The main reason you want a password manager is so that you don’t have to remember your passwords, except for the one that unlocks the password manager itself. In this way, you can create extremely strong passwords for the hundred-plus websites you have accounts with. The best part is you don’t need to know the password to any of them.
A decent Password Management tool will:
- Store your username, password, and URL information under names and folder structures you define
- Auto-generate passwords using parameters you define (length, then inclusion checkboxes for alpha characters, numbers, and special characters) using a randomizer
- Allow you to manually copy/paste passwords, with a timeout feature that erases the password from your clipboard after 30 seconds
- Provide browser extensions that auto-populate your username and password when you access a URL in the Password Manager’s database, enabling you to auto-login to websites (only if you have unlocked your password manager first)
- Enable cross-platform syncing, so if you save user credentials on one machine, they’re available across all your devices
- Allow you to share user credentials with others (e.g., spouse) if desired
- Keep a history of each user credential so you can go back in time and see an old password (along with a timestamp of when the change occurred)
A web search will find that PC Magazine publishes “The Best Password Managers for 20xx”, where the year changes as they update their selections.
Before going deeper, I need to address the elephant in the room. The critical thinker in you might be sounding alarm bells. You might be saying
Hey, are you nuts? You want me to put all my passwords in a single place? That sounds dangerous! What’s the risk of that getting breached?
Most applications need access to YOUR data to complete a transaction for you or to conduct their business. Password Management tools have no such need. Only YOU need YOUR data. So, they design the application in a way that prohibits even their own teams from having access to your data. Basically, each client user account (that’s YOU) has its own unique encryption key which secures its own data. In addition, that data is encrypted several more times. So, it’s like a nesting doll, except with safes. Segregation of duties allows only certain resources to access each layer, and the bottom layer, the one where data is in a readable format, is accessible only to you.
Of course, a fly-by-night company or an individual contributor could put something on the market that falls short of such standards. This is where research such as that done by the writers at PC Magazine comes in. Or you can trust my own research, as I will identify the top of the top herein.
When reviewing any application for security risks, we look at a whole bunch of elements. As I’ve written previously, there are assessment firms that assist in this effort. In addition, we look at a gamut of other risks, such as how data is encrypted at rest (when it sits in the database) and in transit (when moving about outside the database, such as when it’s sent to you or to other companies). Companies that invest in security publish SOC 2 reports as evidence of passing audits that review their security and compliance against stringent standards. The three products I recommend publish such SOC 2 reports.
Alright then… so if the data is safe on the application side, what about YOUR side? What if the single password gets out? The answer is 2FA, also known as Two-Factor Authentication, or Multi-Factor Authentication (MFA). That’s a tip for another day, which you should do too!
Okay, so let’s move beyond whether it’s safe to use, and talk about…
What’s this like in real life terms?
Typical Use Case
You have three devices (phone, laptop, tablet). Password Managers can always be opened from their respective apps. They’ll have an app for the phone (e.g., from the AppStore), for the laptop or desktop (e.g., downloadable and run like a standard app), and for a tablet (e.g., if iPad, same as the phone’s AppStore).
When you create a record in the Password Management tool, regardless of which device it’s created on, as soon as it can sync (e.g., you’re not in airplane mode), that record exists across all your connected devices. The Password Manager is also available for direct usage via a browser (given you use the app’s Website URL address).
If you open the Password Manager app itself, you can select the record name (e.g., My Bank) and click on the associated User Credential record’s URL and it’ll open the browser and populate the login credentials on your behalf.
Within a browser session, if the extension is installed, when you reach a page that the password manager contains a login for, it can (if you enable and allow it) auto-login to that site for you. Or you can choose a more manual approach and click an icon it provides in the login and password fields, so that you push the buttons to let it populate the webpage’s user credential fields. This last method is helpful if you have multiple usernames for a single site.
