The Problem: Password Management
Passwords. The last time I counted I had around 350 usernames and passwords and, I’ll admit, there are probably still a few of those, mostly ancient and probably for websites that no longer exist, that used the same email/password combination. It was a good password – but there is a very serious problem with using the same password, no matter how secure you think it is, on more than one website.
Head over to Have I Been Pwned and enter the email address you usually use to sign up for online services. Hit the “Pwned?” button and if you get a green result – well done. So far your email address hasn’t turned up in any of the known database leaks.
Chances are though, you will get the red “Oh no — pwned!” message if you’ve had the same email address for a few years because there have been a LOT of database leaks.
And therein lies the predominant problem with using the same password, no matter how secure, on multiple sites. If just one of those sites is compromised and your email address and password are published, then a patient cracker (not “hacker”; see Hacker vs Cracker: Main Differences Explained if you’d like to know why!) will simply run that email address and password against every online service they can until they find one that matches.
So, back to my 350 or so passwords – how do I make them all unique and actually remember them? Answer: I don’t. I let a password manager do it for me.
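The first thing a password manager makes possible is an honest audit of how much reuse there already is. The script below is an added example, not part of the original post or of any password manager; it parses a constructed CSV export (the column layout assumes the KeePass 2.x CSV format, with the values invented for this example) and reports which entries share a password and which email/password pairs appear on more than one site, which is exactly what a credential-stuffing attempt replays.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export. The columns assume the KeePass 2.x CSV export
# (Group, Title, Username, Password, URL, Notes); every value here is made up.
SAMPLE_EXPORT = """\
"Group","Title","Username","Password","URL","Notes"
"Internet","Old Forum","me@example.com","Tr0ub4dor&3","https://forum.example","ancient"
"Internet","Webmail","me@example.com","Tr0ub4dor&3","https://mail.example",""
"Internet","Bank","me@example.com","correct horse battery staple","https://bank.example",""
"Internet","Shop","other@example.com","Tr0ub4dor&3","https://shop.example",""
"""


def fingerprint(password: str) -> str:
    """Short SHA-256 fingerprint so the report never prints the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reused(csv_text: str) -> dict:
    """Map each password fingerprint used by more than one entry to the
    (title, username) pairs that share it."""
    by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Password"]:
            by_password[fingerprint(row["Password"])].append((row["Title"], row["Username"]))
    return {fp: entries for fp, entries in by_password.items() if len(entries) > 1}


def reused_combos(csv_text: str) -> list:
    """Username+password pairs that appear on more than one site: the exact
    combination a leak from one site lets an attacker try everywhere else."""
    combos = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        combos[(row["Username"], fingerprint(row["Password"]))].append(row["Title"])
    return sorted(titles for titles in combos.values() if len(titles) > 1)


if __name__ == "__main__":
    for fp, entries in find_reused(SAMPLE_EXPORT).items():
        print(f"password {fp}... shared by: {entries}")
    for titles in reused_combos(SAMPLE_EXPORT):
        print("same username+password on:", ", ".join(titles))
```

Run it against a real export only on a machine you trust, and delete the plaintext export file afterwards.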
The Solution: Password Management!
Password management has now become a service. There are dozens of reputable password management solutions, and most web browsers (Chrome, Edge, etc.) have built-in password managers.
If you have Choice membership you can see their ratings for the password management applications they have tested: Password manager reviews. Even if you aren’t a member, you have a list of applications to start your hunt.
I have not tried all, or even many, of the ones listed. For my particular needs, I need a password manager that I can access from Windows PCs at home and work, my Android tablet and phone, and my Linux PC at home. PlayStation support would be nice too, but I don’t think anyone offers that!
Password Management via Your Web Browser
For me, the Chrome web browser is almost sufficient. It’s cross-platform, it has Google’s enterprise-class security (provided your Google account password is secure) and it can suggest and enter the passwords for you so you don’t even have to know them.
- It is free and only requires a Google sign-in. As long as you use Chrome on your PCs or mobile devices and sign in with the same account, all of your passwords will be synchronised automatically.
- Chrome will also synchronise your open tabs, history and bookmarks across all devices too.
- You have to use Chrome on all platforms and some people may not want to sign up for a Google account.
- It only works for websites. If you have passwords for other applications outside of Chrome, it can’t help you.
- It may not be secure if others can access your workstation.
Password Management Applications
I can’t review all of the applications for password management because, if you’ve looked at the Choice page, you’ll know there are a lot of them – and the Choice list is only a handful of the options.
On that list though, I can say that I’ve had good feedback from others on LastPass, 1Password and Dashlane. LastPass used to offer a free version, I’m not sure whether they do any more.
My favourite, and the one I rely on, is KeePass. It is free, cross-platform and has all of the features I need.
Unlike the browser option or online subscription models, KeePass allows you to keep control of your data. The application creates a secure, encrypted vault file that stores all of your password data.
You can also create a key file that anyone trying to unlock your vault also needs, a sort of file-based multi-factor authentication. You need access to the vault, the key file and the password to unlock the database.
Why? I like to keep my vault file in the cloud so that I can access it from any device but the key files are kept locally on my device.
This means that if someone steals my device they have the key file – but not the vault or my password. If the cloud is compromised they might get my vault file, but not the key file or the password. And if they kidnap me, well, no password manager in the world can help me there!
The biggest problem with KeePass is that it isn’t the most user-friendly application. The interface could be a little easier to use, but it is a very powerful application.
KeePass has a tutorial for new users: Getting Started with KeePass.
The most important tip for any password manager is having a strong, secure password that you will be able to remember to get into the password manager. This is the only one you have to remember!
I use this handy cartoon (below) from xkcd to teach people how to create a strong password. Unfortunately, lots of well-meaning security people are still a little behind the times and insist on you adding numbers and special characters. Newsflash: Computers don’t care. “Robert” is no harder for a computer to guess than “H2s^J2”. The only thing having special characters protects you from is dictionary attacks.
Anyway, use this guide and add a number or special character as required by the service you are creating a password for:
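To put numbers on the xkcd argument, here is an added example (not from the original post, from xkcd, or from any password manager). The 1,000 guesses per second rate and the 2,048-word list are the cartoon’s own assumptions; the short word list in the code is constructed for the demo only, and the generator uses the `secrets` module so the words are picked with a cryptographic random source.

```python
import math
import secrets

GUESSES_PER_SECOND = 1000  # the online guessing rate assumed in the xkcd cartoon

# Constructed tiny word list for the demo only. A real passphrase needs a large
# list such as the EFF long word list (7,776 words, ~12.9 bits per word).
DEMO_WORDS = ["correct", "horse", "battery", "staple", "orange", "window",
              "candle", "river", "pencil", "garden", "silver", "rocket"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` items each picked uniformly at random from `pool_size`."""
    return length * math.log2(pool_size)


def passphrase_bits(words: int, wordlist_size: int = 2048) -> float:
    """Random words from a 2,048-word list: 11 bits per word, so four words = 44 bits."""
    return entropy_bits(wordlist_size, words)


def character_password_bits(length: int, pool_size: int = 95) -> float:
    """A truly random string drawn from the 95 printable ASCII characters."""
    return entropy_bits(pool_size, length)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every possibility for a secret with `bits` of entropy."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def generate_passphrase(words: int, wordlist: list = DEMO_WORDS) -> str:
    """Pick words with the secrets module (a CSPRNG), never with random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    cases = [("4 random words (2,048-word list)", passphrase_bits(4)),
             ("6 random printable characters", character_password_bits(6)),
             ("8 random printable characters", character_password_bits(8))]
    for label, bits in cases:
        print(f"{label}: {bits:.1f} bits, ~{years_to_exhaust(bits):,.0f} years "
              f"at {GUESSES_PER_SECOND} guesses/s")
    print("sample passphrase (demo list only):", generate_passphrase(4))
```

The figures only hold when the words or characters are chosen at random; a phrase you pick yourself, or a word with letters swapped for digits, is far more guessable than its length suggests.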