Editor’s Note: This article was published in 2017 and has been updated for accuracy and comprehensiveness as of October 2020.
If you’ve been following along with our advice on how to keep yourself safe online and improve your cybersecurity, you have reduced your risks and are less susceptible to a brute force attack. This means you are using unique and complex passwords for all applications and websites, and you have enabled multi-factor authentication so if those passwords do get out, there is another layer of security.
By following these practices, you now have a lot of passwords to remember. How are you managing them? My bet is that you are saving them in your browser and/or in a spreadsheet. These are the worst places to put them. Hackers can easily strip browser data, and Excel spreadsheets barely slow them down. So, how do you remember your new, secure passwords?
The old fashioned way
Some cybersecurity researchers suggest writing down your usernames and passwords in a notebook and then storing it in a physical safe. The theory is that if someone gets into your office/safe then you have bigger problems than passwords in a notebook. Also, the likelihood of that happening is much lower than an attacker gaining access to your digital cache.
My guess is that you are reading this and saying, “Are you kidding me?!” No, I’m not. This is a valid way to document and safeguard your usernames and passwords. Some security experts even recommend two notebooks, one for usernames and the other for passwords, then storing them separately. That’s two safes with two different combinations, and heck let’s throw some biometrics in there with a fingerprint reader.
If this all sounds very James Bond to you, don’t worry. Throwing your hands up in frustration won’t protect your passwords, but there is a modern solution that will. A more flexible digital equivalent to a safe is out there and has been gaining popularity as cybersecurity becomes more of a concern. A password manager is a modern solution to your password storage woes, and there are many options on the market.
Password managers
A password manager is a digital vault for your usernames and passwords. This is an encrypted database on your local machine that is synced and backed up to the cloud so its available on all your devices. Most password managers use AES-256 encryption (government-level) unlocked only by using a master password. This master password should meet all the complexity requirements talked about in previous articles, and if anything, be even longer and more complex. Because this one secure login is the gateway to all your saved information, ensuring it is not compromised is critical. Think of the master password as the combination of your digital safe.
Most of these programs have seamlessly integrated browser plugins that will enter the saved credential information for your different websites and applications. The program will even give you a score on your overall password health. If you happen to use a password on multiple sites or you have a weak password, the software will let you know and walk you through changing your password. Some password managers can both encrypt information and fill forms. Your basic information will also be safe in the vault, and you can adjust what the program auto-fills in the settings.
Characteristics of the best password managers:
- Encrypted database (AES-256 encryption, government-level)
- Browser plugins
- Usernames and passwords should not be saved in the browser
- Password security assessment based on collective data from all sites and applications
- Password complexity
- Unique passwords (across all sites and applications)
- Password change reminder
- Auto password change
- Mobile device support
- Multi-factor authentication
- Notifications of compromise
- Alerts if one of your accounts has been part of a recent data breach
- Scans your accounts to check if they have been a part of past breaches
Some cybersecurity professionals don’t like password managers. They argue that storing your passwords in the cloud with a single point of failure is risky. If your password manager account is compromised, the attacker will get the keys to the kingdom.
I’m a firm believer that if you are following good password policies, you’re going to need a realistic way to keep track of them. Professionals who challenge the use of password managers have a point, but not using a password manager breeds bad password behavior. Using a program with a risk alarm and that you check regularly can negate most of the concerns that are voiced about even the best password managers. Overall, the benefits greatly outweigh the risks.