This is the fourth part of a series about passwords—what they are, how they work, and how to use them securely.
- Click here to read the first part of the series, Passwords Part 1: What is a password?
- Click here to read the second part of the series, Passwords Part 2: The problem(s) with passwords.
- Click here to read the third part of the series, Passwords Part 3: How to use passwords securely.
In Part 1, we looked into some password foundations—secure systems, secure accounts, the username, the password, encryption and decryption. In Part 2, we talked about why passwords can be such a pain to use. In Part 3, we examined the most secure ways to treat and use passwords.
And that leaves us now with a bit of a conundrum. Since we know that we can’t use short, easy-to-remember passwords that contain real words, what does that really mean?
It means that, in order to increase our online security, we need to use passwords that are long, confusing, and hard to guess. Oh, and they will absolutely be hard to remember.
So, how the heck are we supposed to use them?!?
It just so happens that, if you are reading this, you have a handy, powerful device (or several) that can do most of the heavy lifting when it comes to remembering passwords. Your computer! And your smartphone or tablet, too, of course.
That brings us to my preferred solution for remembering complex passwords: password managers.
Some fine print
Now, before we go too much further, I have to do a bit of disclosure. I have a client that is a technology startup developing a new type of password manager. The product is not yet on the market. But I do have a potentially biased opinion when it comes to password managers. Also, because the product is not on the market, I will be mentioning or recommending some companies that will be potential competitors of my client in the future. But rest assured, I will NEVER recommend a product or service that I would not be comfortable using myself or recommending to my Mom.
Ok, whew, disclosure complete.
What is a password manager?
A password manager is a software program that runs on your computer or other digital devices and is designed to make it easy for you to generate and save complex passwords.
Some password managers are websites that will be accessible to all of your modern devices. These most often store your secure data in the cloud, which just means that your data is held on one or many computers all over the world, rather than only on your computer.
This cloud access makes sharing passwords between your phone, computer, and tablet very convenient, but it also begs some questions, like “is my data safe, can my data be accessed by employees of the software company, and can the website be hacked?” If secure, cloud computer systems and websites can get hacked or suffer other security breaches, and the password manager is a secure website that stores data on the cloud, isn’t that website also at risk of being hacked or breached?
The answer is yes.
All secure systems, including websites and computer programs that run in the cloud, are at some level of risk of being hacked or suffering other types of breaches. The question you then have to ask yourself are, “How much do I trust that website or app and is it worth the risk?”
Assessing risk
Much of what you will hear from me in regards to online security and privacy is not about absolutes. Aside from some glaring truths about online security, such as the need to adhere to password best practices and the importance of running software updates, many of the issues you will face in being safer online will require you to make choices about the amount of risk you’re willing to take.
We all need to regularly ask ourselves, “Is what I’m about to do worth the risk?” And, of course, how can you assess risk if you don’t the facts about how things work?
My mission is to give as many people as possible the tools they need to improve their digital critical thinking and technology risk assessment. So, when you ask me if using software password managers will make your stored data 100% safe, I have to answer “no.”
What I can say, is that any reputable company that wants to make money keeping your data safe has a vested interest in doing their best to stay on top of security. However, some will make choices in their products that favour convenience over security.
Here are three basic requirements that, I believe, all password managers should have:
- First, the product should employ the highest level encryption possible. At the time of writing, 256-bit AES encryption is the most common form of high-security encryption. The military and most online baking systems use it.
- Second, user data stored in secure accounts should be encrypted before it is transferred from the user’s device to the secure system. This will mean that an individual’s data can only be decrypted, or unscrambled, on their devices. No one from the software company will ever be able to access plain text passwords. This also means that no hacker will be able to intercept plain text data as moves from the device to the secure system.
- Third, the password manager should use some type of secondary authentication. All password managers will require a single “master” password to log in. But what if someone gets access to your master password? Won’t that put you at risk? Multi-factor authentication will require you to verify your identity on a smartphone or other device when you try to log in to your account. This makes it much harder for someone to break into your account. Some products will require you to have a physical key. This is usually an encoded USB drive or something similar to an electronic fob for unlocking your car. For more information about multi-factor authentication, read the third article in this series.
If the password manager you’re considering doesn’t satisfy these basic requirements, I recommend avoiding it. If it does, then you need to make a choice about whether or not the product and company seems reputable enough to trust. This may include a bit of research to find out if, or how often, that company has been hacked in the past.
Other types of password managers
Some password managers are not websites, but programs that need to be installed separately on your computer and mobile devices. Sometimes, these products will save your data ONLY on your device, not in the cloud. If cloud storage of your data makes you nervous, then you may want to consider this type of password manager.
Other password managers are websites that require you to install a web browser extension. An extension is a small computer program that operates inside of Google Chrome, Safari, or other web browsers. These products can be harder to set up and manage. You should avoid them if you’re not comfortable with managing browser extensions.
Some password managers to consider
While I encourage you to do your own research into which password manager is best for you. As a start, here are a few options from reputable companies that satisfy my minimum requirement listed above:
- LastPass is arguably the most popular password manager out there. While it satisfies my minimum requirements, you should also know that it requires you to install a browser extension, as well as install a separate mobile app for use on a smartphone or tablet. This makes it one of the more difficult products to get going. LastPass also uses autofill features in your web browser and mobile device. This will automatically fill your stored usernames and passwords into forms. This method has been known to cause security flaws in the past. LastPass also has a history of security vulnerabilities, although the company regularly updates its and security flaws it comes across.
- 1Password also satisfies my minimum requirements, but also requires installation of separate programs and browser extensions. Like LastPass, it also uses autofill features.
- Dashlane is another option that meets my minimum requirements. It will require you to install separate software on your computer and mobile devices in order to work. Like LastPass and 1Password, Dashlane also uses autofill features.
- You can find more options for password managers in this recent CNET article.
Whichever choice you make, please remember to adhere to the golden rule of passwords: If you can remember the password, it’s not secure enough.
Have fun, and be safe!
Rob Parker, aka the Grumpy Designer