You Need a Password Manager

History

The Internet is not a safe place. It was never designed to be. Its adoption has grown far beyond anything its creators dreamed could be achieved. Security was an afterthought, because the creators were too wide-eyed and optimistic to think that anyone could ever use this new technology for evil. But today we no longer use the internet for its original purpose of sharing academic papers. We use it for communication, for business, for commerce, for research, for recreation.

As we continue into the 21st century, one 20th-century holdout returns to bite us in the butt again and again: passwords. Companies fall victim to breaches carried out by state-sponsored actors, opportunistic hackers, and curious researchers. With each new breach comes another treasure trove of user logins and passwords. Thorough analysis of the exfiltrated data only confirms what we already know: people are lazy when it comes to passwords. They're short, they're weak, and they're re-used between different websites. It is important to stress that this is not your fault. Once upon a time, the average person only had a handful of passwords they had to remember. Whether it was the password to their local/work computer, to their email provider, or to their favorite message board, no one really cared if your password was only six characters and all lowercase. In most cases the password was stored locally--it's not as though it could be shared with anyone.

The User's Dilemma

Today, however, the average person has dozens of logins. They have multiple computers they might log into in a given day. They have several different email addresses to manage their personal/work/student emails. They have logins for their various social networks, logins for their music streaming sites, their gaming sites, their e-commerce sites. They have logins for their banks, their pay-stubs, their insurance providers, their medical bills. And each site (for your safety, of course) mandates a password that must satisfy the following requirements:

When presented with such ridiculous requirements, one can hardly be blamed for constructing the perfect password once and using it for multiple sites. The problem arises when this one password becomes compromised. It is now no longer one account that is in danger, but every website on which you might have ever used that username/password combination. The value in the leaked username and password is no longer in providing access to that particular website, but in what other websites might also use that same username-password combo.

The only way to mitigate the danger posed by a password leak is to use a unique, random password for every site that you visit. Using a random, unique password provides the following benefits:

Once you have created a random, unique password for every website, you need a way to store them. This is where a password manager comes in. A password manager acts as a personal database of all of your passwords, allowing you to retrieve them whenever you need to log in somewhere. Password managers come in all sorts of flavors. Some will simply store the passwords for you. Others will offer to generate random passwords for you as needed. Some can hook into your browsers via add-ons or extensions so that you don't even need to go through the trouble of copying and pasting the password into the site's login form.

Getting a Password Manager

You have many options to choose from for finding a reliable password manager. If you only have one device (say, just a laptop), a limited, free password manager will probably work for you. If you have multiple devices, however, you may wish to invest in a password manager that is multi-platform. Some worth considering are:

Paid password managers are not the only option, however. The free application KeePass is a perfectly fine free and open-source password manager with community-made ports to various platforms. You can even sync your database between devices with a little bit of work.

KeePass is free, open source, and cross-platform. It even includes a "portable", installation-free version of the app if you wish to use it on an employee or student laptop.

The Next Step After Getting a Password Manager

Getting a password manager is only the first step. Now you have to start using it. This means that for all new websites at which you register moving forward, you should not try to come up with the password yourself. Instead, you should let the password manager generate a secure password for you, based on the requirements of the website. If the site will allow numbers, capital letters, and special characters (and most sites should), let the password manager put those into the randomly generated password in order to maximize its entropy. Sites rarely tell you the maximum password length they will accept (until you exceed it), but in general, you should endeavor to make the password as long as the site will allow. If the site will allow 25 characters, make it 25 characters. A longer password is more difficult to crack, and it makes no difference to the password manager how long the string is that it stores.
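To make the "longer and more character classes means more entropy" point concrete, here is an added example (not code from the article or from any password manager it mentions) of what the generator inside a password manager does: it draws each character from the OS's cryptographic random source and computes the resulting entropy as length times log2 of the alphabet size. The set of special characters is an assumption made for the example; every site accepts a different set.

```python
import math
import secrets
import string

# Character classes a site might allow. The SPECIAL set is an assumption made for
# this example; real sites differ in which symbols they accept.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"


def allowed_classes(upper=True, digits=True, special=True):
    """Lowercase is always allowed; the other classes follow the site's policy."""
    classes = [LOWER]
    if upper:
        classes.append(UPPER)
    if digits:
        classes.append(DIGITS)
    if special:
        classes.append(SPECIAL)
    return classes


def generate_password(length, upper=True, digits=True, special=True):
    """Draw every character uniformly from the allowed alphabet using the OS CSPRNG
    (the secrets module, never random), then re-draw if some enabled class is
    missing so the result also passes the usual "at least one of each" site check."""
    classes = allowed_classes(upper, digits, special)
    if length < len(classes):
        raise ValueError("length too short to include every enabled character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length, upper=True, digits=True, special=True):
    """Entropy of a uniformly random string of this length: length * log2(alphabet size).
    Rejecting strings that miss a class trims this slightly; it remains a good estimate."""
    alphabet_size = sum(len(cls) for cls in allowed_classes(upper, digits, special))
    return length * math.log2(alphabet_size)


def meets_policy(password, upper=True, digits=True, special=True):
    """True when the password contains at least one character from every enabled class."""
    return all(any(ch in cls for ch in password)
               for cls in allowed_classes(upper, digits, special))


if __name__ == "__main__":
    for length in (8, 12, 25):
        pw = generate_password(length)
        print(f"{length:2d} chars, all classes: {pw}  (~{entropy_bits(length):.0f} bits)")
    lower_only = entropy_bits(8, upper=False, digits=False, special=False)
    print(f" 8 lowercase-only chars: ~{lower_only:.0f} bits")
```

Running it shows why the article's advice scales the way it does: an eight-character lowercase password sits near 38 bits, while a 25-character password drawn from all four classes exceeds 160 bits, and the password manager stores either one just as easily.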

Next, you'll need to begin the process of 'migrating' your existing accounts to the password manager's password safe. This means doing the following:

  1. For every site you can think of, log in to the website using your old password.
  2. If you are using one of your password manager's browser add-ons, the password manager will prompt you as to whether you would like the site you just logged into to be added to your safe. This should automatically capture the URL of the website, your login ID, and the password. If they did not all get captured, review the entry in your password manager's safe/vault and make sure that the entry contains the correct URL/username/password. All three of these must be correct in order for the password manager to work properly.
  3. Now, log out of the website and then verify that you can use the password manager in order to log in. Again, if you have a browser add-on/extension for your password manager, the add-on may detect that you are visiting a website for which you have a stored login and automatically fill in the username and password fields. If not, you will need to manually copy the username and password from the vault and then paste them into the login form. Some password managers like KeePass take proactive steps to prevent your password from being pillaged from the system clipboard by automatically clearing your clipboard after so many seconds whenever a password is copied from the KeePass vault. In those cases, you will need to make sure that you paste the password within ten seconds, or you will have to copy it again.
  4. Once you have successfully migrated all of your passwords to the password manager vault, you will want to start changing them from the original password into something randomly generated. This process can be long and tedious, and so I would recommend that you change your most "at risk" logins first: these would include anything that is tied to a credit card, anything that can be used to log in to other websites (e.g. your Google, Facebook, or Microsoft accounts), and any e-mail logins you might have that are listed as recovery accounts for other logins. Many password managers have services that can proactively scan your database for risks like logins that have potentially been compromised, logins with weak passwords, or logins whose passwords are re-used across other logins. These are ones that you should change as soon as possible. Finally, when all others have been changed, begin changing the ones that are strong but NOT random. Ideally, you want your entire vault to contain randomly-generated passwords.
  5. Some password managers have existing relationships with various websites such that they can try to log in and change the password for you automatically. Those logins will usually be labeled in the vault with an option to Automatically Change Password. For others, you will need to log in to the website itself and change the password using the website's "Change Password" page. When you are prompted to enter the new password, use the password manager's Generate Secure Password option to create something random and cryptographically secure. At this step you may want to briefly copy the newly-generated password into Notepad, just until you can confirm that it has been updated in your vault. If your password manager has a browser add-on, the password manager should detect that you submitted a new password for the website's login and offer to update the vault automatically. If it does not, edit the entry in the password vault, manually copy the password you pasted earlier into Notepad back into the vault, and save it.
  6. As before, log out of the website and confirm that your password manager is able to log in using the new credentials. The password will typically be masked within the vault, but there is almost always an option to 'peek' at it and look at the plain-text password. If it updated correctly, the password should now be a string of random characters. If the new, randomly-generated password does not allow you to log in to the website but your old password still works, then it's possible that the database hasn't been updated yet on the website's end. Sometimes this happens. Wait a few minutes and then try again. If neither the old nor the new password works, then you'll have to reset your password and try again (this is why it's a good idea to get your recovery e-mails migrated early).

While rotating passwords periodically is a good idea, focus first on getting them randomized and unique. They are less dangerous when leaked if they only work for one website, so rotating them is less critical.

Frequently Asked Questions

How does putting all of my passwords into a password database / password manager make them any safer?

Any password manager worth your time will take steps to make sure that everything within your password database is securely encrypted. Your password database will usually be secured by, you guessed it, a password. When securing your password database, this would be the one time you should not use a random password. Instead, most password managers recommend that you secure your password database with a password phrase. A password phrase simply means that it is at least several words long. You are highly encouraged to come up with your own sentence that will be memorable to you. Failing originality, many pick something long but familiar to them: a line of poetry, a song verse, a particularly horrid pick-up line, etc. If written like a normal English sentence, with proper capitalization and punctuation, you are likely to achieve the desired mix of letter cases and special characters without going too far out of your way.

Danger: A password manager is useless if you do not have a good strong Master Password protecting your vault. Do not skimp on complexity! Make the Master Password long and complex.

The average password is weaker than it should be because complex passwords are difficult to remember. Nobody wants to go through the agonizing process of making the long, heavily punctuated!!!, cAsE mIxEd, v0w3ls-r3pl@c3d-w1th-nVmb3rs passwords that are strongly recommended for every single website. But when you have a password manager, the passwords can be however long and complicated they need to be because you no longer need to remember them. When you only have to remember a single password phrase to open the password safe, it frees you from the burden of having to remember the individual logins and allows you to replace them with something secure.

How does a leaked Myspace password give hackers access to my Facebook/Yahoo/Amazon account?

Most websites store their users' credentials in a database of some kind. Within a poorly secured database (think of a message board created circa 2001), the database might look something like this:

Username         Email Address                    Password
KnuckleJoe5686   knucklejoe@yahoo.com             qwerty123456
JohnSmith1987    john.smith@gmail.com             Im@d3@s3cVr3p@ssw0rd!
Lord_of_Pants    ryan.milhouse.kennedy@nyu.edu    ThereAreTooManyOstriches

The above is a simplification, because very few websites these days store the password directly (unfortunately, some still do). Instead they store something called a "hash," which is a way of transforming the password such that it can be used to verify a password's correctness without storing the password itself in plain-text. While this technique mitigates the risk of the raw password being figured out should the hash be exposed, it does not completely eliminate the risk. Hackers continue to find ways of reversing the hash such that the original password can be determined, either through brute forcing (which takes a long time) or via the use of rainbow tables (a precomputed 'dictionary' of common words and their computed hashes). What were once considered 'secure' hashes like MD5 have been so thoroughly broken by the speed of modern processors that cracking them has become trivial: the hashes of an entire database can be cracked quickly.
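The difference between a fast, unsalted hash and a properly stored one is easier to see in code. The following is an added example (not from the article) using the three rows of the table above as a constructed sample database and a tiny constructed list of common passwords standing in for an attacker's precomputed table. The iteration count and the storage format are assumptions made for the example.

```python
import hashlib
import os
import secrets
from typing import Optional

# Constructed sample of a "poorly secured" credential table (the rows from the article).
PLAINTEXT_DB = {
    "KnuckleJoe5686": "qwerty123456",
    "JohnSmith1987": "Im@d3@s3cVr3p@ssw0rd!",
    "Lord_of_Pants": "ThereAreTooManyOstriches",
}

# Constructed stand-in for a precomputed table: a few common passwords and their
# unsalted MD5 hashes. Real tables hold billions of entries; the idea is the same.
COMMON_PASSWORDS = ["123456", "password", "qwerty123456", "letmein", "iloveyou"]
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def store_md5(password: str) -> str:
    """The weak scheme: fast, unsalted MD5. The same password always yields the same hash,
    so one precomputed table answers for every site and every user."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """The stronger scheme: a random per-user salt plus a deliberately slow key
    derivation (PBKDF2-HMAC-SHA256). Format is an assumption for this example."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(candidate.hex(), digest_hex)


def lookup_precomputed(stored_hash: str) -> Optional[str]:
    """What a precomputed table gives an attacker: an instant answer, but only for an
    unsalted fast hash that matches an entry byte for byte."""
    return MD5_LOOKUP.get(stored_hash)


def hashes_reveal_reuse(password: str, scheme) -> bool:
    """Does storing the same password twice produce the same stored value? If so, the
    database itself advertises which users (or sites) share a password."""
    return scheme(password) == scheme(password)


def compare_schemes() -> dict:
    """Per user: does the precomputed table recover the password under each scheme?"""
    result = {}
    for user, pw in PLAINTEXT_DB.items():
        result[user] = {
            "md5_cracked": lookup_precomputed(store_md5(pw)) is not None,
            "pbkdf2_cracked": lookup_precomputed(store_pbkdf2(pw)) is not None,
        }
    return result


if __name__ == "__main__":
    for user, outcome in compare_schemes().items():
        print(f"{user:15s} md5 cracked by table: {outcome['md5_cracked']!s:5s} "
              f"pbkdf2 cracked by table: {outcome['pbkdf2_cracked']}")
    print("MD5 reveals reuse:", hashes_reveal_reuse("qwerty123456", store_md5))
    print("PBKDF2 reveals reuse:", hashes_reveal_reuse("qwerty123456", store_pbkdf2))
```

KnuckleJoe's "qwerty123456" falls out of the MD5 column immediately because it is a common password, while the salted, slow scheme forces an attacker to start over per user and pay 200,000 hash computations per guess. Note that the strong scheme does nothing for John Smith if he used "Im@d3@s3cVr3p@ssw0rd!" on five other sites: the next site may still be storing MD5, which is exactly why the article insists on unique passwords rather than trusting any one site.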

Most websites identify you via a username or e-mail address. While a unique username per site would be safer, you are unfortunately still required to submit an e-mail address in order for the website to send you confirmation and recovery e-mails. This means that your e-mail address is still being stored in the database, even if you log in with a username. A bad actor who sees the exposed database will look at the second entry in the table, "john.smith@gmail.com", and decide to see what other websites they can log into using john.smith@gmail.com and the password "Im@d3@s3cVr3p@ssw0rd!". If John registered for Facebook using that same e-mail address and used the same password, the bad actor can now log in to John's Facebook. If John registered for Amazon using the same credentials, the bad actor now has access to John's Amazon account, and potentially John's saved credit cards.

I heard that people's passwords get leaked because they're "weak" and easy to guess. I followed all the guides and made a strong, "secure" password. Why am I still at risk?

In the past year alone, several dozen high-profile corporations and websites were hacked. Their databases were breached, and their users' credentials were leaked through no fault of their own. You cannot survive under the assumption that creating a secure password is enough to prevent it from being leaked, because you are implicitly trusting the website to do an adequate job of protecting it. As numerous leaks have shown, they don't.

Put another way, it is not your fault if your password gets leaked. It is your fault if that leak allows an attacker to gain access to another one of your logins.

Why should I care if my Yahoo account from ten years ago gets leaked? I don't even use it anymore.

Maybe not. But maybe that e-mail address still has valuable information in it. Maybe there are old invoices from shopping purchases you made ten years ago that still contain pertinent billing information. Maybe that ten-year-old Yahoo account is still listed as a recovery e-mail address for the Facebook account that you also set up ten years ago. In which case, a hacker could gain access to your Apple/Facebook/Amazon account by using the "Forgot My Password" option and triggering a password reset e-mail to be sent to the Yahoo e-mail which they now control.

Warning: Never use that spam-ridden "only-check-it-once-a-year" e-mail address as a recovery e-mail unless you are willing to secure it. If you rarely check it, you will be slow to notice that it has been compromised.

I just don't have anything of value for people to steal.

Sure you do. Your Amazon/eBay/PayPal accounts give an attacker unfettered access to your credit cards. Your Apple account can be used to remotely lock out and wipe your iPhone, iPad, or MacBook (before the Android crowd starts to gloat: your Gmail account can do the same thing to your Android phone, Android tablet, and Chromebook). Your Facebook account could lure your friends and family into infecting themselves with ransomware when they visit a bogus link posted on your wall. Your student e-mail address could be used to send a request to your university's Office of Admissions, asking them to drop you from all of your classes.

Why can't I just keep all of my passwords in a Notepad file?

A plain-text file sitting on your desktop is highly vulnerable to access by a third party. It offers no defense against someone opening the file when you step away from your computer and now having an organized, human-readable list of all of your passwords. A good password manager's database will be encrypted, making it unusable to an attacker if the file is stolen without having been unlocked. Additionally, password managers with dedicated programs that encompass the database will often implement additional security measures, such as automatically locking the database after it has been opened if it is not accessed for a certain period of time.

Don't Do It: Putting all of your passwords into a plain text file is bad. Calling the file "passwords.txt" is very bad. Putting the passwords.txt file on your desktop is a grave sin, and if it's still there by the time you finish reading this, you deserve whatever misfortune befalls you.

I don't want to store my passwords. I use a method for creating secure passwords such that I never need to write them down.

Most of the "methods" that have been suggested for creating secure passwords that do not need to be maintained in a database consist of the following parts:

  • Some piece that doesn't change (e.g. a fixed phrase that forms part of the password)
  • A piece that changes according to the domain of the website
  • A final hash or manipulation

For instance, someone might start with a memorized phrase, "Sup3r_S3cr3t_P@ssw0rd", that they keep consistent across all of their passwords, but then append the name of the website to the end so that every website's password is technically unique. Their Facebook password would hence be "Sup3r_S3cr3t_P@ssw0rd_Facebook".

While seemingly effective at first glance, the password would still pose a security risk to your other passwords were it ever exposed. If someone were to figure out how you came up with one, they would theoretically be able to figure out how you come up with any of them. Should one of your passwords ever be included in a leak, someone who sees the word "Facebook" in the leak would easily guess that your Amazon password is probably "Sup3r_S3cr3t_P@ssw0rd_Amazon". Now you must come up with an entirely new method for generating your passwords!

What if I hash the password somehow so that the method is not obvious? Then if the password is leaked, I will just hash it again.

If we take away the fancy terminology, re-hashing an already exposed password is sort of like taking your password "Sup3r_S3cr3t_P@ssw0rd_Yahoo" after it has already been leaked and adding a one or an exclamation point to the end of it, so that it now says "Sup3r_S3cr3t_P@ssw0rd_Yahoo1!" And if Yahoo really screws up and lets it get stolen again? Well, just hash it again, I suppose (or replace that '1' with a '2'). Yes, your password is now "secret" once more, and yes, you can still remember it, but this assumes that Yahoo is the only password of yours that will ever be leaked (it won't be). Once four or five of them have been breached, forcing a password reset, you now have to keep track of which sites were generated via your original method, and which ones now have a '1' at the end of them. Or a '2'. You'll soon have to write down that info. And as long as you're storing a list of which 'generation' of passwords you're using on various sites, why not just store the passwords?