- Why you NEED a password manager
- How to actually use good passwords
- What password managers do
- What I use: Bitwarden
Why you NEED a password manager
Over the last year, I’ve become increasingly interested in digital security.
I’m obsessed with things like the podcast Darknet Diaries and other cyber security stories. To me, hacking stories are the perfect combination of true crime, intrigue and nerdiness.
The more I learn, the more frightened I am.
Also, it pisses me off. So many breaches are the result of people exploiting known vulnerabilities and not following security best practices. They are often the result of pure carelessness.
Counter-intuitively, the barrage of security breaches in the media can actually make people pay less attention to the issue. It feels like something out of our control.
We think things like:
“I don’t have any secrets anyway. I don’t care who knows my entire digital life.”
“What are they even going to do with my social security number?”
“There’s nothing I can do to stop it.”
A frightening number of cyber security issues ARE completely beyond our control.
Take for example the massive Equifax data breach. Nobody opted in to Equifax tracking our intimate financial details (or to Equifax storing them on a public-facing server with the well-known username/password combo admin/admin).
Read the news article: Equifax used ‘admin’ as username and password for sensitive data: lawsuit.
Just because some things are beyond our control doesn’t mean that we should ignore the ones that we DO control.
We should actively do what we CAN to be more secure.
One of those things is picking good passwords and not reusing passwords.
So let’s talk about a couple of password stories.
Examples of bad password habits gone wrong
Hacking Microsoft AND Google AND all the major game companies
Darknet Diaries has a couple of episodes on the long and fascinating story of a group that was super interested in video games. Among other things, they ended up hacking into basically every major gaming company out there – including Microsoft and Google – due to the simple fact that developers reused passwords.
They started out just hacking into a gaming forum and getting the usernames and passwords of its members. Then they used those usernames and passwords to try to log in to other sites and networks… and it worked.
This technique (known as credential stuffing) is extremely well known, and it is one of the main reasons data breaches are so damaging. A similar, related technique is to take lists of the most common passwords and simply try to log in to accounts with those.
Now most of us aren’t developers with access to the networks of major tech companies (if you are though, this applies like 100x to you). So what happens if this technique is applied to a more average person?
Spying on an eight-year-old via Ring camera
A recent story to make headlines is this one of a ‘hacker’ talking to a young girl over the Ring camera in her bedroom.
It sounds appalling and headline-worthy. The family makes sure to talk about it like it is Ring’s fault.
When you read all the way through the story though, it is clear that the login credentials for the account had been compromised. Either the same login was used as for another service (which had been breached) or the password was simply weak.
How to actually use good passwords
We all sort of know that reusing passwords is a bad idea, but we like to not think about it because it’s impossible to remember different passwords for every site.
This is what password managers are for. They make it so you can use a different, randomly generated password for every account. You don’t have to worry about forgetting your password.
People who use password managers know how essential they are. But there are actually a lot of reasons why people don’t use password managers, some of which are sort of legit.
Why people don’t use password managers
After I started getting more into hacker stories, I knew I needed a password manager, but it still took me a while to find a service I trusted.
Figuring out if a password manager is secure
It is hard, maybe impossible, for the average person to know if a password manager is secure. Putting your login information for EVERY account you have in one place is a HUGE leap of faith.
Do you just trust the claims on a company’s website that they will keep your data secure? I certainly hope not.
For most password managers, it is impossible for even a technically savvy person to know if it’s secure. Most password managers are run by companies looking to make money off of them and it’s impossible to know what their security procedures actually are.
Solution: Use an open-source password manager.
I actually don’t know enough about programming and encryption to know if a password manager is secure even if I can see the code for it. With a widely used open-source option I know that people who are smarter than me have vetted it.
Deciding which password manager to use
There are a lot of password managers out there and it can be really hard to figure out which one to use.
Many of them offer affiliate programs: if somebody signs up using a reviewer’s special link, the reviewer is paid a little. So it can be hard to trust recommendations online.
Most of them also require a subscription, and I hate getting trapped in situations where I pay recurring fees. Once on a service, it can be hard to switch away due to the difficulty of exporting data, setting up a new service, etc.
Again: Use an open-source password manager.
It’s free. Nobody who leaves good reviews for it is doing so to make money.
The time to switch over and set everything up
Sadly, there is no easy solution to this. It takes a little time to set up a password manager and more time to get all your passwords entered in.
The thing here is just realizing that it is worth it. In the long run, it will save you so much time not having to reset passwords all the time because you forgot them or have them stored on a different device.
One option is to just save different logins as you actually use them. A password manager makes this easy by offering to save them for you when you log in to a new site.
What password managers do
All good password managers share certain features and others have extra features. Here are some of the common ones.
- Cross-platform options. You should be able to use it on all of your devices and browsers. This means plugins/extensions for all major browsers (Firefox, Chrome, Microsoft Edge, etc.) so the password manager can auto-fill login pages. Also, Apple, Linux, Windows, Android and iPhone apps. Plus a website where you can log in.
- The ability to generate random passwords for you. This way it is easy to use a strong password when you are signing up for a new service or changing your password for an existing account.
- The ability to store credit card info. This information is encrypted and stored securely. It’s really just about the convenience of having that information at your fingertips when you’re shopping online. I also like it because if I lost a credit card or something I’d have a record of the numbers.
- Password security features. Many password managers provide features like comparing your passwords to lists of known breaches or keeping track of the last time you changed a password or how many times you’ve reused the same password.
- Encrypted storage for important notes. This lets you save information you want to keep secure, like backup security codes for two-factor authentication or the answers to your security questions. (TIP: You can actually use randomly generated ‘passwords’ as your security question answers instead of answering the questions truthfully. The problem is that questions like ‘What color was your first car?’ really just aren’t that secure.)
How password managers keep your information secure
Password managers require a master password that ‘unlocks’ your other passwords.
This master password is more than just a password. It’s used as an encryption key, which basically means feeding your data through some weird math that uses that password to turn your data into a random, meaningless combination of characters.
That password or encryption key is also needed in order to decode the random meaningless combination of characters.
One of the very important features of a good password manager is that the master password never leaves your computer.
The password manager company NEVER sees your master password. Even though they sync your encrypted file across your devices, they have no way of decoding it.
Your data is decrypted on your device using your master password.
What about logging in to the service? Don’t they see the password then?
If it’s a good password manager then the answer is actually ‘No’.
Before your password is sent to them, it is passed through an algorithm on your computer. This is a one-way algorithm: it takes your password and turns it into a ‘hashed’ password.
A specific password will always produce the same value when passed through the hashing algorithm, so they can check whether the input matches what was stored when you signed up.
BUT, there is no way for them to go from the hashed password back to the original password. That means that even if a rogue employee or a hacker has access to all of the data the password manager company has, they can’t see what passwords a person has stored using the service.
They can see the hashed password but they can’t figure out the original password from it so they can’t decrypt the file that stores all of a person’s other passwords.
Again, the caveat here is with a good password manager. This is how services should work. It doesn’t mean that all companies set things up how they should.
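The split described above, where the master password becomes a local encryption key and only a separate one-way login hash ever reaches the server, as an added example that is not code from this post or from any particular product. It assumes PBKDF2-SHA256 for both derivations and stands in a toy HMAC-based stream cipher for the real cipher (AES in practice); the emails, passwords and vault contents are constructed:

```python
import hashlib, hmac, os

KDF_ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, real products pick their own

def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client-side only: stretch the master password into the vault encryption key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ITERATIONS, 32)

def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client-side: one-way value sent to the server for login instead of the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, 32)

def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher from HMAC-SHA256 (illustration only; real products use AES)."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        stream = hmac.new(key, nonce + block.to_bytes(4, "big"), "sha256").digest()
        out += bytes(p ^ s for p, s in zip(data[start:start + 32], stream))
    return bytes(out)

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = _xor_keystream(vault_key, nonce, plaintext)
    return nonce + body + hmac.new(vault_key, nonce + body, "sha256").digest()  # MAC tag

def decrypt_vault(vault_key: bytes, blob: bytes):
    """Returns the plaintext, or None if the key is wrong or the blob was tampered with."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(vault_key, nonce + body, "sha256").digest()):
        return None
    return _xor_keystream(vault_key, nonce, body)

class SyncServer:
    """All the company holds per user: a salt, a hash of the login hash, and the encrypted blob."""
    def __init__(self):
        self.users = {}
    def register(self, email: str, login_hash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        self.users[email] = (salt, hashlib.pbkdf2_hmac("sha256", login_hash, salt, 10_000), blob)
    def login(self, email: str, login_hash: bytes):
        salt, stored, blob = self.users[email]
        return blob if hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", login_hash, salt, 10_000)) else None

def demo(master="correct horse battery staple", email="alice@example.com"):
    # Constructed walkthrough: register, log in, decrypt locally, and show a wrong key fails.
    key = derive_vault_key(master, email)
    server = SyncServer()
    server.register(email, derive_login_hash(key, master), encrypt_vault(key, b"github: hunter2"))
    blob = server.login(email, derive_login_hash(key, master))
    return {"plaintext": decrypt_vault(key, blob),
            "wrong_key": decrypt_vault(derive_vault_key("wrong password", email), blob),
            "bad_login": server.login(email, b"\0" * 32)}
```

Nothing the SyncServer stores lets it recover the master password or the vault key, which is also why a forgotten master password cannot simply be reset without losing the data.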
Red flags: Things you don’t want in a password manager
Some password managers offer a feature where if you die or something else happens, you can provide access to your passwords to somebody you trust.
They send a request to access your passwords and the service emails you. If you don’t respond in a certain period of time, then the request is granted.
To me, this is a huge red flag. If your data is really encrypted so that even the company (or a hacker on their network) can’t view your passwords, how are they able to provide them to a third party?
Now maybe they have some system worked out that is actually secure, but the ones I checked out did not provide enough documentation to make me feel at all comfortable with that feature.
If you forget your master password you’re screwed
One thing to note about all of this is that if you forget your master password, there is no way to recover it or reset it and keep your existing data.
The company providing your service would have the ability to change the hashed password that is stored for being able to log in, but they would be unable to decrypt your existing data.
Picking a good master password
On that note, a few tips for picking a good master password:
- Pick something fairly long – this makes it a stronger encryption key
- Use a sentence that will be easy for you to remember. It’s very important that you remember this one password.
- Consider using uncommon words – things that won’t appear in the dictionary or commonly online
- Mix in some capital letters, numbers, symbols, etc.
Think along the lines of I<3April20ththeMOSTEST!! or PythonIsTheVeryGR8TESTEver.
What I use: Bitwarden
I spent quite a while researching password manager options to figure out which one was best. I finally settled on Bitwarden. (Definitely not an affiliate link. I don’t think they even have an affiliate program. Just what I actually use and recommend.)
- It’s open source so I feel confident that people smarter than me have reviewed the code.
- It has a clean design and is easy to use.
- It is available on basically all devices and browsers.
- The free version is ‘really free, not a fake “free trial” free’.
- It provides all of the features you might want.
It does have a paid option that unlocks some cool extra features. It is not at all necessary. Plus the paid option is only $10 per year, which is far less than any of the other options out there.
I do have the paid option mostly just because I like to support things that I think are important in the world.
Do you use a password manager? Let me know why or why not in the comments.