Password managers are an exercise in trust

Jerry Galvin
4 min read · Sep 9, 2022

I’ll admit that I was late to the game on password managers. For anything relatively important, I refused to use one, instead choosing to use complex, memorized passwords for any important site, like bank accounts. Meanwhile, for anything not important, I might have reused a few passwords, a major security no-no.

The number one piece of advice that any security-obsessed person will give you, including me, is to never reuse a password. This creates a problem because memorizing 100 passwords is hard. The solution: use a password manager.

Why you need a password manager

You need a different password for every individual site because it is inevitable that a site you use will have a leak of usernames and passwords. At this point, it is a fact of life.

When a leak like that happens, the first thing that cybercriminals do is try the leaked username and password combinations against other popular websites.

This is why it’s a bad idea to reuse your HBO Max password for Paramount Plus. And an even worse idea to reuse your Netflix password for your online banking. If you take nothing else away from this piece, don’t reuse your low value password on a high value site.
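The point of the last three paragraphs can be turned into a small audit you can run against your own saved logins. The following is an added example, not code from the original post: it groups logins by shared password, lists the "blast radius" of any one site's leak (every other account that falls with it), and flags the worst case described above, a high-value site sharing a password with a low-value one. The site names, passwords and the `HIGH_VALUE` list are constructed sample data and assumptions for illustration.

```python
"""Audit a list of saved logins for password reuse (added example)."""
from collections import defaultdict

# Assumption: the user maintains a short list of accounts they consider high value.
HIGH_VALUE = {"bank.example", "email.example"}

# Constructed sample logins, not real credentials.
SAMPLE_LOGINS = [
    ("hbomax.example", "streamer2020"),
    ("paramount.example", "streamer2020"),
    ("bank.example", "streamer2020"),
    ("netflix.example", "popcorn!"),
    ("email.example", "9vL#k2!unique"),
]


def find_reuse(logins):
    """Map each reused password to the list of sites that share it.

    Passwords used on only one site are dropped from the result.
    """
    groups = defaultdict(list)
    for site, password in logins:
        groups[password].append(site)
    return {pw: sites for pw, sites in groups.items() if len(sites) > 1}


def blast_radius(logins, leaked_site):
    """Sites exposed to credential stuffing if `leaked_site`'s database leaks.

    This is exactly the attack the article describes: the leaked pair is
    replayed against other sites, so every site sharing the password falls.
    """
    by_site = dict(logins)
    leaked_password = by_site.get(leaked_site)
    if leaked_password is None:
        return []
    return sorted(s for s, p in logins if p == leaked_password and s != leaked_site)


def risky_reuse(logins, high_value=HIGH_VALUE):
    """Flag reuse groups that mix a high-value site with any other site.

    Returns a list of (high_value_sites, other_sites) pairs, both sorted.
    """
    findings = []
    for sites in find_reuse(logins).values():
        hv = sorted(s for s in sites if s in high_value)
        others = sorted(s for s in sites if s not in high_value)
        if hv and others:
            findings.append((hv, others))
    return findings


if __name__ == "__main__":
    for pw_sites in find_reuse(SAMPLE_LOGINS).values():
        print("reused on:", ", ".join(pw_sites))
    print("if hbomax.example leaks:", blast_radius(SAMPLE_LOGINS, "hbomax.example"))
    for hv, others in risky_reuse(SAMPLE_LOGINS):
        print("HIGH VALUE", hv, "shares a password with", others)
```

With the sample data, a leak at the streaming site exposes both the other streaming service and the bank, which is the "low value password on a high value site" case the article warns about. Most password managers ship a similar reuse report built in; the value of writing it out is seeing that the check is nothing more than grouping by password.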

A single setting ensures your passwords are safe

Still, if you heard the news about LastPass, a password manager company, having a security breach, you are probably worried about handing your passwords to a third party you don’t really know for storage in the cloud.

If you’re using the right type of password manager, including LastPass, though, it doesn’t matter. The password managers keep the passwords secure with information that only you know.

The first thing you do when you set up LastPass is to set a primary password (formerly known as a master password). This is the password that unlocks your other passwords and is used to encrypt the passwords before they are uploaded to the server.

The use of primary passwords means that even if we later find that the people who attacked LastPass did obtain password data, without each user’s primary password the information is useless, because it is fully encrypted with a secret known only to its owner. This is a great reason to set a strong primary password.

Note (January 5, 2023): We found out there was a second breach of LastPass. Attackers were able to download the encrypted passwords of users, and the list of internet addresses associated with each user. LastPass seems to have made some questionable design decisions, and therefore I wouldn’t personally recommend using LastPass. I still recommend a password manager. You’re better off with Bitwarden or 1Password, or even a browser-based one, as discussed below.

Most password managers, including 1Password, Bitwarden, and Dashlane, allow you to set a primary password. If you’re setting up a new password manager, stick to a well-known manager recommended by multiple websites (like one of the ones mentioned) and also make sure it allows you to enable two-factor authentication.

Not all password managers require a primary password, but they’re still encrypted

Password managers like 1Password usually have a monthly or yearly fee associated with them. This will cause many users to choose the built-in capabilities of Google Chrome, Microsoft Edge, Firefox, and Apple Safari. All of these browsers sync passwords between your various computers and phones, for free.

The browsers will upload your passwords in an encrypted manner to the cloud for syncing on all your devices, just like the paid options. The main drawback is that you’re usually locked into the browser that has your passwords. So if you sync on Chrome, you generally must continue to use Chrome on all devices.

These password syncs depend on your accounts: iCloud, Microsoft, Google, or Mozilla.

On iCloud and Microsoft, you cannot enter a primary password to protect your cloud-stored passwords. The encrypted passwords are protected by access to your account. However, you don’t get to choose the encryption password directly. If someone can sign into your account on a new device, they will get the passwords. As a result, for both iCloud and Microsoft accounts, it is especially important to enable two-factor authentication.

For Google Chrome, you can optionally enter a primary sync password, which you can make different from your Google account password. Firefox also allows you to optionally set a primary password that must be entered on each browser launch and is used to protect the passwords stored in the cloud. Both Chrome and Firefox will protect your cloud-stored passwords just as services like LastPass would, if you set the primary sync password.
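What "encrypted with a secret only the owner knows" means in practice, for the primary password described earlier and for the browser sync passphrase just discussed, is easiest to see in code. The following is an added example, not LastPass, Chrome or Firefox code: the primary password is stretched with PBKDF2 into an encryption key and an authentication key, the vault is encrypted and tagged on the device, and only salt, nonce, ciphertext and tag are what the server ever holds. A wrong primary password fails the tag check and recovers nothing. The iteration count, the HMAC-SHA256 counter-mode keystream (a stand-in for the AES that real vaults use) and the sample entries are assumptions made for this example; real products use their own, vetted constructions.

```python
"""Toy model of a vault protected by a primary password (added example)."""
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Assumption: a work factor chosen for this example, not any product's real setting.
# The slow derivation is what makes offline guessing against a stolen vault expensive.
PBKDF2_ITERATIONS = 100_000


def derive_keys(primary_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the primary password into a 32-byte encryption key and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", primary_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in for a real cipher (AES in real vaults)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(primary_password: str, entries: dict) -> dict:
    """Encrypt the entries on the device; the returned blob is all the server stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(primary_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC: the tag lets the client detect a wrong password or a tampered blob.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(primary_password: str, blob: dict) -> Optional[dict]:
    """Return the entries, or None if the primary password is wrong or the blob was altered."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ciphertext"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(primary_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong key: nothing recoverable, which is the whole point
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample entries, not real credentials.
    vault = {"bank.example": "S3cret!", "streaming.example": "popcorn!"}
    stored = encrypt_vault("correct horse battery staple", vault)
    print("what the server holds:", stored)
    print("right password:", decrypt_vault("correct horse battery staple", stored))
    print("wrong password:", decrypt_vault("hunter2", stored))
```

The design choice worth noticing is that the salt lives next to the ciphertext on the server and is not secret; only the primary password is. Someone holding the whole blob is reduced to guessing primary passwords one at a time, paying the PBKDF2 cost per guess, which is why the article's advice to pick a strong primary password matters more than anything the server does. The browser-account model from the previous paragraphs differs in exactly one place: the key is tied to the account rather than to a passphrase only the user knows, so account access is what has to be protected.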

Using the password manager requires trusting the company that makes it

With any password manager there is a definite element of trust. We are trusting, without any real verification, that the programs encrypt passwords with your secret password before sending them to their servers.

However, it makes good business sense for these companies to ensure your passwords remain protected. A major breach of millions of individuals’ usernames and passwords would be detrimental to their business.

Password managers are a good tradeoff

Even though I previously distrusted password managers, I now find them useful to keep track of the hundreds of accounts I have.

I still have my trust issues with these services, though. I don’t use them for financial sites, like banking, but do use them for just about everything else. But remember that everyone has their own tolerance for risk. You might feel it is worthwhile to store a complex password for your most important sites like banks.

That’s the other great thing about password managers: You can use them as much or as little as you want.

Jerry Galvin has over 16 years of experience in engineering and cybersecurity operations. He currently specializes in vulnerability management.

Jerry Galvin

Jerry Galvin has over 17 years of experience in engineering and cybersecurity operations. He currently is a business information security officer.