About Password Managers
Passwords. Has anything else related to technology ever given us so many headaches? Probably not. Passwords are the most commonly used mechanism for protecting all kinds of information and services, but, alas, there are so many to remember! Unfortunately, hackers are aware of all the tricks we use to generate and remember passwords – all too often, they are successful at getting into our accounts via our weak passwords. Some of the challenges with passwords can be addressed with the use of a password manager. A password manager is an application that can generate, store and manage all of your account credentials (usernames and passwords) and their associated login portals (websites, URLs) in a secure, central location (“vault”). The vault is encrypted, so your passwords are never stored in clear-text anywhere. The benefit of using such an application is that each website and account can have a unique, truly random, long password, and you don’t have to remember it – the password manager can remember them for you, and even help you avoid typing your passwords into faked or insecure websites. There is some risk in storing “all the keys to the castle” in one location, but overall, there is a net benefit when you use a password manager configured securely, and as it’s intended. How do you choose a password manager that is right for you?
Here are some factors and features to consider when choosing a password manager:
- Price – Some password managers are one-time purchases, while others are based on a subscription billing model. Many password manager software vendors offer free versions of their applications as well. The free versions will come with limited features – the missing features may be ones that you really should use, so a paid version will likely be a more secure choice. You should investigate what happens to your passwords and how to export them if you stop paying (or get a new device).
- Method, location, and backup of password vault storage – Is the vault stored on the local device (laptop, desktop computer) or in the cloud? What backup options are available? Is the encryption algorithm used to secure the password vault strong enough? Can you handle the risk if you store the passwords locally and the device gets corrupted? Some people are wary of storing their passwords “in the cloud,” and if that is the case, then a password manager that stores the vault locally would be the best choice. Other people value the convenience of having their passwords available across multiple devices, which would require cloud syncing and/or storage. Good password managers can accommodate both approaches, and will allow you to configure the storage options you need.
- Import/Export of passwords – If you ever switch to a different password manager, you will need the ability to move the contents of your password vault.
- Ability to store more than just passwords – Some password managers can store other types of information, like credit card information, software license keys, WiFi passwords, answers to security questions for website logins, scanned images of passports, etc.
- Random password generator – This feature allows you to generate truly random passwords for your accounts. Look for the ability to specify length, and how many of each type of character (number, upper- and lower-case letters, special characters) you want in your generated passwords. The feature should be smart enough to recognize when you’re creating a new login, and offer to generate the password for you.
- Password auditing features – Good password managers can check for duplicate, old, or weak passwords for you. The better applications will even check to see if you have any passwords stored for websites that have been compromised.
- Compatibility – The more platforms the password manager will work on, the better, so look for one that will work on Apple iOS, Android, Windows and Mac.
- Availability of browser plugins – Make sure there is a browser plugin or extension for the browser you use, whether it is Chrome, Safari, Edge, Firefox, or something else. Without a browser extension, you lose a major benefit of using a password manager – autofilling login forms on websites.
- Autofill features – Can the application fill in web forms automatically, or remember websites? Will it remember more than just usernames and passwords? Can you set a different autofill option for each website? (You might not want to have autofill enabled everywhere, for security reasons.)
- Vendor support and reputation – You should pick a password manager written by a well-known and respected software vendor. Password managers are software programs that should be updated regularly to address flaws, just as you would with any other program.
- Password sharing capabilities – Some people require this feature, while some may prefer that it not be available at all. If you want to share passwords, look for the ability to restrict the passwords from view, and to make them read-only.
- Requirements for two-factor authentication and strong login passwords – Do not trust any password manager that does not require you to use two-factor authentication to access the vault, or that does not enforce complex passwords. The more options for setting up two-factor authentication, the better, but it should not allow SMS text messages as an option.
- Availability of other security features – Look for other features related to security. Can you set the password manager to log out after a certain amount of inactivity, or on a set schedule? Does the application allow you to trust certain devices? Can you use a biometric factor (like a fingerprint scan) when logging in? What account recovery options are available if you forget your vault password? Can the password manager detect odd login activity (like from another country)? Can you set the password manager to reprompt for the master password or send email alerts after certain events? Can you share a password in an emergency?
Once you’ve selected your password manager, you need to set it up securely, and use it wisely to keep your passwords safe. Most of the recommendations for using a password manager securely can be reduced to a simple idea: if a feature or setting adds convenience, it lessens security. Because password managers hold the ‘keys to the castle,’ the balance between convenience and security should favor security. While this isn’t (and can’t be) an all-inclusive list, there are some basic things you should do while using a password manager.
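Two of the features listed above, the random password generator (length plus a minimum count per character class) and password auditing (duplicate, old or weak entries), are easy to illustrate in a few lines. The script below is an added example written for this page; it is not code from any password manager product. The vault entries and the tiny weak-password list are constructed sample data, and the thresholds (12 characters minimum, 365 days maximum age, at least three character classes) are assumptions chosen for the illustration.

```python
import secrets
import string
from datetime import date

# Character classes a generator typically lets you require.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!#$%&*+-=?@^_",
}


def generate_password(length=20, minimums=None):
    """Return a random password of `length` characters with at least
    minimums[cls] characters from each class, drawn from the OS CSPRNG."""
    minimums = minimums or {"lower": 1, "upper": 1, "digit": 1, "special": 1}
    if sum(minimums.values()) > length:
        raise ValueError("length too short for the requested minimums")
    # First satisfy the per-class minimums, then fill from the full alphabet.
    chars = [secrets.choice(CLASSES[cls]) for cls, n in minimums.items() for _ in range(n)]
    alphabet = "".join(CLASSES.values())
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle with the CSPRNG so required characters are not in fixed positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def class_counts(password):
    """How many characters of each class a password contains."""
    return {cls: sum(c in alphabet for c in password) for cls, alphabet in CLASSES.items()}


# Constructed sample vault (hypothetical sites, not real credentials).
SAMPLE_VAULT = [
    {"site": "https://mail.example.com", "user": "alice", "password": "Winter2019!", "changed": date(2019, 1, 15)},
    {"site": "https://bank.example.com", "user": "alice", "password": "Winter2019!", "changed": date(2019, 1, 15)},
    {"site": "https://shop.example.com", "user": "alice", "password": "password", "changed": date(2024, 3, 1)},
    {"site": "https://forum.example.com", "user": "alice", "password": "x7Qm#vR2pL9!kW", "changed": date(2024, 6, 1)},
]

# Tiny constructed denylist; a real product would check against breach corpora.
WEAK_LIST = {"password", "123456", "qwerty", "letmein"}

# Fixed "today" so the audit result is reproducible (assumption for the example).
AUDIT_DATE = date(2024, 9, 1)


def audit_vault(vault, today, max_age_days=365, min_length=12, min_classes=3):
    """Return [(site, [issues])] for entries that are duplicated, old or weak."""
    sites_by_password = {}
    for entry in vault:
        sites_by_password.setdefault(entry["password"], []).append(entry["site"])

    findings = []
    for entry in vault:
        pw = entry["password"]
        issues = []
        if len(sites_by_password[pw]) > 1:
            issues.append("duplicate")
        if (today - entry["changed"]).days > max_age_days:
            issues.append("old")
        classes_used = sum(1 for n in class_counts(pw).values() if n)
        if pw.lower() in WEAK_LIST or len(pw) < min_length or classes_used < min_classes:
            issues.append("weak")
        if issues:
            findings.append((entry["site"], issues))
    return findings


def audit_report():
    """Audit the constructed sample vault as of AUDIT_DATE."""
    return audit_vault(SAMPLE_VAULT, AUDIT_DATE)


if __name__ == "__main__":
    print("generated:", generate_password(20, {"lower": 2, "upper": 2, "digit": 3, "special": 1}))
    for site, issues in audit_report():
        print(f"{site}: {', '.join(issues)}")
```

The generator fixes the per-class minimums first and then shuffles with `secrets.randbelow`, which is the property to look for in a product: the required characters should not end up in predictable positions. The audit flags the two reused entries as duplicate, old and too short, and the denylisted one as weak, while the long mixed-class entry passes.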
Some good practices to keep in mind once you do find a password manager:
- Use a very good (“complex”), very long password for your master vault password, and memorize it. If you don’t want to memorize it, write it down and store it somewhere secure. If you only ever want to memorize one password, the vault password should be the one.
- Use two-factor authentication when logging into your vault. Don’t use SMS text messages for the 2nd factor, however. Smartphone apps like Google Authenticator and Authy, hardware tokens like Yubikeys, or push notifications to your phone are acceptable second factors. It’s best to set up at least two methods, so that if the primary second factor is unavailable, you have a backup method.
- Restrict what website logins the password manager will autofill for you. (Some password managers allow you to do this per account, others may have just one global setting.) It is convenient to use autofill, but it is more secure to copy and paste the information from the vault into the website.
- Be careful to not access your vault on unencrypted/open WiFi connections, if it is cloud-based.
- Use the URLs stored in the password manager for logging into websites, rather than typing in the URL in an address bar. This eliminates the possibility of you mistyping a website, and accidentally putting your credentials into a faked website that will steal your password.
- Learn about the recovery options if you forget or lose your master password, or if your vault account is otherwise compromised. It shouldn’t be extremely easy to recover your account, nor should it be impossible. Some options typically include a recovery email address, a recovery phone number, or setting up one-time passwords.
- Set the password manager to log out of the vault after a period of inactivity, and keep the period short (15 minutes or less). The password manager should also log out when you close the browser, if you use a password manager with a browser extension.
- Limit the number of devices the password manager can “trust” as well as the amount of time they are trusted.
- Only log in to your vault when you need to. Don’t keep it open unnecessarily.
- If you use the password manager’s mobile app, make sure you secure the mobile device as well.
Some of these recommendations may not be possible depending on the features of the password manager you use, but most should be available in the better password manager applications.