Please use a password manager

Don’t wait—be proactive about personal security or likely regret it later.

As an ever increasing share of our lives are becoming digital the risk to our personal data is growing. The sites and applications we use do their best (hopefully) to secure our data, but at least part of the burden lies on us. One, if not the most, important part of which is our login credentials.

Apart from 2-factor authentication (which relatively few sites support) the best way I know to meet this burden is to use a password manager. Out of concern I posted about this and found out that relatively few of my friends & family use one. They were either not aware of the risk or of password managers a solution, or had mistaken notions about password managers and the security of their own “method.” This article addresses those concerns.

Why bother?

Major data breaches, like the recent Equifax breach are becoming more common. As if our personal information being stolen isn’t bad enough, big data breaches may include password data (hopefully hashed), potentially allowing attackers to login to and steal data from our other accounts or worse. If you use the same password on multiple sites, it’s just a matter of time.

Major data breaches and hacks becoming more common as shown visualized by informationisbeautiful.net. Shown in terms of data sensitivity (top) and size of leak (bottom) from 2004 to 2017 as of September 2017.

The problem is made worse by ever-increasing speed of computers, which can brute force passwords quicker than ever. Short passwords that are easy to remember are also easier to crack. Passwords need to be relatively long, random, and unique to be resilient to attack. Unfortunately good passwords are the ones that are too difficult to remember.

Combine these two facts — needing unique passwords for each account and needing complex passwords too difficult to remember — and you have a perfect reason to use a password manager.

What are the options?

  • Don’t register online accounts, keep a low profile. This is already difficult and becoming less practical as time goes on.
  • Use 2-factor authentication (makes sharing a password less risky), but only a small number of sites support 2-factor authentication. It’s also adds a step to the login process, slowing it down.
  • Use social login (e.g. Facebook, Google), but once again many sites do not support this, especially sensitive ones. Furthermore, increases the risk if someone gains access to your social account.
  • Use a password manager. This is the only solution that works pretty universally, makes your passwords more secure, and makes your login process more convenient rather than less so.

Isn’t storing password in the password manager a risk itself?

Yes of course, the more dependent we are on password managers, the bigger target they will become. Good password managers, however, strongly encrypt your data. Even if an attacker gains access to the data file, they would have to decrypt it to get any usable information. This is very difficult and not worth the effort in most cases. Unfortunately it’s not impossible, and indeed a recent breach of OneLogin exposed the encrypted data of their users, which the hackers may have been able to decrypt. If they have not done so already, OneLogin users need to change their passwords right away.

Considering the alternative, however, consistently using a password manager at least means you will always have a list of accounts which can be updated periodically and as needed.

I should also mention that the OneLogin hack put users’ data at risk because the data was stored in the cloud, presumably to facilitate syncing. Doing so makes OneLogin a target for attackers, who want to expend the least effort for the most reward and therefore will target online systems which host data from many users. Storing data locally and not in the cloud, disincentives attackers. A great deal of effort is needed to get the data of an individual person or family. Good password managers let you choose where to store your password data. 1Password, for example, stores data locally by default but lets you choose a sync strategy from various methods.

The sync method is customizable in 1Password.

I don’t need a password manager, I have an easy to remember system

This is not a silver bullet. Many people have systems and, just like common passwords, they tend to share things in common. Attackers are well aware of these techniques. That knowledge has been baked into cracking algorithms and due to this systems may actually do more harm than good. Are you a security and cryptography expert? Can you guarantee your system is a good one? The best system is random and too difficult to remember.

For the sake of argument let’s assume your system is a good one. Even this does not remove the risk. Over time as more breaches reveal your password, the likelihood that your system is compromised increases. Once your system is compromised, the attacker can use it to guess your login on other sites.

Finally, have you considered that using your system is actually slower than a password manager? I’m a very fast typer but my password manager is still faster.

I don’t need a password manager, I use pass phrases

Long pass phrases are generally better than passwords but unfortunately many sites don’t support them (character and length restrictions). Furthermore while they are easier to remember than passwords, it still doesn’t solve the problem of tending to use the same password on multiple sites or resorting to a system.

However, I do recommend using a pass phrase as the master password for your password manager, which is the key that unlocks all of the password data. This allows you to choose and memorize a very long master password without difficulty.

