
Everything You Should Know Before Using a Password Manager
Passwords, passwords, passwords.
We have so many passwords to create and remember, don't we?
According to recent research conducted by NordPass, the average internet user has approximately 70 - 80 passwords to remember.
No matter how you try to slice it, that's a ton of passwords to memorize for the average internet user.
(Want to know something crazier? According to research done by LastPass, the average "business" user has 191 passwords to remember.)
If you're looking for a way to follow all the good advice about creating strong passwords and not reusing them, where can you turn?
Enter the password manager (or password keeper to some). These handy pieces of software remember your 70 to 80 passwords, so you don't have to.
What is a password manager?
Truthfully, some password managers have more features and therefore do more things than others.
That's why there are so many on the market. People like and need different things. It's just the name of the game.
At their core, password managers are pieces of software that securely create and store login credentials.
The credentials are stored in an encrypted digital "vault." The key to this vault is typically what is called your master password.
How do password managers work?
Now we know what password managers are. But how do they work?
Some variations between password managers exist, but they all have the same core mechanics for the most part.
Password managers will offer to record the username and password that you enter into a website. Your username and password then get stored in the vault.
When you visit that website again, the password manager will offer to fill the site's login fields with the corresponding username and password from the vault.
(Keep in mind that this "vault" should be encrypted using solid methods.
Additionally, the password manager should be audited and regularly patched for known security vulnerabilities; I go more in depth about all of these later in this post.)
That's really all there is to it.
Why use a password manager?
There are several reasons to use a password manager.
To start, they make your life a little easier. Plus, they're better at creating and storing passwords than most of us (including you and me).
1. Remember 1 password
With regular use of a password manager, you only have to remember 1 password.
That's your master password.
As we've talked about earlier, this master password is what grants you access to the credentials stored in the "vault" of your password manager.
That simplifies your online life quite a bit, doesn't it?
You'll still have all the accounts you need. You'll have reliably strong and unique passwords for each of your accounts.
And you don't have to remember any of them!
While you only have to remember one password, I do suggest you commit a couple of others to memory.
Passwords I recommend you always remember are those of your primary email account and your frequently used devices.
There are other passwords that are worth committing to memory too, but whether you want to remember those depends on you and your own life.
(I go into more detail on worthy passwords to remember in a completely separate post.)
In any case, you'll want to absolutely make sure you do remember your password manager's master password. Resetting it is often impossible.
Yes, you read that correctly: resetting your master password is often impossible. Many password managers don't store your master password anywhere.
Not in the cloud, not on your device(s), not on their servers. Nowhere.
If you forget it, your only recourse is often to delete all the information contained in your password vault and start anew.
Always remember that master password! It's as easy as that.
2. More secure storage for your passwords
Password managers store your passwords in a "vault."
In a lot of password managers, this vault is secured via enhanced encryption methods - think of the likes of AES-256.
So far, AES-256 has proven impossible to crack via brute force; it's estimated that it would take over a trillion years for a single powerful computer to brute force AES-256.
AES-256 was originally developed for use by the US government. Today, it is one of the most secure and widely available commercial encryption methods around.
What does this all mean?
This means that if a password manager is using the likes of AES-256 encryption, then you can be assured that your passwords are reasonably safe.
(I say reasonably because, when it comes to any piece of software, nothing is 100%.)
Keep in mind that AES-256 isn't the only strong cryptographic method out there.
In fact, there are plenty more, such as:
- PBKDF2
- bcrypt
- HMAC-SHA256
These methods serve slightly different purposes in the safekeeping of data, but they're all reliably strong.
Password managers typically use a combination of PBKDF2 and AES-256.
Ultimately, all of the above means that you can stop storing your passwords in a word document on your PC.
And no, before you ask, storing them in the notes app on your smartphone isn't much better either.
3. Generate strong passwords
Password managers can easily generate truly strong passwords for you.
Now, you might have even learned some cool ways to reliably create strong passwords. Or what you and I think is a strong password.
The truth is, it's likely the passwords you use can be traditionally cracked or guessed in a lot of cases.
Unfortunately, our human brains enjoy using heuristics, which are just shortcuts. Heuristics are usually helpful until it comes to data privacy and online security measures.
