Many people underestimate the importance of good password management practices. Passwords are often the only line of defense you have against someone other than yourself gaining access to your accounts and data. Worse still, many people re-use the same password across multiple accounts, so a single compromised password gives an adversary access to all of them. The reason for this is that humans are not good at remembering long and complex passwords, let alone the many different long and complex passwords today's digitally connected person needs.
Fortunately, there is a solution to this problem. Enter Password Managers. Password managers, as the name suggests, manage all of your passwords for you so you don’t have to. Most of them include handy tools that can generate complex passwords, change your passwords for supported sites automatically on your behalf and have browser plugins that can perform auto-fill on login forms. This makes it far easier to ensure that you are using secure passwords that are not easily guessed and are regularly rotated.
In addition to password managers, it is important to have a ‘password policy’ for yourself. Anyone that has worked in a corporate environment is probably familiar with having to change their password on a regular basis (typically every 60-90 days), and with the password having to be a certain length and meet certain complexity requirements. You should take this same approach with the passwords you use in your personal life. While this can be somewhat of an inconvenience, it will dramatically increase the security posture of your accounts – and password managers can make this process far less painful.
What if I don’t trust password managers storing all of my passwords? Well, if you are of the belief that having your passwords stored on someone else’s server is a greater risk than those mentioned at the top of this article, the following should ease your mind.
- Most good password managers encrypt your password locally (on your computer) before uploading it to the cloud.
- Your passwords are encrypted using your master password.
- Most password managers use very strong encryption, so even if an attacker somehow obtained the encrypted passwords, the time required to decrypt them without the master password makes an attempt infeasible.
- If you follow a password policy, your passwords will change often enough that an attacker who did manage to compromise one would likely be too late to use it.
Still do not like the idea of storing your passwords on someone else’s server? For that, there are offline password managers that you can use to store a database of passwords locally on your computer. Of course, you will be responsible for backing up this database as well as ensuring no one else gets a copy of it. Additionally, these often do not offer the same functionality as the password managers outlined above, such as auto-fill on web forms or automatically changing your passwords on a schedule.
Don’t want to use a password manager at all? In this case, it is important to use strong passwords – pass-phrases really. Rather than using a password, which is typically short, think of a short phrase and use that as a password, replacing common letters with similar special characters or numbers, for example:
- i = !
- a = @
- h = 4
- t = 7
This will help to ensure your passwords are long and complex without the need for a password manager. It is still highly recommended to change your passwords regularly though and not re-use these pass-phrases across multiple services.
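As an added illustration (not code from the original post), the script below applies the substitution table above to a short phrase and then audits a small constructed list of vault entries against a personal password policy like the one described earlier: a minimum length, a 90-day rotation age, and no password shared between services. The entries, dates and thresholds are made-up values for the example.

```python
from datetime import date

# Substitution table from the post: common letters swapped for look-alike symbols.
SUBSTITUTIONS = {"i": "!", "a": "@", "h": "4", "t": "7"}


def passphrase_from_phrase(phrase: str) -> str:
    """Apply the post's letter-for-symbol substitutions to a phrase (case-insensitive)."""
    return "".join(SUBSTITUTIONS.get(ch.lower(), ch) for ch in phrase)


def audit_vault(entries, today, min_length=16, max_age_days=90):
    """Check (service, password, last_changed) records against a personal policy.

    Returns a list of (subject, issue) tuples: length and rotation-age findings
    per service, plus one finding per group of services sharing a password.
    """
    findings = []
    services_by_password = {}
    for service, password, last_changed in entries:
        services_by_password.setdefault(password, []).append(service)
        if len(password) < min_length:
            findings.append((service, "too short"))
        if (today - last_changed).days > max_age_days:
            findings.append((service, "older than policy"))
    for services in services_by_password.values():
        if len(services) > 1:  # the same password protects more than one account
            findings.append((", ".join(sorted(services)), "same password reused"))
    return findings


# Constructed sample vault: one long pass-phrase built with the table above,
# and one short password re-used on two services, one of them stale.
TODAY = date(2024, 3, 15)
SAMPLE_ENTRIES = [
    ("mail", passphrase_from_phrase("the cat sat on the mat"), date(2024, 1, 10)),
    ("bank", "Winter2023", date(2023, 11, 1)),
    ("shop", "Winter2023", date(2024, 3, 1)),
]

if __name__ == "__main__":
    for subject, issue in audit_vault(SAMPLE_ENTRIES, TODAY):
        print(f"{subject}: {issue}")
```

Running it reports the bank and shop passwords as too short, the bank password as overdue for rotation, and the pair as sharing one password, while the substituted pass-phrase passes.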
Taking into consideration all that is outlined above, here are some recommendations for good password managers that I have used – though I don’t endorse any one of them and will leave it to you to choose the one with the best feature set for your needs.
Online Password Managers:
- LastPass – https://www.lastpass.com/
- DashLane – https://www.dashlane.com/
- BitWarden – https://bitwarden.com/
Offline Password Managers:
- KeePass – https://keepass.com/