Should you use a password manager?

The answer is yes. That is all. No need to read any further.

Ok, fine. There is actually a bit more to talk about here. First, a little background. A password manager is software that will generate unique, secure passwords for every website and then store them for you so that you don’t have to remember them all. Easier than a pile of sticky notes on your desk, and way way WAY more secure than just using the same password for every site.

Benefits include:

  • Generating unique passwords for every website. This is critical to protect yourself from data breaches. If you use the same password for Neopets as you do for your bank, then if Neopets ever gets hacked, the hackers get your bank password too. Now multiply that risk by every site you have an account with (not just Neopets), and that’s scary.
  • Generating strong passwords. These will generally be random combinations of uppercase letters, lowercase letters, numbers, and symbols, usually at least 16–32 characters long. They’re practically impossible to guess, which is what makes them strong. And their main weakness of also being impossible to remember isn’t a problem if they’re stored in a password manager!
    • For example, this is considered a very strong password: 67HrBhZr2s&VZ%#K
  • Locking up your passwords with a master password. This makes it so that you only have to remember one single password in order to get access to all the others. This is way more secure than just keeping a notebook or text file for passwords. Just make sure that the master password is a strong and unique one, too!
  • Automatically entering your credentials when logging in or creating accounts (e.g. via a browser plugin). This one is mostly just for convenience, but it also comes in handy if someone tries to phish you (trick you into putting your password into a fake version of a website) because the password manager won’t autofill it for you. If autofill isn’t working, double check the URL!

Common password managers include Bitwarden, KeePass, Dashlane, and 1Password. The one you choose doesn’t matter much; the most important thing is that you actually use it.

The best option for most people is probably Bitwarden since it’s free and automatically syncs your passwords across all your devices via the cloud. Plus, it’s what the tech nerds use! If you don’t want your passwords in the cloud (even in encrypted form), then I recommend KeePass, which is also free (though you’ll have to manually sync the password database between all of your devices).

Both Bitwarden and KeePass are also open-source software, which is a big plus because it means you have more control over it. You may have heard about how LastPass recently started charging $3 per month. That’s a crappy situation because you either have to pay it, or figure out how to transfer all of your passwords over to a different password manager. But open source software is very unlikely to do this, and if it does, there are usually tools that make it easy to switch to something else.

Anyway, for a more comprehensive comparison between some password managers, here are some external articles:

Still not convinced that using a password manager makes sense? Then read this article from Mozilla: Five myths about password managers.

But why can’t I just use the one built into my browser?

You can… but it’s not as good.

For one, browsers don’t necessarily encrypt all your passwords with a master password like a real password manager would, so if your device is compromised (e.g. hacked or stolen), your passwords are at risk. A full password manager will regularly lock your “vault” to keep it safe. It’s a little bit more annoying, but it’s worth it if you care about the security of your accounts!

For two, browser-based password managers often can’t store extra data that you might need, such as extra PINs and security question responses (which by the way, you really need to stop giving!).

But why do I have to do all of this? I’ve never been hacked!

Well then count yourself extremely lucky! If you use weak passwords and share passwords between sites, it’s only a matter of time until your accounts are hacked. That’s just the world we live in.

Going through life without decent passwords is like neglecting to look both ways when crossing the street. You WILL get run over eventually. Sure, maybe you were able to stay unscathed for a while, maybe even for years. But that doesn’t mean you were doing the safe thing. And one of these days, you WILL regret it.

So to prevent that regret, all you need to do is use strong, unique passwords. And the easiest way to do that is simply to use a password manager.

I know it’s annoying to suddenly have to switch over to a more complicated system when your previous system was working fine, but let me assure you of this:

It’s a LOT easier to set up a password manager than it is to deal with your accounts getting hacked, losing all of your money, and having your identity stolen.

Seriously, your future self will thank you. Can you imagine what would happen if a criminal took over your email account? Or if you lost access to that cloud service where all your family photos were saved? Or if all of your money was drained from your bank and retirement accounts?

You might be able to get some of that stuff back. But maybe not. And even if you do, it can mean years of headaches and worry, especially if you’re dealing with identity theft.

So seriously, today, right now: Just get a password manager and at least change out the passwords on your most important accounts (e.g. email, finances, social media) with unique, secure ones. You don’t even have to do it all at once. Just do one per day for a few days, and you’ll be way better off. Here’s how to do it:

What to actually do

1. Set up Bitwarden

Create a Bitwarden account. That includes setting a master password. This password grants access to all of your other passwords, so it needs to be really secure. Do NOT use the same password here as on any other site/account!

I recommend generating a new password on this website:

Remember to write down the password, preferably in multiple locations. Hide the papers somewhere, and don’t write down that it’s for Bitwarden, just in case someone finds it.

You’ll need to keep the written versions until you have it memorized. Only destroy the written versions once you’re SURE you have the password memorized. There is no “forgot password” button for password managers (for security reasons).

2. Get the Bitwarden app/extension

On your phone, I recommend using the Bitwarden app. For computers, I recommend the browser extension, e.g. for Chrome, Safari, Firefox, etc. You can download everything here:

The browser extension will let you fill in password fields with the click of a button; just click the Bitwarden icon in your extensions area (upper right of browser), then click the credential you want to use (if you only have one account, only one credential will appear). You can also enable automatically filling in user/password fields under “Settings”, then “Options”, then “Auto-fill on page load”.

The app can do the same: you’ll want to enable the autofill features by going to “Settings”, then “Auto-fill services”, and enabling “Auto-fill service”, “Use inline autofill”, and “Use accessibility”. Grant the permissions it asks for. Then a Bitwarden button will appear above your keyboard when you’re at a user/password field. Just click on it, and it will fill in your credentials!

3. Start putting all your passwords into it

If you have an existing password manager, or if some of your passwords are saved in your browser, you can import those passwords into Bitwarden. Just Google for “import passwords from <service> to bitwarden”. For example, here’s how to import from Google Chrome.

If you don’t have any passwords to import, then you’ll have to enter them one-by-one. All you have to do is open Bitwarden (either the browser extension or the app) to make sure you’re logged in (i.e. the “vault” is unlocked), then just log into the website. Bitwarden should offer to save the password for you; just click “yes”! After a while, you’ll eventually get most of your important accounts saved.

4. Check your existing passwords to make sure they are strong and unique

If any of your existing passwords are weak or are reused across sites, make sure to generate better ones! For example, a weak password might look like “123qwerty”, “snoopy1982”, “p@ssword!”, or anything else short or containing words/names. A strong password might look like “Ocean-Govern-Extreme-Tree-15” or “9U7UCr3%NrC&ig5mPZRe”.

Remember, unique is important. If you use the same password across multiple sites, then hackers who break into any of those sites get your password for every site. What happens if Netflix gets hacked? Wouldn’t it suck to have all of your money stolen because your bank password was the same as your Netflix password?

And when it comes to strength, Bitwarden can do that for you! When a website wants to fill in a new password, open the Bitwarden app or extension and select “Generator”. I recommend allowing all letters, numbers, and symbols, and making the password 20 characters long. It will be impossible to remember, but who cares? Bitwarden will remember it for you! And it should be plenty secure. After the first time, it should remember your password settings. Then you can just click the “copy” button next to the generated password and paste it into the “new password” field.

Usually, when you set or update a password, Bitwarden will ask if you want to save/update it. Select yes! If the popup doesn’t appear though, then open Bitwarden again and click the “view” icon for your credential, then “Edit”, then paste in your new password over the old one. You can also edit notes here as well, which is a great place to store the answers to security questions (which should basically just be extra passwords!).
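To make the “strong and unique” advice in this step concrete, here is a small added example (my own, not code from the post or from Bitwarden) that generates a 20-character password from all four character classes, as recommended above, and estimates how many bits of guessing work a password or a word-list passphrase represents. The 7776-entry word list size is an assumption taken from the common diceware lists.

```python
import math
import secrets
import string

# The four character classes the post recommends enabling in the generator.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = string.punctuation  # the 32 printable ASCII symbols
ALL = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Random password drawn from all four classes, like Bitwarden's Generator.

    Uses the `secrets` module (a CSPRNG), never `random`, and retries until
    at least one character from every class is present.
    """
    if length < 4:
        raise ValueError("need room for one character from each class")
    while True:
        candidate = "".join(secrets.choice(ALL) for _ in range(length))
        if all(any(c in cls for c in candidate)
               for cls in (LOWER, UPPER, DIGITS, SYMBOLS)):
            return candidate


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy: length * log2(size of the pool used).

    This is only accurate for *randomly generated* passwords. "snoopy1982"
    scores about 52 bits here, but it is a name plus a year, so a cracker
    guesses it almost immediately; treat the number as a ceiling.
    """
    pool = sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of an Ocean-Govern-Extreme-Tree style passphrase, assuming each
    word is picked at random from a list of `wordlist_size` words (7776 is
    the usual diceware list size, assumed here)."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, round(entropy_bits(pw), 1), "bits")
    print("123qwerty", round(entropy_bits("123qwerty"), 1), "bits (ceiling)")
    print("4 diceware words", round(passphrase_bits(4), 1), "bits")
```

The post's 20-character example comes out at roughly 131 bits, while a four-word passphrase from a 7776-word list is about 52 bits, which is why the post suggests adding digits or a fifth word when you go the passphrase route.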

5. Done! You’ve never felt so secure!

If you need a more step-by-step guide, see this post. Steps 3-4 talk about how to export from LastPass and import into Bitwarden, but you can always

What happens if I forget my password manager’s password?

I’m sure you’ve heard the advice to “never write down a password”. And that’s partially true; you certainly don’t want your password written on a sticky note stuck to your screen (especially in an office or public space). But if it’s a strong password that you’ve never used before, it can be really hard to remember it at first. And if you forget your password manager’s master password, you lose access to ALL of your other passwords—there’s no “forgot your password” feature to help you. It’s going to be a real pain to reset all of your accounts. Compared to that, just writing your password down doesn’t seem that bad. After all, your biggest threat is usually attackers on the Internet, and they won’t have access to your sticky notes. The only people who can read those are real people in the real world, but even they won’t be much of a problem if you’re smart about it!

Tips for storing an important password that you can’t forget

The safest place for a password is in your head, so you should still try to memorize it if possible. Repetition is key in remembering, and you can also try using a mnemonic device if need be. But until then, you may need to keep a password written down for a few weeks. If you must do this, read on.

Remember that the main threat here is someone who has physical access to wherever you wrote down the password, e.g. a burglar, a family member, a party guest, a cleaner/mover/plumber, etc. You’re not going to be dealing with sophisticated attackers here. You basically just need enough security to prevent a crime of opportunity, whereby an unsavory individual happens to see a password and figures they might as well swipe it. So here’s what to do:

  • Don’t write down what the password is for—no username, no website URL, etc. (except maybe a hint that only you will understand). Anyone who finds it won’t even know how to use it!
  • Don’t leave it lying around in plain view. Hide it or lock it up.
  • Destroy it after you memorize it.

If you’re a little more paranoid, you might even consider the following:

  • Store the password in pieces. Anyone who finds one piece won’t know about the other pieces.
  • Use steganography—the art of hiding data within other data. For example, if you made a correct-horse-battery-staple-style password from a list of household goods, you could perhaps disguise it in a “shopping list”. Or if you need to remember a number (e.g. a PIN or SSN), consider writing it down like a phone number and labeling it “Alex’s cell” (adding extra digits if need be). Use your imagination here!

But what if the password manager gets hacked?

That can happen, though it’s usually rare… much rarer than regular websites/accounts getting hacked. As long as you’re using a secure password manager like Bitwarden, along with a secure, unique master password for it, then you’re most likely pretty safe! Just make sure you take some precautions against malware or getting your device physically stolen.

Conclusion

If you do nothing else, please at least remember to use strong, unique passwords for your most important accounts (e.g. email, banks). Write them down if you must, but you should really really consider trying out a password manager. They’re really not that bad once you get used to them, and in fact they make your life easier! And the only thing better than security is easiness. 🙂

2023-01-25: Removed LastPass as a recommendation due to the amount of security issues they’ve been having.
