. However, this convenience comes at a cost: every time you use your Facebook login to access another service, you are giving that service access to your personal data stored by Facebook. It also means an attacker only needs access to your Facebook account to start getting into every other service you have associated with that Facebook login. By using the 'Login with Facebook' option you are essentially using Facebook as a password manager to remember your username and password for a number of sites and services.

Ever noticed, after doing some online shopping, adverts on other websites showing items similar to the ones you just searched for? This is a demonstration of your personal data being sold and exchanged to target you.

Read "No boundaries for Facebook data: third-party trackers abuse Facebook login" on Freedom to Tinker.

Password management

Password managers provide a similar level of convenience to "Login with Facebook" but are much safer.

Password managers create an encrypted database of all your usernames and passwords that only you can access with a master password. This means you only need to remember one password to have access to all of your accounts. Most password managers include the ability to generate secure passwords that you can use for new or existing account logins. Because you only need to remember one master password, you can generate and store a different complex password for each account. This way, you are not relying on your memory, or on easy passwords, to keep track of many different account login details.

BitWarden password generator function
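How a generator of this kind can work, as an added example for Node.js that is not BitWarden's code or part of the original module: it draws every character from the operating system's secure random source, guarantees one character from each selected class, and reports the resulting strength in bits. The character classes, the default length of 20 and all function names are assumptions made for this example.

```javascript
// Added example: CSPRNG-backed password generator with an entropy estimate.
const crypto = require('node:crypto');

// Assumed character classes (80 characters in total).
const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{}',
};

// Pick one character uniformly; crypto.randomInt avoids modulo bias.
function pick(chars) {
  return chars[crypto.randomInt(chars.length)];
}

// Generate `length` characters with at least one from every requested class.
function generatePassword(length = 20, classes = Object.keys(CLASSES)) {
  if (classes.length === 0 || classes.some((c) => !Object.hasOwn(CLASSES, c))) {
    throw new RangeError('unknown or empty character class list');
  }
  if (length < classes.length) {
    throw new RangeError('length too short for the requested classes');
  }
  const alphabet = classes.map((c) => CLASSES[c]).join('');
  const out = classes.map((c) => pick(CLASSES[c])); // one per class
  while (out.length < length) out.push(pick(alphabet));
  // Fisher-Yates shuffle so the guaranteed characters are not at fixed positions.
  for (let i = out.length - 1; i > 0; i--) {
    const j = crypto.randomInt(i + 1);
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out.join('');
}

// Upper bound on entropy in bits for a uniformly random password.
function entropyBits(length, classes = Object.keys(CLASSES)) {
  const size = classes.reduce((n, c) => n + CLASSES[c].length, 0);
  return length * Math.log2(size);
}

console.log(generatePassword(), `~${entropyBits(20).toFixed(1)} bits`);
```

Each extra character adds about 6.3 bits with this 80-character alphabet, so length does more for strength than adding further symbol types.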

To make website logins easy, most password managers have browser extensions that either insert the information into the required login fields automatically or allow you to copy and paste the details. Not all websites and apps allow automatic login filling or pasting into login fields.

What to consider when choosing a password manager

There are a large number of password managers available. You need to research which service you want to use. Many of these services publish reports or blogs on their sites discussing how they work and what they do to protect your details; for instance, 1Password has a white paper going into a lot of depth on their service and mission. Some things to consider when making a decision:

  • Is my password stored only on my computer or is it backed up in the cloud? Given the growing popularity of password managers, they are a prime target for a data breach due to the sheer amount of account information they may store. You have to decide between maximum security and usability and convenience. If a password manager stores passwords in the cloud, it often has a phone app and browser extension allowing syncing across devices. This means that your information is being sent across the internet so that your other devices can access it, which is less secure than it never being sent across the internet at all.
  • If they are backed up in the cloud, is the information encrypted before it is backed up or after it has been backed up? If the information is encrypted after it has been backed up in the cloud, then it was potentially sent over the internet as plain text and is a lot easier for attackers to gain access to.
  • Are there any recorded breaches of the password manager in the past, and how did the service react? LastPass suffered a security breach in 2015; however, it was quick to fix the flaw. LastPass also publicly addressed the breach, how it occurred and what was stolen. This type of communication is important because it allows users to change their passwords, usernames etc. to avoid trouble in the future.
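What "encrypted before it is backed up" means in practice, as an added example for Node.js that is not taken from any of the password managers named here: the key is derived from the master password on the device, the vault is encrypted locally, and only the resulting blob is ever uploaded. The choice of scrypt and AES-256-GCM, the function names and the sample vault are assumptions made for this example.

```javascript
// Added example: encrypt the vault on the device, upload only ciphertext.
const crypto = require('node:crypto');

// Assumed KDF settings: scrypt with N=2^15 needs ~32 MiB, so raise maxmem.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Derive a 256-bit key from the master password; the key never leaves the device.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, KDF);
}

// Runs on the user's device: returns the only data the sync server receives.
function sealVault(masterPassword, entries) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  const parts = { salt, iv, tag: cipher.getAuthTag(), ct };
  // Base64 fields only: no master password, no key, no plaintext.
  return Object.fromEntries(Object.entries(parts).map(([k, v]) => [k, v.toString('base64')]));
}

// Runs on another of the user's devices after downloading the blob.
function openVault(masterPassword, blob) {
  const field = (k) => Buffer.from(blob[k], 'base64');
  const key = deriveKey(masterPassword, field('salt'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, field('iv'));
  decipher.setAuthTag(field('tag'));
  try {
    const pt = Buffer.concat([decipher.update(field('ct')), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch {
    return null; // GCM tag check failed: wrong master password or altered blob
  }
}

// Constructed sample vault; sites, usernames and passwords are made up.
const SAMPLE_VAULT = [
  { site: 'mail.example', username: 'alex', password: 'vF3!qT9#mZ2^' },
  { site: 'shop.example', username: 'alex', password: 'Lk8$wR1&xN6*' },
];

console.log(sealVault('correct horse battery staple', SAMPLE_VAULT));
```

A service that encrypts only after upload would instead receive `SAMPLE_VAULT` itself, so anyone able to read the traffic or the server's storage before that step sees every password.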

Below is a table outlining the features of popular free solutions. Some of these services offer freemium plans for additional features. This is a mix of open-source and commercial services. Make sure to do your own research and decide which will work best for you.

| Password Manager | Passwords stored | Passwords encrypted | Phone App | Browser Extension |
|---|---|---|---|---|
| 1Password | Cloud | Local device | Yes | Yes |
| BitWarden | Cloud | Local device | Yes | Yes |
| Password Safe | Local device | Local device | Yes (Unofficial) | No |
| iCloud Keychain | Optional | In-transit | Yes (Apple devices only) | No |
| Dashlane | Cloud | Local device | Yes | Yes |
| KeePass | Local device | Local device | Yes (Unofficial) | Yes (Unofficial) |
| LastPass | Cloud | Local device | Yes | Yes |

Duration:   Approximately 20 minutes


Graduate attributes

Knowledge and skills you can gain to contribute to your Graduate attributes:

 Critical judgement

 Ethical and social understanding