We often go back to what we know and what works. If what we know works, we usually have little incentive to change what we're doing.
What I'm saying is that while your passwords might be "strong," they might also follow a formula that is easy to figure out.
For example, let's say our method for creating passwords follows this kind of formula:
capital letter + name + 3 numbers + symbol
Note: Don't use this formula to create passwords. It's not strong enough. This formula is used just to illustrate my point!
Outputs for our "strong password formula" could be:
- Kjohn123^
- Tlarry456#
- Ptrish321&
Contrary to what you and I think, this doesn't create the strongest password.
But it is strong enough for most website password requirements out there.
However, let's say one of these passwords somehow gets leaked to the bad guys. If we follow that same formula for other accounts, then it only becomes a matter of time before the rest of your passwords get figured out.
We have a real problem on our hands then.
Fortunately, like I've said, password managers can generate strong passwords.
And I mean strong. Something like these (and stronger):
- RTy^773(marK09
- Ha$k%33&2Yest
- L0o!p5FrYuu^48
They can create these with the click of a button, as many times as you like. You really don't even have to think about it.
In a lot of cases, these passwords are a lot better than what you and I can come up with and remember.
4. Prevent the reuse of passwords
I can't think of a situation where reusing passwords has any security benefit.
That's probably because none exist.
But I can understand why people reuse passwords; there are just so many accounts that the average user has - across personal lives, work, and school.
All these accounts require passwords. On top of that, many of these accounts have differing password requirements. Remembering them all can be a real pain in the ass.
You might have a few, say four or five passwords that are considered "strong." So, across all these different accounts you have, you reuse these "strong" passwords.
You read about how reusing passwords is bad practice, and guess what?
You still reuse them!
There's not really a fault with you per se; the bottom line is password reuse is convenient for us as humans.
There's also the plus of limiting the use of "Forgot Password?" because going through hoops to reset multiple passwords gets old and annoying fast.
Unfortunately, hackers love when we fall into this trap of convenience.
This is because in this case, decent security is severely compromised in favor of convenience - it makes their jobs easier.
All they have to do is somehow get the login credentials for one (or more) of the places you have accounts at, and then try credential stuffing.
Credential stuffing is where the bad guys get ahold of login information (email/username and password) for one account. They then try the stolen or leaked login details across multiple sites, often using various automatic credential stuffing tools to do so.
If you reuse passwords, it becomes only a matter of time before the hackers gain access to your other accounts too.
Naturally, that becomes a bigger issue for you to deal with. You must do damage control across many accounts, versus just one.
Password managers alleviate much of this by generating strong passwords and storing them securely for you.
The passwords generated are hard to reasonably crack through brute force means. The fact that each of your accounts has a unique password makes credential stuffing nearly impossible.
No point in reusing the same passwords for convenience when you have something handy to generate and remember them for you, right?
Are password managers safe?
Not 100%
I want to start off by saying: there is no piece of security software that provides 100% protection from anything.
This includes your antivirus, ad blocker, privacy browser, VPNs, SmartDNS's, and whatever other software you can think of.
With that said, password managers can be hacked.
In fact, some companies that make password management software have been hacked.
And some have been hacked more than others.
For this reason alone, you should do your due diligence on the brands and companies that develop the different password managers across the market.
However, password managers are much safer than potentially running your accounts with weak passwords, or reusing passwords across multiple accounts.
What if my password manager is hacked?
Don't all your passwords and other sensitive information become exposed?
Not necessarily.
Password managers worth using will have several defense layers when it comes to dealing with breaches and attacks.
In fact, in some breaches that have occurred against the more popular password managers, the attackers weren't able to make off with user credentials stored in the vault.
That doesn't mean they didn't get some information, but it does mean that stored user credentials were safe.
Additionally, without getting into too many technicalities, "hacked" can mean different things. Meaning, a "hack" is a catchall for many different attacks that can get carried out against multiple types of security software.
A lot of what data gets compromised depends on the type of attack/exploit used and how well implemented (if at all) existing defenses are.
There's also the response to the "hack" that plays into the dynamic as well.
Responses come from developers, who should work as quickly as possible to fix the security issues; they also come from users, who should change passwords and enable two-factor authentication where needed.
With all that said, there is risk involved when using any type of software. However, most users don't have to worry about an attack exposing all the content of their manager's vaults.
