“Eat your vegetables!”

Having a strong password on your online accounts is like eating your vegetables; everyone knows that you should do it, but using that same old password that has worked for so many years is like the familiar pasta dish you order instead of a salad or broccoli. It is certainly not easy for most people to remember a strong* password for each one of their online accounts: a password that is at least twelve characters long and has a pattern-less mix of upper- and lower-case letters, numbers, and special characters, such as ! @ # $ % ^ & – + ? ; : )(.

Therefore, what is the salad dressing that makes our password vegetables easier to eat? A password manager. Password managers act as a vault that encrypts your different passwords and then automatically types those passwords into websites for you when you need them. Some password managers are usable offline, without an internet connection; however, most require you to open an account and connect to the password manager company’s computer systems. Many password managers can even enable you to share passwords with family members or coworkers. 

Skeptical?

You might ask, “what keeps unauthorized people out of my password manager?” That is a good question. Another one is, “is it really wise to store all my valuable information in one place?” 

The answer to the first question depends on how secure your manager is. You can use a single main password, or you can use multi-factor authentication (MFA). Examples of MFA range from entering a security code (called a “one-time password” or OTP) from your cellphone after you have entered the password, to needing to plug in a USB flash drive (containing a key file), to letting your computer or phone scan your fingerprint (biometric). 

The answer to the second question (storing all your passwords in one place) depends on a few elements. The first element to consider is how secure your password manager is when it is locked. If it is protected only by a six-letter word that can be found in a dictionary (the very word lists used in dictionary attacks), and that password is reused on other websites, then you should be worried. However, if your password manager has both a strong password (as described in paragraph one) and multi-factor authentication such as an OTP, a USB key file, or a Yubikey**, then your manager is at much, much lower risk. 
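As an added example (not part of the original post), this Python checker applies the post's own criteria: the six-letter dictionary word that a dictionary attack tries first, the twelve-plus-character mix of all four character classes from paragraph one, and the seven-word passphrase recipe from the first endnote. The word list, the `DICTIONARY` set and the `dictionary_size` figure of 170,000 are constructed assumptions standing in for a real word list.

```python
import math
import re

# Constructed mini word list; a real checker would load a full list such as
# /usr/share/dict/words (assumption, not from the post).
DICTIONARY = {"secret", "summer", "monkey", "dragon", "purple", "orange",
              "paralyses", "postnasal", "customary", "neatly", "saline",
              "luster", "upcoming"}

SPECIALS = set("!@#$%^&-+?;:)(")  # the special characters listed in the post


def char_classes(pw):
    """Return the set of character classes present in a password."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif not c.isalnum():
            classes.add("special")
    return classes


def is_dictionary_word(pw):
    """True if the password, case-folded and stripped of non-letters, is one dictionary word."""
    return re.sub(r"[^a-z]", "", pw.lower()) in DICTIONARY


def estimate_bits(secret, dictionary_size=170_000):
    """Rough guessing entropy: log2 of the space an attacker must search."""
    words = secret.split()
    if len(words) >= 7:                      # endnote recipe: one lookup per word
        return len(words) * math.log2(dictionary_size)
    if is_dictionary_word(secret):           # a single dictionary lookup
        return math.log2(dictionary_size)
    pool = {"lower": 26, "upper": 26, "digit": 10, "special": 32}
    alphabet = sum(pool[c] for c in char_classes(secret))
    return len(secret) * math.log2(alphabet)


def assess(secret):
    """Classify a secret against the post's criteria."""
    words = secret.split()
    if len(words) >= 7:
        special_inside = any(ch in SPECIALS for w in words for ch in w)
        return "strong passphrase" if special_inside else "passphrase: add a special character"
    if is_dictionary_word(secret):
        return "weak: dictionary word"
    if len(secret) >= 12 and char_classes(secret) == {"lower", "upper", "digit", "special"}:
        return "strong password"
    return "weak"
```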

The second element to consider is what kind of backup options you have in case you accidentally delete or otherwise lose the password manager database file. However you decide to back up your file, just make sure not to store the lock and the key together. That is, if you store a copy of the file as a backup, make sure that you do not store a copy of the password and/or MFA files alongside it. Some people store a copy of their password manager database file on a USB flash drive and then keep that drive in a fire-resistant safe at home or in a safety deposit box at the bank. Some people have online, “cloud-based” backups of all their files. 

The third element to consider is how convenient you need the password manager to be. The manager cannot be too complicated for you to open or too inaccessible to you. For example, your password manager may be “cloud-based,” on the internet, while you do not always have cellular data or a Wi-Fi signal available. Another scenario is being forced to use a device that is incompatible with your password manager. (Once, I had to unlock the password manager on my phone so I could then see and type on the keyboard of a PC the thirty-nine random characters of one of my passwords.)

Why not let your browser remember passwords?

Why use a separate password manager when your favorite web browser offers to remember your passwords? The answer to that question depends on your answers to the following questions: Does your browser encrypt the passwords that it remembers? Can the browser customize passwords based on the criteria of the website (for example, one that accepts only specific characters)? What if you are traveling or working and cannot use the web browser that you normally use? What if you need to share your Netflix or other password with someone? What if you want to encrypt other information such as scans of your passport, credit card numbers, or a secure note? Do you trust Google, Apple, Microsoft, or another tech company with your passwords? What if you want to switch to a different browser in the future? Can your browser run security/audit reports on your hundreds of passwords (a report card on your passwords, identifying duplicates, etc.)? 

Now that you know the basics of password managers, which one is best for you? Continuing on with the vegetable analogy, if password managers are like salad dressings, the dressing you choose depends on your personal taste. Below are three types of password managers and types of salad dressings that not only have unique features, but are also available by way of different business models: 

The first type of password manager: free & open

The first business model is open source software, which is free to use as long as you provide the infrastructure and troubleshooting for it. This is do-it-yourself. If this were a salad dressing, it would be made from extra virgin olive oil or whatever type of oil you choose along with other ingredients you personally grabbed from your cupboards. You also choose the proportion of ingredients in the dressing because it is customizable. Some pros of these salad dressings are that they taste delicious and come with much gratification, but some of the cons are that you must prepare the dressing yourself and you have to pack it up if you want to take it with you to use it away from home. 

Open source means that there are many more eyes that can look for vulnerabilities and many more people who can write software patches to counteract those vulnerabilities than most software companies can provide. Password managers that utilize the open source, KeePass-based database files include KeePass (many features and active community support on Windows), KeePassXC (Linux, Mac, and Windows), KeePass2Android (Android devices), and KeePassium (iOS/Apple®). 

[Screenshot of KeePassXC listing some of the many entries in this password database.]
[Detail page of one of the password entries in KeePassXC.]

The password managers mentioned in the preceding paragraph store passwords and sensitive information in an encrypted kdbx database file (based on the KeePass file type). That file must be saved locally to your PC, Mac, smartphone, etc. This means that the database file is not saved “in the cloud” unless you save it on a file synchronization platform such as NextCloud, Dropbox, Google Drive, or Microsoft OneDrive. 

Another way to host the database file “in the cloud” is to store it in a networked location. Storing the file “in the cloud” is probably just fine as long as you do NOT store both the kdbx file and the credentials (password and/or key file) in the cloud. You do not want threat actors to have access to the lock and key because they are stored together in the same location. 

The second type of password manager: online & thrifty

While the password manager of the second business model is not free, it is very close to free. These managers are like the packages of salad dressings for sale at a fast food restaurant. The variety of dressings is somewhat limited; however, you can usually get them wherever you find a fast food joint. You trade the ability to select the ingredients and recipe for convenience. 

BitWarden has a free plan option, but you can level up to a premium plan for only $0.83 per month ($10.00 per year), which brings additional features. Their family plan is $3.33 per month ($40.00 per year) and allows you to share access with family members or coworkers. Here is a link to their 2021 security audit report. BitWarden has plugins/addons/extensions for Firefox, Google Chrome, Edge, and other browsers, as well as a downloadable client for your computer, an app for your Android or Apple® smartphone, and even a web interface in case you need or want that. 

[Screenshot of BitWarden password manager listing three password entries.]
[Screenshot showing the BitWarden web browser extension in action in a web browser.]

The third type of password manager: click & forget it

The third business model is full of features and is easy to use, but comes at a premium price. These types of password managers are like the dressings and toppings found at a salad buffet. (Remember those from before the days of the coronavirus pandemic?) There is a wide selection, but all are more expensive. The trade-off is monetary cost. 

The main selling point of the Dashlane password manager is that their product is easy to use and is designed to make filling out information on the internet easy. One of the features their password manager boasts is a tool that changes all your old, weak, or reused passwords on several select websites to stronger ones with a single click of the mouse. Just like some salad buffets offer “bonus” foods such as soups and desserts, two of Dashlane’s subscription plans include extra services. Two “bonuses” available are a) access to a secure virtual private network (VPN) service to increase your anonymity on the internet, and b) encrypted file storage for digital artifacts such as scans of your passport.

[Screenshot of the Dashlane password manager web browser extension in action.]

Dashlane does have a feature that will automatically log you into a website when you visit that site’s login page. You would need to remember to manually log out of those websites afterwards. You can even configure Dashlane to automatically fill website forms with your information.

[Screenshot of the autofill options of one of the password entries within the Dashlane password manager.]

Until we no longer need passwords

So, what is the future of password security? I recently listened to an executive at a startup company that specializes in a computer authentication system designed to eliminate the need for passwords. This system authenticates your session with “magic links” sent to your email address. That company is stytch.com and they believe that passwords are obsolete and even a security risk because many people reuse their passwords on more than one website and/or app. 

Email “magic links” would work well assuming two things: you have a really strong password on your email account, and you are okay with linking from, or copying and pasting from, your email account. Since most people access their email via a mobile device or stay logged into their email account(s) while visiting other websites in the web browser (a practice to which I am opposed), most of the time, the greatest issue is having a strong password protecting your email account. 

Summary

Just like a good dressing and toppings can make vegetables much more palatable, password managers make using unique strong passwords on your different internet accounts well within reach. Password managers protect your sensitive information with heavy-duty encryption and authentication and replace the risky practice of reusing passwords on multiple websites and/or apps, all while saving you from having to memorize complicated passwords for all those websites and apps.

End notes

* = alternatives to strong passwords are strong passphrases constructed of seven or more words which are not used in common conversation, are strung together in an unpredictable order, and have a special character thrown into one or more of those words. Good example: “paralyses postnasal cust&omary neatly saline luste^r upcoming” (https://youtu.be/3NjQ9b3pgIg?t=425).

** = Yubikey “…allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows for storing static passwords for use at sites that do not support one-time passwords” (https://en.wikipedia.org/wiki/YubiKey).