What is a Password Manager?
A password manager is an app that stores all the passwords in your life. Primarily it will help you with web-based passwords, such as those for social media, shopping or banking sites, but it can also store any other private information that you deem sensitive. A good password manager will offer to help you sign up to new services on the internet, and will also automatically log you into existing services, across multiple devices if necessary.
Why do you need one?
The sheer number of passwords that we have to manage in today’s connected world is mind-boggling. In fact, there are so many sites that you really only have a handful of options for dealing with them:
1. Use the same password everywhere (or minor variations thereof)
This is clearly the worst solution: if one site is hacked, then all your sites are hacked. If one of those is your webmail account, then everything, including your online banking, is up for grabs, because the password resets for every other site land in that mailbox.

2. Use a password “scheme” which gives you mostly unique passwords depending on the site you visit
This involves using a procedure to generate a password that you’ll remember but that is unique to each site. My scheme might be quite simple, something like !<nameofsite>#, or it might be more complex, but ultimately if someone recognises the scheme from one leaked password, then it’s little better than option 1.

3. Use unique passwords, but write them down
The drawbacks here should be apparent: if you lose the diary where you’ve stored all your information, then every site you use is compromised. Worse, it’s a list of every site you use! Additionally, if you want to log in somewhere that you can’t access your diary, you’re out of luck. Similarly, if you update a password or sign up to a new site while you don’t have access to your store, you’ll probably forget to update the store later.

4. Use your browser’s “remember” function
Finally, option 4 sounds like a useful solution. But since most browser-based password stores are local to the machine you’re using, you won’t get access to your sites from another computer unless you sign up for the browser’s built-in syncing mechanism. If you do that, you’re uploading every password for every site you use to a third party, often in cleartext, so Mozilla (Firefox), Apple (Safari) or Google (Chrome) will now have all your passwords. Internet Explorer doesn’t offer password sync, so each computer will have to remember each password separately, something that becomes particularly painful if you change your password on a given site (or use a new computer).
Options 1, 2 and 4 also have the severe disadvantage that they only deal with passwords. If you want to remember your passport details, bank account, or driving license details, you’re out of luck with these methods.
So, let’s look at another option. Option 5 – use a password manager.
What are the advantages?
There are two primary advantages to using a password manager – convenience and security. It’s not often that you get to use those two terms together, so let’s break down each individually.
Convenience
Most password managers are delivered as plug-ins for the common browsers. That means they can add functionality to the pages you visit very easily and offer a more seamless browsing experience.
So, when you visit a site that you have a login for, the password manager can be configured to log you in automatically. Similarly, when you sign up for a new site, your password manager will auto-generate a password for you, streamlining the experience. Often, you don’t even need to know what the password was, since the manager takes care of it all for you.
Security
Once all your passwords are in a central location, many password managers will offer to analyse them and score you accordingly. LastPass, for example, will highlight weak passwords, duplicate or similar passwords used across multiple sites, and passwords that have been in use for multiple years. Some password managers will offer to take matters into their own hands: many popular sites now integrate with password managers, and the manager can auto-rotate your passwords in the background, giving you strong, fresh passwords without the inconvenience of changing them yourself.
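To show what such a vault check actually does, here is an added example (not code from this post or from any password manager) that runs the four checks described above over a small, constructed vault; the thresholds (60 bits, 2 years, 0.8 similarity) and the AUDIT_DATE are assumptions chosen for the demonstration.

```python
import math
from datetime import date
from difflib import SequenceMatcher

# Constructed sample vault: (site, password, date the password was last changed).
SAMPLE_VAULT = [
    ("mail.example",  "Tr0ub4dor&3",      date(2012, 3, 1)),
    ("shop.example",  "Tr0ub4dor&3",      date(2015, 1, 9)),
    ("bank.example",  "Tr0ub4dor&4",      date(2014, 7, 2)),
    ("forum.example", "password1",        date(2015, 5, 5)),
    ("news.example",  "qJ7$kLm2#pV9wX!r", date(2015, 6, 1)),
]
AUDIT_DATE = date(2015, 7, 1)  # constructed "today" so the results are reproducible

def charset_size(pw):
    """Size of the alphabet a brute-force attacker would have to cover."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33
    return size

def entropy_bits(pw):
    """Upper bound on strength: assumes every character was drawn at random."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def audit(vault, today, min_bits=60, max_age_years=2, similarity=0.8):
    """Flag weak, stale, duplicate and near-duplicate passwords, as a manager's security check does."""
    findings = []
    for i, (site, pw, changed) in enumerate(vault):
        if entropy_bits(pw) < min_bits:
            findings.append((site, "weak"))
        if (today - changed).days > max_age_years * 365:
            findings.append((site, "old"))
        # Compare against every later entry so each pair is reported once.
        for other_site, other_pw, _ in vault[i + 1:]:
            if pw == other_pw:
                findings.append((site, f"duplicate of {other_site}"))
            elif SequenceMatcher(None, pw, other_pw).ratio() >= similarity:
                findings.append((site, f"similar to {other_site}"))
    return findings

if __name__ == "__main__":
    for site, problem in audit(SAMPLE_VAULT, AUDIT_DATE):
        print(f"{site}: {problem}")
```

Real products also check passwords against dictionaries and breach lists, so a word like "password1" would be flagged even if it were long enough to pass the entropy bound used here.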
All of the major password managers support two-factor authentication. So even if your master password falls into the wrong hands, or your password manager account is hacked, the information gleaned is useless unless the bad guys also have your second factor, typically your phone. If you’re using a password manager… use two-factor authentication!
Finally, password managers are the ultimate tool in the fight against phishing. Each stored login is tied to the site it was saved on, so if you click on a phishing or malware link that takes you to, say, a phony Gmail page which then prompts you to log in, your password manager will quite rightly refuse to enter your Gmail password: however convincing the page looks, its address doesn’t match the one the password was saved for.
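The origin check behind that refusal, as an added illustration that is not code from this post or from any real password manager: autofill is granted only when the parsed scheme and host of the current page match the entry exactly, so lookalike addresses get nothing. The vault contents and host names are constructed for the example, and strict whole-host matching is an assumption (real products usually match on the registrable domain so that login.bank.example and www.bank.example share an entry).

```python
from urllib.parse import urlsplit

# Constructed vault: every stored login is bound to the exact host (over https) it was saved on.
VAULT = {
    "accounts.google.com": ("alice@example.com", "correct-horse-battery-staple"),
    "www.bank.example":    ("alice", "s3cret-vault-entry"),
}

def page_host(url):
    """The host the browser actually connected to, lower-cased; '' if the URL has none."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower()

def credentials_for(url, vault=VAULT):
    """Return the stored (username, password) only when the page's real origin matches.

    The decision ignores how the page looks: only the parsed scheme and host
    count, which is why visually similar addresses fail the check.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":      # never fill over plain http, even for the right host
        return None
    return vault.get(page_host(url))

if __name__ == "__main__":
    for url in [
        "https://accounts.google.com/signin",           # genuine page: fill
        "https://accounts.google.com.evil.example/",    # extra labels after the real name
        "https://accounts.google.com@evil.example/",    # "user@" trick: real host is evil.example
        "https://accounts.g\u043e\u043egle.com/",       # Cyrillic letters that look like 'o'
        "http://www.bank.example/login",                # right host, but no TLS
    ]:
        print(url, "->", "fill" if credentials_for(url) else "refuse")
```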
What are the risks?
The two primary risks involve putting all your eggs in one basket and then uploading those digital eggs to the cloud. However, unlike options 1 and 4 above, you’re not simply dumping all your most sensitive information in clear text. Every password manager encrypts your vault on your own device, using a key derived from your master password through many rounds of hashing, and only you know that password. This is called “zero-touch” encryption. It means that even if law enforcement forces the password manager provider to divulge your passwords, it can’t, as it doesn’t have your encryption key.
Combined with two-factor authentication, your password store is both encrypted and useless without access to your phone, so there’s no reason not to use cloud sync and get further convenience from the service. Maintain a single password store across all your devices and log in seamlessly from anywhere: any PC, any laptop, your phone or your tablet.
Really, if you’ve combined a reasonable master password with two-factor auth, then the only realistic risk of using a password manager is forgetting your master password. Make no mistake: if you put your digital life into a password manager and then forget your master password, it’s all gone. Irretrievably. There are usually no backdoors to these services, although some do offer a (slightly convoluted) mechanism to help with even this doomsday scenario. In the case of LastPass, assuming that you still have one device logged into the service, you might be able to perform an account recovery using their One Time Password functionality.
What are the options?
There are too many to list fully. Personally, I consider the three most popular services to be LastPass, 1Password and Dashlane. But there’s also Keeper, KeePass, RoboForm, Zoho Vault, Intel True Key, Password Boss and many more. Some are open source, some are free, some are subscriptions, but they all do largely the same thing.
Aren’t password managers hacked all the time?
Yes and no! They’re often targets for hackers, but that’s not always a bad thing.
LastPass and others frequently hit the news for being “hacked” or “vulnerable”. However, as long as the company responds quickly, the nature of zero-touch encryption and two-factor authentication will usually keep you safe. For example, after the last breach to hit LastPass, in June 2015, the company immediately locked down accounts by requiring email verification (on top of any two-factor you already had in place) and enforced a master password change (which many experts argued was overkill). All the experts agreed that, despite the headlines, the impact of the hack itself was largely trivial. It shouldn’t have happened in an ideal world, of course, but crucially, the breach didn’t give the hackers much useful leverage.
And if the company has the right ethos, then each “hack” makes the service stronger. After last year’s Black Hat conference unearthed a number of mathematical flaws in how LastPass used its One Time Password mechanism, Martin Vigo noted that LastPass updated those mechanisms within a couple of days and praised how transparent and receptive LastPass engineers were.
So, yes, there are risks. But you’re still almost certain to be in a better place than not using a password manager.
How to get started?
The easiest way is to sign up to some of the popular services (which I mentioned above) and see which ones work for you. LastPass is a good option if you’re unsure, as their service covers both password management and syncing, all in one reasonably easy-to-use browser plugin.