What are the limitations of password managers?
Us Humans
It goes without saying: humans are usually the weakest link in password creation, management, and storage.
Weren't aware? That's okay - now you know!
We humans just aren't good when it comes to digital security. We're more fallible than the strongest and most robust security technology.
Since we command this "robust security technology" (at least, for now), we're still prone to our insecure human ways.
For example, there's not much to be done if you create a weak master password for your password manager.
Likewise, social engineering is another glaring weakness of us humans. We're way more likely to be manipulated and taken advantage of by others than a machine.
Your device's safety
This mostly pertains to password managers that are stored locally.
However, it can still apply to those who use the cloud.
Your password manager doesn't make you or your device immune to other security threats such as malware or phishing attacks.
The safety of your device matters when it comes to your password manager.
You should keep all software (including your password manager) updated on all devices. You should have an antivirus program installed where appropriate.
You shouldn't allow just anyone access to your devices. You shouldn't click on odd or suspicious links or download and install shady programs.
Ideally you should avoid visiting shady websites - especially if you don't use a privacy focused or secure browser.
But can't I just use... (insert alternative here)
Phone notes
This isn't the absolute worst way to store passwords, especially if you "secure" or "lock" your notes using a password + some type of encryption protocol.
But it's not that secure, even if you keep your notes app only on your phone and don't sync the notes to any other device.
Look, a notes app - even with its password protection function - just wasn't made to store super sensitive information like your passwords.
There's a lot that can go wrong with storing the "keys to your kingdom" this way:
- Your device can get stolen. If the thieves don't break into and steal the data off the phone, you can bet they're wiping it and selling your device off. In any case, you have a potential compromise and a loss of data.
- Biometrics can be bypassed. Fingerprint sensors and facial recognition aren't as secure as we're made to think. Biometrics can easily be forged or "stolen."
- Constantly copying and pasting passwords. The clipboard on any device is simply not secure. When using a notes app, you will be constantly copying and pasting passwords. Who's to say other applications don't snoop in your clipboard?
- Password strength and uniqueness is still an issue. Even with an encrypted notes app, you'll have to create truly strong and unique passwords for all online accounts. We humans aren't too good at that; you'll end up using fundamentally weak passwords or reusing the same "strong password" across different accounts. Guaranteed.
Think you're safer because you use Apple products?
You're partially right. Apple tends to be more user privacy and security focused, even if by a smidge.
Other than that, unfortunately, the iOS and macOS locked notes aren't as secure as you may think. Locked notes are susceptible to data-leakage and exploits.
These locked note exploits might not get fixed as quickly as they would be in the case of a password manager because, again, the notes app wasn't made for storing passwords.
This holds true for other current and future vulnerabilities as well.
My web browser
Using the password-saving function of whatever browser you may use isn't secure.
Yes, this even holds true for privacy and security-focused browsers.
What gives?
Well, unfortunately, even privacy browsers often store passwords in plaintext.
Plaintext means it's super easy to read. There's nothing to decipher or figure out - it's spelled out for any computer to read, very similar to how you are reading this guide.
Any half-baked malware or script can install on your system and/or web browser of choice, and snoop around for sensitive information.
And you best believe the bad guys know all about the pitfalls of browsers.
If you store your usernames and passwords in your web browser, you run a real chance that a bad character can run a script to read the plaintext files (which include your passwords) created by your browser.
Pen and paper
I'm not going to lie to you; physically writing down your passwords isn't the most terrible idea around.
In fact, in the context of online threats, which include the likes of hackers and scammers, it's pretty secure and can be a reasonable option.
Think about it: if the threat is online only, then a good countermeasure is to store information offline and nondigitally. Then, there's no way for these threats to access sensitive information except via physical means.
However, that's about where the true benefit of using pen and paper to store your passwords ends.
When you physically write down this information, the biggest risks to your passwords are:
- them getting lost or destroyed
- someone stealing/seeing them
Now, when it comes to your paper storage of passwords getting "lost or destroyed," you might think that likelihood is low.
After all, the likelihood of someone breaking into your home and looking for passwords to steal is slim (hint: most burglars are looking for readily identifiable and sellable valuables.)
