You really need to be using a password manager

Password theft

Photo credit: Wikipedia user Psyomjesus. Licensed under CC BY-SA 4.0.

The news of yet another massive password breach at a major online service (this time it’s Yahoo!) provides me with an opportunity to give you a piece of advice: you really need to start using a password manager.

You. Yes, you. You need to start using a password manager. Like, right now.

Passwords, as a security mechanism, are broken. Utterly, utterly broken. But they’re all we have to secure our data on 99% of the services we use and rely on every day, so we have to do what we can to live with them. And the only way to live with passwords without putting your data at risk is to use a password manager.

What’s a password manager, you ask? It’s a little piece of software that provides a secure, encrypted vault, either on your computer or in “the cloud” (ugh), inside which you store all your passwords. It then connects up to your browser so that, when you encounter a login form, your username and password are retrieved from the vault and entered into the form automatically.

This may sound like just a little convenience, but it’s more than that. It’s actually critical, because when you use a password manager you no longer have to remember your passwords. The software does the remembering for you. And that’s a Big Deal, for a couple of different reasons:

Strong passwords are safe passwords. Using a “strong” password (a long string of random characters, rather than a dictionary word or a short, predictable string) gives you the best defense against automated guessing, whether that’s an attacker hammering a login form or, as with a breach like Yahoo!’s, cracking a stolen database of password hashes offline at speeds no login form would ever allow. But long strings of random characters are hard to remember, so people don’t use them. Letting the password manager do the remembering for you means that you can make your passwords as long and cryptic as you want without fear.

Unique passwords are safe passwords. If you use the same password on multiple services, you put yourself at risk, because if even one of those services gets hacked your accounts on all of them are suddenly vulnerable (attackers routinely take a leaked list of usernames and passwords and try it against other sites, a practice known as credential stuffing). What you want, ideally, is a completely unique password for each service you use; that way, if your Yahoo! account gets hacked, you just change the password there and you’re safe again. But remembering dozens (or hundreds, or thousands) of unique passwords is hard, so people just remember one or two and re-use those all over the place. Letting the password manager do the remembering for you means that it doesn’t matter how many passwords you have; your computer can remember a million of them as easily as it can remember two.

A good password manager can even go beyond just remembering passwords for you, and provide tools to help you further along these lines as well. Some provide password generators, for instance, that can automatically whip up new passwords for you based on any criteria you specify with the click of a button. (“Give me only 128-character passwords that include at least one number, one capital letter and one special character,” for instance.) That makes creating strong, unique passwords for each service you use a breeze. Others provide auditing tools that can show you at a glance which of your accounts are all using the same password, making it easy to go back and create strong, unique ones for them. There are also various “nice to have” features, like the ability to require two-factor authentication to access your password vault, or native support for mobile platforms like iOS and Android.
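To make the two points above concrete (what a policy-driven generator and a reuse audit actually do), here is an added example, not code from any real password manager. It draws passwords from the operating system’s cryptographic random source, rejects candidates that miss a “one digit, one capital, one special” rule, estimates the entropy of a password of a given length, and audits a constructed sample vault for reused and short passwords. The site names and passwords in the sample vault are made up for the demo.

```python
"""Added example (not from any real password manager): a CSPRNG-backed
password generator that honours composition rules, an entropy estimate,
and a reuse/length audit over a constructed sample vault."""
import hashlib
import math
import secrets
import string
from collections import defaultdict

SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + SPECIAL


def meets_policy(pw, min_digits=1, min_upper=1, min_special=1):
    """True if pw contains at least the requested number of each class."""
    return (sum(c in string.digits for c in pw) >= min_digits
            and sum(c in string.ascii_uppercase for c in pw) >= min_upper
            and sum(c in SPECIAL for c in pw) >= min_special)


def generate_password(length=32, min_digits=1, min_upper=1, min_special=1):
    """Draw uniformly from ALPHABET using the OS CSPRNG (secrets, never the
    random module) and reject candidates that miss the policy. Rejection
    sampling keeps the result uniform over all policy-conforming strings;
    forcing "position 0 is a digit" would bias it."""
    if length < min_digits + min_upper + min_special:
        raise ValueError("length too short for the requested character classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_digits, min_upper, min_special):
            return candidate


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def audit(vault, min_length=16):
    """Report reused and short passwords. vault is a list of dicts with
    'site' and 'password' keys. Reused passwords are keyed by a truncated
    SHA-256 so the report itself never carries plaintext."""
    by_fingerprint = defaultdict(list)
    short = []
    for entry in vault:
        fp = hashlib.sha256(entry["password"].encode()).hexdigest()[:12]
        by_fingerprint[fp].append(entry["site"])
        if len(entry["password"]) < min_length:
            short.append(entry["site"])
    reused = {fp: sorted(sites) for fp, sites in by_fingerprint.items() if len(sites) > 1}
    return reused, sorted(short)


# Constructed sample vault: sites and passwords are invented for the demo.
SAMPLE_VAULT = [
    {"site": "mail.example", "username": "alice", "password": "hunter2"},
    {"site": "bank.example", "username": "alice", "password": "hunter2"},
    {"site": "shop.example", "username": "alice", "password": "Summer2016!"},
    {"site": "forum.example", "username": "alice", "password": generate_password(40)},
]

if __name__ == "__main__":
    print("8 lowercase letters: %.1f bits" % entropy_bits(8, 26))
    print("128 chars from ALPHABET: %.0f bits" % entropy_bits(128, len(ALPHABET)))
    print("new password:", generate_password(128))
    reused, short = audit(SAMPLE_VAULT)
    for fp, sites in reused.items():
        print("password %s reused on: %s" % (fp, ", ".join(sites)))
    print("shorter than 16 chars:", ", ".join(short))
```

The entropy figure is the reason length matters more than cleverness: eight lowercase letters give under 40 bits, while 128 characters from the full alphabet give over 800, far beyond anything an offline cracker can enumerate. The audit deliberately hashes before grouping so that the report can be shared or logged without exposing the passwords it is complaining about.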

There are few things in the world that can make your life more secure and more convenient at the same time. A good password manager is one of them. You need to be using one.

What makes a good password manager

There’s no such thing as one password manager that’s perfect for everyone, unfortunately. This is because different types of password manager provide a different balance between security and convenience, so you’ll need to evaluate where you want to fall on that spectrum.

Here are the big places where that tradeoff happens:

Local storage vs. cloud. At the end of the day, your encrypted password vault is a file, and files have to live on a hard drive somewhere. So do you want yours to live on the hard drive of your own personal computer, or the hard drive of a server out in the cloud?

If you put it on your personal computer, you don’t have to worry about it leaking out if some remote service gets hacked. But if you put it on a server out in the cloud, you don’t have to worry about it leaking out if your personal computer gets stolen or physically compromised. In either case the vault file itself is encrypted, so what someone who gets hold of it can actually do depends on how strong your master password is and how expensive the manager makes each guess at it; a weak master password is the one thing neither storage choice can protect you from. Which of these threats seems like a higher priority to defend against is a decision you’ll have to make for yourself.

There’s also a convenience tradeoff involved. If you use more than one computer, or a computer plus other digital devices (smartphone, tablet, etc.), having your password vault live on a remote server can be convenient, because it removes the need to synchronize that file between all those devices. But it also means that you’re dependent on Internet access in order to get at your stored passwords, unless the tool keeps an offline copy on each device (many do), which may be inconvenient if you’re somewhere where reliable net access is limited or expensive.

Open source vs. closed source. Generally speaking, security tools whose source code is published are considered stronger than those whose code is not, since open source code can be reviewed and audited by third-party experts; with a closed-source tool you are taking the vendor’s word (or a vendor-commissioned audit) for how the encryption is done. But open source tools tend to have clunkier and less elegant user interfaces than closed-source tools do, because closed source tools have programmers who are paid to work consistently on polishing them to a bright shine. So you’ll need to think about how much security you’re willing to give up for a streamlined experience.

Free vs. “freemium” vs. for-pay. There are also a few different ways the creators of these tools distribute them. Open-source tools tend, of course, to be free of charge. Closed-source tools usually cost money, though some offer a “freemium” basic tier.

Some good options

Here are some good password managers for your consideration. They all fall in different places on the tradeoffs outlined above, so I will refrain from pointing to one and saying “everyone just use this.” But I will briefly outline where each comes down on those tradeoffs, to help you avoid wasting time evaluating tools that don’t fit your personal priorities.

This isn’t a comprehensive list of every password manager under the sun; it’s a short list of products I’m either personally familiar with and generally comfortable pointing people at, or that have been consistently reviewed positively over several years. (You’re trusting your password manager with enormous amounts of sensitive data, so this is not a place where you want to be using fly-by-night software.)

  • LastPass. Closed source; subscription pricing, free basic tier or $1.99/month (billed annually) for Premium version. Available for Windows, Mac and Linux. Stores passwords remotely.
  • Dashlane. Closed source; subscription pricing, free basic tier or $39.99/year for Pro version. Available for Windows and Mac. Stores passwords remotely.
  • 1Password. Closed source; subscription pricing, $2.99/mo. for one user or $4.99/mo. for up to five. Available for Mac (Windows version is in beta). Stores passwords locally.
  • KeePass. Free, open source. Runs natively on Windows, usable on Mac and Linux via Mono. Stores passwords locally. Large ecosystem of plugins and add-ons. Interface clunky but usable.

What do I use?

I personally use KeePass, storing the password vault locally and automatically synchronizing it between my machines and devices using the very secure service SpiderOak. For additional protection, the vault is set up to require both a password and a private key file be presented to unlock it.

This approach is much nerdier than anything I’d recommend for general audiences. Even then, though, it’s not perfectly secure; I’d like to replace the private key file with a physical authentication token, for instance, since key files can be copied while physical tokens are unique and thus require actual possession of the hardware token itself to use. Consumer-level physical authentication tokens sadly tend to be flaky and unreliable, though.
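The “password plus key file” setup described above works because the key the vault is encrypted under is derived from both secrets together, so a copied key file without the password, or the password without the file, fails to unlock anything. The following is an added example that models that idea; it is not KeePass’s code. It follows the general shape of a composite key (hash the password, append the key-file key, hash again, then run a slow KDF), but the key-file rules here (32 raw bytes used as-is, 64 hex characters decoded, anything else hashed), the PBKDF2 iteration count, and the HMAC “verifier” used to check the result are simplifications of my own; KeePass has its own key-file formats and offers different KDFs (AES-KDF or Argon2), and a real vault would go on to encrypt its contents under the derived key with an authenticated cipher, which is omitted here. The key-file bytes and passwords in the demo are constructed.

```python
"""Added example (not KeePass's code): a two-secret composite key, a slow
KDF, and an unlock check that fails when either secret is missing or wrong."""
import hashlib
import hmac
import os


def key_file_key(data):
    """Turn the bytes of a key file into a 32-byte key.
    Simplified rules (an assumption, not KeePass's exact format):
    32 raw bytes are used directly, 64 hex characters are decoded,
    and any other content is hashed with SHA-256."""
    if len(data) == 32:
        return data
    stripped = data.strip()
    if len(stripped) == 64:
        try:
            return bytes.fromhex(stripped.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(data).digest()


def composite_key(password, keyfile=None):
    """SHA-256 over (SHA-256(password) || key-file key). Both parts are
    folded into one 32-byte secret; drop either and the result changes."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += key_file_key(keyfile)
    return hashlib.sha256(material).digest()


def derive_vault_key(composite, salt, iterations=200_000):
    """Slow KDF so each guess at the master password costs real work.
    Real managers use far higher counts or memory-hard KDFs such as Argon2."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, dklen=32)


def create_vault_header(password, keyfile=None):
    """Create the unlock metadata for a new vault: a random salt and an HMAC
    verifier under the derived key (hypothetical header layout)."""
    salt = os.urandom(16)
    key = derive_vault_key(composite_key(password, keyfile), salt)
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def unlock(header, password, keyfile=None):
    """Re-derive the key from the presented secrets; return it only if the
    verifier matches (constant-time compare), else None."""
    key = derive_vault_key(composite_key(password, keyfile), header["salt"])
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return key if hmac.compare_digest(verifier, header["verifier"]) else None


if __name__ == "__main__":
    keyfile = os.urandom(32)              # constructed stand-in for a key file
    header = create_vault_header("correct horse battery staple", keyfile)
    print("password + key file :", unlock(header, "correct horse battery staple", keyfile) is not None)
    print("password only       :", unlock(header, "correct horse battery staple") is not None)
    print("copied key file only:", unlock(header, "guess", keyfile) is not None)
```

The last line of the demo is the limitation the post points at: someone who copies the key file still needs the password, but the file adds nothing an attacker cannot duplicate once they have read access to wherever it lives, which is exactly what a hardware token whose secret never leaves the device would fix.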