Major players are pushing for passwordless authentication by supporting FIDO2. Web browsers have started to support WebAuthn, an API for authenticating with a device. Instead of typing a username and password, you just plug in (or tap) a device such as a YubiKey. However, this authentication method is not widely deployed yet, so you will still have to deal with passwords for at least a few more years 😦 And good passwords are not easy to come up with, as xkcd points out:
It's not uncommon to be registered on more than 100 websites, which means a lot of usernames, emails and passwords to remember. The easy way out is to always use the same password, but then a single leaked site exposes every account that shares it. That's why password managers are helpful, and they do more than just store your passwords. Let's see 5 reasons to use one!
# 5 reasons to use a password manager
## 1. List all your accounts
I currently have 150+ registered accounts in my password manager. There are some services I use multiple times a day and others that I use only once a year. I sometimes don't remember that I already have an account on these websites. A password manager saves me from wasting time resetting passwords.
## 2. Improve security by using unique passwords
Password managers come with a password generator, so every site gets a long random password that is unique to that site and that satisfies the site's password requirements (minimum length, character classes). You no longer have to invent or remember any of them.
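What such a generator does under the hood, as an added example that is not code from the original post or from any password manager: it draws symbols from a cryptographically secure random source (`secrets`, never `random`), re-draws until a typical site policy is met, and reports the entropy so you can compare a random password with an xkcd-style passphrase. The word list and the policy rule are constructed for the demo.

```python
import math
import secrets
import string

# Constructed, deliberately short word list for an offline demo; a real
# passphrase generator uses a published list of several thousand words.
WORDS = ["apple", "bridge", "candle", "dragon", "engine", "forest", "garden",
         "harbor", "island", "jacket", "kettle", "lantern", "meadow", "needle",
         "orange", "pepper"]

# Full printable ASCII alphabet minus whitespace: 26 + 26 + 10 + 32 = 94 symbols.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `choices` options."""
    return length * math.log2(choices)


def meets_policy(password: str, min_length: int = 12) -> bool:
    """A typical (assumed) site policy: minimum length and at least three of four character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and sum(classes) >= 3


def generate_password(length: int = 20, alphabet: str = SYMBOLS, attempts: int = 100) -> str:
    """Random password from the OS CSPRNG, re-drawn until it satisfies meets_policy()."""
    if length < 8:
        raise ValueError("length must be at least 8")
    for _ in range(attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate
    # Only reachable when the alphabet lacks the character classes the policy wants.
    raise RuntimeError("alphabet cannot satisfy the password policy")


def generate_passphrase(words=WORDS, count: int = 6, separator: str = "-") -> str:
    """xkcd-style passphrase: `count` words chosen uniformly and independently from `words`."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(SYMBOLS), len(pw)):.1f} bits")
    pp = generate_passphrase()
    print(pp, f"{entropy_bits(len(WORDS), 6):.1f} bits from a 16-word list;"
              f" a 7776-word list would give {entropy_bits(7776, 6):.1f} bits")
```

Note that the entropy comes from the size of the choice space, not from how "complex" the result looks: six words from a 7776-word list (about 77.5 bits) beat an 11-character "Tr0ub4dor&3"-style password, which the policy above rejects anyway because it is too short.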
## 3. Check your security health: password reuse, vulnerable passwords, 2FA not enabled, etc.
Many password managers audit your vault: they flag passwords that are weak, reused across sites, or that appear in a known data breach, typically by checking them against Have I Been Pwned?. Some can even change a compromised password for you, so it's a one-click fix. Some will also advise you to enable 2FA when the website supports it, which is surely the best way to increase the security of an account.
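The breach check is worth seeing in detail because of how it protects the password being checked. Have I Been Pwned exposes a "range" endpoint: the client sends only the first 5 hex characters of the password's SHA-1 hash and receives every known hash suffix sharing that prefix, so the full hash (let alone the password) never leaves the device. The example below is added here and is not code from the post or from HIBP; the live fetcher hits the real endpoint, while `fetch_range_sample` and its counts are constructed so the check runs offline.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Upper-case hex SHA-1 split into the 5-char prefix sent to HIBP and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_live(prefix: str) -> str:
    """Query the real HIBP range endpoint (network). Only the 5-char prefix leaves the machine.
    Add-Padding asks the server to pad the response so its size does not leak the prefix either."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "pm-health-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_live) -> int:
    """How many times the password appears in known breaches; 0 if the suffix is not in the range."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed sample of the range endpoint's format: one "SUFFIX:COUNT" per line for every
# known hash sharing the prefix. The suffixes other than the real SHA-1("password") one and
# all of the counts are made up for this demo and do not reflect HIBP's data.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",  # SHA-1("password") minus its prefix
        "3E5C4A1F4C6B8E0B0B2A9B9B9C1E5F7D8A0:1",
    ])
}


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live backed by the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "seen in breaches:", pwned_count(pw, fetch_range_sample))
```

A password manager runs this over the whole vault; anything with a non-zero count is flagged as "compromised" even if it is long and random, because what matters is that the exact string is already in attackers' wordlists.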
## 4. Avoid phishing attacks
The password manager only fills credentials on the site where they were saved. So, if someone lures you to a look-alike website, the password manager will not recognise the URL (its origin does not match the saved entry) and will not fill in your credentials. A form that unexpectedly stays empty is a strong hint that something is wrong.
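The check that makes this work is an origin comparison, not a visual one. The example below is added here and is not code from the post or from any password manager; it implements strict origin matching (scheme, host and port must all agree) and shows which common phishing tricks it defeats. The saved entry URL and the test cases are constructed.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]


def origin(url: str) -> Optional[Origin]:
    """(scheme, host, port) of a URL, or None if it is not a usable http(s) URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port such as ":abc"
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # urlsplit().hostname is already lower-cased and has any user@ prefix stripped,
    # so "https://example.com@evil.test/" correctly yields the host "evil.test".
    return (parts.scheme, parts.hostname, port)


def should_fill(saved_url: str, current_url: str) -> bool:
    """Strict origin match: autofill only when scheme, host and port all agree.
    Path and query are ignored, so the login page may move without breaking the entry."""
    saved, current = origin(saved_url), origin(current_url)
    return saved is not None and current is not None and saved == current


# Constructed phishing-style URLs against a single saved entry.
SAVED = "https://example.com/login"
CASES = [
    "https://example.com/account/signin",       # same origin, different path -> fill
    "https://EXAMPLE.com:443/",                 # case and explicit default port -> fill
    "https://examp1e.com/login",                # typosquat -> no fill
    "https://example.com.evil.test/login",      # saved host used as a subdomain -> no fill
    "https://example.com@evil.test/login",      # userinfo trick -> no fill
    "http://example.com/login",                 # downgraded scheme -> no fill
    "https://ex\u0430mple.com/login",           # Cyrillic 'а' homograph -> no fill
    "https://login.example.com/",               # sibling subdomain -> no fill (strict mode)
]

if __name__ == "__main__":
    for url in CASES:
        print(f"{'FILL' if should_fill(SAVED, url) else 'skip':4}  {url}")
```

Real products usually relax the last case and match on the registrable domain (so `login.example.com` and `example.com` share an entry); doing that correctly needs the Public Suffix List, because a naive "last two labels" rule would treat every `*.co.uk` site as one domain. The cases that matter for phishing (typosquats, homographs, `userinfo@` tricks, the saved host buried in an attacker's subdomain) fail under both policies.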
## 5. Simplify the registration process
A password manager will fill registration forms automatically and generate a unique password. This is very convenient!
# How to choose a password manager?
There are many password managers to choose from. When trying to find the one that's best for you, keep the following in mind:
- The password manager should be simple to use
- The password manager should work on all devices you need to use passwords on. It should be easy to keep your passwords synchronized across all your devices.
- Use only well-known and trusted password managers. Be wary of products that have not been around for a long time or have little or no community feedback. Cyber criminals can create fake password managers to steal your information. Also, be very suspicious of vendors that advertise their own home-grown encryption.
- Avoid any password manager that claims to be able to recover your master password for you. That is only possible if the vendor holds your master password (or a key equivalent to it), which means anyone who compromises the vendor can read your vault. That exposes you to far too much risk.
- Make sure whatever solution you choose, the vendor continues to actively update and patch the password manager, and be especially sure you are always using the most recent version.
- The password manager should give you the option of storing other sensitive data, such as the answers to your secret security questions, credit card information, and passport information.
- Consider writing your master passphrase in a sealed envelope and store it in a locked cabinet, physical safe, or lockbox.
# Which password manager is the best?
I clearly won't recommend a specific password manager. I use 1Password because it works on the devices I use, the UI is ok, it stores everything online, and it provides a functionality to share passwords with other people. There are many choices depending on your needs. Here's a non-exhaustive list (ordered by name):
I'm aware that it can be scary to store all your passwords in one place, but the established vendors publish how they store your vault and why you, and only you, can decrypt it: the vault is encrypted on your device with a key derived from your master password, which the vendor never receives. Also, protecting your passwords is their whole business, so getting it wrong could ruin the company. If you want an idea of how password managers work, read the 1Password documentation: About the 1Password security model. They almost all work the same way. The 1Password client for Windows is written in .NET, so you can also decompile it and check the code yourself.
Also, Wired published a good review of many password managers: https://www.wired.com/story/best-password-managers/
Do you have a question or a suggestion about this post? Contact me!