Password managers: To use or not to use?
TL;DR
Password managers require you to remember only one password (the master password)
They generate random, unique passwords for every account
Many also offer OTP (one-time password) functionality as a second factor
Following up on my last post about passwords, this post covers a data security staple: password managers. Password managers offer a handful of basic but very important features, the most important being the safe storage of your passwords. No solution is foolproof, but a password manager, in conjunction with randomly generated passwords and multi-factor authentication, puts you in a great position to keep everything airtight and keep bad actors at bay.
How do password managers work?
Password managers work, in a nutshell, by using one master password to unlock your other passwords. The master password itself is never stored; it is stretched through a key derivation function into the key that encrypts the vault, so the vault is only as strong as the master password and that derivation. Depending on the manager you choose, the vault is either cloud based (online, synced between your devices) or local (offline, on one device). Each has its positives and negatives. I won't dive into them too much, but here is an article going into detail about them:
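To make the "one master password unlocks everything" idea concrete, here is an added example (mine, not from the original post and not any particular product's code) of the common design: the vault stores a random salt, the KDF parameters and a verifier tag, never the master password or the derived key. The iteration count, the HMAC-based verifier and the `unlock` API are assumptions for illustration; a real manager would normally check the password by decrypting an authenticated vault header instead.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Illustrative parameters (assumptions, not any product's actual settings).
PBKDF2_ITERATIONS = 600_000   # current OWASP floor for PBKDF2-HMAC-SHA256
KEY_LEN = 32                  # 256-bit vault key
SALT_LEN = 16


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into the vault key.

    The key is recomputed on every unlock and lives only in memory; the
    iteration count is what makes offline guessing of a stolen vault slow.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def create_vault_header(master_password: str) -> dict:
    """Everything the vault persists about the master password.

    Note what is absent: the password and the key. The verifier is an HMAC
    over a fixed label, which lets a client detect a wrong password without
    storing anything reversible (illustrative scheme, see lead-in).
    """
    salt = secrets.token_bytes(SALT_LEN)
    key = derive_vault_key(master_password, salt)
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "verifier": verifier}


def unlock(header: dict, candidate: str) -> Optional[bytes]:
    """Return the vault key if `candidate` is the master password, else None.

    compare_digest keeps the check constant-time so a local attacker cannot
    learn anything from how quickly a wrong password is rejected.
    """
    key = derive_vault_key(candidate, header["salt"], header["iterations"])
    tag = hmac.new(key, b"vault-verifier", "sha256").digest()
    return key if hmac.compare_digest(tag, header["verifier"]) else None


if __name__ == "__main__":
    header = create_vault_header("correct horse battery staple")
    print("stored:", {k: (v.hex() if isinstance(v, bytes) else v) for k, v in header.items()})
    print("right password unlocks:", unlock(header, "correct horse battery staple") is not None)
    print("wrong password unlocks:", unlock(header, "Correct horse battery staple") is not None)
```

The salt means two users with the same master password get different keys, and the iteration count is the knob that trades unlock latency for resistance to offline guessing once a vault file has been stolen.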
Why would I ‘need’ to use one?
Think of it like this: each time you type a password you open yourself up to attack, whether that is someone looking over your shoulder or a keylogger recording every keystroke in plaintext. (Keyloggers have been known to capture clipboard contents as well, so pasting is not a complete fix, though clipboard theft is not what is driving the waves of compromises we see.)
The other half of the risk is reuse. When a site you use is breached, your password for that site ends up in a leaked credential dump and gets tried against every other service. If that password was unique, you change one password; if it was shared, you have to change all of them, which is always fun. That is why I say change everything after a compromise you don't fully understand: if they got one password, assume they can get the rest (you can never be too paranoid).
Password managers usually come with autofill, which populates the login fields for you and cuts down the number of times your password passes through the keyboard. You can reduce the reuse risk with another key feature (one of my favorites) of password managers: random password generation.
How do I get the most out of my password manager?
For security purposes I will not disclose which password manager I use, but across most articles I see online, Bitwarden, 1Password, Keeper and NordPass are often on the list. There are more extreme options (e.g. local-only managers that never connect to the internet), but which you pick depends on how you weigh the security of your cache of passwords against convenience. Just because a password manager is local-only does not automatically make it more secure; a local vault still needs a strong master password, a solid key derivation and a backup plan, and many factors determine how secure anything really is.
The more secure something is, odds are the less convenient it will be to use.
To get the most out of whichever password manager you decide to use, there are a couple of features you want to utilize. Random password generation is one of the key ones. I will get into the finer points of how truly random, cryptographically secure password generation works, and what it takes to get there, in another post, because that river runs deep. But essentially, you want software and math to do that job: humans are notoriously bad at picking anything at random, so let the machine take care of it. You want each account to have a different, unique and completely random password. Remember, to access the vault you only really need to remember one password, your master password, so you are free to have as many unique passwords as necessary. Aside from generating random passwords, password managers can also store TOTP (Time-Based One-Time Password) seeds and produce the six-digit codes alongside your randomly generated passwords, adding another layer of security (MFA). One caveat worth knowing: if the TOTP seed lives in the same vault as the password, whoever gets into the vault gets both factors, so the second factor protects you against a stolen or leaked password, not against a compromised vault. Even so, these two features alone will significantly increase your chances of fending off an attacker.
In conclusion
A lot of really intelligent people have worked really hard to provide software solutions to protect one's data. These solutions are fairly easy to use, with little to no learning curve, even for the non-techy user. Deploying them takes a short amount of time but can and will pay dividends for your data security moving forward. You cannot stop a site you use from being breached, but use these tools to their fullest potential and a breach there will rarely cost you more than changing one password.** Nothing is without risk, and nothing good comes easy.
**If your attacker is highly skilled, funded and highly motivated (looking at you, NSA), then you'll need more complex tools and solutions, obviously.