The use of a password manager is one of the most important changes you can make to increase your personal security.
A password manager application will allow you to use both strong and unique passwords. With a password manager, you just remember a single password that opens up your secure file or account, which in turn stores all of your other passwords.
Password managers come in three main forms, each with a different security trade-off:
- Local Application: a dedicated application that stores its password database on your own computer, encrypted with a master password. This is the most secure option, because the encrypted database never leaves hardware you control, but keeping passwords in sync across several devices is up to you.
- Cloud Service: a service, typically paid, that keeps your encrypted password database on its own servers so it is available from any device. You gain access to your passwords wherever you go, at the cost of trusting the provider's software and infrastructure: if the provider is breached, the strength of your master password is all that stands between the attacker and the contents of your database.
- Browser Plug-ins: both local and cloud password managers often offer browser plug-ins that fill passwords straight into web forms. This adds convenience but also attack surface: the plug-in runs inside the browser, so a bug in it, or a malicious page that tricks it into auto-filling, can expose a password. Prefer plug-ins that ask for confirmation before filling a form.
Regardless of what you choose, what really matters is that you use a password manager. Please keep in mind two important tips:
- Master Password: when using a password manager, it is vitally important that you do not lose the “master password.” There is no recovery for a local database: without the master password the encrypted file is useless. Write it down if you think there is any chance you might forget it, and keep the written copy somewhere physically secure, not next to the computer.
- Backups: it is also very important to make periodic backups of your password manager data. With a cloud service the provider keeps a copy for you, but it is still good to export a local copy occasionally so that losing access to the account does not mean losing every password. For local applications, a backup of the application's data file is sufficient; the file stays encrypted with your master password, but store the backup somewhere you control.
Popular password managers include:
- KeePass, KeePassX and KeePassXC (application-type) are free, open-source local password managers. They share the same encrypted database format, so a database created in one can be opened in another, and between them they run on Windows, macOS and Linux.
- LastPass (cloud-type)
- 1Password (cloud-type & application-type)
Strong passwords are randomly generated. Except for the password that unlocks your device and the master password for your password manager, every password should be generated by the password manager and be at least 12 characters long. It need not be longer than about 26 characters: 26 characters chosen at random from letters, digits and symbols is already far beyond what any guessing attack can cover, and many sites cap password length anyway.
Humans are very bad at coming up with secure passwords, but computers are excellent. Let the computer do it for you.
For the few passwords you must remember, there are several ways to create strong ones; for everything else, let the password manager generate them. There is a guide in Security Self-defense for Creating Strong Passwords.
Diceware is a fun and effective scheme for creating random yet memorable passphrases: you roll ordinary dice and use the numbers to look up words in a published word list, so the randomness comes from the dice rather than from your imagination. Six words from a standard 7776-word list gives a passphrase that is easy to remember and very hard to guess. Another good way to make a password you have to remember is to come up with a silly sentence that no one has ever said before and use the first letter or two of each word as your password, mixing in digits and other characters.
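The two kinds of random secret described above, the manager-generated random password and the Diceware passphrase, as an added Python example (not code from this guide or from any of the password managers it names). It relies only on the Python standard library, using `secrets` as the random source; the six-word list is a constructed one-die stand-in for a real 7776-word Diceware list in the usual "roll, then word" line format, and the parser and generator work unchanged on a real list file.

```python
"""Generate manager-style random passwords and Diceware passphrases.

Added example, not part of the original guide. Standard library only; the
`secrets` module is the cryptographically secure random source (never `random`).
"""
import math
import secrets
import string

# Characters a manager-generated password is drawn from: letters, digits and
# the symbols most sites accept. 90 symbols, so about 6.5 bits per character.
PASSWORD_ALPHABET = (
    string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"
)

# Constructed one-die sample in the common "roll<tab>word" Diceware list format.
# A real list (Diceware, EFF) has 7776 five-dice entries keyed 11111..66666.
SAMPLE_DICEWARE_TEXT = """\
# roll<tab>word
1\tapple
2\tbagel
3\tcanoe
4\tdrift
5\tember
6\tfrost
"""


def entropy_bits(choices, symbol_count):
    """Guessing resistance of `choices` independent picks from `symbol_count` symbols."""
    return choices * math.log2(symbol_count)


def random_password(length=20, alphabet=PASSWORD_ALPHABET):
    """Return `length` characters chosen uniformly from `alphabet` by the CSPRNG.

    Sites often insist on a digit, a capital, a symbol and so on. Rather than
    forcing one into a fixed position (which makes the result less random),
    the loop re-draws the whole password until every character class present
    in `alphabet` appears at least once: rejection sampling keeps the accepted
    passwords uniformly distributed.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    classes = [
        set(string.ascii_lowercase), set(string.ascii_uppercase),
        set(string.digits), set(string.punctuation),
    ]
    required = [cls for cls in classes if cls & set(alphabet)]
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(cls & set(password) for cls in required):
            return password


def parse_diceware_list(text):
    """Parse "roll<whitespace>word" lines into {roll: word}; '#' lines are comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        roll, word = line.split(None, 1)
        if any(ch not in "123456" for ch in roll):
            raise ValueError(f"bad dice roll key: {roll!r}")
        table[roll] = word.strip()
    dice = {len(roll) for roll in table}
    # Every possible roll must map to a word, otherwise a roll could fail.
    if len(dice) != 1 or len(table) != 6 ** dice.pop():
        raise ValueError("list must contain exactly one word per possible roll")
    return table


def diceware_passphrase(table, words=6, separator=" "):
    """Roll the dice with the CSPRNG and look each roll up in `table`."""
    dice = len(next(iter(table)))
    chosen = []
    for _ in range(words):
        # One digit per die; secrets.randbelow(6) is uniform on 0..5.
        roll = "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))
        chosen.append(table[roll])
    return separator.join(chosen)


if __name__ == "__main__":
    print("manager password:", random_password(20))
    print("  entropy: %.1f bits" % entropy_bits(20, len(PASSWORD_ALPHABET)))
    sample = parse_diceware_list(SAMPLE_DICEWARE_TEXT)
    print("sample passphrase:", diceware_passphrase(sample, words=4))
    print("  six words from a real 7776-word list: %.1f bits" % entropy_bits(6, 7776))
```

Run it with a real list by reading the file's text into `parse_diceware_list`. The entropy figures are what make the guide's length advice concrete: 20 random characters from this alphabet are about 130 bits, and six Diceware words about 77.5 bits, both far beyond any practical guessing attack, whereas a word or two of your own choosing is guessed from a dictionary in seconds.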
It is important to apply strong passwords to all accounts, as access to a single account can often be leveraged into access to other systems. This is especially relevant for any email accounts that can be used to reset or recover other passwords (usually via a “forgot password” link).
Never reusing passwords is also the best way to limit the damage a third-party service can do to you. If you don't reuse passwords, someone who learns your username and password for one service through a leak or break-in cannot simply try them on the other accounts you use. Using a different password for each service means you are not relying on the services you log into to protect your most important secret. This is easy to do if you use a password manager.
Even if someone claims to be from IT or technical support, do not give them your password. Nearly every system lets an administrator reset a password for maintenance, and any legitimate IT person will use that function instead of asking you for yours. An administrative reset also leaves an auditable trail and alerts you that it happened. You will need to change your password again afterwards, but that extra step ensures that only you have access to your digital information, and that you can tell who in your organization is responsible for which changes to your account.
Organizational passwords include any passwords that grant administrative control of your organization’s information systems or online identity. These are very powerful credentials and so should be stored separately from passwords that just get staff into their personal user accounts. You can do this by making a separate login or file in your password manager application, or by choosing a completely different manager altogether.
Further reading:
- Security Planner / Password Managers
- Security In-a-box / Passwords
- Security Self-defense / Animated Overview: Using Password Managers to Stay Safe Online
- Security Self-defense / How to: Use KeePassXC
- Security Self-defense / Creating Strong Passwords
- Security Education Companion / Passwords
- Security Education Companion / Password Managers