How to Use a Password Manager
The original password manager was probably a piece of paper with your password on it. It progressed into a password spreadsheet which became your “vault.” The recommendation to create a different password for every website makes remembering passwords nigh impossible.
Today’s password managers evolved from this concept: How do you keep all your passwords behind one master key and still access them from several devices? The answer is a software-based password manager.
Almost all password managers will help generate a unique password for each site, auto-fill the information in your web browser, and store additional pieces of information required by the site (like password reset question answers). To utilize them, you will have to get comfortable with the idea that all of your eggs are in one basket.
Here are some security-related things to consider when choosing a password manager.
- Encrypted usernames and passwords
- Master key is irretrievable
- Two factor authentication (2FA)
- Suspicious activity notifications
- Review past performance after data breaches
Let’s break these down.
Encrypted usernames and passwords
Like other software, password managers are vulnerable to being hacked and are a rich target. However, if the company encrypts your usernames and passwords, it’s unlikely that a thief who steals the encrypted data will be able to read it. Instead, recent attacks on password managers include trying to get the password manager to cough up DECRYPTED passwords when it’s auto-filling a web form.
Master key is irretrievable
Should you lose your master key, your information is irretrievable, even for the password manager company’s employees. This means your master key is handled in such a manner that even the company’s employees can’t view it, a hallmark of good security. It eliminates the possibility that someone working on the inside can access your highly sensitive information.
But remember, if the master key is lost, you can’t get into your vault either. If you need guidance on how to create your memorable master password, check our Four Steps to a Stronger Password.
Two factor authentication (2FA)
The password manager should support an additional login step, AKA two-step login, AKA two factor authentication (2FA). This is another layer of protection for your password vault and any important accounts. Even with the strongest password in the world, if someone can socially engineer it from you, all is lost! Or at least, all the passwords in your vault are lost if you are not using two factor authentication. The additional login step is a synchronized code that exists on a token or app in your possession. (Note: Text message codes are no longer a good option for two-step login.)
Suspicious activity notifications
Offering suspicious activity notifications is another sign of best security practices. You may have seen suspicious activity notifications from your bank. Similarly, if you get a new phone and try to log in to your account, an e-mail or text message alerts you that your account is being accessed from an unrecognized device and asks for a one-time special code in order to get in. If the password manager is monitoring for suspicious login attempts (unrecognized device, different IP address, different part of the country or world), it means they are practicing good security.
Past performance after data breaches
Consider the company’s performance after a data breach. If they have had a data breach previously, did they communicate clearly with their users? Research their account of what happened, what they asked of their users, and how they learned from it and improved. Data breaches sound awful, but they are a fact of internet life; if the proper precautions are taken, they are recognized quickly and triaged. With password managers, the hope is that their strong encryption methods make your stored passwords impossible to break (at least in your lifetime!). They may still ask that you update your passwords, just in case. But at least with a password manager you know which accounts you have, right?
Should you store everything in your password manager? It’s up to you to determine how much risk you can handle. With 2FA enabled on an account, you may feel better about keeping its password in your password manager. If you absolutely don’t want to store your primary e-mail, bank, or something else very important, commit those passwords to memory or, at least, place them under lock and key. Weigh the risks and benefits to be comfortable with your decision.