Note: This blog post was moved from an older blog
The other day, I read an article by security expert Troy Hunt titled “The only secure password is the one you can’t remember”. In it, he laments how many online accounts we have and how every one of these services carries the risk of a massive data breach that can cost you.
These accounts need passwords, and given how many accounts we have, we fall into two bad habits when choosing them: weak passwords, which can be guessed or cracked easily, and reused passwords, where the breach of one service leads to the breach of more valuable ones.
Now, there are patterns that supposedly make passwords more secure and easier to remember, like sentences and character substitutions, but remembering hundreds of passwords like “Il0vefurryp0rn” is hard. So what do we do? Well, you could write them down on a piece of paper, but that’s a bad idea for obvious reasons.
A better solution is to use a password manager, which lets you generate passwords, store login details and save documents, and secures them all with one password (1Password, hehe) in a super safe vault. A secure password, by the way. Password managers are very secure and their security is constantly evaluated and improved upon. Heck, the password manager I use, LastPass, got breached, and while the attackers could get hold of the vaults, those were strongly encrypted, making them useless unless you have a lot of time on your hands.
Rather than tell you how password managers work, I’ll show you how I use mine, LastPass. I’m not being paid for this, but I wouldn’t mind it. Password managers typically come with browser extensions that let me log into websites quickly. If a site is being weird, I can just copy the password over, and the manager clears the clipboard after a while so other apps can’t take a peek. I can randomly generate passwords for new accounts to specified parameters, change passwords on the fly, store form fills and credit card details for easy access, share an account with someone (either showing or hiding the details) and even designate someone to access the vault in case of an emergency.
If I move onto my mobile phone, I can secure the vault behind a PIN or fingerprint for quick access. I can also log into websites in the browser and generate logins. The best part of password managers on mobile phones is that I can log into apps. It uses the 1Password logo, but you can use any password manager. Nifty, hey?
There is also a slight benefit to the extensions in that they help prevent phishing, since the login details will only fill when the page URL matches the one saved with the login. You still need to take care about which websites you’re logging into, however. Also, password managers can’t protect you from Rubber Hose Cryptography (i.e. being beaten with a hosepipe until you give in), so a password manager should serve as one element in your security arsenal rather than being the whole arsenal (the Electronic Frontier Foundation has a great guide on this here).
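To make the URL-match point concrete, here is an added example (not LastPass’s or any other vendor’s code) of the kind of check an extension performs before offering a saved login on a page. The saved vault entry and the matching rule (same scheme, and the page host must equal the saved host or be a subdomain of it) are assumptions for illustration:

```javascript
// Constructed sample vault entry (not real credentials).
const SAVED_LOGIN = { url: "https://www.example.com/login", username: "alice" };

// Reduce a URL to the parts that matter for matching.
// Returns null for anything that is not an absolute http(s) URL
// (javascript:, data:, file: and malformed strings are all rejected).
function originParts(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return { scheme: u.protocol, host: u.hostname.toLowerCase() };
}

// True only if the page host is the saved host itself or a subdomain of it.
// A lookalike such as "www.example.com.evil.test" fails because the saved
// host must appear as a whole label suffix, not merely as a substring.
function hostMatches(pageHost, savedHost) {
  if (pageHost === savedHost) return true;
  return pageHost.endsWith("." + savedHost);
}

// Decide whether the extension may offer the saved login on pageUrl.
function shouldAutofill(pageUrl, saved = SAVED_LOGIN) {
  const page = originParts(pageUrl);
  const vault = originParts(saved.url);
  if (!page || !vault) return false;
  // Refuse to fill a credential saved for https into a plain-http page.
  if (vault.scheme === "https:" && page.scheme !== "https:") return false;
  return hostMatches(page.host, vault.host);
}

// Return the username to offer, or null when the page does not match.
function credentialFor(pageUrl, saved = SAVED_LOGIN) {
  return shouldAutofill(pageUrl, saved) ? saved.username : null;
}
```

The phishing case the post describes is the one that fails here: a page whose address merely contains the real site’s name as a prefix gets no autofill, and neither does an http downgrade of the real site.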
Now, there are many password managers out there, such as 1Password, Dashlane, Sticky Password, Clipperz, RoboForm and the built-in options in web browsers and iCloud. There are some superb open source options such as KeePass and Bitwarden, which do need some tweaks to reach the convenience of the previously mentioned ones. Some are solely cloud-based, which is slightly less secure but more convenient, and others give you greater control over where to store the encrypted vault ((S)FTP, Google Drive, Dropbox etc.). Some even offer two-factor authentication, in which a password AND something else is used to verify you, like an SMS code, a special file or “key”, or an app which generates the codes needed to sign in. Two-factor authentication is another step you can take to ensure account security. I’ll talk more about that another time.
With that, I hope you’re compelled to get a password manager now.