Almost everyone with a few online website logins has a method for remembering passwords. But how secure do you think your method is? This resource describes password managers and explains why you should use one to be more secure online.
About Password Managers
A password manager is a piece of software—usually cloud-based for accessibility—which lets users keep their sensitive website access information (such as username, password and URL) in an encrypted form so it cannot be easily stolen.
With a password manager, you only need to remember one password—which is commonly known as the ‘master password’. With this, you can unlock your password vault to access and use all of the passwords it secures. Instead of having to memorise all your passwords, you can use a password manager to create complex passwords that are significantly more secure.
Password managers also enable you to use a unique password for every website you have a login for. This limits the damage if one website is compromised, because the leaked password cannot be reused against your other accounts.
Some password managers are free to use, and some attract a small monthly or yearly subscription fee depending on the array of features you want access to.
In recent times, some password managers have also introduced features that identify known recent exploits or hacks of services (such as your bank, superannuation provider or cryptocurrency exchange) and cross-reference that list with the services you have login details for. This lets them alert you if one or more of your logins may have been compromised, so that you can change your login details as soon as possible and avoid any negative consequences.
Most cloud-based services have mobile apps or browser extensions, allowing you to sync your password vault across devices. This means you can access all your passwords on any device at any time.
Password Manager Examples
There are a few major players in the password manager space, the most common of which are 1Password and LastPass. If you are looking into other password managers, ensure that they encrypt your vault using a master password and that they never store or know your master password (otherwise all of your logins may be exposed to a higher level of risk).
1Password’s name comes from the one password you have to remember—the master password! They have been in operation since 2006 and have a great reputation within the cyber security industry as a leader in the space.
1Password comes with all of the typical features that you should expect from a leading online security company and has enjoyed a great track record in securing users’ data.
LastPass is one of the most popular password managers and has also been in operation for many years. Among LastPass’ features are multi-factor authentication (MFA) and local password vault encryption.
Types of Password Managers
Desktop-based password managers
A desktop password manager keeps your passwords in an encrypted file locally on your device. They don’t sync to cloud storage and most don’t sync to your other devices. Desktop-based password managers are great if you don’t want your passwords to be stored in an online database.
Cloud-based password managers
A password manager that operates its service from the cloud gives you access whenever you have an internet connection. Your passwords are encrypted and stored on the provider’s servers.
Accessibility is the key benefit of using a cloud-based password manager. These managers usually offer software for any browser—via browser extensions—as well as local software that can be installed on the major operating systems.
Single Sign-On (SSO)
SSO is used widely on the internet and in business: it gives users a virtual ID card which lets them access the systems they need. It’s like a swipe card for an office building that can open many doors. Having one login for many systems reduces forgotten passwords, which IT departments typically dislike dealing with.
Password Manager Tips
It’s important the password manager company you choose has programmatic safeguards in place to ensure they can’t access your passwords without your master password.
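The safeguard described above is easiest to see in code. The following is an added illustration, not code from the original article or from any real password manager: the client derives the vault key from the master password with a slow key-derivation function, then derives a separate login token one-way from that key, and the server stores only a salted hash of the token. The iteration counts, the two-stage derivation and the class and function names are assumptions made for this example.

```python
"""Added example of a 'server never knows the master password' design.
Parameters and names are assumptions for illustration, not a vendor's."""
from __future__ import annotations

import hashlib
import hmac
import os

CLIENT_ITERATIONS = 600_000  # assumption: deliberately slow, runs on the user's device
SERVER_ITERATIONS = 10_000   # assumption: extra slowing of the stored verifier
KEY_LEN = 32


def derive_vault_key(master_password: str, user_salt: bytes) -> bytes:
    """Client side only: the key that encrypts the vault. Never leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), user_salt, CLIENT_ITERATIONS, KEY_LEN
    )


def derive_auth_token(vault_key: bytes) -> bytes:
    """Client side: a login credential derived one-way from the vault key.
    Knowing the token does not reveal the vault key or the master password."""
    return hmac.new(vault_key, b"login-authentication", hashlib.sha256).digest()


class VaultServer:
    """Holds, per user, only the public user salt and a salted hash of the auth token."""

    def __init__(self) -> None:
        self.records: dict[str, tuple[bytes, bytes, bytes]] = {}

    def register(self, username: str, user_salt: bytes, auth_token: bytes) -> None:
        server_salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", auth_token, server_salt, SERVER_ITERATIONS, KEY_LEN)
        self.records[username] = (user_salt, server_salt, verifier)

    def login(self, username: str, auth_token: bytes) -> bool:
        if username not in self.records:
            return False
        _, server_salt, verifier = self.records[username]
        candidate = hashlib.pbkdf2_hmac("sha256", auth_token, server_salt, SERVER_ITERATIONS, KEY_LEN)
        return hmac.compare_digest(candidate, verifier)  # constant-time comparison

    def stores(self, secret: bytes) -> bool:
        """Demonstration helper: is `secret` present anywhere in the server's records?"""
        return any(secret in record for record in self.records.values())


def demo(master_password: str = "correct horse battery staple") -> dict:
    """Walk through registration and login; returns facts the reader can check."""
    server = VaultServer()
    user_salt = os.urandom(16)
    vault_key = derive_vault_key(master_password, user_salt)
    auth_token = derive_auth_token(vault_key)
    server.register("alice", user_salt, auth_token)

    wrong_token = derive_auth_token(derive_vault_key("not the master password", user_salt))
    return {
        "login_ok": server.login("alice", auth_token),
        "wrong_password_rejected": not server.login("alice", wrong_token),
        "server_has_master_password": server.stores(master_password.encode("utf-8")),
        "server_has_vault_key": server.stores(vault_key),
        "server_has_auth_token": server.stores(auth_token),
    }


if __name__ == "__main__":
    for fact, value in demo().items():
        print(f"{fact}: {value}")
```

The point of the second derivation is that a breach of the server's database yields only salted verifiers, which cannot be turned back into the vault key; an attacker would still have to guess the master password itself, at the cost of the slow client-side derivation per guess.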
Here are steps you can take to get the most out of your password manager and keep general security best practices in your daily routines:
- Configure the password manager correctly on all the devices you need it to be on.
- Use two-factor authentication (2FA), via a YubiKey or an authenticator app such as Google Authenticator, to make sure your password vault is inaccessible to anyone except yourself. This is a MUST.
- Do not keep any MFA codes in your password manager. Not even back-up codes.
- Absolutely do not store crypto private keys or mnemonic phrases in your password manager.
- Avoid using your browser’s built-in password manager to manage passwords and credit card information. These don’t offer the same level of security as dedicated password managers.
- Don’t store high-security data in your password manager. For example, website hosting/domain registrar accounts and SSH keys to secure servers.
- If your password doesn’t auto-fill, look carefully to check you aren’t on a phishing website. Auto-fill only works if the URL is exactly correct.
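The last tip works because a password manager only offers an entry when the page’s origin (scheme, host and port) exactly matches the one saved with the entry. The following added example, which is not code from the article or from any real password manager, shows that check with constructed sample vault entries and page URLs; the function names are assumptions.

```python
"""Added example: the exact-origin match behind auto-fill, and why a
lookalike address gets no suggestion. Vault entries and URLs are constructed."""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed sample vault: saved login URL -> saved username
VAULT = {
    "https://bank.example/login": "alice",
    "https://mail.example.org/": "alice@mail.example.org",
}


def origin(url: str) -> tuple[str, str, int] | None:
    """Reduce a URL to (scheme, host, port); None if it is not a web URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # urlsplit's .hostname already strips any user@ prefix and lower-cases the host
    return (parts.scheme, parts.hostname.lower(), port)


def autofill_candidates(page_url: str) -> list[str]:
    """Usernames the manager would offer on this page: exact origin match only."""
    page = origin(page_url)
    if page is None:
        return []
    return [user for saved_url, user in VAULT.items() if origin(saved_url) == page]


if __name__ == "__main__":
    for url in (
        "https://bank.example/account/settings",   # same origin, other path
        "https://BANK.example:443/login",           # same origin, different spelling
        "http://bank.example/login",                # scheme mismatch: no fill
        "https://bank.example.evil.test/login",     # lookalike subdomain: no fill
        "https://bank-example.com/login",           # lookalike domain: no fill
        "https://bank.example@evil.test/login",     # user@ trick: host is evil.test
    ):
        print(f"{url!s:45} -> {autofill_candidates(url)}")
```

When nothing is offered on a page where you expect a saved login, the address bar deserves a careful second look before anything is typed by hand.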
Password Best Practices
There are steps you can take to bolster your online security and ensure you don’t fall victim to hackers.
- Use a unique password for each website
- Use 2FA for websites wherever possible AND to secure your password manager’s vault
- Use randomly generated passwords created by your password manager with a high character count and an array of upper/lowercase letters, numerals and symbols
- Never use your master password anywhere except for the vault
- Try using passphrases—a password made of 4 or 5 words—instead of single-word passwords
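The two generator items in the list above, random character strings and multi-word passphrases, are shown in the added example below, which is not code from the article or from any password manager product. It uses Python's `secrets` module (the correct source of randomness for this purpose), guarantees every character class is present, and estimates strength as bits of entropy. The symbol set and the tiny word list are constructed for the example; a real passphrase generator draws from a list of thousands of words.

```python
"""Added example: random passwords and passphrases with the `secrets` module,
plus an entropy estimate. Symbol set and word list are constructed samples."""
from __future__ import annotations

import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"  # constructed set of 24 symbols
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
ALPHABET = "".join(CLASSES)  # 26 + 26 + 10 + 24 = 86 characters

# Constructed sample word list (16 words); a real one has thousands of entries
WORDS = [
    "acorn", "basket", "candle", "dolphin", "ember", "fossil", "glacier", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
]


def has_all_classes(password: str) -> bool:
    """True if every character class in CLASSES appears at least once."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def random_password(length: int = 20) -> str:
    """Uniformly random characters, re-drawn until every class is present."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def passphrase(word_count: int = 5, separator: str = "-") -> str:
    """Words chosen independently and uniformly from WORDS, joined by a separator."""
    if word_count < 1:
        raise ValueError("word_count must be positive")
    return separator.join(secrets.choice(WORDS) for _ in range(word_count))


def entropy_bits(choices: int, positions: int) -> float:
    """Strength of a secret built from `positions` independent draws among `choices`."""
    return positions * math.log2(choices)


if __name__ == "__main__":
    print("random password:", random_password(20), f"~{entropy_bits(len(ALPHABET), 20):.0f} bits")
    print("passphrase:     ", passphrase(5), f"~{entropy_bits(len(WORDS), 5):.0f} bits (tiny list)")
    print("5 words from a 7,776-word list:", f"~{entropy_bits(7776, 5):.0f} bits")
```

The entropy figures make the trade-off concrete: the strength of a passphrase comes from the size of the word list and the number of words, not from the letters inside each word, so a 5-word phrase from a 16-word sample list is weak even though it is long, while the same phrase drawn from a large list rivals a 20-character random string.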