Use Case: Password sharing with family
Let’s say you have a family of four and put everyone on the same brand of Password Manager. You’ll have some website accounts that are just yours (e.g., social media). You may have other website accounts you want to share with your spouse (e.g., utilities). And, you might have other websites you want to share with the entire family (e.g., Disney Plus, Netflix, etc.). Some of the password managers allow you to share a password record with other users you specify. And you can specify whether you want them to have read-only access or the ability to change the password, or you can transfer ownership of the password record to that family member.
Bottom Line: Using these apps is simple and makes implementation of Unique and complex passwords painless.
Which Password Manager?
The three Password Manager tools I believe are best on the market, and they’ve been that way for many years, are these three:
- 1Password
- Keeper Security
- Bitwarden (paid version as it has two-factor authentication)
If you’re Apple-based, then go with 1Password. If you have a mix of operating systems, Keeper or Bitwarden are excellent choices. If you did your own searches and saw recommendations for LastPass, then I’d ask that you pass on LastPass, as they have had internal organizational failures that led to breaches. Those breaches wouldn’t actually get your passwords, assuming you have a decent password to your vault, but it was still subpar procedure, with multiple occurrences in a single year. So, do yourself a favor and pass on LastPass.
- How secure are the passwords stored in their vault? This includes a review of their security architecture and encryption methods. For example:
  - Bitwarden: Review the https://bitwarden.com/compliance/ page, scroll down to Third-party Security Audits, and read the latest Network Security Assessment report. Tests should be done annually, as threats evolve over time. Their 2022 test was performed by the assessment firm Cure53, and Bitwarden has disclosed the findings and its remediation plans to address them.
  - Keeper: Full details of Keeper Security’s features can be found at https://www.keepersecurity.com/security.html. This is my number 1 choice due to its architecture: data is encrypted and decrypted on the user’s device, so Keeper never holds an unencrypted copy. They also use record-level encryption, so that if you have 100 passwords, every single one is protected by a separate (behind-the-scenes) encryption key that would have to be broken individually. Keeper is also FIPS 140-2 certified, which is a struggle for many large corporations to achieve due to the measures required to meet its security requirements.
  - 1Password: Review the https://1password.com/security/ page; audit information can be found via a link from this page. This is a consumer-grade product like Bitwarden. It is HIPAA compliant. However, it is not FIPS 140-2 certified.
- Two-Factor Authentication
Other features are convenience related and, to me, these are like the extra doodads on your car, which don’t make the car itself more reliable or safe, but make it easier to use:
- Auto Generate Strong Passwords
- Browser extensions – allowing for auto-login to websites
- Ability to share passwords with other users of the same tool (read only; transfer ownership; or maintain ownership but let them modify passwords)
- Customize additional fields (e.g., adding a PIN, account number, security questions, or anything else you’d like)
- Ability to attach files to password record
Start small, then grow your usage of the tool
Give this tip a try, in combination with Tip #1 (Complex and Unique passwords), on just the most critical websites first. This will get your feet wet. I’d start with banking and investments. A bad actor getting access to these areas will do the most harmful damage to your life.
Then convert your email accounts. This, especially for weaker websites, is where “forgot your password” confirmations go. Email is also the oldest internet-based technology, designed when security wasn’t yet a consideration. So, protect these accounts with strong passwords.
Then move on to social-media sites, as this is where you have the largest social presence and where a bad actor can take on your identity to influence the people you love or are acquainted with. It’s also where they acquire information to socially engineer passwords.
Then move on to websites where your credit-card information is stored. Credit card companies have measures to protect you, but reliance on that alone has risks. Start tackling these websites after the prior three priorities.
Then move on to any website containing your Personal Identifying Information. This is data that can identify you, such as SSN, name, address, account number, driver’s license number, passport number, Medicare number, etc. These are items that help bad actors steal your identity. So, if a website has this information (e.g., airlines, insurance), then you want to protect it.
Last, move on to the seemingly unimportant websites. Though these passwords might not matter much, as such sites hold little information about you, an old credential reused there might open the door to a forgotten website that does hold information bad actors want.
