Passwords have been around for a while. Since the ‘60s, in fact. Yet people are still bad at them. It seems like every social media hack of a celebrity account and every DDoS attack that shuts down the internet could have been prevented with proper password maintenance. As always, make sure your passwords don’t suck.
A great way to make sure your passwords don’t suck is via a password manager. If you’ve read any of our materials or blogs or even so much as follow us on social media, then you know that we proudly champion password managers as a must-have option for the security-aware. And with the holidays right around the corner, you can bet that PMs are our top recommended gift!
What is a password manager?
Say goodbye to the impossible task of remembering all those passwords and logins. The average person has about 90 accounts. All of them need unique (read: different) passwords, but since we don’t have photographic memories, it’s likely the same passwords get used multiple times which is a major security fail.
Password managers solve this issue. PMs will store and sync your credentials across multiple devices. They will also automatically generate unique, impossible-to-crack passwords for each account. The task of importing your logins into a password manager is super simple. Most will automatically pull in any credentials that are cached in your browsers and, in some cases, recommend updating passwords seen as weak (which is probably all of them).
Updating passwords is still a bit tedious. This is one thing the manager cannot do for you (at least not for every account). You will need to go to the website and manually select the option to change your login credentials. But since the manager can generate passwords for you, the process is as simplified as ever.
Here’s a quick step-by-step guide on how to set up your manager:
Step 1: Download and install the software.
Step 2: Launch the software and set up your account.
Step 3: Create a strong master password. This step is ultra important as your master password gives access to all of your other accounts. A strong, unique master password is imperative to your security.
Step 4: Install the browser plugin. Most managers support Chrome, Firefox and Safari.
Step 5: Import all cached accounts. The manager will pull in any passwords and logins you have saved in your preferred browser. What’s great about this is that even if some accounts weren’t saved or the manager didn’t import them, the first time you log in to one of those accounts the manager will prompt you to save it. You only have to do it once.
Step 6: Update your passwords. As mentioned, this step can be tedious. But it’s also very important that you change any weak or common passwords. The manager will autogenerate them and save them for you.
Step 7: Install the software on your other devices and sync your account.
Step 8: Relax! You now never again have to worry about remembering logins and passwords, with the exception of your master password.
But wait, there’s more! Not only will the manager autofill your logins for you (if you use the browser plugin), it can also store your personal information like full name, address, date of birth, and autofill that information as well. The same is true for credit cards. With a password manager, you will no longer have to dig out your card and manually enter numbers and expiration dates to make purchases.
It can also save digital purchases as receipts, store IDs like your driver’s license and passport, and store secure notes that you want to password protect. Trust us when we say that once you start using a password manager, you’ll wonder how you ever got by without one.
But are password managers safe?
There is no such thing as absolute security. Let’s just start with that. Nothing will ever be perfectly secured. Keep that in mind as we move forward.
You may have read about the LastPass hack from earlier this year. Thankfully, the vulnerability was discovered by an ethical hacker who notified LastPass and they immediately fixed the problem. The other time they were hacked required the user to click on a malicious link. If you know us at all, then you know that we are in the business of yelling at people for clicking on sh*t. As always, think before you click!
But let’s get into the nuts and bolts. Just how safe are these managers? They do present that age-old “all your eggs in one basket” scenario, so we can understand the concern. If a criminal hacker were to get our master passwords, they’d have access to a bounty of logins (and credit card information). Thankfully, it’s highly unlikely for a criminal to crack your master password (assuming you created a strong one to begin with).
Here are five reasons password managers are safe:
- No one has access to your master password, not even the people that build and sell the software. Only you know the master password. If you forget it, it cannot be recovered.
- Most managers use AES-256 encryption, which is the strongest in the industry and even used by governments. Your passwords, if you use sync, are stored in the cloud. So top-level encryption is important.
- Most managers allow you to enable two-factor authentication. With 2FA enabled, it is impossible for a criminal to log in to your account unless they also have your second device such as your smartphone. We highly recommend utilizing 2FA.
- You don’t need to use the cloud. Some managers give you the option to utilize local sync, which stores your passwords locally across your network. If that’s not an option, you can disable sync and simply export your passwords to a spreadsheet. There are drawbacks to this as the autofill functions will no longer work, but you can copy and paste your credentials from the spreadsheet and remove the fear of a cloud server being hacked.
- Passwords generated by the manager for you are nearly uncrackable. They generally follow the SNL rule (symbols, numbers and letters) and automatically use upper and lowercase.
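To make the second and fifth points above concrete, here is a short added example (constructed for this post, not code from Dashlane or any other vendor). It shows the two things a manager does locally on your device: generate a password that satisfies the “SNL rule” from a cryptographically secure random source, and derive the vault key from your master password with a slow key-derivation function (PBKDF2-HMAC-SHA256 is assumed here; the article does not name the algorithm a given product uses). Because only the derived key, or a hash of it, ever leaves the device, the vendor never sees the master password itself, which is why it cannot be recovered if you forget it. The entropy and brute-force figures are illustrative arithmetic, not a vendor’s claims.

```python
"""Constructed illustration of two password-manager building blocks:
password generation and vault-key derivation. Not any vendor's code."""
import hashlib
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"          # 24 symbols (constructed set)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS   # 86 characters in total


def generate_password(length: int = 20) -> str:
    """Return a random password of `length` characters drawn with the `secrets`
    module (a CSPRNG, unlike `random`). Rejection sampling guarantees at least
    one lowercase, uppercase, digit and symbol without biasing fixed positions."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold all four classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
                and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits: float, guesses_per_second: float = 1e12) -> float:
    """Expected years to search half the keyspace at the given guess rate.
    The 1e12 guesses/second default is an assumed, deliberately generous attacker."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = 600_000) -> bytes:
    """Derive a 256-bit vault key (the size AES-256 needs) from the master
    password with PBKDF2-HMAC-SHA256. This runs on the user's device; only the
    random salt and iteration count need to be stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def verifier_hash(vault_key: bytes) -> str:
    """A sync server that must authenticate the user can keep a hash of the
    derived key. Holding this value does not reveal the key or the password."""
    return hashlib.sha256(b"verifier|" + vault_key).hexdigest()


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(20)
    print(f"generated: {pw}  ({bits:.1f} bits, "
          f"~{years_to_brute_force(bits):.1e} years at 1e12 guesses/s)")
    salt = secrets.token_bytes(16)                      # per-user random salt
    key = derive_vault_key("correct horse battery staple", salt)  # sample only
    print("vault key (hex):", key.hex())
    print("server-side verifier:", verifier_hash(key))
```

Two design points worth noticing: the generator never uses `random`, whose output is predictable, and the key derivation is intentionally slow (hundreds of thousands of iterations), so that even if an encrypted vault were stolen from a cloud server, every guess at the master password costs the attacker real computation. That is also why the article’s advice on a strong master password matters: the derivation slows guessing, but it cannot rescue a short or reused one.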
As mentioned, nothing in the online world will ever be 100 percent secure, including password managers. But even as technology evolves and alternatives—such as biometrics—become more common, we are many years away from replacing strong, unique passwords as the top security measure. Which means that even if password managers have their vulnerabilities (being stored in the cloud and all), they are still a dramatic improvement to your information security over not using one.
Okay, I’m convinced. But which one should I buy?
Congratulations! You’ve just made a wise step that will save you time, make your life easier, and keep you more secure than you’ve ever been before. Pat yourself on the back!
Now all you have to do is pick a password manager. Which one is the best? While we’re not in the business of product reviews, the author of this blog has used Dashlane for quite some time and confidently recommends their service. The software is user-friendly, easy to set up, and the interface is clean and intuitive. But don’t just take my word for it. Do your own research. Figure out which features are the most important to you. Ask about security either via their contact forms or via social media. These companies are active on Twitter and quick to respond. Most of them have materials on their website about their security such as this from Dashlane and this from Sticky Password.
Here’s a quick checklist of items we recommend researching:
- What encryption does it use? AES-256 is preferred.
- Is two-factor authentication supported?
- Where is the data being stored? Which service do they use for cloud storage? (Dashlane, for example, uses Amazon’s AWS servers, which are well known for their security standards.)
- Who has access to the master password? (Ideally, only you.)
- How many devices does it support?
- Does it support fingerprint readers or facial recognition?
- Is there a free version to demo?
- Can passwords be stored locally instead of the cloud?
Most of these programs are going to be similarly priced, so that’s less of an issue. But don’t just pick one and pay in full. If there are free demos—which there are in most cases—download them and give them a try. If you don’t like a particular manager, move on to the next one. There is some research to be done but it’s well worth it.
For more information, here are two reviews that compare several password managers and their subsequent features and price: