{"id":22,"date":"2016-09-02T10:02:22","date_gmt":"2016-09-02T10:02:22","guid":{"rendered":"http:\/\/scaine.net\/kb\/?p=22"},"modified":"2016-11-29T11:03:13","modified_gmt":"2016-11-29T11:03:13","slug":"password-managers","status":"publish","type":"post","link":"http:\/\/scaine.net\/kb\/your-data\/password-managers\/","title":{"rendered":"Password Managers"},"content":{"rendered":"<h2 class=\"western\">What is a Password Manager?<\/h2>\n<p class=\"western\">A password manager is an app that stores all the passwords in your life. Primarily, it will help you with web-based passwords, such as those for social media, shopping, or banking sites, but they can also be used to store any kind of private information that you deem sensitive. A good password manager will offer to help you with the sign-up to new services on the internet, and will also automatically log you into existing services, across multiple devices if necessary.<\/p>\n<h2 class=\"western\">Why do you need one?<\/h2>\n<p class=\"western\">The sheer number of passwords that we have to manage in today\u2019s connected world is mind boggling. In fact, there are so many sites that you really only have a handful of options for dealing with it:<\/p>\n<ol>\n<li>\n<p class=\"western\"><i>Use the same password everywhere (or minor variations thereof)<\/i><\/p>\n<\/li>\n<\/ol>\n<p class=\"western\">This is clearly the worst solution:\u00a0if one site is hacked, then all your sites are hacked. If one of those is your webmail account, then everything, including your online banking, is up for grabs.<\/p>\n<ol start=\"2\">\n<li>\n<p class=\"western\"><i>Use a password \u201cscheme\u201d which gives you mostly unique passwords depending on the sites you visit<\/i><\/p>\n<\/li>\n<\/ol>\n<p class=\"western\">This involves using a procedure to generate a password that you\u2019ll remember, but is unique to each site. 
So my scheme might be quite simple, something like !&lt;nameofsite&gt;#, or it might be more complex, but ultimately if someone recognises a scheme, then it\u2019s little better than option 1.<\/p>\n<ol start=\"3\">\n<li>\n<p class=\"western\"><i>Use unique passwords, but write them down<\/i><\/p>\n<\/li>\n<\/ol>\n<p class=\"western\">The drawbacks here should be apparent \u2013 if you lose the diary where you\u2019ve stored all your information, then every site you use is compromised. And worse, it\u2019s a list of every site you use! Additionally, if you want to log in somewhere that you can\u2019t access your diary, you\u2019re out of luck. Similarly, if you update or sign up to a new site while you don\u2019t have access to your store, you\u2019ll probably forget to update the store later.<\/p>\n<ol start=\"4\">\n<li>\n<p class=\"western\"><i>Use your browser\u2019s \u201cremember\u201d function<\/i><\/p>\n<\/li>\n<\/ol>\n<p class=\"western\">Finally, option 4 sounds like a useful solution. But since most browser-based password stores are local to the machine you\u2019re using, you won\u2019t get access to your sites from another computer unless you sign up for their inbuilt syncing mechanisms. If you do that, you\u2019re uploading every password for every site you use to a third party, often in cleartext \u2013 so Mozilla (Firefox), Apple (Safari) or Google (Chrome) will now have all your passwords. Internet Explorer doesn\u2019t offer password sync, so each computer will have to remember each password separately \u2013 something that becomes particularly painful if you change your password on a given site (or use a new computer).<\/p>\n<p class=\"western\">Options 1, 2 and 4 also have the severe disadvantage that they only deal with passwords. If you want to remember your passport details, bank account, or driving license details, you\u2019re out of luck with these methods.<\/p>\n<p class=\"western\">So, let\u2019s look at another option. 
Option 5 \u2013 use a password manager.<\/p>\n<h2 class=\"western\">What are the advantages?<\/h2>\n<p class=\"western\">There are two primary advantages to using a password manager \u2013 convenience and security. It\u2019s not often that you get to use those two terms together, so let\u2019s break down each individually.<\/p>\n<h3 class=\"western\">Convenience<\/h3>\n<p class=\"western\">Most password managers are just plug-ins for the most common browsers. That means that they can add functionality very easily and offer a more seamless browsing experience.<\/p>\n<p class=\"western\">So, when you visit a site that you have a login for, the password manager can be configured to log you in automatically. Similarly, when you sign up for a new site, your password manager will auto-generate a password for you, streamlining the experience. Often, you don\u2019t even need to know what the password was, since the manager takes care of it all for you.<\/p>\n<h3 class=\"western\">Security<\/h3>\n<p class=\"western\">Once all your passwords are in a central location, many password managers will offer to analyse them and score you accordingly. Lastpass, for example, will highlight weak passwords, duplicate or similar passwords used across multiple sites, or passwords that have been in use for multiple years. Some password managers will offer to take matters into their own hands \u2013 many popular sites now integrate with password managers and they can auto-rotate your passwords in the background, ensuring strong security but without the inconvenience of having to do it yourself.<\/p>\n<p class=\"western\">All of the major password managers support two-factor authentication. So even if your master password falls into the wrong hands, or your password manager account is hacked, the information gleaned is useless unless the bad guys also steal your phone. 
If you\u2019re using a password manager\u2026 use two-factor authentication!<\/p>\n<p class=\"western\">Finally, password managers are the ultimate tool in the fight against phishing. If you click on a phishing or malware link that takes you to, say, a phony Gmail page which then prompts you to log in, your password manager will quite rightly refuse to enter your Gmail password, because the page\u2019s address doesn\u2019t match the site it saved that password for.<\/p>\n<h2 class=\"western\">What are the risks?<\/h2>\n<p class=\"western\">The two primary risks involve putting all your eggs in one basket and then uploading those digital eggs to the cloud. However, unlike options 1 and 4, above, you\u2019re not simply dumping all your most sensitive information in clear text. All password managers will complete multiple rounds of encryption based on a key that only you know. This is called \u201czero-touch\u201d encryption. It means that even if law enforcement force the password manager provider to divulge your passwords, they can\u2019t, as they don\u2019t have your encryption key.<\/p>\n<p class=\"western\">Combined with two-factor authentication, your password store is both encrypted AND useless without access to your phone, so there\u2019s no reason not to use cloud sync to get further convenience from the service. Maintain a single password store across all your devices and log in seamlessly from anywhere \u2013 any PC, any laptop, your phone, or your tablet.<\/p>\n<p class=\"western\">Really, if you\u2019ve combined a <span style=\"color: #0000ff;\"><u><a href=\"https:\/\/xato.net\/if-a-strong-password-is-2-573-miles-how-long-is-yours-ee1aa4d04585#.4wovpke34\">reasonable password<\/a><\/u><\/span> with two-factor auth, then the only realistic risk of using a password manager is forgetting your master password. Make no mistake \u2013 if you put your digital life into a password manager, then forget your master password, it\u2019s all gone. Irretrievably. 
There are usually no backdoors to these services, although some services do offer a (slightly convoluted) mechanism to help with even this doomsday scenario \u2013 in the case of Lastpass, assuming that you still have one device logged into the service, you might be able to perform an account recovery using their One Time Password functionality.<\/p>\n<h2 class=\"western\">What are the options?<\/h2>\n<p class=\"western\">There are too many to list fully. Personally, I consider the three most popular services to be Lastpass, 1Password and Dashlane. But there\u2019s also Keeper, KeePass, RoboForm, Zoho Vault, Intel True Key, Password Boss and many more. Some are open source, some are free, some are subscriptions, but they all do largely the same thing.<\/p>\n<h2 class=\"western\">Aren\u2019t password managers hacked all the time?<\/h2>\n<p class=\"western\">Yes and no! They\u2019re often <i>targets<\/i> for hackers, but that\u2019s not always a bad thing.<\/p>\n<p class=\"western\">Lastpass and others frequently hit the news for being \u201chacked\u201d or \u201cvulnerable\u201d. However, as long as the company responds quickly, the nature of zero-touch encryption and two-factor authentication will usually keep you safe. For example, for the <span style=\"color: #0000ff;\"><u><a href=\"http:\/\/www.pcworld.com\/article\/2936621\/the-lastpass-security-breach-what-you-need-to-know-do-and-watch-out-for.html\">last breach to hit Lastpass, in June 2015<\/a><\/u><\/span>, the company immediately locked down accounts by requiring email verification (on top of any two-factor you already had in place) and enforced a master password change (which many experts argued was overkill). All the experts agreed that despite the headlines, the hack itself was largely trivial. 
It shouldn\u2019t have happened in an ideal world, of course, but crucially, the breach didn\u2019t give hackers much useful leverage.<\/p>\n<p class=\"western\">And if the company has the right ethos, then each \u201chack\u201d makes the service stronger. After last year\u2019s Black Hat conference unearthed a number of mathematical flaws in how Lastpass used its One Time Password mechanism, <span style=\"color: #0000ff;\"><u><a href=\"http:\/\/www.martinvigo.com\/even-the-lastpass-will-be-stolen-deal-with-it\/\">Martin Vigo noted that Lastpass updated those mechanisms within a couple of days<\/a><\/u><\/span> and praised how transparent and receptive Lastpass engineers were.<\/p>\n<p class=\"western\">So, yes, there are risks. But you\u2019re still almost certain to be in a better place than <i>not<\/i> using a password manager.<\/p>\n<h2 class=\"western\">How to get started?<\/h2>\n<p class=\"western\">The easiest way is to sign up to some of the popular services (which I mentioned above) and see which ones work for you. <a href=\"https:\/\/lastpass.com\/misc_download2.php\">LastPass<\/a> is a good option if you&#8217;re unsure, as their service covers both password management and syncing, all in one reasonably easy-to-use browser plugin.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is a Password Manager? A password manager is an app that stores all the passwords in your life. Primarily, it will help you with web-based passwords, such as those for social media, shopping, or banking sites, but they can also be used to store any kind of private information that you deem sensitive. 
A [&hellip;]<\/p>\n","protected":false},"author":1,"categories":[5],"tags":[]}