A Yahoo messenger logo is displayed on a monitor in this photo illustration shot April 16, 2013. REUTERS/Mike Blake/File Photo

How to pick a password manager

After the Yahoo breach exposed personal data about 500 million users, many people are looking for ways to protect themselves online. That's where password managers come in. 

If you've ever forgotten a password, reused one for multiple accounts, or chosen "12345" as your login credentials, you're not alone.

In fact, a number of polls have shown that millions of people still rely on insecure passwords such as "default." And the issue is more pressing than ever after Yahoo confirmed last week that hackers accessed "data associated with at least 500 million user accounts," including passwords (though the passwords were not stored in plain text).

The problem isn't going away soon, though, because almost every major site forces users to input a username and password to access their account. Many security experts recommend password managers as a secure way for users to store their credentials easily without sacrificing password complexity.

People typically download password managers as either a browser plug-in or a standalone app. From there, the password manager (sometimes known as a "password vault") encrypts and stores hundreds of passwords while automatically logging you in to each account. All you have to do is remember the password to your password manager.

It's valid to be nervous about keeping all your passwords in one place, experts say, but that's nothing compared to the risk of reusing passwords. After all, hackers have repeatedly proved that once they can access one account, it's easier to breach others.

"You’re expected by security people to have these long, strong, random passwords that are unhackable," said Jessy Irwin, an independent security researcher who previously worked at the password manager 1Password, adding that expectation is unrealistic. "Overall, you’re more likely to have more damage done to you by using one password all over the internet than you are by using a password manager."

Where to begin

Consider which of your various accounts are most sensitive. Start with your banking accounts, social media, or primary email address, which is especially important because so many password resets occur via email. One way to determine an account’s sensitivity? Think about what would happen if someone stole the password – could they use it to access another account or a linked account?

You'll have to decide whether you prefer a password manager with cloud storage or local storage.

Cloud storage can be helpful if you use your password manager with multiple devices. By syncing your manager to the cloud, you'll have an up-to-date list of your passwords on all of your devices without having to manually transfer them.

"For most people, that's probably the best solution because most people are not going to have the ability to secure their own desktop and laptop at their home from an attacker," said Cris Thomas, a strategist at Tenable Network Security also known by his hacker name Space Rogue.

With cloud storage, however, you're putting your faith in the company to keep your data safe. Syncing also gives attackers another avenue to your information if the connection isn't properly encrypted: by compromising your internet connection, or by taking control of your device, they can intercept your data on its way to the cloud.

That’s where local storage comes in. It might be preferable for anyone willing to trade some convenience for the added security. If you have a good handle on your device’s physical security, you might prefer keeping your passwords on your device.

Experts say that more popular password managers are more likely to maintain and update security measures. But don’t forget about usability. Extra layers of security on a manager aren’t going to help if you don’t ever use it.

Beware common password manager mistakes

One of the biggest mistakes is choosing a weak master password. Think of your master password as the keys to your password kingdom. With it, you can access all of your other passwords.

But so can someone else if they guess it, which is why you should make it as complicated as you can. A word of warning: If you forget your master password, most managers don’t have a mechanism to let you reset it. That means if you forget your password, you will not be able to get back into your password manager, and will have to recreate it from scratch.

Like your other passwords, this should be complex – a combination of lowercase letters, uppercase letters, symbols, and numbers.

If you're worried about forgetting it, Ms. Irwin suggests committing it to memory. Log into your manager several times after creating it to help build up your memory, she said. "If you’re able to practice passwords that way, you’re not going to forget a master password quickly."
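The reason a forgotten master password is unrecoverable is that a manager never stores it: it stretches the master password into an encryption key and keeps only the salt and the encrypted vault. The sketch below is an added illustration, not code from any of the managers named in this article; it uses PBKDF2 from Python's standard library and an HMAC-based keystream as a stand-in for the AES-GCM a real vault would use, and the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 600_000  # assumed work factor; every guess at the master password pays this cost


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 32-byte vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 run in counter mode as a keystream; stand-in for AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def lock_vault(master_password: str, entries: dict) -> dict:
    """Encrypt the entries. Only salt, nonce, ciphertext and tag are stored; the key is not."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_key(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()  # encrypt-then-MAC
    return {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag}


def unlock_vault(master_password: str, blob: dict):
    """Return the entries, or None when the master password is wrong.

    Nothing in the stored blob lets the manager reset or recover the password:
    without the right key the tag check fails and the ciphertext stays opaque.
    """
    key = derive_key(master_password, blob["salt"])
    expected = hmac.new(key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(key, blob["nonce"], len(blob["ct"]))
    return json.loads(bytes(c ^ k for c, k in zip(blob["ct"], ks)).decode())


if __name__ == "__main__":
    # Constructed sample vault, not real credentials.
    vault = lock_vault("correct horse battery staple", {"bank": "s3cret", "mail": "p@ss"})
    print(unlock_vault("correct horse battery staple", vault))  # the entries
    print(unlock_vault("wrong guess", vault))                     # None
```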

Some popular password managers:

KeePassX

KeePassX is an open source password manager. It lets you store passwords, usernames, URLs, and attachments. It also offers a field for comments. This can be helpful to record fake answers to security questions for a site, as the typical questions ("What is your mother’s maiden name?") are often not too difficult to find out. Its interface does come with a bit of a learning curve, which can deter some people.

Systems supported: Mac OS X, Windows, iPhone, Android

Storage: Local

Code: Open source

Price: Free

1Password

1Password is a paid password manager, with prices ranging from a $5 per month family plan to a $64.99 flat fee for one license. This is considered one of the more user-friendly options because of its cloud storage, browser extension, and interface. It offers end-to-end encryption for your passwords, meaning the company has no way to ever see your passwords. If you prefer, 1Password can also be unlocked with a fingerprint if your phone supports it.

Systems supported: Mac OS X, Windows, iPhone, Android

Storage: Cloud

Code: Proprietary

Price: Varies per plan

LastPass

LastPass is one of the more popular free options. It can generate passwords for you, has a notes function for information such as insurance cards, and inputs your passwords for you on websites. Its interface is also fairly easy to use.

Caveat: LastPass was breached last year, exposing user e-mail addresses, master password hints, and hashed master passwords. Most of its users were not affected, and the company addressed the issue fully within a month.

Systems supported: Mac OS X, Windows, iPhone, Android

Storage: Cloud

Code: Proprietary

Price: Free, with paid premium and enterprise options
