You may have heard my soapbox speeches on security and the importance of strong passwords. If so, one of your biggest questions is probably not “should I” but, rather, “how do I?” The secret of keeping strong passwords and maintaining a different password for every service/site is a password manager. A Post-it note under your keyboard is not a password manager. A Word document on your desktop is closer but still no cigar. Let’s look at what makes a good password manager and I’ll even review a few of the leaders.
Note: If you are working for a company or government agency, please consult your IT department and policies before using or installing anything on your corporate device. The information in this article can be used at home.
To be a good and effective password manager, it needs 3 key qualities:
- Simple to use
- Secure
- Ubiquitous (your passwords available from anywhere)
First, if software is too difficult to use, people will just use something else (or cheat on the password rules). Look for software that makes it easy to generate a strong password when you are creating an account on a website. Ideally, the software should integrate with your default browser. It should also be easy to find the password you need when you need it. Again, browser integration is helpful but not always necessary.
Second, the software must be secure. All of the top names in password managers are considered secure if they are used properly, but beware of poorly-written stuff you might find in an app store or elsewhere. How do you know? Read reviews and ask your friendly resident techies. The question always comes up whether it is safe to keep all your passwords in one place. What if someone breaks into your password manager? That’s a valid point, but the alternative is far more risky. Why lock your house door when someone could easily break the window and climb in? Yet we still lock the door. So, to continue that analogy, do you use an old skeleton-key lock on your front door? Why not? It’s just too easy to pick, isn’t it? Well, your password manager is the same idea. You need a deadbolt on the front door: a strong, high-entropy (entropy = complexity) master password. The good news is that your password manager has no windows. There is no way in except through that front door. One strong lock and your passwords are completely secure. In fact, the file that holds your passwords in a password manager is so secure that even if a hacker has the file, it could take millennia to crack your password if you use a strong enough one (and they don’t get really, really, really lucky).
The third key quality is ubiquity: the need to have access to your passwords from anywhere. With the right setup it is even possible to have multiple users in a company share a password manager and all be able to access the passwords from any device (Mac, PC, Android, iPad). Think about which devices you use (or may use) and be sure the manager you choose can share the same file across all of them. This is usually accomplished by using a cloud drive like Dropbox. Avoid products that require you to move your passwords via a removable drive such as a flash drive or thumb drive. While some settings may make this the only option, it puts your password file at risk of loss or theft and really isn’t necessary for most users.
1Password by AgileBits
AgileBits’ 1Password is my personal favorite and has been our company password manager for several years now. It is one of the more expensive options (~$49) but earns its keep. It has versions for Mac, Windows, Android, and iOS and can be used across devices with Dropbox. Even with hundreds of passwords I’m able to quickly search for the one I need and either copy/paste the password or use 1Password’s Go & Fill feature to have it open the website and fill in my username/password automagically. When I create a new website account I start by creating the login in 1Password. I fill in the name, URL, and username, and then have 1Password create the password for me.
1Password is able to create whatever entropy (complexity) I need for a given password. Our standard here is 18+ characters with 2 digits and 2 symbols; it has to be random and can’t be used anywhere else. However, some sites can’t handle such complex passwords, and it is easy to tone it down a bit in 1Password.
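To make the entropy and “millennia to crack” points concrete, here is an added Python example (not part of the original post and not 1Password’s own code) that generates a password meeting the 18+ characters / 2 digits / 2 symbols standard above using the operating system’s cryptographic random source, checks a candidate against that policy, and estimates how long an attacker who already holds the encrypted file would need to brute-force the password. The symbol set, the 10 billion guesses per second rate, and the function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes. The policy (from the post) is 18+ characters with at
# least 2 digits and 2 symbols, all chosen at random. The SYMBOLS set below
# is an assumption; real sites accept different subsets.
LETTERS = string.ascii_letters
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LETTERS + DIGITS + SYMBOLS


def generate_password(length=18, min_digits=2, min_symbols=2):
    """Return a random password of `length` characters containing at least
    `min_digits` digits and `min_symbols` symbols. Uses the `secrets` module
    (a CSPRNG), never `random`, which is predictable and unfit for secrets."""
    if length < min_digits + min_symbols:
        raise ValueError("length too short for the required digit/symbol counts")
    chars = [secrets.choice(DIGITS) for _ in range(min_digits)]
    chars += [secrets.choice(SYMBOLS) for _ in range(min_symbols)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Shuffle so the mandatory digits/symbols do not always sit at the front.
    # SystemRandom is backed by the same OS randomness as `secrets`.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(pw, length=18, min_digits=2, min_symbols=2):
    """True if `pw` satisfies the length/digit/symbol policy and uses only
    characters from ALPHABET."""
    return (
        len(pw) >= length
        and sum(c in DIGITS for c in pw) >= min_digits
        and sum(c in SYMBOLS for c in pw) >= min_symbols
        and all(c in ALPHABET for c in pw)
    )


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: log2(alphabet_size ** length).
    Requiring a couple of digits/symbols trims this very slightly; ignored."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits, guesses_per_second=1e10):
    """Expected brute-force time in years for an attacker who has the
    encrypted vault file and can test `guesses_per_second` master passwords
    offline (constructed figure). On average half the keyspace is searched."""
    seconds = (2 ** bits) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw, "policy ok:", meets_policy(pw))
    strong = entropy_bits(18)
    weak = entropy_bits(8, len(string.ascii_lowercase))  # 8 lowercase letters
    print(f"18 random chars: {strong:.1f} bits, ~{expected_crack_years(strong):.2e} years")
    print(f"8 lowercase chars: {weak:.1f} bits, ~{expected_crack_years(weak):.2e} years")
```

The contrast between the two estimates is the whole argument of the post: an 8-character lowercase password falls in seconds at that guess rate, while 18 random characters from an 86-symbol alphabet sit around 115 bits and are out of reach of brute force regardless of how fast the hardware gets. The number that matters is the length and randomness of the master password, not the cleverness of the substitutions.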
What else does 1Password do for that much money? A lot. 1Password will easily manage credit cards and auto-fill your data, and will hold your driver’s license and passport (great for travel emergencies), secure notes, frequent flyer/rewards cards, software keys, bank accounts, identity info, and more. 1Password downloads and stores the logo for most websites, making it easier (and just prettier) to find your passwords again. You can also keep notes for each account and even upload attachments. For example, in addition to just keeping my passport number and information (I travel a lot and it’s good to have that info at hand in case of loss/theft), I also upload a scan of the document. Same for my driver’s license. I can also tag all of these to help categorize and organize. It also keeps a history of your passwords so that you can go back to see if a password has already been used, which is helpful for accounts that require you to reset your password on a schedule.
Browsers are also a good place to store your passwords securely. Chrome, for example, will store your passwords and even sync them across devices via your Google account, as long as you use Chrome. It is secure and very handy. I use this across my Mac, PC, Android, and iPad devices since I use Chrome as my default (but not my only) browser. The weakness here is that I do use other browsers, so if I’m in IE or Firefox I’m out of luck.
Since one shoe does not fit all, here are a couple of runners-up.
LastPass is a strong contender here and for some maybe the winner. LastPass works on just about every device and can sync across them. A big plus is that most of LastPass’ products and features are free, and the premium features are only about $12/year.
Another great product is KeePass, an open source project that handles most devices. The downside is a lack of sync capability, which forces most users to put the encrypted password file on a flash drive.