Required UC training suggests using a 'password manager' ... which means what?

The advice to consider using a password manager, contained in UC's newly required cybersecurity awareness training, is apparently inspiring more people to ask what a password manager is.

cybersecurity awareness training

A password manager is a software application that stores and protects all of your passwords in one secure place. It acts as a virtual safe. It generates complex, distinct passwords for each of your accounts, and enters the passwords for you. The only password you have to remember is the one for your password manager.

It's not a new idea. In fact, about three-fourths of security experts use one, according to a blog post from Google. But about three-fourths of non-experts don't, which implies that most people don't know how a password manager can help them.

Using a password manager removes the temptation to re-use passwords for multiple accounts, which is risky, or to use a really simple password like "12345," which is even riskier. It also means you no longer need to remember a lot of different passwords, although you do need to be sure you don't forget the master password.

How to find a good one

There are many types of password managers. Ones with good reputations include KeePass and LastPass (both have free versions), but UC Davis does not endorse a particular product. A good password manager, says a paper from the security organization SANS Institute, will:

  • Use only well-known and trusted solutions. Be wary of solutions with a short history, or that have little or no community feedback.
  • Be actively updated and patched (always use the latest v ersion).
  • Be simple to use.
  • Encrypt your passwords using industry standard, strong, encryption. Be wary of any product that advertises a proprietary or unknown encryption method.
  • Run on all the computers you use. Advanced versions also work on mobile devices.
  • Provide tools for generating arbitrary passwords, and help manage password expiration dates.
  • Help you identify the relative strength of the passwords you've chosen.

Also, if your password manager provides a means for synchronizing the service across the different devices you use, then it should encrypt locally before sending information to the central system.

The topic stirred a discussion in early November on tsp-share, the UC Davis listserv for campus technologists, with members arguing for or against password managers. Most commenters favored them. Several listed the programs they use as individuals or in their units, including KeePass, 1Password and LastPass.

Lifehacker posted this review of password managers in January. PCMag summarized several paid products in this chart in October, and reviewed free options in June.

It's part of the solution, not the entire solution

There's never a total, perfect solution in information security, and that's true with password managers, too. Using one does not mean you can skip other basic good habits of cybersecurity, such as keeping all your software updated, and using secure wireless networks. You can read more about information security at security.ucdavis.edu.

The University of California cybersecurity awareness training is required for all faculty, staff, and student employees. If you haven't taken it yet, you have until Jan. 31, 20 16, to complete it. Watching the series of online videos, and answering the test questions, takes about 50 minutes.

The course is in the UC Learning Center. Log in with your Kerberos ID and search for "UC Cyber."