Can’t I just save passwords in my browser?

There are many reasons why this solution falls short:

  • Browsers don’t take the security of your passwords quite as seriously in that they don’t require a master password to unlock. You only need to be signed into the computer.
  • This method is not convenient when using computers other than your own. How do you sign-in on a public computer?
  • Browser passwords only work in the browser. That’s not a practical solution these days, in which your password is often needed for both web and mobile apps.
  • Password managers can store more than just passwords, which is very convenient. I use the password manager to store and fill credentials, credit cards, which browsers can also do. I also use the password manager to store other sensitive information I am likely to need: licenses, identities, bank account numbers, and any other information I might need access to on-the-go.

For these reasons I generally turn off the save password feature in my browser. You should think of your password manager as a digital vault that you can carry around.

Which password manager?

I’ve tried LastPass, 1Password, and dashlane. I personally prefer 1Password but the most important thing is that it’s secure and works with the least amount of hassle. Being secure is obvious, but low hassle is also important because the system is only secure if you use it. Low hassle means that:

  • It’s integrated with the places I need to use passwords, and creating, updating, and filling passwords is fast and easy.
  • It’s available on the platforms I use, and passwords are kept in sync so I always have the information I need to login.
  • It works reasonably well in a variety of situations and designs, and is well maintained with few bugs and crashes.
  • Takes security seriously, taking steps (strong end-to-end encryption, does not store one of the keys required to decrypt the data) so that data cannot be compromised even in the event of a breech.
Some popular choices of password managers.

For me, 1Password provides for the first two points. I use the desktop app and browser extensions to manage passwords on web applications, and the iOS app to manage passwords on my mobile devices. Various syncing services are supported—I happen to use Dropbox. 1Password also does reasonably well on the third point. More on this later. Other password managers meet these requirements as well, and I encourage you to try them and find one that works for you.

OK I downloaded a password manager. I’m safe now right?

No, you need to keep a few very important things in mind to make your password manager effective:

  • Use it on every site. Everywhere. Exceptions just make the whole system more vulnerable and more of a hassle (less likely to succeed).
  • Generate unique passwords for each site. Make them long when you can. At least 20–30 characters. The longer the password is, the harder it is to crack (exponentially harder, actually). You won’t need to type them most of the time anyway since the password manager will fill them in for you.
The random password generator in 1Password.
  • Change your passwords periodically. Not every site supports password managers perfectly. You will sometimes need to copy passwords to the clipboard in order to paste them in a login form. This isn’t very secure and could lead your password to be compromised in a number of ways. Good password managers will automatically clear password data from the clipboard after a short time, but this isn’t a perfect solution. Periodically changing your password also minimizes your exposure if an attacker had some how accessed one of tour accounts unbeknownst to you. This happens all the time.
  • Don’t get frustrated. Some services still have ridiculous and silly password restrictions. I just signed up on a website today that restricts passwords to 12 characters. It sucks, but at least the password was random so about as secure as I can make it given the restriction.
  • Make your master password very long too, perhaps using a passphrase that would be difficult to guess. It’s probably a good idea to change your master password occasionally too, to minimize the risk that it was leaked or picked up by a key logger at some point.
  • On that note, don’t share your master password except perhaps with your spouse. If you want to share passwords, have the other person setup their own vault and share individual passwords with them using the sharing feature within the password manager.

What is vulnerable in a password manager?

While I recommend using a password manager, I emphasize that it is not a perfect solution or a guarantee of personal security. When used properly it will significantly reduce your risk, nut not to zero. Given this, is there anything that should be avoided in a password manager?

My advice is to think twice about storing things which are both sensitive an permanent. Imagine that an attacker gains access to your password data but is unable to decrypt it. That’s great but won’t last. Even the best encryption may be breakable in the future with faster computers. Once your data is out there, there is a good chance it could eventually be opened. That’s not a huge problem for credentials, which are not likely to be valid still, but permanent information, such as your social security number, could be at risk.

Summary

Use a password manager, every time and everywhere. Generate strong, random and unique passwords for each account. Your information will be more secure, and your life less frustrating than with the alternatives at present. If something better comes along, lets talk about it.