When I wrote the article on Multi-Factor Authentication, I made a note of some of the issues with passwords. People do not always pick strong passwords, and because of the number of different services people use, password re-use is a problem. This has become a major issue: if someone gains access to a service's password database, some of the passwords in it are easily cracked, and once that happens the same password can often be used on any other account where it was re-used.
This is why using multi-factor authentication has become a recommended security practice, as it means a guessed or cracked password is no longer sufficient to break into an account. However, this is not the only thing you can do to improve the situation. This is where a password manager can also be useful.
So what is a password manager?
A password manager is essentially an encrypted database that helps you manage your passwords. You store the passwords for all your different services in it, and protect them with a single master password. The password database then lets you simply copy and paste each password into whatever service you're using.
Most decent password managers offer additional functionality as well. For instance, they will frequently help you pick a unique, strong password for each of the services that you use. This solves both the password re-use problem and the problem of choosing a secure password, without you having to remember any of them. In this regard, the password manager does a lot of the hard work for you.
Some might think that a single database of passwords poses a security risk, and in some senses that is correct. To reduce the risk of the passwords falling into the wrong hands, you need to do two things. The first is to ensure that the password protecting the database is strong. This might seem counterproductive given what I wrote above, but it is not as complicated as it sounds: while you still have to remember a secure password, you only need to remember a single one.
The second is to ensure that the physical file is stored in a location that only you can access, and is backed up in a manner where only you have access to the backup. This reduces the risk of the database falling into the wrong hands.
What features should I look for in a password manager?
There are a large number of password managers to choose from. There are a few things you can look at to help you make the right choice.
A mainstream program that's under active development. Going for an obscure password manager that nobody uses, or one that's no longer maintained, is a risk. An obscure password manager has a higher chance of becoming unmaintained, as there is little motivation to maintain a product for a small number of users. The risk with an unmaintained product is that as you upgrade your devices or operating system, the password manager may eventually stop working, leaving you unable to open your password database.
Strong Encryption. The stronger the encryption, the harder it will be for an attacker to decrypt the passwords should your password database fall into the wrong hands. If you see a reference to SHA-256, that's OK, though SHA-512 would be better. Be careful, though, of products that use proprietary encryption. Standards like AES and SHA-3 are referred to as "open source" algorithms, which means that anyone can look at the specification and the source code of implementations. This puts a lot more eyes on the code, increasing the chance that any bugs are found and fixed. Proprietary encryption algorithms also tend to be closely guarded, which sometimes makes it harder to develop tests to make sure they're functioning correctly. As a result, open standards are usually more thoroughly tested.
Multi-Platform Support. If you access your services on a wide range of devices, such as a computer, phone or tablet, you'll need a password manager that works on all of them. The more platforms the password manager supports, the better. I'd recommend Windows, Mac, Linux, Android and iOS support as a minimum to cover the major devices you are likely to use. The ability to securely sync your password database across all these devices is a major benefit, as it makes maintaining the database significantly easier.
Password Generator. Using a password generator helps ensure your passwords are stronger. The passwords it generates are usually a long string of random letters, numbers and symbols. While these are harder to remember, they are far more resistant to being cracked.
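To make the last three points concrete, here is a small Python example I have added to this article (it is not code from any password manager). It shows the two things a vault does with randomness and hashing: generate passwords from a cryptographically secure source and measure their entropy, and stretch the single master password into a key with PBKDF2-HMAC, where SHA-256 or SHA-512 is the hash underneath (which is the role those hashes usually play in a password manager). The 600,000 iteration count, the `b"vault-verifier"` label and the crack-rate figures in `main` are illustrative assumptions, not any product's real format or numbers.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Characters the generator draws from: letters, digits and a handful of symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Build a password from the OS CSPRNG via the secrets module.

    secrets.choice is uniform over the alphabet, so every character carries
    log2(len(alphabet)) bits; random.random() would NOT be safe here.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly generated password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess a password of the given entropy.

    On average the attacker finds it after searching half the space, so the
    figure is 2**bits / 2 divided by the guess rate. Key stretching lowers
    the achievable guess rate, which is why it matters for the master password.
    """
    return (2.0 ** bits) / 2.0 / guesses_per_second


def derive_key(master_password: str, salt: bytes, iterations: int = 600_000,
               hash_name: str = "sha256") -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC.

    hash_name is the hash behind the HMAC ("sha256" or "sha512"); the
    iteration count (600k here is an assumed example value) is what makes
    each guess against a stolen vault slow.
    """
    return hashlib.pbkdf2_hmac(hash_name, master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_verifier(master_password: str, iterations: int = 600_000,
                  hash_name: str = "sha256") -> tuple:
    """Return (salt, verifier) to store in the vault header.

    The derived key itself is never written down; the verifier is an HMAC
    under that key of a fixed label (hypothetical label, chosen for this
    example), enough to check a typed password later.
    """
    salt = os.urandom(16)                       # per-vault random salt
    key = derive_key(master_password, salt, iterations, hash_name)
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return salt, verifier


def check_master_password(candidate: str, salt: bytes, verifier: bytes,
                          iterations: int = 600_000,
                          hash_name: str = "sha256") -> bool:
    """Re-derive the key from the candidate and compare verifiers in constant time."""
    key = derive_key(candidate, salt, iterations, hash_name)
    expected = hmac.new(key, b"vault-verifier", "sha256").digest()
    return hmac.compare_digest(expected, verifier)


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(20, len(ALPHABET))
    print(f"generated: {pw}  (~{bits:.0f} bits)")
    # Constructed, illustrative rates: a fast unstretched hash versus the
    # same hardware slowed down by 600k PBKDF2 iterations per guess.
    years = 3.156e7
    print(f"years to exhaust a 40-bit password, unstretched: "
          f"{expected_crack_seconds(40, 1e10) / years:.2e}")
    print(f"years to exhaust a 40-bit password, PBKDF2:      "
          f"{expected_crack_seconds(40, 1e5) / years:.2e}")
    salt, ver = make_verifier("correct horse battery staple")
    print("right master password accepted:",
          check_master_password("correct horse battery staple", salt, ver))
    print("wrong master password accepted: ",
          check_master_password("Password1", salt, ver))
```

Running it prints a fresh 20-character password (about 124 bits with this alphabet), the two cost estimates, and `True` then `False` for the verifier checks. The point of the `derive_key` parameters is the one made above: the hash name is only part of the story, and the iteration count is what turns a strong master password into a key that is expensive to guess.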
Copy and Paste. Being able to copy a password to your clipboard makes entering it much easier. Most services allow you to paste text into the password box, so you can copy the password from the manager and paste it into the service you're using. This avoids having to type a long string of random characters.
Focus on fixing security vulnerabilities. Any system can have a security vulnerability. Rather than looking for a password manager that has never had one, you want a team of developers that manages vulnerabilities well. This is more for advanced users, but if you want to investigate it, you can use a service such as the CVE Details website to search for vulnerabilities in the password manager you are considering. You are looking for a developer that responds quickly to a vulnerability report and releases a patch quickly. This is a good way of establishing how seriously the developers take security, as a good developer will want to patch a vulnerability before it is exploited.
Using a password manager will greatly assist you in choosing strong passwords and avoiding password re-use. Both of these will help secure your accounts should a service's password database be breached: a strong, unique password is harder to crack if a breach occurs, and if it is cracked, the damage is limited to that one account.
I would still recommend using multi-factor authentication where it is available. This adds a further layer of security. Using both allows you to take a "security in depth" approach. I hope the pointers in this article will help you choose an appropriate password manager.