You might have some extra time on your hands right now given that COVID-19 thing going around. You could watch another streaming movie -- or you could do something you've been putting off for a long time: setting up and starting to use a password manager. It's a key part of security hygiene, and a nice complement to hand-washing and elbow-coughing.
Why your passwords are so bad
You may have heard that reusing passwords is bad, but you probably don't know why and you don't know how you'd manage a unique password per account anyway. You've definitely heard about phishing but don't know how best to save yourself from it. And although you may have heard about password managers, you may not fully understand why using one is so important to your cybersecurity.
There are two main reasons, one you can see and one you can't:
- If you receive a phishing email/SMS that sends you to a web page that looks just like your bank's, and without noticing you enter your userid and password, your account may be taken over and drained – a password manager can save you from that.
- If you reuse your favorite password on a dozen websites (online services) and one of them gets hacked, resulting in a "credential spill" of users' userids and passwords, attackers will try the stolen credentials on a variety of sites, and they'll be able to break into your 11 other accounts – a password manager can save you from that too. (This attack is called credential stuffing. If you doubt how often online services get hacked, check for hacks affecting your email addresses using https://haveibeenpwned.com. And register your email addresses there too, to get notifications when hacks happen in the future.)
How to fix them
To protect you from phishing and credential stuffing, respectively, your passwords need to satisfy two conditions:
- your passwords are not in your head, so you cannot type them into login pages, and
- every account has a long, random, and unique password. (Long means, say, 20+ characters.)
Enter the password manager
So how do you manage passwords for your (hundred?) accounts if you don't know them and if every one is unique? You use a password manager: it will generate a random password for you for a new account and will store the userid, password, and URL for each account, and later will autofill the userid and password into that account's login page.
Because the password manager carefully examines the login page's URL (domain name, actually), it won't be fooled by phishing pages. And because all your passwords will be unique, any hack of an online service means that only your account on that service is at risk, not a dozen or more other accounts too.
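The domain check just described is the whole reason a password manager is phishing-resistant, so here is a small Python sketch of it. This is an added illustration, not code from this post or from LastPass or 1Password; the vault entries and `.test` hostnames are constructed, and the "last two DNS labels" rule is a deliberate simplification of the Public Suffix List matching real products use.

```python
from urllib.parse import urlsplit

# Constructed sample vault entries (not real accounts or credentials).
VAULT = [
    {"name": "Example Bank", "url": "https://online.examplebank.test/login",
     "userid": "alice", "password": "Qm7!vZ2#pL9@kR4$wX1&"},
    {"name": "Example Mail", "url": "https://mail.examplemail.test/",
     "userid": "alice@examplemail.test", "password": "bT5^nH8*cJ2(dF6)gS3_"},
]


def registrable_domain(url: str) -> str:
    """Return the part of the hostname a password manager compares on.

    Simplification: the last two DNS labels. Real managers consult the
    Public Suffix List so that names like 'example.co.uk' work correctly.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def entries_for_page(page_url: str, vault=VAULT) -> list:
    """Entries the manager would offer to autofill on the page at page_url.

    The decision depends only on the page's real domain, never on how the
    page looks, so a convincing copy hosted elsewhere is offered nothing.
    """
    parts = urlsplit(page_url)
    if parts.scheme != "https":
        # Refuse to hand a password to an unencrypted page.
        return []
    wanted = registrable_domain(page_url)
    return [e for e in vault if registrable_domain(e["url"]) == wanted]


if __name__ == "__main__":
    for url in (
        "https://online.examplebank.test/login",              # the real site
        "https://examplebank.test.account-check.test/login",  # similar-looking name, different domain
        "http://online.examplebank.test/login",               # right host, no TLS
    ):
        names = [e["name"] for e in entries_for_page(url)]
        print(f"{url:55} -> {names or 'nothing offered'}")
```

The second URL is the kind of thing a phishing message links to: the familiar name is in there, but the registrable domain is different, so the vault has no entry for it and the autofill simply stays silent. That silence is the cue to stop and look at the address bar.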
And there are at least three other benefits of moving your accounts to a password manager:
- all the pain of remembering your passwords, and resetting them when you forget, goes away as your password manager is doing all the remembering for you;
- you can log into your accounts from any of your devices, whether you're at home or away (and you can manage your password manager's vault on all your devices); and
- you are setting yourself up nicely for moving to two-factor/two-step authentication (2FA/2SV), which will help to make you even more resistant to account takeover.
Which one to use?
Now that you know the why of a password manager, the which and how are not that complicated.
For which one, I suggest you look at one of these two well-respected password managers:
- LastPass, which has a free version and a couple of paid versions; see https://www.lastpass.com/
- 1Password, which has a couple of paid versions; see https://1password.com/
And how to do it?
For the how, there are lots of tutorials on the Internet, but here is a great page to get you started: https://thewirecutter.com/blog/why-you-need-a-password-manager-yes-you/
First, some thoughts for certain types of users:
- If you are a family, check out these family tiers, which provide manageability of the individual accounts in the family:
- If you are a business:
  - Look at these business tiers, which provide manageability of the individual accounts in the business:
  - Don't mix personal userids/passwords in the same password manager account as business ones: use two separate accounts. Both of the suggested password managers allow you to access both sets of userids/passwords all the time.
- And if you're an Apple-only user tempted by Apple's built-in password manager, I suggest you not use it for three reasons:
  - if you ever decide to do something outside the Apple ecosystem -- like buy an Android phone or tablet, a Chromebook, or a Windows machine -- you won't be able to get your passwords on it;
  - you probably back up your Apple devices (and their keychain) to iCloud -- which is not an end-to-end encrypted service; and
  - independent security researchers tend to pay more attention to the big third-party password managers (like LastPass and 1Password), which means their vulnerabilities tend to get identified quicker.
- You'll need to create a strong and memorable "master password" to unlock your password manager.
- It's much easier if you set up your password manager account using your computer and their web page (instead of starting with a mobile client).
- After you get it working, download and install the password manager's apps and browser extensions on all your computers, tablets, and phones, and log into these apps (using your master password) so they are all syncing to the password manager's online service.
- You'll need to store each of your online accounts, one by one, into your password manager.
  - Your password manager will help by automatically recording the details whenever you log in to an online account in a computer browser.
  - Once a login (userid and password) is stored for an account, use the account's password change feature to set a new password; your password manager will generate a long random string for you (choose 20+ characters) and will then record it.
  - Start that recording and changing with your most important accounts.
    - Your most important account is not your bank; it's the main email address that you use to create new online accounts. Why? If an attacker gets control of that one email account, they can take over most of your other accounts using their password recovery mechanisms.
- You can export the contents of your password manager as a spreadsheet file anytime you want.
  - But don't store this anywhere that is not encrypted!
    - In particular, if you're on Windows Home (and not a Microsoft Surface or similar device), your main drive is not encrypted, and anyone who gets access to your computer can remove the drive and read its contents.
- It's a good idea to back up the contents of your password manager occasionally, say, every three months.
  - If your main drive is not encrypted (see the previous bullet), you could store the export in a VeraCrypt container, protected with a strong password. (Don't reuse your password manager's master password for this -- password reuse is always bad.)
  - Bonus points if you store a copy of this VeraCrypt container somewhere outside your computer, such as a USB thumb drive.
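The "record, then change to a 20+ character random password" steps above, and the reuse problem from the credential stuffing section, can be made concrete in a few lines of Python. This is an added example, not code from this post or from any password manager; the vault with its three accounts sharing one password is constructed, and the generation uses Python's `secrets` module, which draws from the operating system's CSPRNG.

```python
import math
import secrets
import string
from collections import defaultdict

# Character set for generated passwords: the 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 20  # the post's "20+ characters"

# Constructed sample vault: one password reused on all three accounts,
# which is exactly the exposure credential stuffing takes advantage of.
VAULT = {
    "mail": {"url": "https://mail.examplemail.test", "userid": "alice", "password": "Summer2019!"},
    "bank": {"url": "https://online.examplebank.test", "userid": "alice", "password": "Summer2019!"},
    "shop": {"url": "https://shop.exampleshop.test", "userid": "alice", "password": "Summer2019!"},
}


def generate_password(length: int = MIN_LENGTH, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (never random.choice for secrets)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def reused_passwords(vault: dict) -> dict:
    """Map each password shared by several accounts to those account names.
    An empty result means one breach can expose at most one account."""
    by_password = defaultdict(list)
    for name, entry in vault.items():
        by_password[entry["password"]].append(name)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def rotate_password(vault: dict, account: str, length: int = MIN_LENGTH) -> str:
    """Replace one account's stored password with a fresh random one that no
    other vault entry uses (the 'change password, then record it' step)."""
    in_use = {e["password"] for name, e in vault.items() if name != account}
    candidate = generate_password(length)
    while candidate in in_use:  # astronomically unlikely, but cheap to guard
        candidate = generate_password(length)
    vault[account]["password"] = candidate
    return candidate


if __name__ == "__main__":
    print("reused before:", reused_passwords(VAULT))
    # Rotate the account-recovery email first, as the post advises, then the rest.
    for name in ("mail", "bank", "shop"):
        new = rotate_password(VAULT, name)
        print(f"{name}: new {len(new)}-character password, ~{entropy_bits(len(new)):.0f} bits")
    print("reused after:", reused_passwords(VAULT))
```

A 20-character password over this alphabet carries about 131 bits of entropy, far beyond anything guessable, which is why the length matters more than any "clever" construction you might remember.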
If you're (rightfully) concerned about trusting the cloud with your passwords:
- Know that high-quality password managers (like LastPass and 1Password) are end-to-end encrypted (E2EE) services (a.k.a. "zero knowledge").
- That means that all your data (userids, passwords, URLs, and associated notes) is encrypted before it leaves your device for the cloud, using an encryption key that never leaves your device (and is derived from your master password).
- As a result, if an attacker manages to break into an E2EE service and steal every bit of data (including yours), they won't be able to decrypt any of it.
- You can do a web search on "end-to-end encryption" for more information.
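To show what "encrypted before it leaves your device, with a key derived from your master password" means in practice, here is a worked Python model of the sync. It is an added example, not the design of this post, LastPass or 1Password: the key is derived with PBKDF2-HMAC-SHA256 from the standard library, the round count is illustrative, and the encryption step is a toy HMAC-in-counter-mode stream cipher with a separate authentication tag, standing in for the standard AEAD (such as AES-256-GCM) a real product would use. The vault contents are constructed.

```python
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 200_000  # illustrative; products tune this upward over time


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Slow, salted derivation of the 256-bit vault key from the master
    password. This runs on the device only; the key is never uploaded."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ROUNDS, dklen=32)


def _subkey(vault_key: bytes, purpose: bytes) -> bytes:
    """Separate encryption, MAC and login keys, each derived from the vault key."""
    return hmac.new(vault_key, purpose, hashlib.sha256).digest()


def login_hash(vault_key: bytes) -> str:
    """What the service stores to check your login. It is one one-way step
    away from the vault key, so holding it does not decrypt anything."""
    return _subkey(vault_key, b"login").hex()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. Illustrative only;
    # real products use a standard AEAD such as AES-256-GCM.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, vault: dict) -> bytes:
    """Encrypt-then-MAC the JSON vault; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(vault_key, b"enc"), _subkey(vault_key, b"mac")
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    """Verify the tag first, then decrypt. A wrong key fails closed."""
    enc_key, mac_key = _subkey(vault_key, b"enc"), _subkey(vault_key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def sync_to_cloud(master_password: str, vault: dict, salt: bytes = b"") -> dict:
    """Everything the service ever receives: a salt, the login hash, ciphertext."""
    salt = salt or os.urandom(16)
    vault_key = derive_vault_key(master_password, salt)
    return {"salt": salt, "login_hash": login_hash(vault_key),
            "blob": encrypt_vault(vault_key, vault)}


def restore_from_cloud(master_password: str, record: dict) -> dict:
    """A new device re-derives the key from the master password and decrypts."""
    return decrypt_vault(derive_vault_key(master_password, record["salt"]), record["blob"])


if __name__ == "__main__":
    vault = {"bank": {"userid": "alice", "password": "Qm7!vZ2#pL9@kR4$wX1&"}}  # constructed
    record = sync_to_cloud("correct horse battery staple", vault)
    print("server record contains the password?", b"Qm7!vZ2" in record["blob"])
    print("restored on a new device:", restore_from_cloud("correct horse battery staple", record) == vault)
```

The point of the model is the split: the service holds the salt, a login hash and ciphertext, none of which yields the vault key, so a breach of the service hands the attacker a pile of bytes they cannot read without your master password. It also shows why the master password has to be strong: it is the only input to the derivation, and the slow PBKDF2 step only buys time against guessing, it does not replace length.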
I'll cover two-step authentication (2SV) and two-factor authentication (2FA) in my next post.