Why you really should use a password manager
If you’ve used the internet for any period of time it’s a certainty that you have created dozens, if not hundreds, of login accounts across the web. E-commerce stores, social media, government services, smart gadgets and an endless list of other apps and sites that need to confirm who you are.
In principle this is reasonable and, if done well, somewhat secure. The problem is that it’s hard to do well. Why? Because passwords are inherently bad for humans to deal with when you need lots of them.
This is not a fault of any particular person, but simply because the way to use passwords effectively is unwieldy for the human brain to manage. The two key requirements are length and uniqueness, but having to remember long passwords that are unique to each site or app is literally impossible given how many we accumulate.
Why can’t we just use one password for everything?
Coming up with strong passwords that can be memorized is do-able, and it is often the case that people will reuse a familiar password across many different places. These passwords are associated with some sort of username to tell who you are, and this is now most commonly your email address. That means it’s probably the same everywhere you go.
We have seen how security flaws in software have been frequently exploited by hackers to extract millions of these email/password combinations from many different companies and services. This is such a problem that sites have been created to keep track of the breaches and let you check whether your email address is among them.
Those combinations are then made available to other hackers who then apply them to other sites to gain access to potentially more juicy targets such as banks, shopping sites and other ways to get at your money. This works all too often as people have used the same passwords in all those other places.
By only using any given password on one site, we can be sure that any one of these data breaches will not affect any other site you use. This is a very effective barrier to being widely hacked, and makes it much easier to lock down a breach quickly as you only need to change one password in one known place.
But how do I remember so many passwords?
Ideally we wouldn’t need to. Passwords are inherently flawed as an authentication system and it would be far better for everyone to switch to something like SQRL (aka Squirrel) from Gibson Research Corporation.
SQRL avoids the whole mess by using a cryptographically secure public/private key system that doesn’t require websites to keep anything secret at all, and dynamically generates unique keys on the fly.
Sadly such changes have to overcome enormous inertia from the established way of doing things, so this is where password managers come in.
Password Managers are software tools that allow you to store all your passwords in one place, and lock them up under a single master password. That then becomes the only one you need to remember as your passwords will sync across your various devices and browsers.
These tools will also allow you to automatically generate strong complex passwords for any new sites, or when you need to change one, and will also enter them for you. That actually makes it more convenient than using manually remembered passwords while also being far more secure.
An additional security benefit is that you won’t be easily fooled by spoofed domain names and scam sites. The app will only offer up the password to the exact address it is intended for, not a fake login page.
What problems does a password manager solve?
When a password database is compromised, provided it is encrypted correctly, the attacker still needs to decrypt each password before it can be used for anything. This takes exponentially longer the more complex a password is. They’ll start with a dictionary attack, which tries all the commonly used and known passwords and word combinations, as these will get them a big chunk of users pretty quickly.
Having a password manager handle the recording and use of your passwords makes this much harder because they can be as crazy complex as you like. You don’t care anymore, because the app will (usually) enter it for you when you visit a site. This means every password will be much, much harder to decrypt if someone does get hold of it.
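To make the complexity point concrete, here is an added example (not code from the original post) of the two things a password manager does for you here: it draws a password from the OS cryptographic random source, and the resulting search space grows exponentially with length. The small `COMMON_PASSWORDS` set is a constructed stand-in for the wordlists a dictionary attack starts with; the 80-bit threshold in `assess` is an assumption chosen for illustration, and the entropy estimate assumes the password was generated uniformly at random, so it overstates the strength of anything a human made up.

```python
import math
import secrets
import string

# Constructed stand-in for the wordlists an attacker tries first (not a real list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "monkey"}

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Draw a password with the OS CSPRNG (the secrets module), never random.random."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Size of the search space in bits: log2(alphabet_size ** length).
    Every extra character multiplies the attacker's work by alphabet_size."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guessing rate."""
    return 2.0 ** bits / guesses_per_second


def assess(password: str) -> dict:
    """Defender-side strength check: dictionary membership first, then search-space size.
    The bits figure assumes uniform randomness, so it is only honest for generated passwords."""
    if password.lower() in COMMON_PASSWORDS:
        return {"bits": 0.0, "reason": "in common-password list"}
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    # Effective alphabet: only the character classes actually present count.
    alphabet_size = sum(len(c) for c in classes if any(ch in c for ch in password))
    bits = entropy_bits(len(password), alphabet_size)
    # 80 bits is an assumed threshold for this example, not a standard.
    return {"bits": bits, "reason": "ok" if bits >= 80 else "too short for its character set"}


if __name__ == "__main__":
    generated = generate_password(20)
    print(generated, assess(generated))
    # A 10-character mixed-case alphanumeric password has 62**10 candidates (~59.5 bits);
    # a 20-character password over 94 symbols has 94**20 (~131 bits), 2**71 times more.
    for bits in (entropy_bits(10, 62), entropy_bits(20, 94)):
        print(f"{bits:.1f} bits -> {seconds_to_exhaust(bits, 1e10) / 31_557_600:.3g} years at 10^10 guesses/s")
```

Running it shows why length matters more than cleverness: the manager never has to remember the 20-character string, so there is no reason to stop at 10.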
Having a different password for every single place you go on the web ensures that if any one company suffers a breach it doesn’t expose you anywhere else. Password managers allow you to automatically generate and store such passwords on demand so that you never need to worry about it, and guarantees every password is different.
Attackers often try to get at our credentials for high-value sites through other means, such as phishing attacks or DNS spoofing. These take the form of a bogus link that leads to a highly accurate copy of the real site’s login page. They may also use a URL that at first glance appears legit but is actually slightly different. An example might be a fake website for firstnational.com using the URL firstnationa1.com.
Even IT professionals can experience a lapse of concentration if they’re busy at the wrong time and get caught by one of these; it’s just that easy to overlook. Password managers can protect you because they look for a perfectly matched URL for your saved password and won’t fill it in if the URL is wrong. This can be enough to make you question the site’s validity and stop yourself handing over your logon details.
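The "perfectly matched URL" rule is the whole defence here, so as an added example (not the original post's code, nor any particular password manager's implementation) this is the check a manager's autofill logic has to make before offering a saved password. It treats the saved entry as an origin (scheme, host, port) and refuses to fill on anything else: the firstnationa1.com lookalike from the text, an http downgrade of an https site, a host that merely ends in the saved name, a URL that hides the real host behind `user@`, and a Unicode lookalike, which the IDNA encoding turns into a visibly different `xn--` name. The `should_autofill` function name and the constructed test URLs are assumptions for this example.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit


def _origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Reduce a URL to (scheme, host, port), or None if it cannot be trusted.

    urlsplit() already separates a `user@` prefix from the real host, so
    https://firstnational.com@evil.example resolves to host evil.example.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")          # hostname is already lower-cased
    try:
        # Unicode lookalike characters become an xn-- (punycode) label, so a
        # Cyrillic 'а' in the name can never compare equal to the Latin 'a'.
        host = host.encode("idna").decode("ascii")
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except (UnicodeError, ValueError):         # undecodable host or invalid port
        return None
    return parts.scheme, host, port


def should_autofill(saved_origin: str, current_url: str) -> bool:
    """Offer the saved password only when the page origin matches exactly.

    Exact match means: no lookalike domains, no parent/child domain of the
    saved host, no http downgrade of an https origin, no different port.
    """
    saved = _origin(saved_origin)
    current = _origin(current_url)
    return saved is not None and current is not None and saved == current


if __name__ == "__main__":
    # Constructed URLs for illustration, modelled on the firstnational.com example above.
    saved = "https://firstnational.com"
    for candidate in (
        "https://firstnational.com/login?next=/accounts",
        "https://firstnationa1.com/login",                  # digit 1 for letter l
        "http://firstnational.com/login",                   # https -> http downgrade
        "https://firstnational.com.evil.example/login",     # saved host as a prefix
        "https://firstnational.com@evil.example/login",     # saved host as userinfo
        "https://firstnation\u0430l.com/login",             # Cyrillic 'а' lookalike
    ):
        print(f"{'FILL' if should_autofill(saved, candidate) else 'refuse':6}  {candidate}")
```

Only the first candidate gets a password; every other line is refused, which is exactly the moment the text describes, where the missing autofill prompts you to look twice at the address bar.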
Securing Credit Card Data
Most password managers will also allow you to securely store other information, such as credit card details, and enter these automatically into forms at your request. This allows you to minimize the number of sites where your credit card info is stored without being inconvenient to you next time you shop there. Simply opt out of saving your details for next time at the checkout, and let the password manager take care of it for you.
This one might seem odd, and it’s not a security problem per se, but being able to hand your important account info over to your executor or next of kin when the time comes can save them a lot of pain. Anyone who has had to deal with a deceased estate can attest to the hassle of trying to figure out what accounts need to be looked at and how to access them.
With a password manager you can write down your master login details and store it somewhere safe, providing the location in your will. Whoever is dealing with your affairs can then see exactly what accounts you had and easily take whatever action is necessary for each of them. Some apps even provide features for this purpose.
What do I recommend?
Naturally, having a nice list of every site and password you use creates a super valuable target for hackers, so it’s important to select a good one that meets some key criteria:
It must not store your master password in a way that can be recovered
You need to treat your master password very carefully. It needs to be long and hard to break, and it needs to be stored in a way that cannot be recovered by anyone else. If a password manager sends your password to their servers in a recoverable way, that’s a red flag.
It must use robust encryption and be transparent about how
With the master password unrecoverable, the database itself needs to be strongly encrypted using a proven open standard such as AES. This means that without your master password your password list is just a blob of random noise, so it doesn’t matter where it is kept.
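The two criteria above, an unrecoverable master password and a vault that is noise without it, come down to how the key is derived and what the service is allowed to see. As an added example (not code from the original post or from any named product), this sketches the client-side key handling: the vault key is derived from the master password with PBKDF2-HMAC-SHA256 and never leaves the device; what the service receives for login is a separate one-way verifier, which it hashes again with its own salt, so a copy of the service's database yields neither the master password nor the vault key. The iteration counts, the `b"login-verifier"` domain-separation prefix and the function names are assumptions for this example; encrypting the vault blob itself with AES (for instance AES-GCM under `vault_key`) needs a third-party library and is not shown here.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000         # client-side PBKDF2 work factor (assumed value; tune to hardware)
SERVER_ITERATIONS = 100_000  # server re-hashes the verifier it receives (assumed value)


def derive_vault_key(master_password: str, user_salt: bytes) -> bytes:
    """Client-side only. Slow by design, so guessing master passwords is expensive.
    The returned key would be the AES key for the vault; it is never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               user_salt, ITERATIONS, dklen=32)


def login_verifier(vault_key: bytes) -> bytes:
    """What the client sends to log in: a one-way function of the vault key.
    The prefix keeps this value distinct from anything else derived from the key."""
    return hashlib.sha256(b"login-verifier" + vault_key).digest()


def server_enroll(verifier: bytes) -> dict:
    """Service stores a salted, stretched hash of the verifier, not the verifier itself.
    Its database therefore holds nothing that unlocks the vault."""
    server_salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", verifier, server_salt, SERVER_ITERATIONS)
    return {"salt": server_salt, "hash": stored}


def server_check(record: dict, verifier: bytes) -> bool:
    """Constant-time comparison against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", verifier, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def enroll_and_login(master: str, attempt: str, user_salt: bytes) -> bool:
    """End to end: enroll with `master`, then attempt a login with `attempt`."""
    record = server_enroll(login_verifier(derive_vault_key(master, user_salt)))
    return server_check(record, login_verifier(derive_vault_key(attempt, user_salt)))


if __name__ == "__main__":
    # Constructed values: in practice the user salt is random per account and stored
    # alongside the encrypted vault, since it only needs to be unique, not secret.
    salt = b"constructed-per-user-salt"
    key = derive_vault_key("correct horse battery staple", salt)
    print("vault key (stays on device):", key.hex())
    print("login verifier (sent to service):", login_verifier(key).hex())
    print("correct master logs in:", enroll_and_login("correct horse battery staple",
                                                      "correct horse battery staple", salt))
    print("wrong master logs in:  ", enroll_and_login("correct horse battery staple",
                                                      "correct horse battery stapler", salt))
```

The red flag from the text, a service that receives the master password in recoverable form, is exactly what this layout avoids: the only value that crosses the network is already one-way, and the service degrades it once more before storing it.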
It must be responsive to reported vulnerabilities and proactive in addressing them
All software has flaws. It’s complex and abstract, and even seemingly minor mistakes that don’t affect the functionality can create a crack that an attacker can wedge open.
Thankfully there are ‘good guys’ out there looking for these as well, and it’s important that any company be receptive and responsive to any issues that are reported to them to ensure they are fixed promptly. This seems obvious, but there are still companies that are far more hostile or dismissive to such reports than they should be.
There are a few good password managers out there, but the one that ticks all the boxes consistently for me is LastPass.
These guys have been open to having their code reviewed by security analysts, have always been super responsive to any issues raised, and don’t store anything on their end that can be used to unlock your password list.
It’s supported across virtually every platform and browser and can be used effectively without having to sign up for the pro version. It also includes some nice additional features such as alerting you if you have reused passwords in more than one place, and allowing you to run a security scan across your passwords to identify any weak spots and alert you to known data breaches you may have been exposed to.
Keeping our data safe on the internet is an ongoing challenge, and until the world moves away from using passwords to authenticate everyone we need to use them in the best way we can.
To do this, we need to use unique, long, complex passwords for each and every site and app we have. That would be impossible for us to remember, and painful to enter all the time.
Password managers solve this by generating, storing, and entering these passwords for us, with us only needing to remember one good password to access them all. Doing so protects us from data breaches by ensuring any leaked username/password combination can’t be used anywhere else, and can be easily fixed by updating just that one site.