And when it comes to them getting destroyed, the likelihood of a fire burning everything in your home to ashes is equally slim. Right? (According to the US Fire Administration, there were approximately 379,600 residential fires in the US in 2018.)
Yes, you're right.
But here's the thing - your physical threats are most likely not going to be of either extreme.
When it comes to passwords getting lost or destroyed, this can happen in more common ways than you think. Examples include the paper/notebook getting drenched in water (or coffee) or you losing the storage medium in public.
When it comes to the wrong people coming across them, well, that could be literally anyone in your life, from roommates to family members.
All it takes is for the wrong set of "curious" eyes to land on the goldmine of passwords you keep in the notebook tucked away in your desk drawer.
Word/PDF/TXT document
Storing your passwords in any kind of word-processing document (such as .docx, .pdf, or .txt) is about as bad as storing your login information in your web browser.
Yes, this remains true even if you password protect and encrypt that document.
Here's why: when you store your passwords locally in a word (or any text) document, you're relying on an assumption that your PC is 100% safe.
With all the threats to our PCs out there, we all know that the safety of our PCs is never 100%. It's just the way things are, even if we might think otherwise.
What threats are there? Here are just a few:
- Spyware
- Viruses/worms
- Trojans (& other backdoors)
- Ransomware
- Script attacks (including clickjacking & autofill attacks)
- Wi-Fi attacks
Don't forget the more local threats either, such as theft or someone hopping on your PC without permission.
From that list of threats, we can use malware to hammer home a point.
Machines get infected with all kinds of malware and spyware literally all the time. Over 7 billion malware attacks were reported in 2019.
Dig further and you'll find that anywhere between 270,000 and 350,000 new pieces of malware are detected every day.
(Even if you take the low-end number of 270,000 and multiply it by 365, you'll get a whopping 98,550,000 new pieces of malware discovered in a year.)
For example, have you ever heard of ransomware (before we listed it above)?
Ransomware is a type of malware that installs itself and encrypts some, most, or your entire system.
The key to decrypt your system and/or files is stored on some unknown server/computer likely on the other side of the globe.
A "ransom" is demanded - usually to be paid via cryptocurrency - by the malware in order for your files to unlock.
In most cases, it's near impossible even for cryptography experts to decrypt and restore your files.
So, if you don't pay the demanded ransom, you're out of luck. Even if you do pay it, that doesn't always guarantee your files will be unlocked.
Plus, these attacks are constantly evolving. The data that the ransomware encrypts will probably be backed up to the hacker's server, where they can do anything they want with it.
What does all this mean?
In the case of a ransomware attack, your word document can be (and likely will be) attacked. Its contents - your passwords - will be held hostage and at your attacker's mercy.
In the case of any type of attack that compromises your computer, the word document and its contents can become easily and severely compromised.
My mind power?
You can try to remember your passwords with mind power alone.
It's certainly an option. Maybe not the most efficient option, but it is an option.
We actually suggest you always remember a couple of passwords, in addition to your password manager's master password.
However, let's be realistic: How many passwords do you truly remember?
And how many times have you reset the ones you don't remember?
On top of that, you'll be relying on brain power to generate strong, unique passwords and to remember them.
And clearly, we humans just aren't suited to doing that reliably. Eventually you'll start creating passwords that are easy for computers to guess.
If you happen to create a truly "strong password," you're far more likely to use it across different online accounts, which leaves you open to credential stuffing type attacks.
But I'm sure you have better things to spend time remembering, right?
How do I pick which manager to use?
Many factors may go into your decision to pick which password manager to use.
In addition to security protocols such as type(s) of encryption method(s), password managers can vary in other features as well.
They also vary in price, and the quality and quantity of security audits performed.
Encryption protocols
The encryption protocols and processes surrounding the storage of your passwords are important.
As I've already mentioned earlier, you'll want to be sure whatever password manager you choose uses a super solid encryption protocol such as AES-256.
Ideally, the password manager should use multiple encryption protocols for the storage of data.
The developers should also be forthcoming with information about how your data is secured.
For password managers that use the cloud, you'll want to ensure that it only uses solid end-to-end encryption (E2EE) protocols when it communicates with cloud servers.
Free vs Paid
First you should decide if a free option could be for you.
Unlike in the world of VPNs (Virtual Private Networks), free password managers aren't necessarily a bad idea.
