What is a password manager?
Once upon a time, during the early years of the Internet, you may have had a handful of passwords for a few essential web applications that you used to shop, study, stay connected, and get work done. Today, things are much more complicated. A 2017 report from LastPass found, on average, people had to remember 191 different passwords—just for work—not to mention their personal passwords.
While technology promises to make our lives easier, and it generally does, every new website and application we sign up for is another password we have to remember. For most, it’s become impossible to remember all of them. The 2019 Google Online Security Survey found 52 percent of respondents reused the same password for multiple (but not all) accounts. This is a big no-no.
Using giant lists of stolen passwords (aka “dumps”) bought off the dark web, cybercriminals can brute force their way into other sites or use old passwords to extort users in scams. This is the data breach domino effect. One breach leads to another and another and so on.
According to the 2019 Verizon Data Breach Investigations report, 80 percent of data breaches are caused by compromised, weak, and reused passwords.
So, how did we get here, and what can we do about it?
The famous xkcd web comic “Password Strength” explained it best: “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
It’s true. 20 years ago cybersecurity professionals admonished consumers for failing to change default passwords on IoT devices (like your Internet router) or using easy to guess passwords like “12345” or “password”. Out of this came the long and strong password xkcd pokes fun at: a common word with a mixture of uppercase and lowercase letters, at least one number, and one symbol.
When creating a new account, websites demand that we create long and strong passwords. Failing that, we aren’t even allowed to make an account. Assuming one gets past the account creation phase, you’re going to promptly forget the Enigma machine cypher you just made and resign yourself to using the “Forgot Password?” link as your everyday log in option.
Fortunately, you don’t have to remember all those passwords. A password manager can remember them for you.
Malwarebytes Labs defines a password manager as “a software application designed to store and manage online credentials. It also generates passwords. Usually, these passwords are stored in an encrypted database and locked behind a master password.”
Once all your account usernames and passwords have been entered into the vault, your master password is the only one you have to commit to memory. Entering your master password unlocks your password vault, and from your vault you can then retrieve whatever password you need.
What are the benefits of using a password manager?
You don’t have to memorize all your passwords anymore. You only need to remember the master password that unlocks your password vault. And if you opt for a cloud-based password manager, you can access your password vault anywhere, from any device.
They can auto-generate highly secure passwords for you. Password managers will typically ask you if you’d like to use an auto-generated password whenever you create a new account with a website or application. These random passwords are long, alphanumeric, and essentially impossible to guess.
They can alert you to a phishing site. Here’s a quick gloss on phishing scams. Spam emails are spoofed or faked to look like they’re coming from a legitimate sender, like a friend, family member, coworker, or organization you do business with. Links contained within the email direct to similarly spoofed malicious websites designed to harvest login credentials. If you’re using a browser-based password manager, it will not auto-complete the username and password fields since it doesn’t recognize the website as the one tied to the password.
They can help your beneficiaries when you pass away. This is called a digital inheritance. In the event of your death, your family or whoever you designate to administer your estate will gain access to your password vault.
Password managers save time. Beyond just storing passwords for you, many password managers also auto-fill credentials for faster access to online accounts. In addition, some can store and auto-fill name, address, email, phone number, and credit card info. This can be a huge timesaver when shopping online, for example.
Many password managers sync across different operating systems (OSes). If you’re a Windows user at work and a Mac user at home, jump on your Android Monday through Friday and turn to iOS on the weekends, you’ll be able to quickly access your passwords regardless of which platform you’re on. Ditto for all the most popular web browsers; i.e., Chrome, Firefox, Edge, Internet Explorer, and Safari.
They help protect your identity. In a roundabout way, passwords managers help protect against identity theft, and here’s why. By using a unique password for every site, you’re essentially segmenting your data across each website and application you use. If a criminal hacks one of your accounts, they won’t necessarily be able to get into any of the others. It’s not foolproof, but it’s an additional layer of security that you’ll certainly appreciate in the aftermath of a data breach.
Are password managers safe?
Password managers have been hacked, but their overall track record when it comes to securing user data is very good.
Password manager LastPass suffered a data breach in 2015. During the breach, cybercriminals made off with user emails but did not manage to steal any passwords. Even if they did, most password managers, including LastPass, use hardcore military-grade encryption to keep passwords safe.
Compare this to Facebook, Google, and Twitter. All three tech giants have admitted to accidentally storing user passwords in plain, readable text—no encryption to speak of—for some of their users, going back several years. And in the case of Google, all the way back to 2005. As far as anyone knows, none of the passwords were stolen, though Google reset affected passwords “out of an abundance of caution” immediately after discovering their mistake.
