Cybersecurity has been big in the news lately; it’s enough to make any internet user paranoid about the safety of their online accounts and stored data. Wishing to stay one step ahead of any would-be threats out there on the web, this blogger cast aside the excuses and committed to shoring up his digital defenses with a strong password manager. I’m here to tell you why you should as well.
1. You don’t want your identity/money stolen
The ubiquity of the internet often leads us to not put much thought into the type of data we share online. How many online storefronts hold saved payment credentials? How much personal data do we have stored in our various cloud lockers? How far and wide are sensitive items like social security numbers, bank account access codes, addresses, and telephone numbers spread across the net?
We need only look back to the recent Sony hack or any number of high profile password leaks from companies like Google and eBay to recognize the importance we should place on protecting our digital data. In fact, it is suspected the Sony hack was the result of targeted phishing attempts used to gather the passwords of lower-level employees, which in turn provided hackers with an easy means to breach the system more widely.
A breached password is the one thing worse than losing your Android phone. It only takes one compromised account for a person with malicious intent to gather enough data to give you a real headache when it comes to unauthorized purchases or identity theft. It’s even worse if you use duplicate usernames and passwords. While it might be a bit more time consuming upfront, choosing strong passwords and updating them regularly is one of the easiest steps you can take to avoid facing larger problems down the road.
2. Your pet’s name is in your password
Take a look at the most recent list of the internet’s worst passwords as compiled by SplashData. Are you guilty of using a top-10 no-no like ‘123456’ or the always strong ‘password’? We get it. A good password can be as difficult to break as it is to remember, but that’s no reason to avoid creating one.
A good password will use a variety of letters, numbers, and symbols (if allowed), as well as lower-case and upper-case letters. The best passwords are truly random, and therefore real words should be avoided. Longer passwords are also better, so if the max length is 40 characters, by all means use each and every one. You can see how things quickly become complicated. Good for protection, but, again, bad for ease of entry.
Hackers aren’t the only individuals that might want to access your accounts, however. Despite how much you trust your friends and family, there might be a bad banana in the bunch that wants to snoop around where they don’t belong. Avoid using passwords that reference the names of pets, family members or loved ones, and other personal interests.
A password manager like 1Password, LastPass, or DashLane takes the hassle out of creating truly random, near-uncrackable passwords. One click will generate a password based on a recipe modified by you (character length, types of characters to include, etc.) and use it to automatically fill in web forms. For existing passwords, management software will analyze strength and recommend when credentials could be stronger.
3. You use the same password for everything
We are far too often willing to sacrifice personal security for convenience. A single password that works like a utility knife across accounts is great if you can’t be bothered to come up with a unique password for each individual service. It’s also great for hackers who only want to waste their time figuring out one of your poorly devised passwords.
A ne’er-do-well cracking the login to your Twitter account might have limited repercussions. Unless, of course, you use the same username and password for your bank account login or PayPal. Then it’s a field day for data thieves. Again, a password manager is your friend here, making it easy to store and sort individual, unique logins for all the services you use.
A good password manager offers the ability to audit your database of stored login information to pinpoint any weak spots, particularly when it comes to using username/password combinations that are similar across sites and services you use.
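As an added example (not code from the article or from any of the products it names), here is what the two features described above look like in Python: a recipe-driven generator that draws from the OS CSPRNG, an entropy estimate for the recipe, and a vault audit that flags common, short and reused credentials. The vault contents and the short common-password list are constructed samples.

```python
import math
import secrets
import string
from collections import defaultdict

# Character classes a "recipe" can switch on: length plus which
# character types to include, as the article describes.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&*+-=?@^_~",  # conservative symbol set most sites accept
}

# Constructed stand-in for a "worst passwords" list such as SplashData's.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "letmein"}


def generate(length=20, classes=("lower", "upper", "digits", "symbols")):
    """Generate a password from the recipe using secrets (the OS CSPRNG).

    Every requested class appears at least once; the result is shuffled
    with secrets.randbelow so position carries no information.
    """
    if length < len(classes):
        raise ValueError("length must allow one character per requested class")
    alphabet = "".join(CLASSES[c] for c in classes)
    # One character from each class first, then fill from the full alphabet.
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, not random.shuffle().
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length, classes=("lower", "upper", "digits", "symbols")):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def audit(vault, min_length=16):
    """Find weak spots in a vault of {site: (username, password)}.

    Returns (where, finding) pairs for common or short passwords, for a
    password reused across sites, and for the same username/password
    combination reused across sites.
    """
    findings = []
    by_password = defaultdict(list)
    by_pair = defaultdict(list)
    for site, (user, pw) in vault.items():
        by_password[pw].append(site)
        by_pair[(user, pw)].append(site)
        if pw.lower() in COMMON_PASSWORDS:
            findings.append((site, "common password"))
        if len(pw) < min_length:
            findings.append((site, "shorter than %d characters" % min_length))
    for sites in by_password.values():
        if len(sites) > 1:
            findings.append((tuple(sorted(sites)), "password reused"))
    for sites in by_pair.values():
        if len(sites) > 1:
            findings.append((tuple(sorted(sites)), "same username and password"))
    return sorted(findings, key=str)


# Constructed sample vault: one strong unique login, one reused weak login
# across two sites, and one generated-style password.
SAMPLE_VAULT = {
    "bank.example": ("alice", "Tr0ub4dor&3-extra!"),
    "shop.example": ("alice", "password"),
    "forum.example": ("alice", "password"),
    "mail.example": ("alice", "x7#Qm2!vLp9&Rt4zWb8@"),
}

if __name__ == "__main__":
    print("generated:", generate(24), "(%.1f bits)" % entropy_bits(24))
    for where, finding in audit(SAMPLE_VAULT):
        print(where, "->", finding)
```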
4. You’ve been using that password since you were 13
Not only is your password weak, not only do you use it for every account, but you have been using the same one since you first logged on to the internet. For some, a single password has been in circulation for two decades or more. It’s always a smart idea to update your passwords at least once a year — more often for accounts holding particularly sensitive data.
Most password managers offer security monitoring that will alert you when a password is nearing its expiration date. In most cases, you’ll have to go through the additional step of logging in to the individual service and changing the password, but some services like LastPass are starting to offer the ability to automatically update and change passwords in the event a service you use is hacked or compromised. It’s worth it when it means being one step ahead of a costly security breach.
5. Memorizing 46 characters of random garble is hard
A 40-character password consisting of completely random characters is great for security, but unless you are a superhuman there is really no possible way to remember one for each and every site or service you use. You could rely on the tried and true method of jotting down passwords on a piece of paper or in a notebook. Worse? You could save a list of passwords in an unencrypted text document on your computer.
At the very minimum a good password manager will solve this problem, storing detailed account information in a sortable, searchable list protected with some of the strongest encryption out there. You will only need to remember one master password in most cases (make it a good one) to grant access to your locker of stored login credentials.
6. You have numerous devices
We live in a multi-device world, so having your uber-strong passwords stored locally on your computer or mobile phone won’t do you much good when you need to access services on a different device. Once again, a password manager has you covered. With numerous cloud connectivity and wireless sync options you will never be without easy access to your master list of passwords.
SafeInCloud is one manager that utilizes cloud storage via the service of your choosing (Google Drive, Dropbox, and OneDrive are all supported) to store passwords remotely for access from a mobile device or remote computer. We recommend protecting your cloud storage with two-step authentication in combination with the strongest of passwords if you plan on storing such sensitive data there, but we don’t need to tell you that again.
If the idea of uploading your database of passwords to the cloud is a bit unnerving, 1Password offers the ability to perform a local sync over your WiFi network. Your data is only briefly transmitted across your local network, never reaching the internet at large, and is then stored directly in the memory of your devices. 1Password also offers the ability to share a password “vault” with a family member or coworker in order to share login information in a safe and secure manner.
7. You have a lot of other data that needs safekeeping
As password managers have matured they have become bastions for plenty of other sensitive data worth protecting. 1Password is especially good here, allowing you to safely store everything from your address and credit card info to social security and passport numbers. The data can be used to quickly fill out web forms or be kept for quick reference offline.
8. The benefits far outweigh the hassle
The biggest hurdle to using a password manager is initial setup. LastPass makes things easy by scraping your stored passwords from your browser, but this only takes care of half the issue. At a minimum you’ll need to do some cleaning up, but you should really plan on taking an afternoon to completely overhaul your password game. It will take some time up front, but after you are done the convenience of a password manager shines through with features like browser plugins for one-click login to your commonly used services.
If it seems intimidating, start by updating passwords for sites and services that store your most sensitive data. You can then slowly add the rest of your passwords over time, using security auditing tools to decide which ones need to be updated and when.
The other thing that keeps many folks away from a password manager is cost. Most offer some version of a free service, but these often leave out must-have features like cloud sync. In nearly every case shelling out some cash for the premium or pro version is well worth it. Some password management services charge a yearly fee as low as $12, while others ask for a one-time upfront payment (ranging from $10-50 for a single-use license). Free, open source options also exist, such as Bruce Schneier’s Password Safe.
Take action now
It should now be totally clear why you need a password manager, so which one do you choose? All share plenty of common features (the most important being strong security), but we’ve narrowed it down to a few of our favorites. Below are our recommendations for wrangling that out of control herd of passwords now.
Do you use a password manager to protect your login credentials? What’s your favorite? Let us know in the poll below.
FYI: SafeInCloud is currently on sale for 30% off ($5.99) at Google Play.
Misnomer. Nothing is safe in the cloud. http://i.imgur.com/eyxcpZv.jpg
KeePass? It’s what I use. It’s pretty common too. How’d it get left out?
I use KeePass and have for years. Love it.
Open source is the right source.
Because it’s free. No kickback for the author.
LastPass for me, great security and options, 2-Step and YuBi, works on all my devices and great value for money.
2-factor. Relying on password alone is so 5 years ago.
I wish 1password wasn’t so damn expensive for their desktop versions.
Have you tried LastPass? It’s free for desktop and they have a browser plugin for all the main web browsers. If you want it on mobile devices too then you have to be a premium member but it’s only $12 a year.
Yea, that’s what I have now. It’s nice, I can’t complain. But 1Password has a better interface and you can store your vault where you’d like. Both are good options though. $12, you can’t beat it.
I just have a really hard time storing ALL my personal information in one place. These things aren’t for me. Encryption or no encryption. I’ll stick with 2-step auth when I can and random pw’s when I can’t.
That came across my mind as well. What happens when these password services get hacked? I would think that hackers would be targeting these password protection services. Seems like an identity thief’s gold mine.
Even if the data is stolen on their end, it would still be useless.
I’m not tech savvy enough to completely understand that. Sounds like a frequently changing algorithm is used to encrypt/decrypt your passwords before transmitting them across the internet to the password service where it is stored as unintelligible data?
I doubt they’re changing the algorithm, but the important part is that the encryption/decryption keys are stored on your device(s), not on Lastpass’s servers, so they have no way of decrypting the database.
The encryption algorithm doesn’t change but a different salt is used every time something is encrypted. Salt is basically some random data that is used when something is encrypted. Without salt, encrypting the same data twice would give the same encrypted data which is not good. The salt is an important part of the encryption and this is what is used with LastPass. LastPass have nothing but encrypted passwords which is as useful as random data. I know what you mean about being uncomfortable about your passwords being all in one place but it’s only encrypted data. If you’ve enabled two factor authentication then you’re about as secure as you can get. You’re likely in a much worse position if you’re trying to store your own random passwords because they probably aren’t that random if you’re trying to remember them OR you’re likely to forget them OR if you’ve written them down on paper then they are unhackable in the computer sense but they are vulnerable to a physical attack (e.g. burglary), but more crucially if you are relying on passwords written on paper then you’re kinda stuck if you need a password when you don’t have your paper note. All scenarios feel worse than something like LastPass.
Yes. If these services are used with 2 step verification, it’s virtually impossible to breach.
Kind of, 2 step is amazing but a lot of places don’t use it. Storing your password with say LastPass is just as secure as amazon storing your password. Password managers might be even more secure for passwords you don’t use often, say keepass.
It stores your passwords in an encrypted file (256bit I think), then you can even take it a step further by putting it in a TrueCrypt volume and then even further by zipping it with 7zip’s AES encryption container. Yea it’s one hell of an inconvenience but perfect for the passwords you use once a year like Turbotax or something.
I see your point and no one is hacking 256bit or even 128bit encryption just for my password, but it just doesn’t sit well with me having all my stuff in one place.
Yea very true I mean I can see why anyone would feel that way.
I use Keepass. It creates an encrypted file that I can sync using Dropbox between my PC, Android phone, and iPad.
KeePass is my choice too. The primary reason is that the Android app doesn’t require internet access. I may be a bit paranoid, but giving an app access to your plain text passwords (which any password manager would have) *AND* access to the internet (allowing it to send the data God knows where) seems like a really bad idea.
Oh, and the price is right. ;-)
Doesn’t that make it a bit of a nightmare keeping all the passwords in sync? What if you’re on another device or PC and you create a new account for something or you have to change your password? You’ve then got to go to all the other devices and areas that have the password keystore and update them all. I prefer how LastPass does it. All encryption/decryption is done on the client so the encrypted passwords are what is sent to LastPass and that is what is used.
I keep the encrypted file on DropBox, making it accessible to all of my devices. So the only app that can decrypt the file has no internet access, and the app that has internet access has no access to the unencrypted data. At least that’s the intent – obviously nothing is 100% secure.
If you use a keyfile (which KeePass can generate) in addition to your master password, AND you store that keyfile ONLY on devices–that is, NOT on Dropbox–then it will be safe, even if your Dropbox is hacked and your master password is discovered or guessed. I guess that’s what is meant by 2-step authentication.
Better yet, use a yubikey instead of that key file.
I use OI Safe.
I’ll continue keeping my passwords that have absolutely nothing to do with my real life in my head. And password hints that are frustratingly irrelevant to the passwords with 2-step auth.
You sir are super human lol
The GREATEST part of my security? Forgetting the password and not knowing the damn security question, and having to spend 30 minutes trying to figure out what the hell I could’ve put as a password. Especially to sites I only use once per month.
It irked me so much when I worked in IT at my school and students would forget their security questions. Okay, so yea I understand some can be forgotten (mainly “your favorite…”), but how do you forget your first child’s middle name? Or the city you married in? Or your mother’s maiden name? Like, they just sound like they’re trying to hack into someone else’s account. LoL!!
Because if I can’t remember my bogus answers, how can anybody else guess them? :D
Security questions are another vector for a targeted attack. E.g. someone who has malicious intentions but who knows you quite well may be able to answer your security questions to gain access to your accounts. Most websites don’t make it quite that easy but having real answers for security questions can be an issue. However, with a password manager such as LastPass, you can create a secure note that lists the security question and an answer that is just a random jumble of characters. No one will be able to guess that and so it removes that attack vector. And if you’re using a password manager, you won’t ever need to worry about forgetting your password so the security questions become a bit redundant.
This is why I stopped doing things this way. I was regularly having to reset passwords to services that I used less often. And the reset process was never easy since I couldn’t remember any of that.
It’s not hard to make good passwords that are unique and memorable. But it does get hard when you have too many to remember and you don’t use them all every week.
LastPass for me. It’s completely awesome that my passwords are 20 characters of random lower, upper, numbers and symbols lol.
Fairly pointless statement when pretty much everything is hackable. There’s just varying degrees of difficulty for hacking different methods. However, your statement implies that you think the method you use is unhackable so please do share.
I don’t know about other password managers but LastPass does all the encryption/decryption client side so LastPass don’t have anything other than encrypted passwords (which is as good as garbage even for those who have access to LastPass’s backing store). On the wire, things are over encrypted. LastPass also has a number of 2 factor authentication methods to gain access to the password vault. LastPass is not unhackable but it is about as good as you can get. And any attack would have to be a concentrated and direct attack on just my account. That’s pretty low gains for any hackers. Hackers are more likely to go after the low hanging fruit such as users who use the same password and/or weak passwords.
If someone took the time to hack that, they are really trying to get into that person’s information. LoL!!
Exactly. I agree everything is hackable if one really wanted a specific person’s info. Most hackers are going to target high volume-low complexity passwords. All we can do is make it more difficult. Each additional character increases the time and complexity of a brute-force hack exponentially, especially when lower, upper, numbers and symbols (of which each character can have at least 100 values) are used. A 10 char password like this has 100^10 or 100,000 Trillion if my math is right. It can be hacked, it would just take a long time via brute-force methods and probably would not be worth the hacker’s effort when they can get far more weak passwords in less time.
Also, as much as it is primarily our own responsibility to keep secure passwords, account providers (whether it be Google, AndroidForums, a random blog, or even a small 5 man company) should require longer, more complex passwords. I have seen companies and websites only require alphas (not case dependent) and numerics AND only 8-12 chars (which in itself is a minimum of 36^8 or 2.8 Trillion combinations if any character can be any value – less if you limit the first and last characters to alphas) and clearly those have been hacked.
I use KeyPass. Any reason it should not be used? Any reason it was not mentioned?
I also use two factor authentication where I can.
I use KeePass with a ubikey neo. I love it.
It’s great until you forget the password that you originally used to encrypt the file. Not that it happened to me or anything… -_-
Almost lost access to an external hard drive I’d encrypted with a password years ago in a moment of paranoia. Luckily I remembered it had spaces in it.
I did that years ago with an encrypted Notepad. HORRIBLE experience.
I’m of the nothing is unhackable mindset. IF they do, it’s all over. But I might be persuaded eventually
No mention of Google Chrome auto-saving passwords?
Come on, we’re Android users. Of course we use Chrome on our phones and Windows PCs.
I let Google store all my passwords, backed by 2 factor authentication (anything I truly care about I use Keepass).
I was thinking the same. I wonder how secure Google’s Chrome autosave is compared to these password manager companies?
Probably as secure as Gmail, or more.
Which I saw some video on their data centers. Their algorithms split the data across many data centers / server racks and encrypt it. No single server rack has all your data.
And the larger question is how solvent these password manager companies will be in 1-2 years.
Nothing like having your password manager start-up go belly-up and being locked out of all your accounts.
Can someone explain to me why a 40 character password is better than a 10 character one. There is a service out there that will not lock you out after a few attempts? Or what is wrong with using the same password for life if it has never been compromised. And why exactly it is a good idea to create a single point of entry for all your passwords that can be compromised with a simple keyboard scanner, or someone taping you as you type it.
There are a number of problems:
10 characters is exponentially easier to crack than 40.
If you use the same password for everything, individual lockouts are useless: hacker can move onto the next system.
If a system is compromised (think Anthem or Sony), they have your password for everything.
“Everything” is a scary world. At least it should be.
I would just like to point out that I never said to use one password for everything. 10 characters may be exponentially easier than 40, but it is also exponentially harder than a 4 digit pin code most use to protect their bank accounts.
Brute force, it doesn’t take that long to crack a 10 digit password. Longer than a 4 character, but still not very long.
I said 10 characters, not digits, and it would take a long time, and all this assuming access to the hashed password.
Sorry, I meant characters. Length is the most important attribute of a password. 10 characters isn’t THAT long. Longer than most. But I have a 16 character minimum for myself. Anything important gets 20 characters. And they’re randomly generated.
Given that you have no control how your password is stored and protected on the other end, it may be futile. Plus if a hacker has already compromised a system, I do not find it that much more disturbing if he can crack the passwords, provided that one has kept them unique. So I would not say that length is the most important attribute, and not even the most important one you have control over . Security of devices that you are using to send your password is a lot more important.
You said it yourself, there’s parts of my security that I have little control over. So I don’t try to. I just do the best I can with the parts I do control.
Device security is a separate issue from password/credential strength. They both matter and are linked. But don’t refute good password practices with a separate topic.
You start off with a bait comment that appears ignorant. Then all of your responses seem to reveal a better understanding of the topic than you first showed. Quit trolling.
Except bank cards do not rely simply on that 4 digit pin. The card itself is chipped making it 2-factor: something you have and something you know. Unless your bank hasn’t issued one of those yet in which case you simply watch that exploit hit the news every 6 months (Anthem, Sony, Target…). Is that the security you are talking about?
There are tools included with KeePass to mitigate the risk associated with keyboard scanners and such.
Which is better than having no choice but to manually type passwords normally and being vulnerable to keystroke logs.
mSecure for me
Ditto, it was free or cheap via Amazon a while ago and I’ve not looked back since.
It doesn’t have the fancy features like lastpass, but it has dropbox sync so it works across multiple devices.
No way in hell will I ever store my passwords in the cloud. That’s just asking for it. Now all someone needs is that 1 password and they get everything. And no 2 step verification still isn’t enough to convince me. Mainly because my passwords would still be stored on someone else’s server and could still be stolen. So, I use a password manager but don’t sync it with anything and make my own regular backups.
If you use 2-factor you don’t need a password manager. No one is logging into your account without your soft token on your phone. Doesn’t protect that site from being compromised… So just be smart and don’t let the website store your credit card for “easy future purchases”. My wife deliberately cancels our credit cards annually. I force 2-factor… Between us we are pretty safe except from traditional identity theft.
Yeah, this is a great idea. Store passwords online so someone can hack it and then they have all the passwords I can’t remember because I’ve made them all 40 characters of random noise.
1. Store it in Dropbox
2. Turn on 2factor (which Dropbox supports)
3. Turn on 2factor for other apps…
4. Start removing passwords from Dropbox…..
Random passwords is really just for sites that don’t support 2 factor yet. At this point I practically avoid said sites.
I agree with the few that don’t want anything in the cloud. Anything can be hacked eventually.. Right now I use SplashID which can be synced over wifi from PC to mobile device. No use of cloud what so ever..
Sticky Password – it’s promising
exactly! I use Sticky Password too! :)
Once I stumbled onto LastPass, all of my passwords are different and difficult to remember. They’re like this now, #~2a@#DFS34@!. Works great on my PC and Note 4 with the fingerprint sensor. I think I’m paying like a buck a month for it but it’s definitely worth it.
I know one guy who has the most complicated passwords stored in his password manager but his password manager password is “.” because it’s easy to type when he needs to find out which $k[#1-0d3V:>2 password he needs to punch in.
I use LastPass because nothing leaves my computer without being encrypted— every transaction using LastPass is hashed using hashing security enhancements. The company itself has no access to my passwords. They could not even comply with a legal warrant asking them for my passwords, even if they wanted to. With LastPass’s multiple 2-factor choices (I think there are 7, at least 2 of which are hardware-based) I currently have no concerns about using the cloud… at least until Quantum computers come along.
How can this be a good article without any mention of KeePass? Come on
Your 20% of “other” is probably 19.9% keepass
Yeah. That’s all I’ve used for years. No reason to go with anything else.
Yep, I don’t know why I’d trust a non open source alternative.
I’d rather keep all my passwords in my head. I never even changed them when it was recommended last year. If they didn’t have everyone’s password, when you changed it after THEY said to change it, they likely have it now. Good job everyone.
Depends on how many passwords you have to remember, maybe it’s also related to your job. My KeePass file currently contains 1093 entries.
With caveats, though. ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business which should desirably be protected by all different strong passwords unique to each account.
By the way, some people shout that the password is dead or should be killed dead. The password could be killed, however, only when there is an alternative to the password.
Something belonging to the password (PIN, passphrase, etc.) and something dependent on the password (ID federations, 2/multi-factor, etc.) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc.).
It is too obvious, anyway, that the conventional alphanumeric password alone can no longer sustain the demand and we urgently need a successor to it, which should be found from among the broader family of the passwords and the likes.
9. Because you love the thought of “One password to rule them all”.
Been using LastPass for probably 5 years now. Haven’t experienced a single problem. Safe and secure. Also good for storing pin numbers, lock combinations, and other sensitive info.
I use LastPass for some websites, but for the most part, I have been using aWallet Cloud for at least the last 4 years. I have different passwords for so many different sites, and aWallet Cloud keeps me in check. It also has a password generator in the Pro edition. Not to mention, since it syncs to the cloud (I use Google Drive) I can easily transfer my passwords when upgrading my device.
I don’t use a password manager, because they just present another layer of threat potential. You have a very nice site here, but I hope you won’t go the way of the marketing tactic. Just keep it real!
Hey Justin, I thought that too, but having so many unique passwords was unbearable for me. How do you handle it?
I do things differently. I have “one” password I change every three days. My passwords are from 10 to 32 characters. Also see this: http://youtu.be/0bvOcktNpQE
Hmmm.. you have a heck of a brain Justin :) I wouldn’t remember a new password every 3 days and furthermore, changing all my 200 accounts will take a long time. But I’m glad it works for you.
200 accounts? holy crap. I have like, 23, tops. ya, maybe a password manager is in order for you. I just don’t trust the things.
Yes, pretty crazy. All the forums, blogs, emails, social profiles, online shopping sites etc. – but still, changing 23 passwords every 3 days is like min. 23 minutes and if you make it 121 times in a year (365/3) that makes 46 hours = almost 2 days. I’m a productivity addict, so I always try to automate :)
RoboForm all the way, been using it for Years now.
Great article Kevin. I started using a password manager a couple of years ago and frankly can’t imagine my life without it now. Since that time I use Sticky Password (www.stickypassword.com) and even when I’ve tried others, I somehow was “sticked” to the first one I’ve used and they keep introducing nice features over time.
What surprises me is the poll results – most of the voters don’t use any password manager. Pretty strange! I thought it was standard these days. Hope articles like these will raise awareness of the necessity of good password hygiene.
I have been using Lastpass for quite a while now, with 2 factor auth. If you don’t have 2 factor auth then it is actually probably less secure than not storing them centrally.
Because I (or the NSA) can install a keylogger on your computer and easily get your Lastpass password, now I have easy access to everything, no need to wait to log them or do other stuff to get ALL your passwords.
So, the only way to use LastPass is with 2 factor auth, and now it is a bit of a pain in the ass but much more secure. The reason for this is you still have to enter a LastPass reprompt all the time. However, it appears Yubikey has an insertable USB (flush mounted) in your computer that you literally just touch and it fills your LastPass password store in for you.
They also have NFC integration for your Android NFC enabled smartphone (Nexus 4 for me).
I just ordered one for the keyring and one for the computer. I hope it makes my life easier…