No matter what I say in response to this question, someone’s going to say I’m wrong. But I’ll bite. Are password managers a good idea? I’ll hedge and say they solve more problems than they cause. We need a better idea, but no one has found it yet.
The worry with password managers is that they put every password in one place, and that place could be stolen or the vendor breached. But the alternatives are people using weak passwords, reusing passwords, or both, and that's worse.
The problem with passwords
The problem with passwords is that any password you can remember is short and patterned enough for a computer to guess, and once a site's password database leaks, an attacker can try billions of guesses per second offline. The workarounds people reach for are reusing one password across sites, which turns any single breach into several, or writing passwords down. Some people go for the trifecta: weak, reused, and written down.
Due to these problems, computer security professionals have been trying for years to replace passwords with something else, with varying degrees of success. From a purely technical standpoint, an ideal solution would be a government-issued ID with a chip like your credit card has, which pairs with a card reader on your computer and a PIN of your choosing. The military has been handling its logins exactly that way, a smart card plus a PIN, for well over a decade. But such a solution would be a political nightmare.
Many of the major websites offer two-factor authentication: you log in with a username and password, and then they send a code to your phone as a second factor. This works, if you have a phone. It can be annoying too: I may have to put a PIN in my phone before I can see the code. That's an extra step rather than an extra factor, since it is still something you know plus something you have, but it is friction all the same. One caveat worth knowing: a code sent by text message is the weakest form of second factor, because it goes wherever your phone number goes. An authenticator app or a hardware key is stronger where the site offers one.
And when you can't use two-factor authentication with a phone, you still need a solution. Some security pros will tell you to just not use those websites, but that isn't realistic; I know you don't always have that choice. That means a password manager is pretty much the least-bad choice we have left.
How password managers solve these problems
If you use a password manager, you can create completely random passwords, as long as each web site will accept. It's no big deal because you don't have to remember them. This solves password guessing and password reuse at once: they're all random, so none is guessable and they're all unique. And if any of your passwords turns up in a breach, a password manager with breach monitoring can warn you and help you change that password right away, before something bad happens.
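To make "random, the full length the site will accept" concrete, here is an added example (written for this page, not code from the post's author or from any password manager) of how a manager generates such a password. The `Policy` type and its fields are this example's own way of describing a site's rules; the site limit of 20 characters in `main` is a constructed sample. It draws from the operating system's random source, keeps every acceptable password equally likely, and reports the entropy so you can compare it with what a remembered password gives you.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Character classes a site policy can demand.
const (
	upperChars  = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	lowerChars  = "abcdefghijklmnopqrstuvwxyz"
	digitChars  = "0123456789"
	symbolChars = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
)

// Policy is this example's own description of what a site will accept:
// the length to generate (use the site's maximum) and which classes the
// result must contain at least one of. It is not any real manager's format.
type Policy struct {
	Length int
	Upper  bool
	Lower  bool
	Digit  bool
	Symbol bool
}

type class struct {
	on  bool
	set string
}

func (p Policy) classes() []class {
	return []class{{p.Upper, upperChars}, {p.Lower, lowerChars}, {p.Digit, digitChars}, {p.Symbol, symbolChars}}
}

// Alphabet is the union of the classes the policy enables.
func (p Policy) Alphabet() string {
	var sb strings.Builder
	for _, c := range p.classes() {
		if c.on {
			sb.WriteString(c.set)
		}
	}
	return sb.String()
}

// Satisfies reports whether pw has the right length, uses only the policy's
// alphabet, and contains at least one character from every required class.
func (p Policy) Satisfies(pw string) bool {
	alpha := p.Alphabet()
	if len(pw) != p.Length {
		return false
	}
	for i := 0; i < len(pw); i++ {
		if strings.IndexByte(alpha, pw[i]) < 0 {
			return false
		}
	}
	for _, c := range p.classes() {
		if c.on && !strings.ContainsAny(pw, c.set) {
			return false
		}
	}
	return true
}

// randomIndex draws a uniform integer in [0, n) from the OS CSPRNG.
// rand.Int avoids the modulo bias of "randomByte % n"; math/rand would be
// the wrong package entirely, because its output is predictable.
func randomIndex(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// Generate draws every character uniformly from the alphabet and retries
// until the result meets the policy. This rejection sampling keeps every
// acceptable password equally likely; "one of each class, then shuffle" does not.
func Generate(p Policy) (string, error) {
	alpha := p.Alphabet()
	if p.Length < 1 || alpha == "" {
		return "", errors.New("policy allows no characters")
	}
	required := 0
	for _, c := range p.classes() {
		if c.on {
			required++
		}
	}
	if required > p.Length {
		return "", errors.New("length too short for the required classes")
	}
	buf := make([]byte, p.Length)
	for {
		for i := range buf {
			idx, err := randomIndex(len(alpha))
			if err != nil {
				return "", err
			}
			buf[i] = alpha[idx]
		}
		if pw := string(buf); p.Satisfies(pw) {
			return pw, nil
		}
	}
}

// EntropyBits is log2 of the number of equally likely outputs, Length *
// log2(alphabet size): the honest measure of how hard a generated password
// is to guess. A remembered password's real entropy is far below this.
func EntropyBits(p Policy) float64 {
	n := len(p.Alphabet())
	if n == 0 {
		return 0
	}
	return float64(p.Length) * math.Log2(float64(n))
}

func main() {
	// Constructed sample: a site that accepts up to 20 characters and wants all four classes.
	p := Policy{Length: 20, Upper: true, Lower: true, Digit: true, Symbol: true}
	pw, err := Generate(p)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s  (%.0f bits)\n", pw, EntropyBits(p))
}
```

Twenty characters over the four classes comes out near 130 bits; that is the number a guessing attack has to beat, and it is why the length of the generated password should be whatever the site's maximum is rather than a round number you'd have picked by hand.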
And your passwords aren’t written down on paper somewhere.
They’re written down in a computer somewhere. And that’s the objection. If that list ever gets stolen, then someone’s got everything.
That's a risk, but a manageable one. Encrypt the vault properly, with a key derived from a strong master password through a deliberately slow key derivation function, and someone who steals the file is left guessing the master password, one slow try at a time. The encryption is only as good as that master password, so it is the one password you still have to pick well.
Which password manager should you use?
The debate, of course, is what password manager to use. The path of least resistance is the password manager built into your web browser. That's also the one most security professionals object to the loudest. There was a time when Google Chrome would show your saved passwords to anyone who could sit down at your unlocked computer. That's no longer the case. The major browsers now encrypt the passwords with a key tied to your operating system login and require you to re-enter your operating system password to view them. The remaining objection is that any program running as you, while you're logged in, can ask the operating system for that same key, which is exactly what password-stealing malware does.
It’s not a perfect solution, but it’s a solution you have, and you may very well be using it already. I’m a realist. I’m not going to tell you to stop using it.
But there are alternatives.
There's an open source program called KeePass that's not bad. It runs outside your browser, uses strong encryption, and stores your passwords in a local file. And the price is right: free. I know a number of security professionals who use it, and sometimes I use it myself. The problem with it is multiple devices. You can get unofficial builds for your phones and tablets, but it won't sync between them on its own; you have to copy or share the database file yourself.
That leaves cloud-based solutions like 1Password and LastPass. The downside with those is they cost money, and you're storing your passwords in the cloud, outside your control. If the provider ever gets breached, you're in a world of hurt. The mitigating factor is that a well-designed one encrypts your vault on your own device before it is uploaded, so a breach of the provider hands the attacker encrypted vaults to crack, and the strength of your master password decides how that goes. The upside is, they sync across devices and across browsers. So they provide a good balance of security and convenience.
Am I going to convince you they’re so much better than your browser that they’re worth paying for? No I’m not. What do I use? A combination of all three, depending on my situation. You’re probably going to pick one and go with it, and that’s perfectly OK.
No really, which password manager should I use?
I’m a realist. I know not everyone can afford a cloud-based password manager. If saving passwords in your browser is what it takes to use strong, random, unique passwords, that’s a big improvement over the status quo. If everyone did that, we’d be a more secure world than we are right now.
If you use the password manager built into your browser, check whether it offers a master password of its own. Firefox does (it calls it a Primary Password); set one, because without it the stored passwords are protected by a key that sits on the disk right next to them. Chrome doesn't offer one and instead ties the encryption to your operating system login, so keep a strong login password and lock your screen when you walk away. Either way, this protects the stored passwords from being lifted off the disk; it does not stop malware that runs while you're logged in and the browser is unlocked.
Now, if you can afford to use a cloud-based password manager, there are some advantages to that approach. But you’re going to have to decide if the additional convenience and features are worth paying for.
One thing to remember: There is no such thing as perfect security. Even the ID cards the military uses can, at least in theory, be breached. There’s only acceptable risk. There is a nonzero chance you’ll die falling out of bed. That risk is low enough that people sleep on beds. You need to manage your password risk too. Using a password manager is a good idea until someone comes up with a better one. It could happen, but I’ve been waiting more than 10 years and it hasn’t yet. So in the meantime, use a password manager and change all your passwords to something random. Please.