
Why you should use a password manager and how to get started

Just a reminder, in case you haven’t started using one of these vital security tools.



Security researcher Troy Hunt recently discovered and revealed what is perhaps the largest cache of stolen emails and passwords in hacking history. Bundled together in a collection ominously called “Collection #1” are some 773 million emails, 21 million passwords, and over one billion unique combinations of the two, an 87 GB package of stolen credentials. The source of the data, or multiple sources, isn’t immediately evident.

You can check if your email or password was included in the enormous bounty by going to Have I Been Pwned, which has been updated to include the new data. But whether or not you were caught in this breach, you should assume that you will be caught in one in the future. That doesn’t mean giving up on security, but it does mean treating your username-password combinations in a different way. Specifically, it means assuming they eventually will be stolen. And the best way to protect yourself in that scenario is to use a password manager so you can make sure, with relative ease, that every one of your passwords is long, complex, and, most importantly, unique.
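The Have I Been Pwned password check works without ever sending your password away: the client hashes it with SHA-1, sends only the first five hex characters of the hash to the range endpoint (https://api.pwnedpasswords.com/range/{prefix}), and compares the returned list of suffixes locally. The Go program below is an added example of that k-anonymity exchange, written for this page rather than taken from the site or from Troy Hunt's code; it runs offline against a constructed range response (the counts in it are made up) and leaves the network fetch as a function the caller supplies.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// sha1Hex returns the uppercase hex SHA-1 of a password, the form the
// Pwned Passwords range API is keyed on.
func sha1Hex(password string) string {
	sum := sha1.Sum([]byte(password))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// splitHash divides the 40-char hash into the 5-char prefix that is sent
// to the service and the 35-char suffix that never leaves the machine.
func splitHash(h string) (prefix, suffix string) {
	return h[:5], h[5:]
}

// countInRange scans a range response ("SUFFIX:COUNT" per line) for our
// suffix and returns the breach count, or 0 if it is absent.
func countInRange(rangeBody, suffix string) int {
	sc := bufio.NewScanner(strings.NewReader(rangeBody))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) != 2 {
			continue
		}
		if strings.EqualFold(parts[0], suffix) {
			n, err := strconv.Atoi(strings.TrimSpace(parts[1]))
			if err != nil {
				return 0
			}
			return n
		}
	}
	return 0
}

// PwnedCount runs the whole check through a caller-supplied fetch function,
// so the same logic works against the live API or an offline fixture.
func PwnedCount(password string, fetchRange func(prefix string) (string, error)) (int, error) {
	prefix, suffix := splitHash(sha1Hex(password))
	body, err := fetchRange(prefix)
	if err != nil {
		return 0, err
	}
	return countInRange(body, suffix), nil
}

// constructedRange is a made-up reply for prefix 5BAA6 (constructed sample
// data, not a real API response); the middle line is the suffix of
// SHA-1("password"), so that password is reported as breached.
const constructedRange = `1E2B3C4D5E6F708192A3B4C5D6E7F8091A2:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1FD3A5E7C9B1D3F5A7C9E1B3D5F7A9C1E3B:1`

// offlineFetch stands in for an HTTP GET of the range endpoint.
func offlineFetch(prefix string) (string, error) {
	if prefix == "5BAA6" {
		return constructedRange, nil
	}
	return "", nil // an empty range means no suffix matched
}

func main() {
	for _, pw := range []string{"password", "discard-memento-burble-pacer"} {
		n, _ := PwnedCount(pw, offlineFetch)
		fmt.Printf("%q seen %d times in breaches\n", pw, n)
	}
}
```

To go online, replace offlineFetch with a function that GETs the range URL for the prefix; the service never learns the full hash, and the suffix comparison stays on your machine, which is why the check is safe to run even on passwords you currently use.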

If you’re unfamiliar, password managers such as 1Password or LastPass offer a simple service: They will store all your pesky passwords (and help you generate new ones if need be) and then dole them out to whatever service you’re logging into through the use of browser add-ons and apps. They’re much like the password tools already built into your browser itself—the ones that ask you if you want to save your password for this site so you don’t have to enter it again. (Here are some good reasons not to rely on those.) Password managers, however, were built for this specific purpose and include a suite of tools that let you access the same library of passwords across your devices. This cache of passwords is, of course, protected by a super-password of its own—one you obviously need to choose wisely.

Yes, this does pose a risk of its own, as you might already be screaming at your screen. Having your passwords all in the same place does mean they’re a target for hackers, and the vault your passwords are stored in is not necessarily impenetrable. Over the years, LastPass—Wirecutter’s pick for the best manager and my personal choice—has fallen victim to hacks and vulnerabilities. Thanks to encryption and prompt fixes, however, there hasn’t been an avalanche of passwords released onto the internet. 1Password, meanwhile, was among the services potentially exposed by the recent “Cloudbleed” bug in Cloudflare, the content delivery network it used, though its additional layer of encryption mitigated the damage there as well.


Those problems may seem like a deal-breaker, but let me tell you why they’re not. Take a moment to consider the alternative. No, not the IT department’s fantasy world, that never-gonna-happen scenario where you create a strong, unique password for every account, memorize each one, and refresh them every few months. We both know it’s not like that. The reality is that in your attempts to handle all those passwords yourself, you will commit the cardinal sin of reusing some. That is actually far more risky than using a password manager. If a single site that uses this password falls, every account that uses it is compromised. You’ll need to remember all the sites where you reused that password and then change them all.


With a password manager, on the other hand, it’s trivial to make all your passwords unique. I don’t even know what half of my passwords are, because they are impossible-to-memorize 30-character nightmares of numbers, text, and symbols that I never actually type. When I have to change them now and then, no problem. LastPass even has a feature that will auto-change your passwords for supported sites. If the very worst should happen and my passwords are somehow exposed, my most crucial accounts are protected by two-factor authentication, and yours should be as well.

While the risks of password managers are pretty much outweighed by the ease with which they allow you to make your passwords strong and unique, they do have their downsides. Apps like LastPass and 1Password are available on virtually every device, but you will have to download them on new gadgets before logging in to other things. This also makes logging in to your accounts on someone else’s device a strange and potentially risky proposition.

Inevitably, you’ll stumble across a device that isn’t supported, and then you’re spending five minutes typing your incomprehensible Amazon password onto a Kindle manually while looking back at your phone for reference all the while. (It pays to keep a handful of the crucial passwords strong, but still something you can memorize.) And for the full suite of features any password manager offers, you’re going to have to shell out a little bit of cash. It’s worth it for the convenience and peace of mind.

A password manager is a crucial piece of security kit, so long as you’re aware of its limitations and risks. You can use LastPass for free on your desktop and phone, or sign up for a $12 premium plan. You can also try 1Password for free for 30 days before the $36/year subscription kicks in.

Published August 5, 2019


You probably know that it’s not a good idea to use “password” as a password, or your pet’s name, or your birthday. But the worst thing you can do with your passwords—and something that more than 50 percent of people are doing, according to a recent Virginia Tech study—is to reuse the same ones across multiple sites. If even one of those accounts is compromised in a data breach, it doesn’t matter how strong your password is—hackers can easily use it to get into your other accounts.

But even though I should know better, up until a few months ago I was still reusing the same dozen or so passwords across practically everything (though at least I had turned on two-factor authentication where I could). It’s just too difficult to come up with (and remember) unique, strong passwords for dozens of sites. That’s why, after much cajoling from co-workers, I started using a password manager—and it’s why you should be using one, too. Aside from using two-factor authentication and keeping your operating system and Web browser up to date, it’s the most important thing you can do to protect yourself online.

Why you need a password manager

A password manager is a secure, automated, all-digital replacement for the little notepad that you might have all of your passwords scribbled down in now, but it’s also more than that. Password managers generate strong new passwords when you create accounts or change a password, and they store all of your passwords—and, in many cases, your credit card numbers, addresses, bank accounts, and other information—in one place, protecting them with a single strong master password. If you remember your master password, your password manager will remember everything else, filling in your username and password for you whenever you log in to a site or app on your phone or computer.

You can generate, save, and auto-fill passwords with Google’s Smart Lock (in Chrome and Android) or Apple’s Keychain (in Safari and iOS), but a good password manager goes a lot further—it can proactively alert you when you’re reusing a password or when your passwords are weak and easy to guess or hack, and some password managers will even let you know when online accounts are hacked and your passwords have been exposed. For accounts that you need to share with family members, friends, or co-workers—a joint bank account or mortgage site, a shared Twitter account, or your insurance and medical records, for instance—many password managers offer family plans that make it simple to share strong, complex passwords without requiring multiple people to remember them or write them down.

Learning to use a password manager seems intimidating, but once you start using one to make strong random passwords that you’re not on the hook to remember, you’ll wonder how you lived without one. Usually, improving your digital security means making your devices more annoying to use; a password manager is a rare opportunity to make yourself more secure and less annoyed.

A password manager for any budget

Wirecutter’s favorite password manager is 1Password. It has great apps for PCs, Macs, and all kinds of tablets and phones, and those apps will tell you exactly what’s wrong with your passwords and how to fix them, whether they’re weak, reused, or even compromised in a hack. If you’re not using two-factor authentication to further protect your accounts already, 1Password can generate, store, and insert those codes for you when you need them. And 1Password’s family plan makes it easy to share passwords for accounts you share with your family members and friends (and to keep their passwords safe, too).

If you can’t or don’t want to pay the $36 per year for a 1Password subscription, you can find good free options too. Wirecutter’s favorite is LastPass Free—its apps aren’t as full-featured as 1Password’s, and its recommendations for fixing password problems aren’t as clearly explained or as easy to act on, but it’s still pretty simple to use and it still works on just about any computer, tablet, or phone.

These aren’t the only good password managers out there, but these two are easy to learn, backed by good customer support, and designed to store your passwords securely. You don’t need to understand hashing or AES-256 encryption, except to know that it means that even if 1Password or LastPass has its servers hacked, your passwords will remain unreadable to anyone who doesn’t have your master password. The caveat is that an attacker who steals the encrypted vault can try master passwords offline, as many as their hardware allows, so that guarantee is only as good as the master password you choose. Both 1Password and LastPass are transparent about their security processes, and you can visit their sites to learn more.

Making a good master password

Because your master password is responsible for protecting all of your account information, you must make it long and difficult to guess. But because you’ll need to type it in when you start using a new computer or phone, when you need to log in to change account settings, or when you restart your computer or browser, it should also be easy for you to remember; otherwise you could lock yourself out of your account and lose access to everything.

Both 1Password and LastPass have good advice on how to make a master password, and perhaps surprisingly, they don’t recommend long strings of random lowercase and uppercase letters, numbers, and symbols. Instead, you need a long but memorable password, perhaps composed of multiple random words with dashes, periods, or some other easy-to-remember punctuation in between, like “discard-memento-burble-pacer.” 1Password’s password generator is a handy way to make one of these passwords regardless of the software you use.
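The reason a four-word passphrase like the one above is recommended is that its strength comes from how the words are chosen, not from how strange they look: each word drawn uniformly at random from a large list adds a fixed number of bits to the guess space. The Go program below is an added example of that, written for this page and not code from 1Password, LastPass or any other product. It draws words and characters with the operating system's CSPRNG (crypto/rand.Int, which avoids modulo bias) and computes the entropy in bits so the two styles can be compared; the tiny wordlist in it is constructed for illustration, and the 7776-word figure assumes an EFF-style diceware list.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// pickIndex returns a uniformly random index in [0, n) from the OS CSPRNG.
// rand.Int performs rejection sampling, so no index is favoured.
func pickIndex(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err) // a failing system CSPRNG is not something to paper over
	}
	return int(v.Int64())
}

// Passphrase joins `words` random wordlist entries with sep, in the style
// of "discard-memento-burble-pacer".
func Passphrase(wordlist []string, words int, sep string) string {
	out := make([]string, words)
	for i := range out {
		out[i] = wordlist[pickIndex(len(wordlist))]
	}
	return strings.Join(out, sep)
}

// RandomPassword draws `length` characters from alphabet; this is what a
// manager's generator does for the per-site passwords you never type.
func RandomPassword(alphabet string, length int) string {
	b := make([]byte, length)
	for i := range b {
		b[i] = alphabet[pickIndex(len(alphabet))]
	}
	return string(b)
}

// EntropyBits is the size of the guess space, in bits, for `picks`
// independent uniform choices among `options`: picks * log2(options).
func EntropyBits(options, picks int) float64 {
	return float64(picks) * math.Log2(float64(options))
}

// sampleWords is a constructed toy list; a real generator would load the
// 7776-word EFF list (assumed here only for the entropy figures below).
var sampleWords = []string{
	"discard", "memento", "burble", "pacer",
	"ravioli", "tundra", "gasket", "overture",
}

const printable = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" +
	"0123456789!@#$%^&*()-_=+[]{};:,.<>?/"

func main() {
	fmt.Println("passphrase:", Passphrase(sampleWords, 4, "-"))
	fmt.Println("random    :", RandomPassword(printable, 16))
	fmt.Printf("4 words from a 7776-word list: %.1f bits\n", EntropyBits(7776, 4))
	fmt.Printf("8 random chars from 94:        %.1f bits\n", EntropyBits(94, 8))
	fmt.Printf("12 random chars from 94:       %.1f bits\n", EntropyBits(94, 12))
}
```

Four words from a 7776-word list give about 52 bits, roughly the same as eight random printable characters, but the words are something you can actually type into a phone after a reboot. The count only holds if the words are chosen by the generator; picking "memorable" words yourself, or a sentence from a song, collapses the guess space far below the formula.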

No matter how memorable your master password is, you should write it down and store it somewhere to make sure you don’t forget or lose it. The most secure way to do this is to write it on an actual piece of paper and keep it somewhere safe, such as a locked desk drawer or Wirecutter’s recommended fireproof document safe. Writing it down the old-fashioned way is actually much more secure than storing it digitally, especially on a cloud syncing service such as Google Drive, Dropbox, or iCloud; 1Password even has a handy “emergency kit” printout that tells you exactly what you need to write down.

Commit to a password manager to make your online life easier and more secure.

Let’s start with the why. The reason you should use a password manager is twofold: it makes your online life more secure — and easier in the process.

A password manager stores the passwords for your various online accounts and profiles and saves you from having to remember and enter each one each time you visit a password-protected site. Instead, your passwords are encrypted and held by your password manager, which you then protect with a master password. Since you are saved from having to remember all of your passwords, you will be less tempted by the dangerously poor idea of using the same password for all of your accounts. With a password manager, you can create strong passwords for all of your accounts and keep all of those passwords saved behind a stronger master password, leaving you to remember but a single password.

Which password manager you choose to use is less important than actually choosing one and then using it. Most password managers offer limited free services with paid plans via either a subscription or paid app that lets you store an unlimited number of passwords and sync them across devices, including Windows PCs, Macs and mobile devices. To help you choose the right product for your purposes, Jason Parker earlier this year wrote about six of the best password managers.

Regardless of the password manager you end up picking, the setup process is roughly the same. I use PasswordBox because the app was recently acquired by Intel Security and is currently giving its premium service away for free. Without paying a cent, I can store as many passwords as I have while syncing across my Windows desktop, MacBook Pro, and iPhone and iPad. According to the PasswordBox blog, it is offering premium subscriptions for free until it releases its next product.

Setting up a password manager

With PasswordBox, you can sign up for an account via its mobile app or the PasswordBox website on a computer. I chose the latter and downloaded PasswordBox from its website, which turned out to be a browser extension. I created my free account by giving my name, email, and choosing a master password. Before we proceed, allow me a few words on creating a strong password.

Your master password should not be a repeat or even a derivative of one of your other passwords currently in use. Create a unique password that contains at least eight characters, including both upper- and lower-case letters, numbers and symbols; longer is better, and a multi-word passphrase is both easier to remember and harder to guess than a short jumble of characters.

Screenshot by Matt Elliott/CNET

After creating your account, you can then use the browser extension and the mobile app to add your accounts. PasswordBox lists a number of the more popular services such as Dropbox, Facebook and Twitter, and you can manually add others. Like other password managers, PasswordBox can store more than just your passwords. It has a Wallet section for storing credit card numbers, your social security number and the like. You can also securely share passwords with other PasswordBox users, and there is a password generator that creates strong passwords to replace the weak passwords you are likely using for many if not all of your online accounts. Lastly — and I do mean lastly — there is a Legacy Locker feature that will share your passwords with a trusted friend or family member in the event of your demise, helping your family manage your digital life after your actual life has ended.

Using a password manager

After a little legwork up front to add your password-protected accounts to your password manager of choice, you will then be free of the effort of remembering and entering your bevy of passwords. For the accounts you have stored with PasswordBox, for example, you’ll be automatically logged in.

Screenshot by Matt Elliott/CNET

If that’s too easy for you, you can disable Auto-Login for certain accounts, which will require you to click or tap the log-in button (PasswordBox will still enter your username and password for you). If you have multiple accounts for a site, PasswordBox provides a drop-down menu to let you choose which account you’d like to use.

A word about security before we conclude

All password managers use some level of encryption to protect your identity. PasswordBox, for example, uses the Advanced Encryption Standard (AES-256) to encrypt the passwords you store with it. And it does not store your master password on its servers, which means a breach of those servers cannot hand it directly to the wrong hands — while also meaning that you must remember it, because there is no way to recover it should you forget it.


A password manager can make your digital life both simpler and more secure. Are there any downsides to relying on software to create and store your passwords?

Recently we commemorated World Password Day with an article that dealt with five common mistakes to avoid when it comes to passwords. And although password protection can be considered a cornerstone of our digital existence, we rarely give it deep thought. Nothing drives that point home more than the annually compiled lists of the most-used passwords, which have ranked 12345 and password among the most-common choices year after year.

Our preference for flimsy passwords can be partly attributed to our use of a gazillion different services, which – unless you connect everything to your Google or Facebook account – often implies creating a new account. On the other hand, if you do have multiple complex passwords, they may prove difficult to remember. So, you opt to recycle the same simple password, since you’re thinking: where is the harm? Well, if a hacker breaks a recycled password, then your accounts may become an all-you-can-eat breakfast buffet for the attackers.

This is what a password manager – an application specifically designed to store your login details in an encrypted vault and to generate complex passwords for you – can help you avoid. By making it supremely easy to create, save and autofill a unique and strong password for each of your online accounts, this ‘digital safe’ can be an effective solution to your conundrum. All you need to remember is a single password called the ‘master password’.

Types of password managers

Most popular password vaults function as cloud applications that can be accessed through a browser. Regardless of your password manager of choice, you’ll have to create one strong master password that will protect all your stored credentials used to access the different services you use; so be very careful about your choice. In the case of a cloud-based manager, this is part of creating an account.

The manager will then take it from here. You can add all your existing accounts to it and when you sign up for new services, you can either use your own passphrases or it will use a built-in generator to create randomized, long, and secure passwords. Once you want to sign into any of the services that you use, the password manager automatically fills in your credentials and you’re all set.

If you have an issue with trusting cloud-based applications with your passwords, you can opt for a locally hosted vault, which will store everything on your device. In fact, you can choose from a number of open-source options, which provide a lot of the functionality of their cloud competitors, albeit often in a more modest design package. But what these apps may lack in aesthetics, they make up for in features.

Another option that you can go for besides cloud-based and open-source solutions are the managers that are included in reputable endpoint security suites and represent a suitable option to help you manage and secure your login credentials.

The pros and cons of using a password manager

There are various types of password managers to choose from, with cloud-based options being among the most popular. The added benefit of them using the cloud is having access to your passwords from anywhere. Most of the popular brands (1Password, Dashlane, LastPass, etc.) offer apps for your smartphone, so if you use multiple devices (which most of us do), then cloud-based services will sync all your passwords across all devices. Some even have desktop options and browser plug-ins, so they have all of the bases covered.

When it comes to subscriptions, the basic set of options is offered for free. If you find those lacking, you can always pay for one of the more premium tiers, which usually include more settings and added security features.

As convenient as all of this sounds, it comes with one caveat. You’re putting all your eggs in one basket, as it were; and some online password managers have faced their share of problems in the past. A few months ago, for example, researchers found security flaws in a number of popular password managers: some Android versions of their apps were found to be susceptible to phishing attacks, while others allowed endless attempts at entering the master PIN.

It is important to keep in mind that since your data is stored on a server, in case of a breach or a successful hack, cybercriminals can download the information in bulk and your account may end up in that data trove. Should this happen, you are dependent on the operators of your chosen service having properly implemented strong encryption and on the strength of your master password; keep in mind that it guards the gate to most of your digital life.

As with any service, do your due diligence and read through the cybersecurity blogs and reviews from reputable independent testing organizations to see if the password manager of your choice has had any reported vulnerabilities recently. You should also thoroughly read through and understand and act upon all the security measures that the service has put in place to secure your passwords and accounts.

When it comes to the locally installed open-source applications, some are able to generate passwords that cater to the specific requirements a site has for their creation. KeePass, for example, also has the nifty option of running straight from a USB drive. With open-source applications such as KeePass, you can also search for professional security audits of the core encryption and security function code.

Some things that might seem like drawbacks in password managers that store everything locally may actually add security. Since the credentials are stored on a specific device, you may not have the option to sync them across all your other devices, but for a cybercriminal to gain access to them, they would have to target you specifically; this makes their job all the more difficult to perform. One of the ways they can access your passwords is by compromising your device, for example by installing a keystroke logger. That makes the case for password managers included in endpoint security solutions, which are specifically designed to protect you from such threats.

On the other hand, you have to keep in mind that if you lose the device or it malfunctions, you may lose access to all your passwords that were stored on it. So, always keep a backup at hand, you never know when you’ll need it. That applies to locally installed open-source solutions as well; losing a device should be less of a problem with a cloud-based solution, since you can still access your passwords from another device.

Final thoughts

Although most of us have similar needs when it comes to managing our digital lives, there may be minute differences in our preferences. So, you need to be aware of which option suits your requirements the best. There are at least a few questions you should answer for yourself when choosing a password manager:

  • How does the service you’ve chosen store your data?
  • If something happens to your device, is the data recoverable?
  • Are there any additional security options you can activate to boost protection?

Be sure to choose your password manager carefully and avoid the common mistakes we mentioned at the beginning of the article when you’re creating your master password. For extra security, you can also add an extra authentication factor for all your valuable online accounts, or even for the password manager itself.

We use passwords everywhere to secure our important accounts, but how secure are your passwords? A password manager does what the name implies: it manages your passwords. Today, we are going to look at how they work and how they improve our security.

The Problem with Passwords

Passwords are designed to keep our accounts safe as long as we follow some basic best practices.

Passwords should be:

  • At least 12 characters
  • Contain a mix of uppercase, lowercase, numbers, and symbols
  • Unique to each account or device
  • Not contain words from a dictionary
  • Not contain personal information such as birthdays, names of family, etc
  • Be changed whenever there is any sign of compromise (forced periodic rotation on a schedule is no longer recommended by NIST SP 800-63B, because it pushes people toward predictable variations)

These are easier said than done. How many accounts do you have between your personal life and work? 5, 10, 100? Imagine remembering 100 different passwords that had to follow all of these requirements. That’s not possible for most people. This leads to people using the same password across all their accounts. When one of them gets compromised, all of their accounts are, and they usually never notice.

Password managers help fix this problem.

What do Password Managers do?


Password managers are applications that store and organize passwords. Your passwords get stored in an encrypted database that holds a list of your accounts, passwords, and other supplemental information. This database is secured using a master password. This password is like a key to your password vault. You only need to remember one password instead of 100.

Most password managers include tools for generating secure passwords, have apps for all major platforms, and include browser plugins. Many also can autofill forms on websites and log in for you.

Types of Password Managers

There are two major types of password managers: Ones that store your passwords locally, and ones that store them in the cloud. What you use will depend on your threat model and how much convenience you are willing to sacrifice for security.

Cloud Password Managers

Cloud password managers store your passwords on a server somewhere on the internet. This might be controlled by a company or hosted by you. This makes it easy to sync your password across many devices and many providers offer extra services on top of providing password storage. This is incredibly convenient, but it does come at the cost of security.

You have to trust someone when you use a cloud password manager, this is often the company that makes the password manager or a webhost if you are running your own. This is usually okay, as your passwords are encrypted on your machine, but it’s something to keep in mind.

Best Cloud Password Manager: Bitwarden


I’d recommend the cloud password manager Bitwarden, if your threat model allows for it. I use Bitwarden on a daily basis for most of my accounts. It supports all major platforms and web browsers, it is FOSS, and you can host your own copy of it on your own servers if you don’t trust Bitwarden’s servers.

Bitwarden has a mobile and desktop app, as well as a browser extension for all major browsers. This means your passwords will be available to you anywhere. It can store personal information such as address and card numbers, making it easy to auto-fill online forms.

Bitwarden is free, but it does offer a premium service that includes encrypted file sharing and hardware token support. Most people don’t need these features, but it is a great way to support the open source project.

Local Password Managers

Local password managers save your passwords in a database stored on your device. This is significantly more secure in theory than using a cloud based password manager, but it can be really inconvenient, as you will have to come up with your own way to sync passwords across devices, such as a NextCloud server. Use a local password manager if security is your highest priority.

Best Local Password Manager: KeePassXC


KeePassXC is a cross-platform and FOSS password manager that works on your desktop. It has many powerful features including hardware token support, browser integration with all major browsers, and can keep track of personal data alongside passwords. KeePassXC does not have an official mobile app, but there are third-party apps for that.

KeePassXC is based on another FOSS desktop password manager called KeePass. KeePass is a great password manager, but it is not officially cross-platform and was designed for Windows.

I do not use KeePassXC or any other local password manager on a daily basis, so take this recommendation with a grain of salt.

There are KeePass compatible android apps on F-Droid, and the KeePass download page keeps track of some ports. Just remember that they are developed by independent developers unaffiliated with KeePass and KeePassXC.

There are other password managers out there and we will write an article about them in the future, but these two are the best that we have used.

Limitations of Password Managers

Password managers are great, but they do have some weaknesses to keep in mind:

You are replacing tens if not hundreds of passwords with a single master password. This is a single point of failure, so it is critical that you use a secure master password. It is important to use two-factor authentication whenever possible and never share your master password with anyone.

Cloud based password managers put your database in the hands of another entity. This is usually a non-issue, as any password manager worth its salt will do encryption on the user’s end and have no access to the actual unencrypted passwords. What matters most, then, is that the client code doing that encryption has been audited; the server only ever handles ciphertext.

I’ve said multiple times in the past to not use closed source tools for sensitive data, and I stand by it. Password managers hold the key to your digital life. Proprietary apps have too many issues: You cannot audit them, the terms of service can change on a moment’s notice (like it did with LastPass), and you could lose all your passwords if the company managing them shuts down. It’s not worth the risk.

Password Managers are the Best Way to Handle Passwords

We use passwords everywhere to protect our digital lives, so it’s imperative that we protect them. The problem is, we’re bad at keeping track of them and at using the best practices to keep our accounts secure. Password managers can help by keeping track of the many accounts we create. Check out Bitwarden and KeePassXC, and see what works for you.


A password manager promises both security and convenience.

By remembering your usernames and passwords for you, you’re free to give all your online sites and services strong, unique passwords without needing to memorize them all.

All you need to remember is a single password to unlock the password manager.

But how trustworthy are password managers, and is it safe to give one all your passwords?

Here’s what you need to know about password managers, and how they keep your data safe.

Password managers are the safest way to keep track of your passwords

“Password managers are safe, and far safer than not using one,” said Ron Culler, senior director of technology and solutions at ADT Cybersecurity.

That’s partially because password managers encourage users to practice good security hygiene — you can make every password unique, and every password long and complex.

In the early days of the internet when we only had to track a dozen passwords, it might have been possible to do that manually. The password manager company LastPass has said that its average user manages 191 passwords, making a tool like a password manager essential.

The way that password managers work is simple: you save all your passwords to the manager, and then create one “master” password for all of them. When you sign into a site, you just use that one master password — it’s the only one you need to remember.

That means you can make this one password lengthy and strong. Enabling two-factor authentication in the password manager app adds even more security.

Most importantly, all leading password managers use a technique called “zero knowledge.”

Zero-knowledge security means that although the password manager knows your passwords, the company that makes the manager doesn’t.

Chris Hallenbeck, chief information security officer for cybersecurity firm Tanium, described it to Business Insider like this: “What makes a password manager safe is its Zero Knowledge security model that consists of three layers of defense: the encrypted user data, the manager’s password which is not kept on the system, and the security key. A hacker would need to break down all three defenses to get access to the information.

“While these layers of defense don’t rule out all hacks and exposure, they greatly reduce the risk that a password manager could be hacked by a middleman,” Hallenbeck said. It also means that if a password manager company gets hacked, that intrusion can’t compromise customer data.

“Any tool has weaknesses,” said Mike Kiser, a senior identity strategist at security firm SailPoint. But Kiser points out that you’re far more likely to be the victim of a low-tech phishing attack than have your password manager get hacked. “I’d still use one,” said Kiser. “The advantages far outweigh the security risk.”

So, the takeaway: no solution is perfectly safe all the time. But using a password manager is possibly the best way to protect your data.

Why you should use a password manager and how to get started

If you thought passwords would soon be dead, think again. They’re here to stay — for now. Passwords are cumbersome and hard to remember — and just when you’ve memorised one, you’re told to change it again. And sometimes passwords can be guessed and are easily hackable.

Nobody likes passwords, but they’re a fact of life. And while some have tried to kill them off by replacing them with fingerprints and face-scanning technology, neither is perfect, and many still fall back on the trusty (but frustrating) password.

How do you make them better? You need a password manager.

What is a password manager?

Think of a password manager like a book of your passwords, locked by a master key that only you know.

To some of you that might sound bad. What if someone gets my master password? That’s a reasonable and rational fear. But assuming that you’ve chosen a strong, unique, but memorable master password that you’ve not used anywhere else, this is a near-perfect way to protect the rest of your passwords from improper access.

Password managers don’t just store your passwords — they help you generate and save strong, unique passwords when you sign up to new websites. That means whenever you go to a website or app, you can pull up your password manager, copy your password, paste it into the login box, and you’re in. Often, password managers come with browser extensions that automatically fill in your password for you.

And because many of the password managers out there have encrypted sync across devices, you can take your passwords anywhere with you — even on your phone.

Why do you need to use one?

Password managers take the hassle out of creating and remembering strong passwords. It’s that simple. But there are three good reasons why you should care.

Passwords are stolen all the time. Sites and services are at risk of breaches as much as you are to phishing attacks that try to trick you into turning over your password. Although companies are meant to scramble your password whenever you enter it — known as hashing — not all use strong or modern algorithms, making it easy for hackers to reverse that hashing and read your password in plain text. Some companies don’t bother to hash at all! That puts your accounts at risk of fraud or your data at risk of being used against you for identity theft.

But the longer and more complex your password is — a mix of uppercase and lowercase characters, numbers, symbols and punctuation — the longer it takes for hackers to unscramble your password.

The other problem is the sheer number of passwords we have to remember. Banks, social media accounts, our email and utilities — it’s easy to just use one password across the board. But that makes “credential stuffing” easier. That’s when hackers take your password from one breached site and try to log in to your account on other sites. Using a password manager makes it so much easier to generate and store stronger passwords that are unique to each site, preventing credential stuffing attacks.

And, for the times you’re in a crowded or busy place — like a coffee shop or an airplane — think of who is around you. Typing in passwords can be seen, copied and later used by nearby eavesdroppers. Using a password manager in many cases removes the need to type any passwords in at all.

Which password manager should you use?

The simple answer is that it’s up to you. All password managers perform largely the same duties — but some apps will have more features, or features more relevant to you, than others.

Anyone running iOS 11 or later (which is most iPhone and iPad users) already has a password manager by default, so there’s no excuse. You can sync your passwords across devices using iCloud Keychain.

For everyone else, most password managers are free, with the option to upgrade for better features.

If you want your passwords to sync across devices, for example, LastPass is a good option. 1Password is widely used and integrates with Troy Hunt’s Pwned Passwords database, so you can tell whether a password has previously been leaked or exposed in a data breach (and avoid it!).

Many password managers, like Dashlane, are cross-platform and also work on mobile devices, allowing you to take your passwords wherever you go.

And, some are open source, like KeePass, allowing anyone to read the source code. KeePass doesn’t use the cloud so it never leaves your computer unless you move it. That’s much better for the super paranoid, but also for those who might face a wider range of threats — such as those who work in government.

What you might find useful is this evaluation of five password managers, which offers a breakdown by features.

Like all software, vulnerabilities and weaknesses in any password manager can put your data at risk. But so long as you keep your password manager up to date — most browser extensions are updated automatically — your risk is significantly reduced.

Simply put: using a password manager is far better for your overall security than not using one.

  • Password managers are the safest way to keep track of your passwords, as they allow you to use stronger passwords without needing to memorise anything.
  • Security experts generally recommend using password managers to keep your data safe.
  • Password managers usually rely on a “zero knowledge” technique, where the company that runs the manager doesn’t know your passwords – this keeps your data safe even if the company is hacked.


Why you should use a password manager and how to get started

Photograph: Ashley Jouhar/Getty Images


Odds are that you, like the rest of us, are spending more time in front of a computer than you used to. You’re probably not looking for another addition to your digital to-do list, but allow me to make one humble recommendation: Get started with a password manager. Now is a perfect time.

Here’s why: The more you browse, the better password managers become. As you log in to your favorite apps and web sites, they ask you if you’d like to save your password to their database so you never have to remember it—or even enter it manually—again. And right now we’re all using our computers more than ever. We’re using them to work, keep in touch with family and friends, play videogames, or just kill time while in self-isolation or under stay-at-home orders.


A password manager keeps track of all of the passwords you use around the web—for your email, for online shopping, for banking or paying the bills—so you don’t have to remember them. The good ones will help you identify passwords that you’ve reused on multiple sites, or are weak and easily broken. They can even notify you when a site you use has been breached, so you can quickly change the password and protect your account.

“Most people are not actually following all the rules for good passwords, because it is really hard to do that without a password manager,” says Lorrie Cranor, director of the CyLab Security and Privacy Institute at Carnegie Mellon University. “People often cope by reusing the same password on multiple accounts. But if that password gets breached on any of your accounts, you could have a big problem, because attackers will try the same password on all your accounts.”

If your passwords are already weak, she explains, odds are one of them will be breached eventually anyway. If you’ve been using the same password in multiple places, well, that’s even more of your personal data at risk. “By using a password manager and generating random passwords for all your accounts, you significantly reduce the chance of having your password stolen, and if it does get stolen it will only impact that one account,” Cranor says.

And yes, the best password managers cost money (although some good ones are free, or have a free tier), but consider this: the cost of a password manager is likely less than you’d spend trying to recover a breached account that contains all of your personal data, or what you’d spend on a subscription to an identity theft service. And it certainly takes less time to set up than dealing with any of that would.

If you’re ready to make the leap, first you need to pick a password manager. There are plenty to choose from, but we have a guide to the best password managers here. Our favorite is 1Password, both for its solid reputation as a password manager and its ability to provide two-factor authentication, which you should absolutely turn on for every service that supports it. 1Password also integrates well with apps on mobile devices, and it even has a “travel mode,” where you can delete sensitive information from the database in case your devices are stolen or confiscated, and then restore it when you—and your devices—are safe again.

If 1Password isn’t your jam, there are plenty of other options in our guide, including Bitwarden, which is free, and Dashlane, which bundles a virtual private network and made that Super Bowl ad you may remember from earlier this year.

In many ways, choosing a password manager is the hard part. “Most of the top password managers can import passwords that you may have saved in your web browser. So if you’ve done that, it makes getting started with a password manager pretty easy,” Cranor says. “If you haven’t, then a good option is to start using the password manager with just a few of your most frequently used passwords and then add passwords to it as you use them. There is no reason that you have to add them all at once.” Pick one that works for you, set up an account, and just use your devices the way you always do; let the password manager do the rest for you. If you use a password manager that can sync across devices, every time you use a password or generate a new, secure one on one device, your others will be updated automatically.

Reused passwords are a little trickier; you’ll have to change those manually for the most part. Be patient and take your time. Make it a weekend project, or just spend a few minutes here and there changing bad passwords to more secure ones when you have a moment. Once they’re all done, you’ll feel better about all of them, and you’ll know all of those accounts are more secure. (While you’re changing passwords, see if the service supports two-factor authentication as well, and turn it on!)

One thing to note: your web browser probably already offers to save your passwords and log in to websites for you, but you’re better off with a stand-alone password manager. The convenience may be tempting, but your web browser has a lot of tasks; managing passwords may be one of them, but it’s certainly not the most important. While in-browser password management has improved over the years, it still lags behind the tools that password managers give you to make sure your entire digital life is secure, including reminding you when you’ve reused a password, offering different levels of password complexity, and the option to sync across multiple devices and browsers.

Of course, password managers themselves aren’t flawless—nothing is, when it comes to security—and the literal treasure trove of private information they hold makes them an attractive target for hackers. However, the best ones, even if there are bugs and vulnerabilities, keep your data secure and encrypted and have a singular focus. They don’t have to make sure a website loads properly; they just have to make sure your data is safe.

“The major password manager companies have a good track record of fixing problems quickly and before their users actually suffer any negative consequences,” Cranor says. “If you are currently reusing your passwords or using weak passwords, you are much better off with a password manager than without one, despite the fact that password managers cannot guarantee security.”

As with most things, the hardest part of getting started with a password manager is getting started. Since we’re all sitting in front of our computers and on our mobile phones more now than ever, why not build a little security into your regular routine? After all, once it’s done, it’s done, and you won’t have to worry about it—or losing access to a dozen accounts just because one got hacked—ever again.