You Need A Password Manager

It’s 2020 — it’s time to take the plunge.

Andrew Selig
The Startup
4 min read · Apr 21, 2020


There’s no shortage of articles about data breaches that expose email addresses and passwords. And when you consider that over half of Internet users reuse the same password for all of their accounts, you have a recipe for personal disaster.

The hardworking people over at HaveIBeenPwned keep track of these breaches, collect as much of the breach data as possible, and then let you check whether your email address has been part of one (or a lot!) of them. If your username and password show up in a breach and you know you use the same pair elsewhere, you can bet that someone on the infamous “dark web” will be trying that pair against other sites as well.

The best defense is to limit your exposure to these breaches, so that one compromised account doesn’t affect any of your other accounts. Coming up with new, unique passwords is a pain, and storing them securely is another issue. Enter password managers.

What’s all the fuss over password managers?

Password managers create long, complex passwords that you’ll never need to remember. They store these passwords in an encrypted container, kept secure by a password only you know (we’ll get to that later). In addition to storing passwords, these containers can store secret questions, account numbers, and all sorts of vital information you need on a periodic basis. They take time to set up, but relieve a lot of the headache of proper account management.

Step 1: Pick a password manager

A lot of selecting a password manager comes down to cost and features that you’re looking for. Some of the larger players in this space:

  • 1Password — Started out with a lot of iOS and macOS integrations, but now has full support for all the major platforms.
  • LastPass — Another popular cloud-based choice, though with some previous issues with weaknesses in their code.
  • BitWarden — A free, open-source platform that also offers additional features for an annual cost.
  • KeePass — Another open-source contender that keeps the data on your local device, and requires another method to sync across all platforms.

Pick one that suits your needs and your wallet, and move on to step 2.

Step 2: Set a master password

You need to come up with your master password, the one that will protect all the others. Make it good! The best password is one that is long, but that you can remember. Most people have several passwords that they have used across their accounts. One tip is to take all of these passwords, put a “!” or a “$” between them and voila, a long, secure password that’s easy to remember. Pick a favorite sports team, tack it on the end, just to make sure it’s new. When a password is really long, a lot of what you have been told to avoid goes out the window.

If you choose a password manager that supports multi-factor authentication, be sure to set it up as well, as this will bolster the security of your manager.

Step 3: Start the migration

You have a nice, shiny, empty password file, and now you need to fill it up! Find some sites that you don’t use as much and that aren’t as important to your social and financial well-being. They matter less if something goes wrong, which makes them a good way to get your feet wet without locking yourself out. Log in using your normal password and change the password to one generated by your password manager. Length and complexity are up to you, and most software will tell you how secure your password settings are. Start out with 20 alphanumeric characters, and you should have something that is secure but still easy to read if you ever need to type it.
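To show why 20 alphanumeric characters is a comfortable starting point, here is an added example (mine, not code from the article or from any of the managers named above) that generates such a password from the operating system’s CSPRNG via Python’s `secrets` module and works out the size of the search space an attacker would face, comparing it with a short password drawn from the full printable-ASCII set. The name `search_space_bits` and the 95-character printable set used for the comparison are my own choices for the example.

```python
import math
import secrets
import string
from typing import Dict

# Alphabets used in the comparison. ALNUM is what the article recommends starting
# with; PRINTABLE (95 chars) stands in for a "complex" short password.
ALNUM = string.ascii_letters + string.digits          # 62 symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "  # 95 symbols


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of work for a brute-force search over all passwords of this shape:
    log2(alphabet_size ** length). This is the generator's entropy when every
    character is chosen uniformly at random, as generate_password does."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("length must be positive and alphabet must have >1 symbol")
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = ALNUM) -> str:
    """Draw each character independently and uniformly with secrets.choice.

    Retries until the result contains both a letter and a digit, which most
    sites' password rules demand; the retry loop shaves a negligible amount
    of entropy and is essentially never taken at length 20."""
    if length < 2:
        raise ValueError("need at least 2 characters to hold a letter and a digit")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate):
            return candidate


def compare_shapes() -> Dict[str, float]:
    """Search-space size for a few common password shapes, rounded to 1 bit."""
    return {
        "8 chars, full printable ASCII": round(search_space_bits(8, len(PRINTABLE)), 1),
        "12 chars, alphanumeric": round(search_space_bits(12, len(ALNUM)), 1),
        "20 chars, alphanumeric": round(search_space_bits(20, len(ALNUM)), 1),
    }


if __name__ == "__main__":
    print("generated:", generate_password())
    for shape, bits in compare_shapes().items():
        print(f"{shape}: ~{bits} bits")
```

The numbers make the article’s point concrete: eight characters from every key on the keyboard give roughly 53 bits, whereas twenty letters and digits give roughly 119 bits, so length buys far more than symbol variety does. Note that the entropy figure only holds for passwords produced by a uniform random generator; a human-chosen string of the same length is much weaker than the formula suggests.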

Don’t cheat! If you log into a site with a password you know, your first trip is to the account settings to change it.

This is also a great time to double check that each account is using the correct email address, to unsubscribe from any newsletters you no longer want, and to update mailing addresses.

Step 4: Bask in your secure new world, and then start all over again

Microsoft and NIST have made headlines in the past few years by recommending that companies stop forcing users to change their passwords every 90, 180, or 365 days, since mandatory rotation may do more harm than good. While it may be tempting to set it and forget it, take the time periodically to change the master password and the passwords for your financial, health, and email accounts, so that if any of them were compromised, the old credential is no longer valid.

Password management is a great example of where a little work goes a long way. Take the time to set it up, and you’ll feel in much better shape for the next breach.

A note on my KeePass workflow

When I went the password manager route several years ago, I ended up with KeePass on my laptop, phone, and work computer. I liked the ability to control the file entirely, and that it was free. Syncing is performed by storing the KeePass file on my Box drive. The password protecting the file is long enough that it will be safe until quantum computing really ramps up, and it is paired with a key file that is kept separate on each individual device. All in all, it’s a risk I’m willing to take.

In researching this post I spent some time taking a look at BitWarden, and think it will be worth kicking the tires. If I am able to elevate my homelab in a way that lets me run it locally, it might take over for KeePass.
