Password Managers, and Why You Should be Using One
Are you still reusing the same password for everything? The best time to stop doing that was 10 years ago. The second-best time is right now.
It rarely fails. When people ask what I’m writing about these days, and I tell them I’m working on bringing cybersecurity concepts to a non-technical audience, they ask me for an example of what non-techies should be doing to improve their digital safety.
I always ask the same question: How often do you reuse the same password for multiple accounts?
And far more often than not, they laugh, nervously, like they’ve just been caught, and admit they do it pretty often. In some cases, people have admitted to me that they still use the same password for literally everything, and have for years.
And, I mean, I get it. Strong passwords are, by design, difficult to memorize. Who has the mental capacity to memorize dozens – perhaps hundreds – of different passwords for different online services?
The good news is, you don’t have to. You can harden your password hygiene to near-unhackability, and still only memorize a single password. The important part is what that single password unlocks.

What is a password manager?
A password manager is an application or browser extension that keeps the username and password for every account you have in an encrypted vault. On your phone, it runs in the background, watches for login forms on the screen, and offers to autofill your credentials when it sees one. On your desktop PC, it does the same thing, usually as a browser extension. To open the vault it requires some form of authentication (usually a password of its own, called the master password, or a biometric or PIN, depending on the platform). Because the vault is encrypted with a key derived from that master password, a thief who gets physical access to your device still can’t read your passwords out of it; the one thing you must not do is leave the vault unlocked on an unattended device.
But that one password is the only password you’ll need to memorize, ever again.
Password managers are ubiquitous among cybersecurity professionals and enthusiasts – no one in that world would even dream of managing their logins any other way. But it surprises and astounds me how many people outside the cybersecurity sphere have never even heard of password managers. Or maybe they’ve heard of them, but think they’re too difficult and technical for laypeople to use (they’re not). In some cases, people have told me that they feel nervous storing all their passwords in one cloud-based location (with a reputable, end-to-end encrypted manager it’s quite safe, for reasons covered below). Or perhaps they already use their web browser’s built-in password manager feature (which is certainly better than no password manager at all, but still falls short of a good third-party manager; more on that below).
Why is it important to never reuse passwords?
Three words: Credential stuffing attacks. If you’ve ever had a social media account taken over, or know someone who has, there’s a pretty good chance it was a credential stuffing attack.
Password leaks have happened many times in the history of the internet. Websites are compromised, and hackers run away with lists of users’ email addresses and passwords. And if you know where to look, those lists aren’t hard to find online.
(No, I’m not going to tell you how to find them. I know where to find them, but our job here is not to make threat actors’ jobs easier. If they don’t already know, they’re not going to learn it from me.)
Any given leak reveals the email address and password you used on just one website. But attackers don’t stop there: they take the leaked list and automatically try every email-and-password pair against other popular services, thousands at a time. That is credential stuffing. Even if your credentials didn’t leak from Instagram, for example, a hacker can still try them on Instagram. And if you reuse the same credentials everywhere, guess what? They have a pretty good chance of working on Instagram.
And if your personal digital security is that bad, you’re probably not using two-factor authentication either, but that’s a topic for another article. The point is, you just lost your Instagram account to a credential stuffing attack.
A password manager prevents this by generating a different random password for every online account you have. You don’t have to think of new passwords yourself. The manager draws each one from a cryptographic random number generator: a string of incomprehensible, unmemorizable gibberish, as many characters long as the website will allow, that is infeasible to guess. No password is ever reused, so if any one password leaks in a website breach, none of the others are affected. You’ll still have to change that one password ASAP, but that’s a lot easier than changing all of them at once.
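To make the two ideas above concrete (the blast radius of one leaked password when it is reused, and what a manager does instead), here is an added example in Python. It is not code from the article or from any password manager; the character set, the minimum length and the sample vault are all constructed for the example. It audits a vault for reuse, shows which accounts a single leak would open, and rotates the reused entries to fresh random passwords drawn from the operating system’s cryptographic random number generator.

```python
import secrets
import string
from collections import defaultdict

# Character set a manager's generator might offer (assumed policy for this example).
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"


def generate_password(length: int = 32, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Return `length` characters chosen uniformly from `alphabet`.

    `secrets` reads the OS cryptographic RNG. Never use the `random` module
    for this: its output is predictable once an attacker has seen a few values.
    """
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    if len(set(alphabet)) < 10:
        raise ValueError("alphabet too small to give useful entropy")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def find_reused(vault: dict) -> list:
    """Return groups (sorted lists of account names) that share one password.

    Each group is exactly the blast radius of a credential-stuffing attack:
    leak any one member and the attacker can log in to all the others.
    """
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    groups = [sorted(accounts) for accounts in by_password.values() if len(accounts) > 1]
    return sorted(groups)


def stuffing_exposure(vault: dict, breached_account: str) -> list:
    """Accounts an attacker can open once `breached_account`'s password has leaked."""
    leaked = vault[breached_account]
    return sorted(a for a, p in vault.items() if p == leaked and a != breached_account)


def rotate_reused(vault: dict, length: int = 32) -> dict:
    """Return a copy of `vault` in which every account in a reuse group gets a
    fresh, unique random password; passwords that were already unique are kept."""
    rotated = dict(vault)
    for group in find_reused(vault):
        for account in group:
            rotated[account] = generate_password(length)
    return rotated


# Constructed sample vault: the "same password everywhere" habit the article describes,
# plus one account that already has a unique random password.
SAMPLE_VAULT = {
    "forum.example": "Summer2019!",
    "shop.example": "Summer2019!",
    "instagram.example": "Summer2019!",
    "bank.example": "vK8$mq2Lp!wZ9#hN4rTc",
}

if __name__ == "__main__":
    print("reused groups:", find_reused(SAMPLE_VAULT))
    print("forum.example leaks, attacker also gets:", stuffing_exposure(SAMPLE_VAULT, "forum.example"))
    fixed = rotate_reused(SAMPLE_VAULT)
    print("reused groups after rotation:", find_reused(fixed))
```

Running it shows the three accounts sharing "Summer2019!" as one group, lists the two extra accounts a leak from the forum would hand over, and reports no reuse after rotation; the bank account’s already-unique password is untouched.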
What if the password manager itself is compromised?
Nothing is impossible, but with a well-designed manager it’s not the thing you need to worry about. Many password managers store your vault in the cloud so it syncs between your devices, but the good ones are end-to-end encrypted: the vault is encrypted and decrypted on your own device with a key derived from your master password, and the master password itself never leaves the device. If the cloud server is compromised, or a man-in-the-middle attack intercepts your sync traffic, the threat actor gets an encrypted blob that can only be attacked by guessing your master password. That is also why the master password should be long (a multi-word passphrase is ideal) and used nowhere else.
And if you’re really worried about the cloud, it’s possible – though more technically difficult – to self-host your password manager data on a server you control. But that’s a whole other topic. We’ll talk about self-hosting someday.
What if I lose my password manager password, and can’t access any of my other passwords as a result?
Don’t do that. Because of the strong encryption protecting your data, most password managers have no “forgot password” button: the provider never had your master password, so there is nothing for it to reset. It’s a feature, not a bug, and it’s there to protect your credentials. If you lose your master password, your password vault is gone forever. So choose one you can actually remember, write it down and keep the paper somewhere physically safe (with your other important documents, not on a sticky note on the monitor), and if your manager offers a recovery or emergency-access option, set it up while you still have access.
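The two answers above (what a compromised server sees, and why there is no “forgot password” button) both come down to one design: the key is derived from the master password on your device, and the server only ever stores ciphertext. The following is an added example in Python that is not code from the article or from any real password manager. It uses PBKDF2-HMAC-SHA256 from the standard library to stretch the master password, and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a standard-library stand-in for the authenticated cipher (typically AES) a real manager would use. The iteration count, field names and sample vault are assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets

# PBKDF2-HMAC-SHA256 work factor; the value is an assumption for this example.
KDF_ITERATIONS = 600_000


def derive_keys(master_password: str, salt: bytes, iterations: int):
    """Stretch the master password into a 32-byte encryption key and a 32-byte
    MAC key. This runs on the client; the server never sees the master password
    or the derived keys, so it has nothing it could use to 'reset' the vault."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher
    such as AES-GCM. The (nonce, counter) pair must never repeat under one key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, vault: dict, iterations: int = KDF_ITERATIONS) -> dict:
    """Return the blob a sync server would store: salt, nonce, ciphertext, tag
    and the KDF iteration count. Nothing in it is recoverable without the
    master password, and the salt and nonce are fresh for every encryption."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(vault).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC over everything the server stores, so tampering is detected before decryption.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {
        "iterations": iterations,
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }


def decrypt_vault(master_password: str, blob: dict) -> dict:
    """Re-derive the keys from the master password, verify the tag, then decrypt.
    A wrong master password or a tampered blob fails verification; a lost master
    password therefore means a lost vault, exactly as the article warns."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ciphertext"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(master_password, salt, blob["iterations"])
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def server_can_read(blob: dict, secret: str) -> bool:
    """What a breached server or a man-in-the-middle gets: True only if `secret`
    appears in the stored blob in the clear (as text or as its hex encoding)."""
    return secret.encode("utf-8").hex() in blob["ciphertext"] or secret in json.dumps(blob)


if __name__ == "__main__":
    # Constructed sample vault and master passphrase.
    vault = {"instagram.example": "zR4!vbnQ2$eL", "bank.example": "Hw9#pLm3Kd@u"}
    blob = encrypt_vault("correct horse battery staple", vault)
    print("server stores:", blob)
    print("server can read a password:", server_can_read(blob, "zR4!vbnQ2$eL"))
    print("decrypted on device:", decrypt_vault("correct horse battery staple", blob))
```

With the correct master passphrase the vault round-trips; with a one-letter typo, or after flipping a single byte of the stored ciphertext, `decrypt_vault` raises instead of returning garbage. Note that the security of the whole scheme rests on the master password surviving a guessing attack against the stored salt and tag, which is why the iteration count is high and the passphrase should be long.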
Which password manager should I use?
Any reputable password manager is better than no password manager, and while some have their own bells and whistles, they all work more or less the same way as described above.
Personally, I recommend Bitwarden, because it’s open source (I always prefer open source security and privacy tools, although my reasons why are a topic for another article) and because it has a very functional free tier. However, other great options certainly exist. I’ve used Keeper in the past, and was generally happy with it. I’ve heard people say good things about Dashlane and Proton Pass, but I’ve never used them, so I can’t personally speak about them. At the end of the day, just pick one. It’ll be lightyears better than not using one at all.
What about my web browser’s built-in password manager feature?
It’s certainly better than nothing, but it tends to lack one major advantage of third-party password managers: cross-platform portability. If you’re entirely in the Apple ecosystem, maybe using Apple’s password manager feature works for you, and that’s great. But if you’re like me, and frequently switch between a mix of Microsoft, Linux, Android, and Apple devices, you’re going to have better, more seamless coverage with a third-party solution. Browser managers also usually unlock automatically along with your operating-system login rather than asking for a separate master password, which makes them easier pickings for malware running under your account; a dedicated manager locks the vault on its own.
But at the end of the day, what works for you works for you. As long as you’re not reusing passwords, you’re doing better than most.
How hard is it to set up a password manager?
This is the only bit of bad news: First-time setup is a bit of a pain. The applications and browser extensions are easy enough to install – just go to your phone’s app store or your web browser’s extension page, and most managers can import the passwords your browser has already saved, so you don’t have to retype them. The hard part is replacing all those passwords with new, randomly-generated ones. Most of us have dozens of online accounts. Some of us may have hundreds. And they all need to be updated, as quickly as possible.
I find the easiest way to do this is with an as-you-go approach: When you find yourself logging into a website for the first time post-password-manager-installation, take a moment to update the password with a new, randomly generated one, and save it to the manager. The websites you use most often will naturally get updated first, and they’re likely the most important anyway. The one exception worth doing on day one is the email account you use for password resets: whoever controls that inbox can reset most of your other passwords, so it should get a unique password (and, soon, two-factor authentication) before anything else. Before long, you’ll have updated all the websites you actively use.
The bottom line is: You really have no excuse. If you’re not already using a password manager, there’s no better time to start. Are you reading this on your phone? Download a password manager app (again, I recommend Bitwarden). Are you on your laptop? Install the browser extension. You can start right now.
So, are we done? Are my accounts secure now?
Well, they’re in much better shape than they were before, but we still need to talk about two-factor authentication on accounts that offer it. We’re going to make your accounts even more secure, and pretty close to unhackable. Check back soon!


Thanks for this clear guide! I've been using the auto-save password feature of Google Chrome. It's really convenient. Now I'll go and learn about Bitwarden :)