Latest news on password managers
What are the types of password managers?
Desktop-based password managers store your passwords locally on your device, like your laptop, in an encrypted vault. You can’t access those passwords from any another device, and if you lose the device, then you lose all the passwords stored there. Locally-installed password managers are a great option for people who just don’t want their data stored on someone else’s network. Some locally-installed password managers strike a balance between privacy and convenience by allowing you to create multiple password vaults across your devices and sync them when you connect to the Internet.
Cloud-based password managers store your encrypted passwords on the service provider’s network. The service provider is directly responsible for the security of your passwords. The primary benefit of cloud-based password managers, 1Password and LastPass being good examples, is that you can access your password vault from any device as long as you have an Internet connection. Web-based password managers can come in different forms—most commonly as a browser extension, desktop app, or mobile app.
Single sign-on (SSO). Unlike a password manager that stores unique passwords for every application you use, SSO allows you to use one password for every application. Think of SSO as your digital passport. When entering a foreign country, a passport tells the officials at customs and immigration that your country of citizenship vouches for you and that you should be allowed to enter with minimal hassle. Likewise, when using SSO to log into an application, you aren’t required to verify your identity. Instead, the SSO provider vouches for your identity. Businesses favor SSOs over password managers for a few reasons. Chiefly, SSO is a secure and convenient way for employees to access the applications they need to get their jobs done. SSOs also reduce the amount of time IT spends troubleshooting and resetting forgotten passwords.
Password best practices
Don’t reuse passwords. Even with a password manager. Instead, create unique passwords for every site and let your password manager do what it’s designed to do.
Create complex passwords. Many password managers helpfully auto-suggest strong passwords whenever you create an account for a new site. If not, try to use a random combination of letters and numbers, and shift between uppercase and lowercase. The more complex and nonsensical, the better—especially since you won’t be required to remember it. The password manager will do that. The one key difference is in creating your master password (the one that unlocks all the other passwords). This one you will need to remember, so unless you’ve got an eidetic memory, try to think of something memorable to you, but not easily traced back to your identity. Then add in some caps, some letters, and some fancy characters, and you’ve got a well-protected password vault.
Use a passphrase. When it comes to creating your master password (the one that unlocks your other passwords), try using a passphrase; i.e., a series of words that are easy to remember, but hard to guess. Something familiar with a strange twist, for example: “bean burrito ice cream split.” Or just a bunch of random things that a human can easily visualize, but a computer can’t: “fancy rat neon avocado car.” Use your imagination! Pets, children, or other family names, or lines like “Let me in!” are far too common, and therefore easy for cybercriminals to decipher.
Enable two-factor (2FA) or multi-factor authentication (MFA). One of the best ways to secure any account, password manager or not, is to enable MFA. With an MFA-enabled password manager, you’ll be required to verify your identity using two or more authentication factors, which include something you know, something you possess, and something you are. The something you know is typically your password, but it can also be a PIN number. Something you possess might be your mobile phone, bank card, or a security token on a USB stick. Finally, something you are can be verified using biometrics, such as facial, voice, or iris recognition and fingerprint ID. Behavioral biometrics, such as keystrokes, can also be applied.
This extra layer of security means anyone attempting to log into your account (yourself included) will need to control those additional authentication factors outside of username and password. An example of this would be: After you enter your master password to access the password manager, a code would be sent to your mobile phone, which you would then need to enter before accessing the vault. One thing to keep in mind when using your phone as an authentication factor—phone numbers can be hijacked.
It’s called SIMjacking (aka SIM-swapping) and it happens when a cybercriminal, posing as you, convinces your phone carrier to reassign your phone number to their phone by successfully answering your security questions. A cursory social media search is often all it takes for crooks to glean the answers they need. And once criminals have control of your phone, they have everything they need to steal your identity. Accordingly, you might look to a software-based authenticator like Authy or Google Authenticator instead for critical accounts.
Think twice about free password managers. Many of the most popular free password managers actually operate under a freemium business model, meaning you have to pay up if you want the best—sometimes essential—features. Do you need your passwords to sync across browsers and devices? Do you need digital inheritance? Do you need to share logins with family? Do you need multi-factor authentication? Free password managers don’t usually include these features. MFA, in particular, is a must have. In the debate between free vs. paid, opt for a paid password manager.
Create a password manager policy. Here’s a tip for small- and medium-sized businesses: Create a password manager policy and let employees know it’s okay to use a password manager to secure their work accounts. Your staff is already using a hodgepodge of potentially insecure methods to try and manage their many passwords, and most data breaches start with a weak or reused password. An official password manager policy is your first line of defense against a cyberattack on your network.