An ode to password managers

 •  Tips Great Tool

Do you remember all your passwords?
If so, that's not good!


This post will not be as technical as my usual posts are and so it's for everyone, as everyone uses a computer, phone or tablet and sooner or later needs to deal with passwords.

This post is about the importance of password managers. There are so many of them these days, both free and paid. They are easy to install and easy to use, but many people still either don't know about this approach or don't bother trying it. If this post will convince at least one person to move from memorizing 1-5 passwords to using a password manager, I will be more than happy.


Common approaches

Let's list common approaches to password management:

  1. One memorized password for everything.
  2. Two passwords: first for important stuff, second for everything else.
  3. Multiple (probably five-ten) passwords - all memorized. This approach makes it easy to forget which password is for which website.
  4. Password system: for example for gmail.com I may have password liamgrotciv (reversed 'gmail' plus reversed first name).
  5. A paper or electronic list of all passwords.
  6. Saving all passwords in the browser, e.g. google passwords
  7. Online cloud based password managers, which securely generate and save passwords somewhere in the cloud and allows access to them from all devices.
  8. Offline password managers that securely save passwords somewhere on a certain device. It is the user's job to synchronize passwords between all devices.
  9. Hardware password managers.

If you use methods 7-9, then you probably have already thought about the importance of this topic. If not, please bare with me for three more minutes.

Reasons

How we manage our passwords becomes more and more important, because we all use tons of services (which almost always require you to have login/password) and their count only grows every day.

Let's be honest, no matter how good the memory is, sometimes we may forget a password for a particular website or even a home WiFi router.

Also, if you use the same password for multiple services (or even more than one), it is extremely risky. If one little service you signed up long ago, used it once and forgot about it will leak your password, then all your other accounts can be compromised.

Many services allow us to connect using Facebook or Gmail account, but not all. Plus, those services may ask us to allow them to access our Gmail/Facebook contact list and we don't want that.

Some people may ignore the importance of the problem and think that there is no need to hack them, or they have nothing to hide, or who needs to read their emails. If this is your approach, please, reconsider it. There are so many ways to hurt you by knowing your email password: starting from erasing your cloud drive to getting access to your profile on different social networks.

What a password manager can do for you

  • generate strong, complex and unique passwords
  • store passwords, logins and other data (e.g. credit card numbers) securely
  • synchronize passwords between multiple platforms and devices
  • backup and restore data
  • remind to change passwords once in a while (which is a very good practice) and simplify the changing process

Managed cloud based password managers vs local password managers

Local password managers are usually free to use. They represent an app, which you can run on your device (often many platforms are supported). After you provide your master password, the app opens a file, which is stored locally and contains all your password in an encrypted form. Then you can search your username/password for a particular website or create a new one.

keepass

KeePassX password manager


You have to carry yourself about synchronization between multiple platforms and devices, doing backups and updating your client. For synchronization, you can use something like [Dropbox]. The approach with your own synchronization allows you to add another layer of encryption. You can use a tool like Cryptomator to encrypt your local files before uploading them to a cloud drive. Encrypting some files in your cloud drive may be a good thing to do even when they have nothing to do with passwords.

The image is from Cryptsync website


Cloud password managers are not free, but they solve all the problems mentioned above (synchronization and backups) and add an extra convenience, as you can integrate them with your browser and won't need to jump to a different application to copy your username/password.

1Password on the picture below displays a little icon in your login form and can either generate a new password for you (when you are creating a new account) or insert the proper password (when you want to login using an existing account). It makes life incredibly simpler.

1password

Unfortunately the browser integration adds another layer of software, which an attacker can use. E.g.: read more details on how LastPass (probably, the most popular password manager) leaked passwords through chrome extension. It is still not a reason for not using browser integration. Such issues are fixed very quickly (often before they become known publicly) and the good thing is that browser updates your extensions automatically and you won't have to worry about this.

Which password manager is better

There is no right answer. I prefer 1Password or KeyPassX + Cryptomator + CloudDrive. But be aware, that most password managers were found to have at least minor security exploits one or multiple times over the years on at least one platform they support and there will be more in the future. So it's important to always keep your client up to date.

How long my passwords should be?

There is no need to argue on this topic. Longer - better, with as many different symbols as possible. You won't have to memorize them anyway. In my opinion 16-32 symbols is a good interval.

What about my master password?

Take this very seriously. It should be long (a sentence with at least six words and numbers) and hard to guess. The most important thing to keep in mind is that you should never forget your master password.

Good password managers should not allow you to reset your master password. If they do, then this is a potential hole in security system. Simply put it: if you have an option to reset your master password, then your service provider has this option as well.

Conclusion

Any password manager is better and much more secure than none. Download a password manager and start using it. It will only take fifteen minutes to set up. Then you will love it.