Cybersecurity & Standards, Government Surveillance
Put It In The Vault: Why You Should Use a Password Manager
Data breaches are on the rise. I have previously written about how keeping your software up to date and using two step login can help protect your online accounts. While you have the power to update software on your devices, you can’t control if or how often a website you use updates their software. And not every site offers protections like two-step login that might help secure your account and the information it holds. In these cases, a good password may be all that stands between your account and someone taking over your account or getting access to the information in one of your online accounts.
However, if you feel frustrated that a “good” password is often long, complex, and difficult to remember, you are not alone: research done by Microsoft has found that the average user has approximately 25 accounts with passwords. Remembering just one thing that is longer than about seven characters is difficult for the average person.
A password manager is a piece of software that helps you generate long, complex passwords, then securely stores all of these passwords in an encrypted virtual container. Thus, instead of remembering tens of passwords for each individual site, you instead merely remember one (strong) master password which unlocks the password manager software, where all your other passwords are stored. The password manager can then type the password for you into online forms or websites, or you can copy and paste it into the password field yourself.
Furthermore, in addition to having a usability benefit, there is a security benefit as well: if you use the same password on multiple websites, if any of those sites are breached, hackers can try to re-use your login credentials on other sites.
Since you may now be limiting yourself to one strong password for all of your accounts, you may still be concerned – after all, aren’t “good” passwords usually very long, complex, and hard to remember? Creating a password can feel like a catch-22: if it’s long and complex enough to thwart an attacker, it’s almost impossible to memorize. Luckily, there is a hack: since the human brain can generally remember 7±2 “chunks” of information, and a “chunk” could be a word, you can use a passphrase – a series of seven words that is easy to remember, but hard for a computer to crack. Unfortunately, people are bad at picking passphrases – they tend to use phrases from movies and TV shows, so you will want to use Diceware, a password generation system that uses a series of dice rolls to string together random words to generate your passphrase.
Now, at this point you may be wondering: what is the best password manager, then? Unfortunately, there isn’t one perfect password manager – it depends on your personal values and threat model. When picking a password manager, you should think about what factors are most important to you:
- Software License: due to the ability to audit open source code, some people may only want to trust their passwords to open source software
- Cost: Does the software require an ongoing fee to use?
- Compatibility: What operating systems does the software support?
- Usefulness: Can the manager sync your passwords across multiple devices by storing the database in the cloud?
- Complexity: How easy is the manager to use?
There are many other solutions out there which offer pretty much any combination of license, cost, compatibility, and ability to cloud sync that you could desire. For example, Encryptr is open source, supports cloud sync, and works on all the major desktop and smartphone operating systems. If you are less concerned about syncing your passwords across multiple devices, KeePass is fully open source and stores its password database locally. And if you’re less concerned about whether your password manager is open source, there are many products such as 1Password, Dashlane, and LastPass.
Finally, it should be noted that a password manager does not have to be a software program. If you simply want to generate strong passwords and write them down, that is fine. We already are good at protecting small pieces of sensitive information – credit cards, for example. So just remember: if you do choose to write down your passwords, put that piece of paper or notebook in a safe place – someplace you’d feel safe leaving a wallet full of cash.