For quite some time now I had been hesitant to use a password manager. Even though I knew that it is a security best practice, I felt that entrusting all your passwords to one program or organization is scary. This feeling changed recently as data breaches became more frequent and the amount of data being divulged in them grew. These events, together with reflecting on how I actually use passwords, finally drove me to install and use a password manager.

Password managers are programs that store your passwords in a secure, encrypted format. They also provide tools such as random password generators to make it easier for you to create strong passwords. These programs can be installed locally on your computer or hosted in the cloud and accessed through the internet.

Using a password manager allows you to “forget” your passwords for the websites you use by letting the program fill in the login form for you. This solves the problem of reusing passwords across different websites, which is a big security risk.

I would like to illustrate the risk you face when you do not use different passwords for different websites. The list below shows a sample user account and the passwords for some commonly used websites:

Facebook
Username: [email protected]
Password: mySeCurePWD123!

LinkedIn
Username: [email protected]
Password: mySeCurePWD123!

SSS.gov.ph
Username: [email protected]
Password: mySeCurePWD123!

The password appears to be secure, as it satisfies most of today's password requirements: 8 characters or more, a mixture of uppercase and lowercase letters, and numbers and special symbols. The user also has an easy time remembering the password since it is the same for everything.

However, since the user used the same password for all of the websites, the risk that any account gets compromised depends on the least secure website. For example, let’s say SSS.gov.ph (a government website) stores its passwords in plain text and suffers a data breach. Attackers now have your actual password from the divulged data. They can try the same username/password combination on Facebook and LinkedIn and gain access to your accounts there as well.

As another example, let’s say that the user’s passwords are not identical but differ only by some kind of service identifier. This gives the user the illusion that the passwords are different, but the rest are really easy to guess once one of them is leaked.

Facebook
Username: [email protected]
Password: mySeCurePWD123!_fb

LinkedIn
Username: [email protected]
Password: mySeCurePWD123!_linkedin

SSS.gov.ph
Username: [email protected]
Password: mySeCurePWD123!_sss

Again, in the event that the SSS.gov.ph website gets hacked, the attacker will be able to determine that the user is using an identifier to differentiate the passwords. In the example above, they can guess your Facebook password by trying likely identifiers such as mySeCurePWD123!_facebook, mySeCurePWD123!_fbook, and mySeCurePWD123!_fb. They can use the same method to determine your LinkedIn password.

As a final illustration, consider the case where the passwords are totally random and are not based on any information about the user or the service.

Facebook
Username: [email protected]
Password: RxgrXvczlaGlG0w!5TQoQ

LinkedIn
Username: [email protected]
Password: Uv8E&9bGCgj%$9%GSV6BA

SSS.gov.ph
Username: [email protected]
Password: *$76217wlZcC2C9nP8i$W

As you can see, even if the least secure website (let’s say SSS.gov.ph) gets hacked, your passwords on Facebook and LinkedIn remain unguessable. Another way to add even more security is to use different usernames or emails for different accounts, so attackers need to guess both the username and the password. Implementing this may not be practical for most users, though.

This is one of the main benefits of using a password manager. By making it easy to generate and fill in random passwords for different websites and services, you no longer need to manually track and remember each individual password, and so the overall security of your accounts increases.
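The three vaults above, run through a small added example (not code from the original post): a vault health check that flags the "same password" and "service identifier" schemes as reused or patterned, plus a generator that draws truly random passwords like the third set with the `secrets` module. The stem length of 8 and the verdict names are my own choices.

```python
import math
import secrets
import string
from itertools import combinations
from os.path import commonprefix

# Letters, digits and punctuation: 94 printable ASCII symbols, the same
# kind of alphabet the random passwords in the post are drawn from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length: int = 21) -> str:
    """Pick every character with the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Size of the search space for a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)

def audit_vault(vault: dict, min_stem: int = 8) -> dict:
    """Return a verdict per site: 'reused' when two passwords are identical,
    'patterned' when they share a stem of min_stem+ characters (the
    mySeCurePWD123!_fb scheme), otherwise 'ok'. Assumed thresholds."""
    findings = {site: "ok" for site in vault}
    for (a, pa), (b, pb) in combinations(vault.items(), 2):
        if pa == pb:
            verdict = "reused"
        elif len(commonprefix([pa, pb])) >= min_stem:
            verdict = "patterned"
        else:
            continue
        for site in (a, b):
            if findings[site] != "reused":   # 'reused' outranks 'patterned'
                findings[site] = verdict
    return findings

# Constructed sample vaults, copied from the three illustrations in the post.
SAME = {"Facebook": "mySeCurePWD123!", "LinkedIn": "mySeCurePWD123!",
        "SSS.gov.ph": "mySeCurePWD123!"}
SUFFIXED = {"Facebook": "mySeCurePWD123!_fb", "LinkedIn": "mySeCurePWD123!_linkedin",
            "SSS.gov.ph": "mySeCurePWD123!_sss"}
RANDOM = {"Facebook": "RxgrXvczlaGlG0w!5TQoQ", "LinkedIn": "Uv8E&9bGCgj%$9%GSV6BA",
          "SSS.gov.ph": "*$76217wlZcC2C9nP8i$W"}

if __name__ == "__main__":
    for name, vault in (("same", SAME), ("suffixed", SUFFIXED), ("random", RANDOM)):
        print(f"{name:9} {audit_vault(vault)}")
    print(f"fresh 21-char password: {generate_password()}  "
          f"(~{entropy_bits(21):.0f} bits of search space)")
```

Only the random vault comes back clean; a leaked SSS.gov.ph password in either of the other two vaults tells an attacker most of what they need for the remaining sites.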

As for my earlier concern about putting all your passwords in one program: in my opinion the benefits of using a password manager definitely outweigh the risks. Having non-random passwords makes all of my accounts insecure, and an attacker only needs to break the weakest link in the chain for the whole thing to be compromised.

Password managers have a single mission, unlike most other web companies. While other companies can have sufficient security features, security is not the primary aim of their business. Password managers, on the other hand, have the single focus of making sure that the entire system is secure. They are aware that one critical vulnerability or data breach in their systems would immediately destroy their business.

Types of Password Managers

We can categorize password managers into two types:

  • local installation – these are password managers that you install directly on your computer. They save your encrypted passwords locally, which means within the computer itself. This is a secure setup, as all files relating to your passwords are tied to your local device, and thus an attacker needs to obtain your device first before they can access your encrypted passwords. Even if they obtain those files, they will not be able to decrypt them without your secret key.
  • web-based – these are password managers that keep your data on remote servers instead of saving it locally. This setup is very easy to use and convenient, as you can access your passwords on any device as long as you know your secret key (also known as the master password). However, your password information (while itself encrypted) is transmitted over the internet to the remote servers, which poses a small risk of an attacker intercepting that information.

A simple (but not entirely accurate) analogy is a physical vault that contains money. A local installation is like hiding that vault inside your house. No one has access to the vault unless they are inside your house, and they cannot unlock it unless they know your secret combination. Thus the security of the vault depends on the security of your house and the security of your secret combination.

A web-based password manager is like handing your vault to a bank and letting them look after it. In this case the security of the vault depends on the security of the bank itself and the security of your secret combination. While we can assume that the security measures in a bank are tighter than those of your house, we have no control over how the bank handles its business and over who can gain access to your vault.

Things to Consider

There is an important consideration when looking for a password manager: security may need to be balanced against ease of use and convenience.

Web-based password managers such as LastPass offer a very convenient way to handle your passwords through browser integration. This means that they pre-populate your username and password on the websites you use, and also have a built-in way of generating secure passwords every time you sign up for a service. LastPass will also prompt you to add a website to its vault automatically, saving your username and password without you having to type that information into the program.

Locally-installed password managers such as KeePass do not have the same ease of use and convenience as web-based programs. However, locally-installed programs can be more secure as long as they are properly set up and maintained. KeePass also has plugins that can sync your encrypted password database to remote file storage (like an FTP server or Dropbox), which is useful to make sure that you do not lose your data in the event of a computer malfunction or erasure. Syncing your data outside your local machine, however, introduces the same risk as a web-based service, since your files are no longer present exclusively on your device.

Protect your Password Manager

This should not be a reason to be complacent, though, and simply delegate your account security to a password manager. We still have a personal obligation to keep our information secure. Here are some tips to make sure you get the most out of using a password manager:

  • Make sure that your secret key or master password is kept safe and is truly random.
  • Set up an auto-lock or screensaver on your computer for when you are away.
  • Always log out of websites afterwards. A browser-integrated password manager automatically fills in the login form, so anyone with access to your computer can log in to your accounts.
  • Remember to log out of the password manager after you are done browsing and before you shut down your computer.
  • Use Two-Factor Authentication (2FA) on all websites that offer it. This greatly increases the security of your accounts. If the password manager also supports 2FA, it is important that you enable it there as well. This provides an additional layer of security on top of your master password.

Having discussed the rationale and benefits of using a password manager, I hope that you will consider using one yourself. In today’s age, where a large number of the services we use and the transactions we make are done over the Internet, it is more and more important that we keep our data secure.

Attacks are becoming more sophisticated, most often linking information from various sources to learn more about you. Not following data security practices has a negative effect not only on our digital lives, but on other aspects of our lives as well. Having secure passwords reduces that risk by making it harder for attackers to gain information about us even when an insecure website gets compromised.

Photo by MILKOVÍ on Unsplash

One thought on “Why I finally decided to use a Password Manager”
