
Use a password manager, for your own good

posted: February 14, 2021

tl;dr: My humble attempt to convince everyone to use a password manager...

If you are still using the same password, perhaps with minor variations, across multiple websites and apps, or keeping track of your passwords by writing them on a piece of paper, this post is for you. I will attempt to convince you why you should be using a password manager: a tool that encrypts all your passwords, allowing access to them by entering a single, master password.

It’s easy!

A password manager actually gives you what you want: just one password to remember and type, to gain access to all the websites and apps that you use. The only trick is that it becomes a three-step process. You enter your one master password into the password manager, then search for the unique password for the website or app that you are accessing, then copy the unique password into the password box on the website or app. After you become accustomed to the process it takes just a few seconds, as your muscle memory will kick into gear. On an average workday, I am in my password manager at least a dozen times.

Most password managers even come with browser plugins that attempt to recognize when you are logging into a website, and automatically paste in the correct password, or give you a small set of passwords from which to choose. I find that the plugins work most of the time but not always; the fallback is just to use the main password manager app. The expense is not severe; some come with free tiers, and when you get to the point of needing to pay, you’ll find that it is worth the price. I pay $60/year for Dashlane Premium, which I measure against the time I’d have to spend dealing with a security breach due to poor password practices.

Dashlane's one password to access them all

Better unique passwords

You should be using a unique, unguessable, unrelated password for every website and app that you use. That is because, through no fault of your own, the databases behind websites and apps are often breached by hackers, exposing usernames (which are often email addresses) and passwords along with other personal information. You can check how often your email address and other personal information have appeared in known breaches at Have I Been Pwned.

That website only contains data from known breaches; there are, of course, unknown breaches. The problem is that once your username and password for one website or app are known, hackers can easily try that same username and password on other websites or apps to see whether you are reusing the password (an automated attack known as credential stuffing). Your username and password may have been breached on small-ecommerce-site.com, but hackers will try to log in with your stolen credentials on chase.com, gmail.com, and other important sites. This can all be done, and almost certainly will be done, not by someone typing your information into a browser, but by an automated program. Even if you change your password slightly across different sites, attackers can try minor variations if they are determined. If a database of millions of users is breached, the hackers will almost certainly find some percentage of usernames and passwords that let them break into important sites to steal money and sensitive data.

Password managers help prevent this by making it easy to use a unique password for each website and app, and by generating a password for you whenever you need a new one. You can go ahead and use a password like ^sn-MLZU=-Ny3]8RQbgcFqT*!p4^jM because you will just be generating it in the password manager and then copying and pasting it whenever needed. On rare occasions this process fails, forcing you to type the long, cryptic password, but this is a small price to pay for good security.
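As an added example (not the author's code or any password manager's), the script below audits a constructed vault export for the exact reuse and minor variations described above, and generates a replacement password with a cryptographically secure random generator. The sites and passwords are made-up sample data.

```python
# Added example, not from the original post: audit a small vault for reused or
# near-identical passwords, and generate a random replacement with a CSPRNG.
import math
import secrets
import string

# Constructed sample vault of (site, password) pairs; not real credentials.
SAMPLE_VAULT = [
    ("small-ecommerce-site.com", "Summer2020!"),
    ("chase.com", "Summer2020!"),          # exact reuse
    ("gmail.com", "Summer2021!"),          # "minor variation" of the same password
    ("example.org", "^sn-MLZU=-Ny3]8RQbgcFqT*!p4^jM"),
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def generate_password(length=30):
    """Uniformly random password; secrets (not random) is suitable for credentials."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)

def edit_distance(a, b):
    """Levenshtein distance; 'Summer2020!' vs 'Summer2021!' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_vault(vault, max_variation=2):
    """Return (reused, variations): site pairs sharing a password or a near-identical one."""
    reused, variations = [], []
    for i in range(len(vault)):
        for j in range(i + 1, len(vault)):
            (site_a, pw_a), (site_b, pw_b) = vault[i], vault[j]
            if pw_a == pw_b:
                reused.append((site_a, site_b))
            elif edit_distance(pw_a, pw_b) <= max_variation:
                variations.append((site_a, site_b))
    return reused, variations

if __name__ == "__main__":
    reused, variations = audit_vault(SAMPLE_VAULT)
    print("exact reuse:", reused)
    print("minor variations:", variations)
    print("replacement:", generate_password(), f"({entropy_bits(30):.0f} bits)")
```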

Sorry, you cannot remember enough passwords

Unless you are an Internet hermit, and visit only a few websites and apps, you almost certainly have more passwords to remember than is humanly possible to do, especially if they are long, cryptic ones like the example above. I use two different password managers, one for personal use and one for work. My personal password manager currently has 256 passwords in it (2 to the 8th power, an important number in the computer business), plus some other encrypted notes. My work password manager has hundreds more, and allows passwords to be shared among specific groups of employees. Password managers make it easy to handle all the passwords that I need.

Easy to share passwords

Another feature that good password managers offer is the ability to securely share passwords with other users of the password manager. Often, for personal usage, there is a “family plan” available. In a business, secure password sharing among groups of employees is an absolute requirement.

Security conscious employers require password managers

If you work at an employer with good computer security practices, they will almost certainly require you to use a password manager. So why not adopt the same practice for your personal use?

Good options available

Password managers typically consist of small, native applications that you install on all the various computers and mobile devices that you use, plus browser plugins that can help you log into websites. I’ve used Dashlane for my personal use for years. I chose it because of the quality of the native macOS application, which was rated best-in-class in reviews at the time, and because of the strength of its encryption scheme. But I’ve also used LastPass and 1Password on the job. My current employer switched from LastPass to 1Password. There are differences between them, but they all get the job done and are much better than using nothing.

If I were allowed to make just two computer security recommendations, they would be:

  1. Use a password manager
  2. Don’t email passwords and other secrets, which is the focus of this post

Those recommendations won’t close all potential security holes, but they will be a big improvement if you’re not following them today.