(If you didn't know: free VPNs are not worth the price tag in terms of security, privacy, and reliability.)
For example, the free version of Bitwarden could satisfy some users' needs.
However, depending on what features you want or need, you'll want to look across all options - paid and free.
Local vs Cloud
In addition to choosing between free and paid options, you should look at whether the vault is stored locally or via cloud. There are pros and cons to each.
Cloud
Honestly, more than likely, this will be the best option for the average user.
Passwords are stored on cloud servers. This enables you to access your vault from any device that you use. It also gives the ability to sync passwords across different devices.
Cloud storage gives the best accessibility and provides the most user convenience.
Robust cloud infrastructures will ensure that end-to-end encryption is used consistently.
However, cloud storage usually comes with some sort of price tag, meaning that it's rarely offered freely.
Additionally, the cloud is operated by a third-party, which is usually the company behind the password manager. Some people might have issues trusting a third-party with all their credentials.
Local
Put simply, local storage doesn't give the easiest or most convenient user experience around.
It does make a hacker reconsider their attack in the sense that they'll more than likely have to use malware to compromise the password manager's security.
Storing password managers locally also means you're a less attractive target. More and more, hackers are targeting companies large and small because the overall return-on-investment is greater.
But do you remember when I mentioned that the confidentiality of passwords stored locally relies on the storage device's security?
The same principle applies here.
A locally stored password manager relies on the security of your device (and everything connected to it, including networks). That ranges from promptly applying all released updates to avoiding phishing/malware attacks.
Ultimately, the responsibility of security rests on the shoulders of the user.
Availability
Make sure that the password manager you select is available on all platforms that you use.
For example, if you regularly use a Windows machine and a Linux machine, then you'll want to be sure that your password manager will work properly on both platforms.
It's also beneficial to make sure that your password manager works correctly with the operating system and web browser you use.
Another example: if you use Firefox on your Windows Laptop, you'll want to be sure that your password manager works on whatever browser you may use on your mobile device.
Secure access
This is a little different from the levels and types of encryptions used to store your sensitive information.
You'll want a password manager that protects your information with a "master password."
You'll want that master password to be super strong and unique. Generally, length beats complexity.
Quick example: passguessthisword (total chars: 17) beats something like Pa5$w0rD (total chars: 8) because of its length, not its complexity.
You'll also want a password manager that offers/uses two-factor/multi-factor authentication.
Two-factor authentication (2FA): a second layer of security that helps to protect online accounts from unauthorized access. Common methods for 2FA are email and mobile phone (voice/text/push notifications).
If you have 2FA enabled for your password manager, when a hacker uses the stolen master password to gain access, they'll have to "confirm" they are indeed you.
Quick example when 2FA is enabled:
- Hacker gets your master password
- Hacker attempts to use your master password
- Your 2FA option kicks in here
  - Ex: if your 2FA option is a cell phone you might get a text message containing a one-time passcode
- Assuming your authentication method isn't compromised, the hacker can't gain access to your account
  - Additionally, you're alerted that someone other than you is trying to access your account
Privacy/security breaches or vulnerabilities
While no company is perfect, some are better than others.
There are some companies whose password manager product seems to always have some type of major security exploit unveiled.
Some of the most popular password managers have had:
- serious security vulnerabilities exposed (hacked)
- security or privacy breaches (data breaches).
Examples:
In 2015, LastPass suffered a "single security incident." Their team stated that no vault data was exposed.
In 2016, numerous password managers (which include the likes of Dashlane, F-Secure Key, Avast Passwords, 1Password, and others) had "serious security flaws" in apps for the Android OS.
In 2017, LastPass had quite a handful of security issues that ranged from zero-day flaws to "major architectural problems."
Also in 2017, OneLogin had a "security incident" where hackers gained access to a set of Amazon Web Services (AWS) keys.
This is just information for you to keep in mind; do you want to choose a password manager which has a history of serious security breaches? Or one that is slow to patch identified security holes?
Ease of use
Put simply, if you don't find your password manager easy to use then you aren't going to use it.
(This also ties into the availability of your password manager as well; if it's not readily available, then you won't use it.)
Which would put us in the situation we're in now: creating largely fundamentally weak passwords, and then reusing these passwords across multiple online accounts.
