Why you need to use a password manager

If you thought the age of passwords will soon be over, think again. They’re here to stay — for now.

Passwords are cumbersome and hard to remember — and just when you do, you’re told to change them again. And sometimes passwords can be guessed and are easily hackable. But while nobody likes passwords, they’re a fact of life. And while big tech and startups small have tried to kill off passwords by replacing them with fingerprints and face-scanning technology, neither are perfect and many still resort back to the trusty (but frustrating) password.

How do you make living with passwords easier? You need a password manager.

What is a password manager?

Think of a password manager like a book of your passwords, locked by a master key that only you know and other security protections to guard your most sensitive secrets.

Password managers don’t just store your passwords — they help you generate and save strong, unique passwords when you sign up to new websites. That means whenever you go to a website or app, you can pull up your password manager, copy your password, paste it into the login box, and you’re in. Often, password managers come with browser extensions that automatically fill in your password for you.

And because many of the password managers out there have encrypted sync across devices, you can take your passwords anywhere with you — even on your phone.

You might think a “master key” to your password manager might sound like a single point of failure. What if someone gets my master password? That’s a reasonable and rational fear. But assuming that you’ve chosen a strong and unique, but memorable, master password that you’ve not used anywhere else is a near-perfect way to protect the rest of your passwords from improper access. Plus, most password managers also come with additional protections, like two-factor authentication, meaning a determined hacker could not access your password manager with just your master password alone.

Why do you need to use one?

Password managers take the hassle out of creating and remembering strong passwords, and storing other secrets like tokens, credit cards and even crypto keys. It’s that simple. But there are three good reasons why you should care.

Passwords are stolen all the time. Sites and services are at constant risk of breaches as much as you are to phishing attacks that try to trick you into handing over your password. Although companies are meant to scramble your password when they store it — a process known as hashing — not all use strong or modern algorithms, making it easy for hackers to reverse that hashing and read your password in plain text. Some companies don’t bother to hash at all! That puts your accounts at risk of fraud or your data at risk of being used against you for identity theft.

But the longer and more complex your passwords are, the longer it takes for hackers to unscramble them. That can be a password that’s a mix of uppercase and lowercase characters, numbers, symbols and punctuation — or, as many are moving towards, the use of deliberately lengthy pass-phrases, which make up several unique words that can be easily remembered but can be far stronger than shorter passwords.

The other problem is the sheer number of passwords we have to remember. Banks, social media accounts, our email and utilities — it’s easy to just use one password across the board. But that makes “credential stuffing” easier. That’s when hackers take your password from one breached site and try to log in to your account on other sites. Using a password manager makes it so much easier to generate and store stronger passwords that are unique to each site, preventing credential stuffing attacks.

And, for the times you’re in a crowded or busy place — like a coffee shop or an airplane — think of who is around you. Typing in passwords can be seen, copied and later used by nearby eavesdroppers. Using a password manager in many cases removes the need to type any passwords in at all. The more popular password manager features also let you securely share passwords with your friends or colleagues.

Which password manager should you use?

The simple answer is that it’s up to you. All password managers perform largely the same tasks — but different apps will have more or relevant features to you than others.

Up-to-date iPhone and iPad users have a password manager built-in by default — so there’s no excuse not to use one. You can sync your passwords across devices using iCloud Keychain. Apple also has a Chrome extension for those who want to access their iOS passwords on another browser or a Windows computer.

For anyone else, most password managers are free — with the option to upgrade to get better features.

If you want your passwords to sync across devices for example, 1Password is widely used and integrates with Troy Hunt’s Pwned Passwords database, so you can tell if (and avoid!) a password that has been previously leaked or exposed in a data breach.

DashLane has a free offering for a single device.

Some password managers are open source, like KeePass and BitWarden allowing anyone to read the source code. KeePass doesn’t use the cloud so it never leaves your computer unless you move it. That’s much better for the super paranoid, but also for those who might face a wider range of threats — such as those who work in government. Because it’s open source, others have taken the project and created their own open source versions, like KeePassXC, which includes a range of more modern features.

Although most browsers like Chrome, Firefox, and Safari allow you to save your passwords, some security experts warn that password-stealing malware targets browsers in the hope of stealing passwords and other sensitive secrets.

Like all software, vulnerabilities and weaknesses in any password manager can put your data at risk. But so long as you keep your password manager up to date — most browser extensions are automatically updated — your risk is significantly reduced.

Simply put: using a password manager is far better for your overall security than not using one.

Cybersecurity 101 - TechCrunch