Should You Use a Password Manager?


Lately we've been posting a lot of articles about websites and services that have been hacked. One of the primary recommendations we have also repeated is that users should use unique and hard-to-guess passwords for each site, as this will help to prevent any further breaches.

The reasoning is that if user account data is stolen from one site (Yahoo is a good example), the same username and password may also be valid on other sites - but only if the user has reused the same account name, password or password hint. Unfortunately this is often the case, because using the same password on multiple sites is habitual and easy to remember. It is nevertheless a very bad security practice, because account data stolen from one site can be used to gain access to other sites, such as PayPal, for example.

Easily Remember Passwords with a Password Manager

So, what is a password manager? A password manager is a program or online service that generates and stores passwords for multiple websites, so that you don't have to remember them all. The idea is that because you don't have to remember lots of passwords, it's easier to have unique passwords for each site and avoid using predictable words or phrases which are easy to guess by hackers and bots.

A password manager is not the same as the password storage tool built into your web browser. Those don't usually generate passwords for you; they only store the ones you create. In some cases they keep an unencrypted list of your passwords on your computer, so a thief or a remote hacker may be able to read the list and cause havoc.

What if I'm on a different computer?

Most password managers can work in two ways. They can be an extension or plugin for the browser on your main computer. They can also work by you visiting a dedicated website (such as "Dashlane"), logging in with a master password, and retrieving your stored site passwords.

What about mobile apps?

Some password manager services can work with mobile apps rather than a web browser on a PC, though such an option is usually a paid feature.

How does a master password work?

Usually when you use the browser extension or plugin, you stay logged in to the password manager service for a set duration (typically 5 to 10 minutes, provided the computer is active). To view your list of stored passwords, or to make major changes, you'll usually need to type in your master password. Depending on the settings you choose, you may need to enter the master password every time you log in to a site using the service, or the service may time out after 5 minutes of inactivity on the computer.

Picking the master password can be tricky, as you need something memorable (particularly if you don't type it often) but also difficult for other people to guess. You can set up a password hint that will be sent to your registered email address if you forget it. Again, the trick is to choose a hint that instantly helps you remember your password but is no help to anyone else. Some password managers, such as Roboform, let you use a fingerprint reader to access your passwords and logins, with a master password as a fallback in case the fingerprint reader isn't working.

Be aware that with most password manager services, added protection comes from the fact that the people running the service don't have access to your master password; the flip side is that if you forget it, you are out of luck.

What features should I look for?

Look for a password manager that can generate passwords automatically rather than have you create them yourself. This makes sure they are truly random and thus harder to guess. For added convenience, some services let you request particular characteristics (such as a minimum length, punctuation marks, or a mix of capital and lower case letters) to meet the requirements of a particular site.
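The generator described above, written out as an added example (this is not code from the article or from any of the products it names). The policy fields, length and required character classes, are this example's own assumptions; the point it shows is that the random source must be the operating system's cryptographic generator (Python's `secrets`), not a general-purpose one, and that a policy check can be applied to generated and hand-picked passwords alike.

```python
import math
import secrets
import string

# Character classes a site's policy may demand. The policy fields (length,
# required classes) are this example's own assumptions, not any product's settings.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,
}
DEFAULT_REQUIRE = ("lower", "upper", "digit", "punct")


def generate_password(length=20, require=DEFAULT_REQUIRE):
    """Return a random password of `length` characters containing at least one
    character from every class in `require`.

    `secrets` draws from the OS cryptographic RNG. `random` must not be used
    here: its Mersenne Twister output is predictable once a few values are seen."""
    if length < len(require):
        raise ValueError("length is too short to include every required class")
    alphabet = "".join(CLASSES[c] for c in require)
    # One guaranteed character per required class, the rest from the full alphabet.
    chars = [secrets.choice(CLASSES[c]) for c in require]
    chars += [secrets.choice(alphabet) for _ in range(length - len(require))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters
    # do not sit at predictable positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password, length=20, require=DEFAULT_REQUIRE):
    """Check any password (generated or user-chosen) against the same policy."""
    if len(password) < length:
        return False
    return all(any(ch in CLASSES[c] for ch in password) for c in require)


def entropy_bits(length=20, require=DEFAULT_REQUIRE):
    """Upper bound on the entropy of a uniformly random password over the
    alphabet: log2(alphabet_size ** length). Forcing one character per class
    trims this slightly; for lengths around 20 the bound is still a fair guide."""
    alphabet_size = sum(len(CLASSES[c]) for c in require)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, meets_policy(pw), round(entropy_bits(20), 1))
```

A 20-character password over all four classes (94 symbols) has an entropy bound of about 131 bits, far beyond what any online or offline guessing attack can cover, which is why a generated password does not need to be memorable at all.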

Also, check how your passwords are stored by the service. Ideally you want the service to store them in an encrypted form that can only be decrypted by you providing the master password. That means the company's staff couldn't read your passwords even if they wanted to.
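The two paragraphs above (the service never holding your master password, and the vault being decryptable only by you) describe one design, sketched here as an added example that is not the article's or any named product's code. The client stretches the master password into a vault key that never leaves the device, then applies one more one-way step to get a login token; the server stores only a salted hash of that token. Work factors and PBKDF2-HMAC-SHA256 are this example's assumptions. The vault key returned here would feed an authenticated cipher such as AES-GCM over the stored entries, which is outside the scope of this snippet.

```python
import hashlib
import hmac
import os

# Work factors are this example's assumptions (PBKDF2-HMAC-SHA256); real
# services tune them to their own threat model and hardware.
CLIENT_ITERATIONS = 600_000
SERVER_ITERATIONS = 100_000


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into the 32-byte key that encrypts the vault.
    Only the client ever computes this; it is never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               CLIENT_ITERATIONS, dklen=32)


def derive_auth_token(master_key: bytes, master_password: str) -> bytes:
    """One extra one-way step turns the master key into the value the client
    presents at login. Knowing the token does not reveal the key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode("utf-8"),
                               1, dklen=32)


class VaultServer:
    """What the service stores: the client's salt and a server-side hash of the
    auth token. Neither the master password nor the master key is ever seen."""

    def __init__(self):
        self.users = {}

    def register(self, email: str, client_salt: bytes, auth_token: bytes) -> None:
        server_salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_token, server_salt, SERVER_ITERATIONS)
        self.users[email] = (client_salt, server_salt, stored)

    def client_salt_for(self, email: str) -> bytes:
        return self.users[email][0]

    def login(self, email: str, auth_token: bytes) -> bool:
        client_salt, server_salt, stored = self.users[email]
        candidate = hashlib.pbkdf2_hmac("sha256", auth_token, server_salt, SERVER_ITERATIONS)
        return hmac.compare_digest(stored, candidate)  # constant-time comparison


def register_client(server: VaultServer, email: str, master_password: str) -> bytes:
    """Client side of sign-up: pick a salt, derive both values, send only the token."""
    client_salt = os.urandom(16)
    master_key = derive_master_key(master_password, client_salt)
    server.register(email, client_salt, derive_auth_token(master_key, master_password))
    return master_key  # stays in client memory and encrypts the vault locally


def client_login(server: VaultServer, email: str, master_password: str):
    """Client side of login: re-derive from the stored salt, send the token,
    and keep the master key locally only if the server accepts."""
    client_salt = server.client_salt_for(email)
    master_key = derive_master_key(master_password, client_salt)
    ok = server.login(email, derive_auth_token(master_key, master_password))
    return ok, (master_key if ok else None)


if __name__ == "__main__":
    srv = VaultServer()
    register_client(srv, "alice@example.com", "correct horse battery staple")
    print(client_login(srv, "alice@example.com", "correct horse battery staple")[0])
```

The consequence the article points out follows directly from this layout: a breach of the server yields salts and hashed tokens, not vault keys, but the same property means the service cannot reset a forgotten master password for you.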

Some services will audit your passwords, tell you which are too weak or easy to guess, and even replace them with a newly generated password for you. In some cases a service will also watch for reports of a breach at an online service and automatically change your password for you.
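As an added example (not the article's or any product's code) of the audit described above, together with the cross-site reuse problem from the opening paragraphs: the function runs over a constructed sample vault and flags entries that are common, short, low in character variety, repetitive, or reused on another site. The sample credentials and the tiny denylist are constructed for this example; a real audit checks against breach corpora.

```python
import string
from collections import defaultdict

# Constructed sample vault of (site, username, password) tuples. None of these
# are real credentials; the weak ones are deliberately weak to exercise the checks.
SAMPLE_VAULT = [
    ("mail.example.com", "alice", "Summer2016!"),
    ("bank.example.com", "alice", "Summer2016!"),         # reused from mail
    ("shop.example.com", "alice", "password"),            # on every common-password list
    ("forum.example.com", "alice", "x7$Qm2#pL9vT@bN4"),   # generated, fine
    ("home-wifi", "", "aaaaaaaa"),                        # repetitive, one class
]

# Tiny constructed denylist; a real audit checks against breach corpora.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def audit(vault, min_length=12, min_classes=3):
    """Return [(site, [reason, ...])] for every entry that fails a check.
    Entries with no findings are omitted."""
    sites_by_password = defaultdict(list)
    for site, _user, pw in vault:
        sites_by_password[pw].append(site)

    findings = []
    for site, _user, pw in vault:
        reasons = []
        if pw.lower() in COMMON_PASSWORDS:
            reasons.append("common password")
        if len(pw) < min_length:
            reasons.append(f"shorter than {min_length} characters")
        classes = sum(1 for cls in CHARACTER_CLASSES if any(ch in cls for ch in pw))
        if classes < min_classes:
            reasons.append(f"only {classes} character class(es)")
        # Few distinct characters relative to length catches "aaaaaaaa", "abababab".
        if len(set(pw)) <= max(2, len(pw) // 3):
            reasons.append("highly repetitive")
        # The reuse check is what turns one site's breach into a problem elsewhere.
        reused_on = [s for s in sites_by_password[pw] if s != site]
        if reused_on:
            reasons.append("reused on " + ", ".join(sorted(reused_on)))
        if reasons:
            findings.append((site, reasons))
    return findings


if __name__ == "__main__":
    for site, reasons in audit(SAMPLE_VAULT):
        print(site, "->", "; ".join(reasons))
```

The reuse finding is the one worth acting on first: a breach of the weaker of two sites sharing a password exposes the stronger one, which is exactly the scenario the opening paragraphs describe.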

Some, but not all, password managers will also fill in forms for you, so you don't have to remember your user name, password, or any other information usually required on a page with input fields. Roboform, for example, can remember passwords and fill in fields automatically.

Should you use a password manager?

For most users, a password manager is a great solution to the dilemma of wanting to have secure unique passwords for dozens or even hundreds of sites without the hassle of remembering them.

If you're not 100% confident that nobody could gain access to your master password (and hence all of your other passwords), one good option is to use a password manager for most sites but not for the few key sites where you'd have the most to lose, such as online banking, your main email account, and financial services such as PayPal. If you are going to exclude some sites, it's best if they are ones where you log in regularly, so you are less likely to forget the password.

Another option is to store the most sensitive websites and passwords in an encrypted, password-protected file, then keep that file on a USB flash drive. To access this special set of logins and passwords, the master password is required to open the file, and only while the USB flash drive is attached to the computer. When it is not in use, unplug the flash drive holding the encrypted logins and passwords and store it in a safe place. Roboform offers such an option, called "Safe Notes".

Yet another option is to store all your passwords and logins on external USB media (such as a flash drive), then unplug the media when not in use. This is similar to the above suggestion; the downside is that you will need to plug and unplug the USB media constantly throughout the day. One major caveat is that you risk corrupting the external USB media if it is not ejected properly using the "Safely Remove Hardware and USB media" option (via the Windows tray bar). If the media becomes corrupt, you would lose all your passwords, so backing up the passwords onto another external media is a very good idea.

What's Your Opinion?

Do you use a password manager? What are the most important features that you use? If you don't use a password manager, how do you manage your passwords?


Comments

Dennis Faas

I have personally been using Roboform for over 10 years and could not live without it. I store my passwords on a network shared drive, which then makes all my website logins accessible on any computer in my home which has Roboform installed. I also store very important logins and passwords in a Safe Note as mentioned in the article. This file is encrypted and cannot be read in a text editor and is only accessible through Roboform using a master password. I also use a fingerprint reader for logging into Windows and when using Roboform to input my login details (username, password) for any site I visit that requires a login. Highly recommended and very reasonably priced if you get the "Roboform for Desktop"! The price is $29.95 and it is a one-time fee. Click here to download and give it a try - proceeds support our site.

read.tom_5843

I use LastPass with Google Authenticator on my phone as the second login step. Works well most of the time; occasionally has trouble with some login forms, so I may have to enter the PW manually from the LastPass form.

RButts_5424

I, too, am a long-time user of the "paid" Roboform PW manager! There is a "free" version with a limited number of entries for one to try. Recently, the "autofill" feature has not worked on some sites using Chrome. Not sure what the problem is.

CMDD

I have used Ascendo's DataVault for over 10 years and I love it!

I started using it on my Blackberry and synced to Windows.
I now have a Win Desktop, Win Laptop, Galaxy S3, iPhone and an iPad all syncing together and it is great. I currently have over 570 entries.

Because of the way it is designed I have several types of data: passwords, memberships, software keys, WiFi keys, prescription data and so on.

DataVault uses a database type structure that allows me to have templates (field sets) for all the different types of data I keep and at the same time add Field names on the fly to meet my one-up needs.

DataVault supports 10 separate fields plus a Notes field. From time to time I wish it did have a few more.

I have tried several of the other managers (LastPass, etc.) but found they did not work the way I work.
It is not cloud based per se (you can't log into a web site and get your passwords) but works with the cloud (iCloud, DropBox, WiFi and WebDAV).

alan.cameron_4852

I use LastPass on all my Windows machines and on my Kindle Fire.
I find it very simple to use and secure since all the data sent to the server is encrypted before being sent.
I would like to think that we can do away with asking the website to keep our data secure; all these hacks worry me. We can do so if SQRL becomes a reality. It is currently at the last stage of development and can be examined by visiting GRC.COM/sqrl/sqrl.html.

nate04pa

I have been using KeePass 2 for quite a while now. It's donation-ware but AFAIK there are no restrictions on the downloaded versions. It's available for Windows, Linux, and Android, and maybe some other OSs.

It installs on your device and stores all passwords in an encrypted file. A master password gives you access to all the stored passwords. Passwords can be automatically generated using several different schemes or patterns. It is also available in a portable version so you could store your passwords on a removable drive and use them on any compatible device.

sunshinecomputerdoctor

The only problem with RoboForm is it's not compatible with Edge. LastPass is available as an Edge extension; RoboForm is not.

kspearrin

The problem with the mentioned password managers is that they all require you to pay for the features that make them useful. I'll recommend one called "bitwarden". It's 1) free (completely free), 2) open source on GitHub, 3) cross-platform with unlimited devices. I've been using it on my iPhone, iPad, and in Chrome on my laptop. The wife uses the Android version too. Check it out: https://bitwarden.com