For the majority of people out there (which includes you and me), you'll more than likely want your password manager to:
Generate secure passwords
The password manager you choose will ideally generate a unique and secure password for you, as we've discussed above.
The password manager's ability to generate passwords should take the big issues of using fundamentally weak passwords and password reuse out of the picture.
Autofill
Generally, Autofill is where user (your) information gets automatically filled into field boxes, such as input fields on a web form.
In the context of password managers, Autofill usually refers to the password manager's ability to automatically put your information into login pages.
Autofill makes your life easier because you don't even have to type anything.
It also helps alleviate the issues associated with copying and pasting sensitive information like passwords. This is especially true if you accidentally leave your password on your device's clipboard.
Some password managers even go a step further and automatically log you into whatever account you're accessing.
Just be aware that the autofill feature of password managers can be compromised by website scripts designed to steal the data put into username and password fields.
Because of this, you might consider not using this function.
Auto Capture
Auto Capture is where your password manager automatically records the login information you put into input fields, such as username and password fields.
This makes your life easier because you don't have to input your username/password combinations manually.
Some login pages or screens aren't very friendly to the Auto Capture of some password managers, so sometimes your information won't get recorded.
Should it fail, you always have the option of manually adding the login information to the vault yourself.
Features
Some password managers offer more features than others.
This is almost a given because different people and organizations have different wants, needs, and expectations out of the password manager software they use.
I encourage you to take a look at your own situation and evaluate any and all extras that you may want or need.
You should also be aware that some features are "baked right in" to the product, while others are "additional toppings" (addons). You could be paying (extra) for some of these cool features.
Password "Maintenance"
Password managers should generate strong and unique passwords and store them in a secure encrypted vault.
Some go a step further and analyze the strength of your existing stored passwords, alerting you to the weak or so-so ones.
A couple take it yet another step and compare your stored passwords to a database of exposed passwords, much like the website Have I Been Pwned. It should tell you if you're using a leaked password.
Travel mode
Are you a frequent international traveler?
You've probably encountered some of the stricter border-crossing procedures of certain countries like New Zealand and even the US.
These stricter procedures are increasingly demanding access to personal devices you're carrying on you, such as your smartphone.
This means that you might have to unlock your phone and hand it over to border control officers. If you have a password manager, they could theoretically ask you to unlock that as well.
Fortunately, some password managers have a travel mode that you can enable.
In this travel mode, you temporarily remove designated passwords from the vault. You won't be able to access these accounts and neither will customs.
It's a good way of keeping your more sensitive accounts private from random border guards.
(Do you really want your banking passwords exposed to someone you don't know, government agent or not?)
File Encryption + Storage
Plenty of password managers on the market allow you to store files in the vault, in addition to login credentials.
Storing a file in the vault should give it the same level of encrypted protection as your usernames and passwords.
Shared access
There may be some cases where you wish to share access to your password manager with someone else.
Sharing access usually means also sharing your master password. Can't you imagine all the things that could go wrong by doing this?
Thankfully, some password managers have realized that there is a potential need for shared access. They have created more secure and viable ways for sharing access, should you need to do so.
Some have family plans and others feature enterprise-level plans. In most "shared access" plans, the admin (most likely you) can control everyone's access.
Digital will
We don't like to think about our deaths, so we often put off creating a will.
If you do have a will, you probably don't have any information about your accounts included.
As our lives become more and more digitalized, you'll find that you might want to leave your online credentials to heirs or to whoever is handling your estate after your passing.
Many popular password managers understand this growing need. As such, many of them support leaving a digital legacy that makes it easier for those designated to settle your affairs.
Final thoughts
Password managers have way more pros than they do cons.
Their biggest pro is that they eliminate the ballooning issue of password reuse across multiple accounts.
Plus, it only helps that many of the reputable password managers offer to generate strong passwords and automatically store login credentials in the vault.
Ultimately, they make digital life easier and more secure, which seems to be a rarity in the constant war between security and convenience.
There's almost no excuse not to use one these days. They're increasingly becoming easier to use and most of the remotely good ones are being constantly updated with new and improved features.
This guide will be updated periodically. If you have a suggestion, then I advise you to contact us.
As always, stay safe out there!