IT'S GEEK TO ME

Do password managers work with government systems?

QUESTION: I’m considering a password manager, but I have a concern. I have several online accounts in the Defense Department’s system. The DoD’s password requirements are particularly onerous. The passwords have to be at least 15 characters; use upper case, lower case, special characters, and numbers; can’t reuse any password from the previous 18 months; must change at least eight characters from the preceding password; can’t have more than two duplicate adjoining characters (e.g. “aaa” is bad); can’t use my name, social security number, telephone number, or Zip Code; and — here’s the kicker — must be changed every 60 days! How do password managers deal with frequent mandatory changes? Do password managers generate passwords? Can I input password criteria into the application? Do they have a maximum number of passwords that can be stored? Thanks.

– Ed R.
Fort Walton Beach, Florida

THE GEEK’S ANSWER: Oh, what a great question, Ed! (It’s also among the last ones in my queue, so after this, I’m going to be writing off the cuff until I get some column fodder rolling in the door!) Other than answering your direct questions, the only thing you left me to talk about is to explain to the uninformed exactly what password managers are and what they can do. Let’s get started.

A password manager is a special type of software application that’s designed to securely store, generate, and even automatically fill in passwords and other credentials in applications and websites. They are available for smartphones, computers, pad devices, and pretty much any other device on which one might need to use a password to protect personal data.

One of the unique aspects of a password manager is that once you have one fully set up and working, you, the human user, don’t even need to know the passwords that protect your accounts and data. The password manager creates them, stores them, enters them when needed, and can update them on a regular basis.

The only password you need to know is the one to get into the password manager itself.

Now, to answer some of your questions, Ed. Those DoD security requirements might sound pretty harsh, but it has been proven that when people are allowed to choose their passwords without rule restrictions, they will choose pretty dumb and guessable passwords. QWERTY, 12345, and even PASSWORD are all common examples, selected by more people than you would probably expect.

Beyond that, there are password-cracking tools that can go through all the words in the dictionary in a few seconds and try each one, along with variations that replace a with @ and E with 3, and all those tricks that we think are so clever. People who are experts at breaking user accounts are also up on all the techniques that we use having to do with names of kids, pets, anniversaries, birthdays, etc.

A quality password manager can be configured to create passwords of lengths far beyond your 15-character minimum, Ed. One online generator I’ve seen allows you to create passwords of up to 50 characters.

Typically, you can include any combination of uppercase, lowercase, numbers, and special characters. You can even tell it to make all the characters unique. The passwords generated by the password manager will be an angry-looking mishmash of characters guaranteed to meet the criteria that you specified.

It doesn’t matter that it’s not a pattern that’s familiar to you since you don’t need to remember it or type it in, with the possible exception of setting it into a system for the first time. And it will generate a unique password for every application and site you program it for—no more using the same password everywhere because you can’t remember all the passwords for multiple sites.
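As an added illustration (not code from this column or from any particular password manager), here is a sketch of how a generator can apply the criteria listed in Ed's question: it draws random candidates and rejects any that break a rule. The special-character set, the 20-character default, and the position-by-position reading of the "change at least eight characters" rule are assumptions.

```python
import re
import secrets
import string

SPECIALS = "!@#$%^&*()-_=+[]{}"  # assumed special-character set
ALPHABET = string.ascii_letters + string.digits + SPECIALS
MIN_LENGTH = 15   # "at least 15 characters"
MIN_CHANGED = 8   # "change at least eight characters"


def changed_positions(new, old):
    """Count positions where the two passwords differ (assumed reading of the rule)."""
    differing = sum(a != b for a, b in zip(new, old))
    return differing + abs(len(new) - len(old))


def violations(candidate, previous="", history=(), personal=()):
    """Return the rules from the question that the candidate breaks."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("length")
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS)
    if not all(any(c in cls for c in candidate) for cls in classes):
        problems.append("character classes")
    if re.search(r"(.)\1\1", candidate):  # three identical adjoining characters
        problems.append("repeated characters")
    if previous and changed_positions(candidate, previous) < MIN_CHANGED:
        problems.append("too similar to previous")
    if candidate in history:  # passwords used in the last 18 months
        problems.append("reused")
    lowered = candidate.lower()
    if any(item and item.lower() in lowered for item in personal):
        problems.append("personal data")
    return problems


def generate(length=20, **context):
    """Draw from the OS random source until a candidate passes every rule."""
    if length < MIN_LENGTH:
        raise ValueError("length below policy minimum")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not violations(candidate, **context):
            return candidate
```

Calling `generate(previous=old_password, history=recent_passwords, personal=(name, zip_code))` returns a password that passes every check, which is what a 60-day rotation needs each time.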

If there is a limit to the number of passwords, that will be clearly stated upfront. I doubt any limits will be so small as to have a practical effect on even the most prolific users.

One concern I have for you, Ed, is whether a third-party password manager is compatible with your DoD systems. Accessing them via personally owned hardware would not be an issue, but you could run into a problem if the hardware is government-owned.

Your organization’s IT department might not allow the software to be installed on government hardware, no matter how superior it is to letting users enter their passwords themselves.

To view additional content, comment on articles, or submit a question, visit my website at ItsGeekToMe.co (not .com!)

Jeff Werner, a software engineer based in Niceville, Florida, has been writing his popular “It’s Geek to Me” tech column since 2007. He shares his expertise to help readers solve everyday tech challenges.
