
Why you should use a password manager

Password managers are a fantastic tool to keep your online credentials secure. Here's why you should use one.

For years, I read many, many articles about password managers – much like this one – and despite the fact that I’ve been working in the information security field for about a decade, I still resisted trying them out. It seemed like a lot of hassle, and who needs more of that?

Instead, I kept an arsenal of passwords in my head: A few “disposable” ones for sites I didn’t care much about that I reused constantly, a couple other slightly-more complicated passwords that I used more sparingly, and for a few really crucial sites (mainly financial ones) I had long, complex, and unique passwords that I managed to remember due to sheer repetition and stubbornness.

While on a long vacation abroad a few years ago, I found myself needing to send an urgent message to family, and my email account was one of those accounts using a long, complex password. Since it had been several weeks since I’d logged in, no matter what I tried I just could not remember my password. I tried to log in so many times I locked myself out of my account.

Mea culpa.

When I got back from my trip, I knew it was time to stop this madness and use a password manager once and for all. Now that I’ve been using one for several years, I can’t imagine still trying to juggle a few weak passwords in my head.

If my story about juggling a few sets of passwords in your head sounds familiar, I’m here to convince you to take the plunge and use a password manager once and for all.

Here’s why:

They’re simple to set up and easy to use

Before using my first password manager, I imagined I’d have to sit down for hours in front of a big spreadsheet, recounting every username and password for every website I frequent. Nobody would look forward to that kind of chore.

Thankfully that’s not how it works. A password manager captures your existing username and password the first time it sees you enter them on a website, and then stores them in a secure password vault for recall next time. The idea is that, once you’ve set up a password manager, the only password you’ll ever have to remember is the vault’s master password.

As you go about your business online – for example, as you log in to your email account – the password manager will notice that you’ve typed in some credentials and will offer to save them in the password vault for you. Next time you log in, the password manager will enter your credentials for you automatically, easy as that.

And when you change your account’s password, which you really should if it’s one you’ve reused somewhere, the password manager will detect the change and update the password on file for you.

They make sure your passwords are unique and strong

I can’t emphasize it enough: you really should be using unique, strong passwords on all websites you use. Why? When a site gets hacked, hackers will often take the credential data they’ve mined – usernames and passwords – and try that data out on other websites to break in to accounts there, too. Sadly, it works because so many people reuse credential information across many websites. (You can check to see if your information has been used in an attack like this via haveibeenpwned.com.)

But as services online proliferate, creating – let alone remembering – a unique password for every single one becomes practically impossible. Thankfully, password managers can step in and help here by generating unique passwords for you.

A strong* password should be of decent length and contain a good mix of upper- and lowercase letters, numbers, and special characters. That means a good password could look something like this: Vp$lskFOyS4h^oqI.

It’s hard enough to try and think of dozens of passwords that look like that, let alone trying to remember them. Thankfully, the password manager takes care of both of these tasks for you.

So in the worst-case scenario, where your account is caught up in a website breach, a unique password means the hacker only gets access to that one account, not a treasure trove of all your other ones.

* Remember: Just because a site doesn’t require a strong password doesn’t mean you shouldn’t use one. Let’s not make an attacker’s job easy for them!
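The three checks this section describes, as an added Python example that is not part of the original article and not the code of any of the password managers it names: generating a password from the operating system’s cryptographic random source so that it covers every character class, flagging passwords that are reused across sites in a vault, and the k-anonymity lookup that haveibeenpwned.com’s Pwned Passwords range API uses (only the first five hex digits of the SHA-1 hash leave the client). The vault entries, the range reply and its breach count are constructed for the example; no network request is made.

```python
import hashlib
import math
import secrets
import string
from typing import Dict, List

# Character classes the article lists: upper, lower, digits and special characters.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}
ALPHABET = "".join(CLASSES.values())   # 87 characters in total


def covers_all_classes(password: str) -> bool:
    """True when the password contains at least one character from every class."""
    return all(any(c in chars for c in password) for chars in CLASSES.values())


def generate_password(length: int = 16) -> str:
    """Draw a password from the OS CSPRNG, retrying until every class is present.

    secrets.choice reads from os.urandom; the random module's PRNG is seeded
    predictably and must not be used for credentials.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if covers_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password that guards more than one site to the sites sharing it.

    This is the reuse check a manager runs over its vault; `vault` is {site: password}.
    """
    by_password: Dict[str, List[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def matches_pwned_range(password: str, range_response: str) -> int:
    """Return how often a password appears in breach data, per a Pwned Passwords range reply.

    The real lookup sends only the first five hex digits of SHA-1(password) to
    https://api.pwnedpasswords.com/range/<prefix> and gets back every matching
    35-character suffix with a count, so the full hash never leaves the client.
    `range_response` is assumed to be the reply for this password's prefix.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    suffix = digest[5:]
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


# Constructed vault showing one reused throwaway password and one unique strong one.
SAMPLE_VAULT = {
    "mail.example": "hunter2",
    "shop.example": "hunter2",
    "bank.example": "Vp$lskFOyS4h^oqI",
}

# Constructed stand-in for the range reply for prefix 5BAA6 (SHA-1 of "password"
# begins 5BAA61E4...); the count is made up and the other two suffixes are invented.
SAMPLE_RANGE = """1E2AAA439C4FC9DF4B4B3A7C1E2B4E8D1F4:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F3B7DD1F1C1F2D4B4A4B0C8E5D8E2A6B9C:1
"""

if __name__ == "__main__":
    print("generated:", generate_password(16), f"({entropy_bits(16):.0f} bits)")
    print("reused:", find_reused_passwords(SAMPLE_VAULT))
    print("'password' seen in breaches:", matches_pwned_range("password", SAMPLE_RANGE))
```

A 16-character password over this 87-symbol alphabet carries roughly 103 bits of entropy, which is why the article’s example is out of reach of guessing even when the site’s own hashing is weak; the reuse check is the same logic behind the “duplicate password” warnings that several managers in the comments below are praised for.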

Seriously, you can’t remember all those passwords

When you use a password manager, your passwords can be mobile yet still secure. Most password managers let you sync your vault between multiple machines (so you can have access on your home and work computers, for example). Some also offer a phone app (LastPass), or let you export your encrypted vault to a file or a USB key (KeePass); either option lets you get at your secure password vault while on the go.

One of my favorite use cases is for securely sharing credentials to an account used by trusted parties. For example, while my spouse and I both have our own personal password manager accounts that we keep private, we can opt to share specific credential sets between our two accounts so we can both securely access them, and keep those credentials synced.

This makes things like accessing the monthly electricity bill or joint banking accounts much, much easier. Plus, if one of us changes the password to one of these shared accounts, since the password manager keeps track of the changes we both automatically have the updated credentials.

It might make you feel a bit wary to have all your passwords stored in one central place, but any password manager worth its salt uses heavy-duty encryption to keep your information safe. In addition, many offer two-factor authentication (2FA)!
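What “heavy-duty encryption” of a vault amounts to, as an added Python example that is not from the article or from any of the products it names: the master password is stretched with a salted PBKDF2 into separate encryption and authentication keys, the serialised vault is encrypted and then authenticated (encrypt-then-MAC), and a wrong master password or an edited vault file is rejected before any plaintext is produced. Because the standard library ships no block cipher, the encryption step uses HMAC-SHA256 in counter mode as a teaching stand-in for the AES-256 or ChaCha20 a real manager would use; the vault entries, master password and iteration count are constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed sample vault and master password; both are made up for this example.
VAULT_ENTRIES = {"mail.example": "Vp$lskFOyS4h^oqI", "bank.example": "x9!Rq2#Lm8@Wz4$T"}
MASTER = "correct horse battery staple"

# The iteration count slows offline guessing of the master password; real managers
# use far more work (or a memory-hard KDF such as Argon2) as hardware allows.
PBKDF2_ITERATIONS = 100_000


def derive_keys(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS):
    """Stretch the master password into two independent 32-byte keys.

    The salt is stored with the vault, so two users with the same master
    password still get different keys and a precomputed table is useless.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]   # (encryption key, MAC key)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a teaching stand-in for a real stream/AEAD cipher."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(vault: dict, master_password: str) -> bytes:
    """Serialise the vault, encrypt it, then MAC everything (encrypt-then-MAC).

    Layout of the returned blob: salt(16) | nonce(16) | ciphertext | tag(32).
    """
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(vault).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(blob: bytes, master_password: str) -> dict:
    """Check the tag before touching the ciphertext.

    A wrong master password (or a modified file) fails here with a clear error
    instead of decrypting to garbage.
    """
    if len(blob) < 16 + 16 + 32:
        raise ValueError("vault blob too short")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def roundtrip_ok() -> bool:
    """The correct master password recovers exactly the stored entries."""
    return decrypt_vault(encrypt_vault(VAULT_ENTRIES, MASTER), MASTER) == VAULT_ENTRIES


def wrong_password_rejected() -> bool:
    """A wrong master password is refused before any plaintext is produced."""
    blob = encrypt_vault(VAULT_ENTRIES, MASTER)
    try:
        decrypt_vault(blob, "not the master password")
    except ValueError:
        return True
    return False


def tamper_detected() -> bool:
    """Flipping one ciphertext bit invalidates the tag, so the edit is caught."""
    blob = bytearray(encrypt_vault(VAULT_ENTRIES, MASTER))
    blob[40] ^= 0x01   # byte 40 lies inside the ciphertext (after the 32 header bytes)
    try:
        decrypt_vault(bytes(blob), MASTER)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("round trip:", roundtrip_ok())
    print("wrong password rejected:", wrong_password_rejected())
    print("tampering detected:", tamper_detected())
```

The point the commenters below raise about “all your eggs in one basket” shows up in this design as the two things that matter: the work factor of the key derivation and the strength of the master password, because an attacker who obtains the encrypted vault file can only guess master passwords offline against that derivation.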

Ready to try a password manager? Great!

If I’ve convinced you to give a password manager a try, the best way to get started is to dive right in. Most have a free version you can use, with some premium features you have to pay to unlock. Below are the four I’m most familiar with, but there are a lot of options available to you.

  • 1Password
  • Dashlane
  • LastPass
  • KeePass

So how about it, are you going to give a password manager a try or are you still not convinced? Are you already a password manager fan? Let us know in the comments.

56 Comments

100% agree. I’ve been using KeePass for several years now since it was one of the first cross platform apps that also had an iOS app and would work with DropBox. I had to use it just now to get to the twitter account I wanted to use here to login. :)

KeePass is certainly more manual than the others, but I appreciate the ability to keep the file on a cloud drive of your choice instead of synching with a service.

Doesn’t this mean that if you lose your luggage on holiday then you’re locked out of everything because you literally do not know your own passwords?

I do regular backups of my password manager file onto an external hard drive along with the rest of my files, which has saved my butt more than once. When starting over with a new computer, I download the password manager software first, load up the file, and it’s just as it was before.

If you’re talking about still needing to get into things while on holiday with no luggage – you can certainly also get software that syncs your passwords to the cloud. I’m not sure how trustworthy it is, but it has to be better than the alternatives.

The better password managers sync access between multiple devices. With Keeper, I have access from my Smartphone, computer, Chrome whichever option I choose to make available for myself..

Well, I generally don’t store my passwords in my luggage so it hasn’t been an issue thus far. But I’ll keep you posted ;)

Apparently, you don’t know how password managers work. Do the research, then comment.
Good password managers provide backup code(s) and an alternative method (e.g. 2 factor) in the event you forget the master password. They also offer secure/encrypted backup of your password file (or you can do it easily yourself).

Supposedly this article is about why you should use them. This is the research.

How do you recover the contents after a natural disaster has destroyed all your physical possessions?

I use KeePass on desktop but how can I use my passwords anywhere else? Recently I had to login on mobile and well… I ended up typing 50 character password manually. This is definitely wrong but I am not aware of any other way. Similar issue with using my password on another PC – carrying USB all the time is a bother. Do I store database + software in Dropbox / Drive? Both require password to retrieve it, so it makes it at least 2 passwords to remember.

Interesting question. I have a feeling the answer may be in using one of the KeePass plugins, but I need to investigate and check this for you. I’m going to be writing an article on using KeePass shortly and will make sure to address this in there.

I use KeePass on desktop and on Android there is an app – KeePass2Android that will read the password file. I manually copy the password file over to my phone so that I don’t have to put my passwords in the cloud. I keep my desktop version as the “master” copy and know that they could get out of sync. But that is a small price to pay for not having to put my passwords in the cloud. And then I don’t have to type the really long passwords on my mobile device.

There are versions of KeePass for just about any device – mobile or PC – so that if you store your KeePass database in Dropbox/Drive then any device that syncs up with that can access your up-to-date KeePass database.
I understand megan’s concern, but I am comfortable putting my database in the cloud because the keyfile that is additionally required to decrypt the database never sees the cloud – I manually copy it to each device that I use KeePass on.

I’ve been using LastPass for about a year. It was definitely worth the $10 annual fee to be able to sync the passwords on to mobile devices.

When you use LastPass on an iPod or other mobile device does it automatically login to the app and browser, if required?

Yes, if you launch the website from the LastPass interface. You can do a quick search from the opening page if you have tons of websites, only requires a few letters to shorten list.

Agreed, I’m also a big fan of LastPass and find the annual fee to be worth every penny.

Aren’t we trading dependencies on many companies’ internal security for one company’s internal security? Seems like an “all your eggs in one basket”. Now, I would expect these companies to have better security than Ma & Pa Kettle’s House of Pancakes, but I’m putting ALL my passwords into this one product.

Have there been any security-focused reviews of the security of password-manager authoring companies?

That’s definitely a concern many people have, and generally those folks opt for password managers like KeePass where you store your encrypted password vault locally (on a machine you own). They detail the level of encryption they use here: http://keepass.info/features.html#lnksec — right now the encryption algorithms they use are pretty much top of the crop.

Sounds good. I think I’ll look into it. My current model has Excel doing the same thing from a workbook, but these companies even outstrip MS Office in terms of security.

Agree. Putting all your eggs in one basket is definitely a point of concern. For an offline password manager like KeePass and Enpass password manager, the database security always depends on two things: Software security or encryption engine and your Master Password strength.

In addition, KeePass is open source, so that the community can make sure that there are no security flaws.

That’s certainly something you should look at when evaluating password managers. Some products, like Lastpass, are designed to protect your vault data with the assumption that at some point they, as an organization, will be breached.

But, yes, there is always risk to be calculated and in general using a password manager is better than juggling passwords in your mind because of all of the extended benefits. My favorites: longer generated passwords, notifications if any accounts were disclosed in breaches; notifications of old, duplicate or weak passwords, storage for secure notes/files, and auto-password changes.

So, if it’s stored on your own server, does that preclude using them on remote devices (like phones when away from home)?

I know someone who isn’t particularly techie, but who can generally find his way around a computer, who uses lastpass and finds it to be inconsistent and kinda hard to use. That said his bank’s website does put the username and the password fields inside separate html form elements, which doesn’t help.

Personally I don’t like the whole, all my eggs in one basket aspect of a password manager. I prefer having my own system to calculate the password based on the site name and some secret. Something like Blum’s mental hash. I have only one thing to remember and an infinite number of good passwords.

I can definitely see that concern. I’ve noticed some websites are particularly awful at being password manager-friendly, and have come across the same issue where the fields aren’t recognized as they should be. I find that I have to manually copy and paste the fields in from my vault — having the browser plugin for LastPass makes this easier, but not as easy at it should be. I’m not sure if this is LastPass’ fault or the bank’s.

I’m glad you have a method that works for you, especially one that’s firmly locked in the domain of your mind :) Knowing me, I’d forget my own personal mapping/keys. But if your memory isn’t as sieve-like as mine, it definitely beats using “password1234” on every website.

Been a Keepass fan for a while now and keep the file in my dropbox folder for access from any of my machines. I also keep a printout in a secure place as well, just in case .

1Password has worked excellently for years on my Mac and iPhone & iPad. The password file lives on all three … I sync them all up to the Mac weekly if/when I change passwords.

I’m paranoid about putting the p/w file on iCloud even though it’s encrypted. My passphrase is huge … but the only one I need to remember.

I’m also using LastPass password manager. But if I’m recalling correctly they have been suffering a security breach as well?
I’m using it on all my devices: pc, phone in combination with the fingerprint reader, tablet, etc.
I’m using the premium version for 5 years or so.

Security stories in recent years about LastPass:

https://nakedsecurity.sophos.com/?s=LastPass

Are there stories on their competition? Or, is LastPass the only one that has been breached?

Not sure off the top of my head…try clicking on our magnifying glass and trying a search :-)

IIRC, the LastPass problems were pretty quickly and responsibly sorted out. I don’t use it, but if I did I don’t think any of those incidents would have made me switch.

Actually, the speed with which they announce and correct breaches might make me switch TO them. Every company has security issues. The bottom-line question to me is how they handle them. There are myriad numbers of bad ways to handle breaches. LastPass seems to have handled theirs very well.

Just started using LastPass because it’s one of the only apps to support Windows Phone. First time using a password manager and can’t understand why I’ve put if off for so long!

Maria, nice write up. As you review KeePass, would you consider it from a family perspective? My wife & I both access much of the same websites. Now that our children are getting older there are new websites that 3 sometimes 4 of us access. If I use KeePass and regularly update the password how does she or our children get the updated information? I like the fact that you can install and run KeePass solely on a thumb drive as I have mine attached to my car key ring, so it’s with me all the time. But how do we manage keeping all of these passwords current and synced between multiple people?

Hi Marc – Thank you! If I understand correctly, the assumption here is that each of your family members would have their own KeePass account? I believe you’d need some element of KeePass running on a shared, centralized network location (which could be a private home server, for example). They seem to have some capabilities around that: http://keepass.info/help/base/multiuser.html
I’ll keep digging and see if there’s a plugin that addresses this, but knowing our Naked Security readers — many of whom are avid KeePass users — they’ll know a solution more quickly than I do for this one. (Admittedly, to address the situation you’ve described, I opted for a cloud-based password manager personally. But that brings its own set of problems of course.)

Thanks Maria, I’ll look into the multiuser option from KeePass. An example of the scenario I’m speaking of could be our household bank account. Both my wife and I use the same profile to access the account, since the bank hasn’t figured out how to have multiple profiles access the same financial account. We also log in from many different devices; home PC, work PC, my mobile, her mobile, you name it… So, if we want to use KeePass’ feature of generating a strong password then we would need to ensure that we can access the current stored credentials from our configured database(?) Guess I need to just “jump in” and start trying different set up options.

I have been using KeePass for over 9 years now and always kept the KeePass database in a TrueCrypt volume. Works well for me. I still wouldn’t risk an ‘in the cloud’ password manager.

Use Keepass; and used to use Lastpass, but I wasn’t comfortable when they got into bed with Letmein, so changed to Roboform, which seems to work very well.

Chrome keeps passwords. It’s on my local machine. What is the vulnerability, if any?

Chrome is linked to your Google account. Once someone signs into your Google account on any machine, they have access to all data (passwords, bookmarks, etc) saved in Chrome. Very handy, as long as you can be sure it’s you that’s signed in.

I never sign into Chrome. I sacrifice convenience, but each instance is just like The Before Times: discrete sets of bookmarks, preferences, and saved passwds.

(sorry for the zombie comment; a recent article linked me here, so I re-read it)

While the rule “Never reuse passwords” is okay, you should give real consideration to not only create unique passwords for every site, but you should go a step further and create unique usernames as well.

Why? Ask yourself this. If you have a key that fits a vast quantity of locks why attach a tag that has a list of all those locks that it can be used at?

I use the principle of having my own domain name (around £10/year) and change the name in front of @ for each web site/account. It also helps track which web sites are selling your e-mail to marketing companies so helps filter out junk e-mail too.

I don’t like the risk of passwords being stored in the cloud.
I don’t like passwords being stored locally in a discoverable place or form, in case the code to access the passwords becomes compromised or has back doors. I am especially wary of password databases being remotely grabbed.
The worst scenario is one leaked password being randomly leaked or used from a randomly selected database, so that it takes a while for a password manager to come under suspicion.

Helpful article indeed. How do I relate the use of password managers as described to the use of key chain manager on MacBP? It fully and timely syncs my cred’s over all my devices, accessible everywhere, anywhere if need be and thus meets the (my) need, its vault is highly encrypted. Would you say mac (and icloud) users would need to consider adding pwmgttools on top of key chain in mac? Just wondering, not sure after reading the article, perhaps I read its focus (which?) wrong?

If you’re happy with KeyChain as your password manager, I’d say you are already there :-)

I think that some people find it a bit intimidating, so it doesn’t usually make the short list of password managers.

To explain for non-Mac users: KeyChain is Apple’s built-in credential management system (for example, login passwords, cryptographic keys and Wi-Fi passwords are stored there). There’s a built-in app called KeyChain Utility to manage it all, and you can add your own keys in there as you wish.

We once wrote up a potential data leakage bug in KeyChain, so it hasn’t been perfect, but that was a while ago:
https://nakedsecurity.sophos.com/2015/06/18/apple-os-x-and-ios-in-the-vulnerability-spotlight-meet-cored-also-known-as-xara/

My wife and I have used roboform for many years and share one database on many devices. Great support too.

Password Managers are great until your password manger account is hacked and then they have ALL OF YOUR PASSWORDS!!! I will roll the dice remembering multiple passwords and using two factor authentication.

While ever they try and sting you with a subscription, I’ll take my chances and memorise my own passwords. One off fee or you can take a running jump.

Years ago, I used one of the first browser password managers. After a browser upgrade, it stopped working. Developer stopped updating. I had no idea what any of my passwords were. I still use a browser mgr for non-critical websites but keep a manual backup and have different system, under my control, for all the rest.

Years ago I used one of the first wireless mice, because I found it neato. It was slow, inaccurate, and power hungry–requiring two new AA batteries every 10-14 days. I re-wired after a couple months, and resisted/resented wireless devices for years. Now in 2018 a bluetooth mouse can last months on a single AA, and their accuracy and speed is indistinguishable from a wired one–at least for normal office use.

Never say never.

You can use Sophos Mobile Security with KeePass, so you have Sophos Password Safe + QR scanner + Authenticator (based on Google Authenticator): a really good solution to almost all you can imagine, and all from Sophos.

I use Bitwarden. Excellent open source alternative to LastPass, 1Password, Dashlane, etc. They do have a premium tier ($10/year) that gives you some additional nifty features, such as 2FA TOTP generation, but the free version is full-featured and includes sync between multiple devices.

Apps available for both Android and iOS devices, as well as Windows, Mac and Linux. Browser extensions available for all the main players too.
