Password Managers and Security
How many online accounts do you have? How many passwords? I have over 99. I’d be more specific about the number but I don’t want to count them, and the counter in my PW Manager Dashboard only goes so high.
Admittedly, I probably have more accounts than most faculty and administrators. My job involves experimenting with online tools and teaching teachers how to use those tools should they pass muster. As education moved online, I found myself creating more accounts. Around the core set of accounts and passwords we pretty much all have (work and personal email, a couple bank accounts, eBay, Amazon, Facebook, etc.) I’ve piled up a mountain of new accounts that I’m not even going to try to list here. Right now I feel pretty secure about all these different faces I’ve created online, but that’s not always been the case. In order to keep track of all the usernames and passwords, I used to keep them more or less all the same. I don’t think I was, or am, alone in this. In fact, I know otherwise after helping so many university employees with technical assistance. Most everyone not only ties all their online accounts to the same central email address, they also recycle the same password over and over. I did the same thing. I figured I was safe in the crowd.
And then some former colleagues of mine, teachers and administrators, got hacked.
It could have been worse. As soon as their email accounts began spewing out identical, sketchy emails containing the same incomplete English and the same link to everyone in their Contacts lists, IT figured out what was going on and went through the proper channels to seize back control. A few Facebook accounts mutated into spam bots. I think I remember some money was spent on mysteriously spendy “furniture” in Asia. But in the end, at least officially, everything was salvaged.
More than anything else, what we had to thank for things not being worse was the hacker bot’s error of sending out all those phishing emails from the newly compromised accounts. The hackers could have been quieter about the whole thing and given themselves much more time with the accounts they’d stolen, and maybe we would never have discovered the breach.
Think about what was at stake for each of these people and for the school at which they worked. In addition to my former colleagues’ bank and web presence accounts, their logins for Blackboard and Banner had also been compromised. The hackers had access to student usernames, emails, grades, names, etc. Should the right administrator or advisor have been compromised, the hackers would also, potentially, have access to student physical and mailing addresses, next of kin, and more.
This isn’t meant to be a nightmare-scenario scare-tactics post (well, not entirely), but neither is it meant to advertise on behalf of any particular password manager. I can tell you that I use Dashlane, and that I like it quite a bit. However, it is only one among several recognized password managers that are highly recommended. You can see a short list of those I found in my research to be trustworthy at the end of this post.
The purpose of this entreaty is to remind everyone working at this university, and at others, that our permissions in the various school-related tools (Blackboard, Banner, Outlook) make us responsible for more than just our information. Consider trying out a password manager, so that each of your passwords can be entirely unique, and the failure of one doesn’t mean the failure of them all.
Check out this overview provided by LifeHacker on their favorite password managers. It’s more thorough than anything I could write on the subject, as I’ve found the one password manager that I’m going to use for the foreseeable future and I’m sticking with it.