Major players are pushing for passwordless authentication by supporting FIDO2. Web browsers are starting to support WebAuthn, an API for device-based authentication. Instead of using a username and password, you just need to connect a device such as a YubiKey. However, this authentication method is not yet widely adopted. So, you still have to deal with passwords for at least a few more years. As xkcd points out, creating good passwords is not easy:

It is not uncommon to have accounts on more than 100 websites. This means you have many usernames, emails, and passwords to remember. The easiest approach is to reuse the same password everywhere, but this is a significant security risk. That is where password managers come in. They do more than just store your passwords. Here are 5 reasons to use a password manager!
# 5 reasons to use a password manager
## 1. List all your accounts
I currently have 150+ registered accounts in my password manager. There are some services I use multiple times a day and others I use only once a year. I sometimes forget that I already have an account on some of these websites. A password manager prevents me from wasting time resetting passwords.
## 2. Improve security by using unique passwords
Password managers include a built-in password generator, ensuring every password is unique and meets site security requirements.
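To make the "built-in generator" concrete, here is a small generator of the kind a password manager runs, added as an illustration (this is not code from the post or from any particular product). It draws from the OS CSPRNG via the `secrets` module, enforces a site-style policy (minimum length plus at least one character from each required class) by rejection sampling rather than by biased "pick one of each, then shuffle", and reports the entropy the alphabet and length give you. The character classes and the default policy are assumptions chosen for the example.

```python
import math
import secrets
import string

# Character classes a typical site policy asks for (assumed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}
ALL_CLASSES = ("lower", "upper", "digit", "symbol")


def meets_policy(password, classes=ALL_CLASSES, min_length=12):
    """Check a password against a site-style policy: minimum length plus at
    least one character from each required class."""
    if len(password) < min_length:
        return False
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def generate_password(length=20, classes=ALL_CLASSES):
    """Return a random password of `length` characters drawn uniformly from
    the union of `classes`, guaranteed to contain each class at least once.

    Uses `secrets` (OS CSPRNG), never `random`: a password generator needs
    unpredictability, not merely uniform-looking output.
    """
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        # Rejection sampling: draw uniformly from the full alphabet and keep the
        # candidate only if every required class is present. Forcing one
        # character per class and shuffling would skew the distribution.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, classes, min_length=length):
            return candidate


def entropy_bits(length, classes=ALL_CLASSES):
    """Entropy of a uniformly generated password: length * log2(alphabet size).
    Rejection sampling removes a tiny fraction of the space, so this is a very
    slight overestimate; at realistic lengths the difference is negligible."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), f"{entropy_bits(20):.1f} bits")
```

A 20-character password over the 85-character alphabet above carries about 128 bits of entropy, far beyond anything a human-chosen password reaches; since the manager remembers it, its unmemorability costs nothing.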
## 3. Check your security health: password reuse, vulnerable passwords, 2FA not enabled, etc.
Many password managers audit your security health. They verify that your passwords are strong, unique, and not present in a known data breach (checked against Have I Been Pwned?). Some can also change your password automatically, making it a one-click fix. Some will also advise you to enable 2FA when a website supports it. This is one of the best ways to improve the security of your accounts.
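The breach check deserves a closer look, because a manager that uploaded your passwords to a third party to check them would be a security problem in itself. Have I Been Pwned's Pwned Passwords API avoids that with a k-anonymity scheme: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every known suffix sharing that prefix, and does the comparison locally. The example below, added here and not taken from the post or from any vendor's code, implements that client-side logic together with the other two health checks the section lists (reuse and 2FA not enabled) over a constructed vault. The vault entries, the sites and the `RANGE_FIXTURE` are all made up so the code runs offline; the one real value is the SHA-1 suffix of the string "password", and its breach count is invented.

```python
import hashlib
from collections import defaultdict

# Constructed vault, modelled on what a manager stores per account.
# Sites, usernames and passwords are fictional.
VAULT = [
    {"site": "shop.example", "username": "alice", "password": "password",
     "2fa": False, "supports_2fa": True},
    {"site": "forum.example", "username": "alice", "password": "password",
     "2fa": False, "supports_2fa": False},
    {"site": "bank.example", "username": "alice", "password": "wN7$k2Lq!pR9xV4m",
     "2fa": True, "supports_2fa": True},
]

# Constructed stand-in for a range response from the Pwned Passwords API
# (GET https://api.pwnedpasswords.com/range/<5-hex-prefix>). A real response
# lists every SHA-1 suffix sharing that prefix with its breach count; this
# fixture holds three lines. The middle suffix is the real SHA-1 tail of
# "password"; the other two suffixes and all counts are invented.
RANGE_FIXTURE = {
    "5BAA6": "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n",
}


def hibp_split(password):
    """k-anonymity split: uppercase hex SHA-1, then the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, fetch_range):
    """Return how often `password` appears in the breach corpus. `fetch_range`
    maps a prefix to the service's range response; only the prefix is
    disclosed, and the suffix match happens locally."""
    prefix, suffix = hibp_split(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        cand_suffix, count = line.split(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def audit_vault(vault, fetch_range):
    """Produce the findings a manager's health check reports: reused
    passwords, breached passwords, and 2FA available but not enabled."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["site"])

    findings = []
    for entry in vault:
        site = entry["site"]
        if len(by_password[entry["password"]]) > 1:
            findings.append((site, "reused"))
        if breach_count(entry["password"], fetch_range) > 0:
            findings.append((site, "breached"))
        if entry["supports_2fa"] and not entry["2fa"]:
            findings.append((site, "2fa-not-enabled"))
    return findings


def fixture_fetch(prefix):
    """Offline replacement for the HTTP call; an unknown prefix yields an
    empty range, i.e. no known breach."""
    return RANGE_FIXTURE.get(prefix, "")


if __name__ == "__main__":
    for site, problem in audit_vault(VAULT, fixture_fetch):
        print(f"{site}: {problem}")
```

In a real client `fixture_fetch` would be an HTTPS request for `/range/<prefix>`; everything else stays the same, which is the point of the design: the service learns a 5-character prefix shared by hundreds of unrelated passwords, never the password or its full hash.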
## 4. Avoid phishing attacks
The password manager fills in credentials only on the sites where they were saved. So, if someone tries to trick you with a fake website, the password manager will not recognize the URL and will not fill in your credentials.
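The reason this works is that the manager matches on the page's origin, not on how the page looks or on what the user types. The example below, added here and not taken from the post or from any product, shows the matching rule in its strictest form: a credential is offered only when scheme, host and port of the current page equal those of the origin it was saved on. The saved login and every URL are constructed; many real managers relax the host comparison to the registrable domain so that `www.` and `login.` subdomains share credentials, which this example deliberately does not do.

```python
from urllib.parse import urlsplit

# Constructed saved login: the manager records the origin the credential was
# created on. Site and credential are fictional.
SAVED_LOGINS = {
    "https://accounts.example.com": ("alice", "wN7$k2Lq!pR9xV4m"),
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Normalise a URL to its origin (scheme, host, port) so that paths,
    query strings, letter case, userinfo and an explicit default port do not
    affect the comparison. Returns None for schemes we never fill on."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # urlsplit lowercases .hostname and strips any user:pass@ prefix, so
    # "https://accounts.example.com@evil.example/" resolves to evil.example.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)


def credentials_for(current_url, saved=SAVED_LOGINS):
    """Return the saved credential only when the current page's origin equals
    the origin it was saved on; otherwise None, meaning: do not autofill."""
    current = origin_of(current_url)
    if current is None:
        return None
    for saved_url, creds in saved.items():
        if origin_of(saved_url) == current:
            return creds
    return None


if __name__ == "__main__":
    # Constructed pages: the first is the genuine site, the rest only resemble it.
    for url in [
        "https://accounts.example.com/login?next=/home",
        "http://accounts.example.com/login",
        "https://accounts.example.com.login-help.example/login",
        "https://accounts.examp1e.com/login",
        "https://accounts.example.com@evil.example/login",
    ]:
        print(url, "->", "fill" if credentials_for(url) else "no fill")
```

The user sees a convincing copy of the login page; the manager sees a different origin and stays silent. That silence is itself a useful signal: when the manager unexpectedly refuses to fill a login you use every day, the right reaction is to check the address bar, not to type the password by hand.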
## 5. Simplify the registration process
A password manager automatically fills in registration forms and generates a unique password, making sign-up quick and effortless.
# How to choose a password manager?
There are many password managers to choose from. When selecting the one that best fits your needs, keep the following in mind:
- The password manager should be simple to use.
- The password manager should work on all your devices and keep your passwords synchronized with ease.
- Use only well-known and trusted password managers. Be wary of products with little history or community feedback. Cybercriminals can create fake password managers to steal your data. Be especially suspicious of vendors that claim to have developed their own encryption solution.
- Avoid any password manager that claims to be able to recover your master password for you. This means they know your master password, which exposes you to too much risk.
- Ensure the vendor actively updates and patches the password manager, and always use the most recent version.
- The password manager should give you the option of storing other sensitive data, such as the answers to your secret security questions, credit card information, and passport information.
- Consider writing your master passphrase in a sealed envelope and storing it in a locked cabinet, safe, or lockbox.
# Which password manager is the best?
I will not recommend a specific password manager. I use 1Password because it works on my devices, has a solid UI, stores everything online, and lets me share passwords with others. There are many options available. Choose the one that fits your needs. Here is a non-exhaustive list (ordered by name):
Storing all your passwords in one place can feel risky, but reputable managers clearly explain how they store your data and why only you can read it. Protecting your passwords is core to their business model, so a breach would be catastrophic for them. If you want to understand how password managers work, read the 1Password documentation: About the 1Password security model. Most managers follow a similar approach. The 1Password client for Windows is written in .NET, so you can decompile it and inspect how it actually behaves.
Wired has also published a good review of many password managers: https://www.wired.com/story/best-password-managers/
Do you have a question or a suggestion about this post? Contact me!