Security experts all agree: you should use one.
A recent episode of the Random But Memorable podcast, "Another Masked Vigilante Fear with Karen Renaud", included a discussion about what keeps people from using password managers. The discussion centered on an article by the podcast's guest published in The Wall Street Journal, "What Keeps People From Using Password Managers?"
The article came down to three specific reasons.
I want to address those reasons.
Password Managers: Objections & Responses
- It's difficult to set up: Setting up is a side effect of just going about your day.
- A hack will expose all my passwords: The service only ever holds your encrypted vault. Without your master password it cannot read it, and neither can anyone who breaks in and steals it.
- I'll forget the master password: Make it easily memorable. Back up your vault. You can always reset passwords to rebuild.
Setup effort
The WSJ article seemed to make this about the difficulty of importing a database of pre-existing account and password information. Indeed, many password managers make import cumbersome, if it's possible at all.
Not only do people rarely have that pre-existing database (having kept everything on paper or in their head), but it's also not needed, even if they have one.
Setting up a password manager is easy. Trivial, even.
It works like this:
- Install the password manager, choose a master password, and add its browser extension.
- Go on about your day.
Seriously, that's about all it takes. As you log in to a site that's not yet been entered into the password manager, a good password manager will offer to save it for you right then and there. Once in, that entry's done. It's a great time to then change that account password to something stronger and unique that you no longer have to try to remember.
But simply going on about your day, signing into the sites you use, will slowly build up your password manager's database with little effort.
Trust
Trust in the service is listed as the second reason people tend to avoid password managers. Honestly, in my experience, it's number one.
And trust, in this case, really means trusting the security.
The concern I hear most often is that people don't want to "hand over" all their log-in information to any password manager. They're afraid of that password manager itself getting hacked. This is especially true for password managers that use online storage (aka "the cloud") to synchronize your passwords across all your devices. We hear about large-scale breaches all the time, right? How would this be any different?
It's different in one critical way: a properly designed password manager service can't read your data even if it wanted to.
Your master password never goes to the service. On your device it is run through a slow key-derivation function, and what the service receives is a separately derived login value: enough to check that you typed the right thing, useless for recovering either the master password or the key that encrypts your vault. There is no other way in, no "back door", for the service or for anyone who breaks into it.
Even better, your actual passwords never leave your device unencrypted. Encryption and decryption happen on your machine(s), not in the cloud, and only when you supply the correct master password. What a breach of the service could expose is the encrypted vault itself, and at that point your master password is the only thing standing between the attacker and its contents. That is why it has to be strong enough to withstand guessing at the attacker's leisure.
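To make that division of labour concrete, here is an added example, written for this page rather than taken from any of the products mentioned. It models the client side (stretch the master password, encrypt the vault, derive a separate login value), the server side (store the record, verify a login) and the attacker's position after a breach (guess master passwords offline against the leaked record). PBKDF2-HMAC-SHA256 is assumed as the stretcher, and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the AES-GCM a real product would use, because Python's standard library has no AES. The label strings, iteration count, salt handling and sample vault are illustrative assumptions.

```python
# Added example: a minimal model of the client-side ("zero-knowledge") vault design.
# Not code from Ask Leo or from any password manager vendor; the cipher is a stand-in.
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 600_000  # work factor: raising it slows every guess, yours and an attacker's


def _expand(secret: bytes, label: bytes) -> bytes:
    """Derive one independent 32-byte subkey from a stretched secret (HKDF-style expand)."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def derive_keys(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> dict:
    """Stretch the master password on the client, then split it into three unrelated values.
    Only 'auth' ever leaves the device: it lets the server verify a login but cannot be
    turned back into the password or into the keys that protect the vault."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    return {
        "enc": _expand(stretched, b"vault-encryption"),
        "mac": _expand(stretched, b"vault-integrity"),
        "auth": _expand(stretched, b"server-login"),
    }


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode over a PRF: block i = HMAC(enc_key, nonce || i). Stand-in for AES."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(keys: dict, entries: dict) -> dict:
    """Encrypt the vault locally; the returned blob is what gets synced to the service."""
    plaintext = json.dumps(entries, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)  # fresh per encryption so keystreams never repeat
    ciphertext = _xor(plaintext, _keystream(keys["enc"], nonce, len(plaintext)))
    tag = hmac.new(keys["mac"], nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def integrity_ok(keys: dict, blob: dict) -> bool:
    """True only if the blob was produced with these keys and has not been altered."""
    expected = hmac.new(keys["mac"], blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob["tag"])


def decrypt_vault(keys: dict, blob: dict) -> dict:
    """Verify before decrypting: a wrong master password or a tampered blob raises."""
    if not integrity_ok(keys, blob):
        raise ValueError("vault integrity check failed")
    plaintext = _xor(blob["ciphertext"], _keystream(keys["enc"], blob["nonce"], len(blob["ciphertext"])))
    return json.loads(plaintext)


def server_record(keys: dict, salt: bytes, blob: dict) -> dict:
    """Everything the service stores, and therefore everything a breach of it could leak."""
    return {"salt": salt, "auth": keys["auth"], "blob": blob}


def server_login_ok(record: dict, presented_auth: bytes) -> bool:
    """The service's whole job at login: compare the presented login value, in constant time."""
    return hmac.compare_digest(record["auth"], presented_auth)


def offline_guess(record: dict, candidates: list, iterations: int = KDF_ITERATIONS):
    """What an attacker holding a leaked record can do: try master passwords one by one.
    Every try costs a full KDF run, so work factor and password entropy decide the outcome."""
    for guess in candidates:
        keys = derive_keys(guess, record["salt"], iterations)
        if hmac.compare_digest(keys["auth"], record["auth"]):
            return guess
    return None


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    keys = derive_keys("correct horse battery staple", salt)
    blob = encrypt_vault(keys, {"example.com": {"user": "leo", "pass": "constructed-sample"}})
    record = server_record(keys, salt, blob)
    print("login accepted:", server_login_ok(record, keys["auth"]))
    print("decrypts locally:", decrypt_vault(keys, blob)["example.com"]["user"])
    print("offline guess with a tiny word list:", offline_guess(record, ["password", "letmein"]))
```

The point to take from it is which pieces live where: the record the service holds contains a salt, a login value and ciphertext, none of which decrypts anything on its own, and `offline_guess` is the only attack that record enables. Raising `KDF_ITERATIONS` makes each of those guesses slower for everyone; a master password that is not on anyone's list makes the number of guesses prohibitive.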
Forgetting
The final concern addressed in the article is that of forgetting your master password, at which point you would lose access to your entire vault.
Yes, that master password is important, but if you're using a password manager, it's the only password you need to remember. Save that one password some other way, if you like (securely, of course). Another approach is to make it memorable: for example, four or more words chosen at random, rather than a quotation or a phrase you already use elsewhere, since those are exactly what guessing tools try first. We've all seen how easy it is to remember "correct horse battery staple", so come up with your own version. That's all you need.
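As an added illustration (not from the article, and not any particular manager's generator), here is how to pick such a passphrase at random and count what it buys you. The ten-word list is constructed for the example and far too small for real use; the entropy arithmetic assumes words are drawn uniformly and independently from the list, which is what a Diceware-style list gives you.

```python
# Added example: random word passphrases and the entropy arithmetic behind them.
import math
import secrets

# Constructed word list for illustration only. A real list (the EFF long list has
# 7,776 entries) is what gives each word its roughly 12.9 bits.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "anvil",
                "orbit", "velvet", "canyon", "pickle", "lantern"]


def passphrase_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words drawn uniformly, with replacement, from list_size words."""
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count that reaches target_bits with the given list."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words: list, count: int, separator: str = " ") -> str:
    """Pick count words with the OS CSPRNG (secrets, never random) and join them.
    Drawing with replacement keeps the formula above exact; a repeated word is fine."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for n in (4, 6):
        print(n, "words from a 7776-word list:", round(passphrase_bits(n, 7776), 1), "bits")
    print("words needed for 128 bits:", words_needed(128, 7776))
    print("example from the tiny constructed list:", generate_passphrase(SAMPLE_WORDS, 4))
```

The numbers are the useful part: four words from a 7,776-word list is about 52 bits, six words about 78, and ten words is where a passphrase matches a 20-character random password. A phrase you composed yourself, or one chosen for its meaning, has none of this guarantee, because its words are not independent draws.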
The article did not mention my solution to the "forgetting" anxiety: back up! Every so often, take a backup of your password manager's vault in plain text (CSV format is common) and save that somewhere safe and secure. Boom! All your passwords available to you should you need them, without requiring access to your password manager at all. One caveat: a plain-text export is a complete, unencrypted copy of every credential you own, so treat it that way. Keep it on an encrypted drive or in an encrypted archive, or print it and lock it away, and never leave it sitting in a synced folder, on your desktop, or in an email.
And you might not even need them. Remember, even if you lose your master password, you haven't lost access to anything other than the vault itself. You can always do a password recovery on the various accounts and reset each password, presumably as you fill your replacement password vault, provided you can still get into the email account or phone those recovery messages go to.
Just do it
People who know, security professionals the world over, recommend you use a good password manager. They use password managers themselves. They commonly refer to password managers as the one thing the average consumer can do to dramatically improve their personal security online.
I've been doing it for years.
I recommend you do the same.
Recommendations
Don't use just any password manager that you stumble into. This is too important. Make sure to choose one with a solid reputation and track record.
LastPass is what I've used for years. I continue to recommend it, but definitely have my eye on them since they were acquired by LogMeIn and changed their pricing model. My sense is that their focus is shifting to the enterprise customer rather than the individual. Regardless, the product remains solid.
Bitwarden would be the next I'd evaluate if I were forced to change. I've seen lots of great comments from readers and others and it seems the most seamless transition for existing LastPass users.
KeePass is one I would also investigate, specifically for those who resist using any password manager's cloud services.
Okay. You have convinced me. What two or three good password managers would you recommend?
I’ve been using LastPass for years now and recommend it highly.
I have not played with recent versions, but next on my list to evaluate would be Bitwarden (mentioned by a lot of people here) and KeePass (because it has no cloud of its own, but can use yours).
I suggest Password Safe (pwsafe dot org; “Designed by renowned security technologist Bruce Schneier”), as I have been using it since about 2005-2007 without issue. Just make sure to back up the password database from time to time, as this way, if your computer’s hard drive dies, you can easily transfer the database to another computer; otherwise it’s going to be a problem regaining access to the accounts you use on websites. Password Safe is entirely offline, which is safer than using ones that store stuff online, even though I get that some people like the convenience of being able to sync passwords across devices etc., but I like to play it safe and do stuff manually.
That site takes you to the Windows version, but there are Linux and Android versions, as the Windows/Linux version is maintained by Rony Shapiro (who I think Bruce S apparently knows) and the Android version is maintained by Jeff Harris (I never personally used the Android version, but I can confirm the Windows database file works fine on Linux, as I have been using Linux Mint as my OS since Jan 2019). The Linux version can be downloaded here, “sourceforge dot net/projects/passwordsafe/files/Linux/”; with the Linux Mint 20 series, for example, you would download the “passwordsafe-ubuntu20-1.13-amd64.deb” file. Or, if you don’t mind running a slightly older version of Password Safe, you can load up the ‘Software Manager’ from within Linux Mint, type in ‘passwordsafe’ (all one word) and install it from there.
Even in terms of the ‘master password’ for the password manager (talking password managers that are strictly offline use and store nothing online!)… some might suggest making it super secure, and while that’s not bad advice, I think a good balance of ease-of-use/security would be to come up with a decent password paired with some padding. For example… ‘MyDecentPassword’ would become something like ‘—!!!—MyDecentPassword1’. Because the way I see it, the only way one would need a really secure password on their password manager itself is if someone got hold of their database and was trying to brute force it, which probably won’t happen. Because I think one’s best general defense is to make sure their computer is not infected with viruses and the like, as if your computer is compromised in this way and you get a potential keylogger, you’re not really going to be worrying about brute force at this point. But if one does want a secure way to make a master password for their password manager that will be easier to type, and possibly a bit easier to remember, it is to use Diceware (eff dot org/dice; an easy 5-step process using real dice, as you need five dice to make generation of passphrases nice and quick), which is proven secure if your passphrase is of sufficient length, as from what I read you want a minimum of six words (hell, even a little padding here would not hurt). Either way, it’s always a good idea to write down your password manager’s master password on a piece of paper and store it in a secure location in case you forget it, as you need to take measures to ensure you’re not going to lose the password manager’s database file or lose access to it.
But with Password Safe I tend to tweak the defaults on how it generates passwords for use on websites, as I suggest using at least 20 characters, as that should be secure for the foreseeable future. Not only that, I make it so that the password manager ALWAYS uses at least one upper case letter, a lower case letter, a number, and a symbol, as this way, if someone tries to brute force it, it’s going to take a lot longer to crack because they are pretty much going to have to try a lot more combinations. Plus, the entropy of a 20 character password is quite high at 131.1, as a Diceware equivalent would be about a 10 word passphrase, which would come out to 129.2 bits of entropy.
But if one is really paranoid, you can use dice to generate really long complex passwords at this website, “theworld dot com/~reinhold/dicewarefaq.html”, under “How do I use dice to create random character strings?”; but using that method is fairly time consuming, because you have to roll three dice at once a minimum of twenty times to generate a 20 character password (notice I said ‘minimum of twenty times’ because it’s possible to roll a ‘blank’ and you’ve got to roll again). This is probably a bit overkill, and you can just use your password manager since it’s almost surely secure enough. But I thought I would mention it to cover everyone ;)
My Lastpass password is a random string of characters created by using a friend’s initials plus my initials plus an old phone number for a total of 14 characters. I’m thinking of adding more to up it to 20, but for now 14 seems sufficient.
A 20-character password consisting of a phrase plus a few numbers and a punctuation mark should also be good as adding a number before or after the phrase would make it impervious to a dictionary attack and long enough to be out of the range of rainbow tables.
For example: .maryhadalittlelamb8722 would be as uncrackable as any other 22 character password. I also use a different phrase and substitute numbers for similar looking letters as in l33t for lEEt. Very easy to remember as I’ve used the 7 character base for 25 years. Hopefully, it’s impervious to brain rot as I get older.
@ Mark Jacobs
Yeah, I figure ‘at the very least’ your password is probably above the low-hanging-fruit standard (which seems to be the most critical). Because say some shady person got hold of your password database file and tried to brute force it; unless it’s something they can crack fairly quickly, they would likely give up. Because how much time/resources would a shady person who’s trying to brute force someone’s password manager database file spend before giving up? Maybe a day, a week or so, maybe a month on the high end(?). Because I would imagine if someone was a high value target they may spend more time/resources on it. But for us average people, I would imagine if they can’t crack it quickly they would likely give up, and in this regard I would imagine your password is probably good enough to resist brute forcing for longer than they would spend time trying to crack it.
But speaking of brute force… on Password Safe, while it’s secure in its default state, one can increase the time for someone to brute force its database file by going to ‘Manage > Options > Security’ and increasing the ‘Unlock Difficulty’ slider bar. The only negative side effect of doing this is that it increases the time to open the database once a person has entered the password (so in effect it slows down the number of passwords they can try in the same time frame, which will increase the time for them to brute force it and make it that much more unlikely they will brute force it; I think this is probably mostly beneficial where someone might be using a somewhat so-so password, but nothing too easy to guess, as if someone is using a very secure password then that slider is probably not going to matter much either way in the real world). But on a decent CPU the delay is only very slight (at least with my current slider position of increasing it from its default (which should be 0% since it’s completely to the left) to roughly 25% across the bar). On my backup computer with the slowest CPU you can see a noticeable delay before the password manager opens the database. But even here it’s not bad, as it’s maybe a couple of seconds delay or so before opening after entering the password.
Also, in regards to that ‘unlock difficulty’ slider bar… it stores that info inside of the password database file itself. So if you move that database file to another computer on a fresh install of Password Safe, for example, the unlock difficulty will still be exactly the same. But it seems it has to work this way; otherwise someone could easily bypass it.
And as you already know… they say password length is the single biggest factor to stop someone from cracking it. Hell, I imagine even on some level, say “…………………………1qaz2wsx.” (without the “) would be somewhat secure even though it does not really seem like it. Because that 1qaz2wsx is a basic keyboard pattern, which is probably not a good idea to use right off the start, but once someone loads it up with quite a bit of length/padding there, it’s probably at least halfway decent then. But personally I would not use something like that, at least not with something basic like that ‘1qaz2wsx’ sandwiched between the dots. But using something similar with a halfway decent password sandwiched between is probably good enough. But I guess it comes back to that low-hanging-fruit standard mostly, as all a person absolutely needs for a bare minimum is to be above the standard one could fairly easily guess, and there is a good chance a person will be okay (even though using that same password across multiple sites is still a bad idea, because all it takes is one slip up and it’s out in the open). But I figure, why take the chance? Stick to password managers, since it’s a bunch of random junk no one is ever going to guess ;)
“…………………………1qaz2wsx.” is a good password. The padding and length make it completely different from 1qaz2wsx, so it’s safe from rainbow tables, brute force and dictionary attacks. It’s even safer with the quotes, as it’s 2 characters longer. ;-) You can even add emoticons to your password, such as :-)everygoodboydeservesfudge;-). That might help you remember which special characters you used. I sometimes forget.
Sadly emoticons, and other more obscure “special characters” don’t work in all places.
When I said emoticons, I meant the ascii character emoticons as shown in my example. Most passwords allow, and many require, those punctuation characters.
I’ve been using LastPass for several years now. Before that, I was using Roboform, but I found LastPass to be preferable for what I wanted to do.
I use the premium LastPass Families. I have two factor authentication enabled using Yubikeys. As I’m getting up there in years, I’ve been able to set up a recovery plan to enable people I’ve designated to access my account. Part of the plan includes granting emergency access to another LastPass user in the family, a list of one time passwords and a spare Yubikey stored with my will and instructions on how to use them.
I’m sure other password managers have the same capabilities as well. A password manager is not only a good way to protect accounts, but with a little forethought and planning, makes a good method to alleviate issues for those who need access in an emergency or settling an estate.
This is a great comment. I’m only 50 but let’s face it, no one knows their time to pass. I’ve often wondered to myself, “When am I going to get my information together and make it easy for someone else to handle my accounts?” I’ve never considered the ease of a password manager to be used for such need. I’m rethinking my plan. Thanks for posting.
Use a long pass phrase to access your vault. If the password is too short, the hackers may be able to crack it using Rainbow Tables. Currently 14 – 20 characters is reasonable and if 14 is good, 20 is better.
And make sure that the password manager company doesn’t store the login credentials unencrypted. One way to be sure is to use LastPass, or research another which has a reputation for doing security right. Read the reviews.
Thanks Mark! Two great tips. I’ve been coming here so long I think of you as “the other Leo” and revere your advice equally as much.
I procrastinated on this for a long time. The thing that finally got me to start using one is the number of accounts that all used the same password and since most want my email address as the username, it really wasn’t secure. I wanted to use crazy random strong passwords.
Finally took the plunge about 6 months ago. Yep, I did just what you said. Just went about my day, doing what I always do and every time I entered a password on a website, LastPass offered to save it for me. I didn’t bother with the password changes because I didn’t have time, but about 4 months later I had a little time and thought I could make a start. I was surprised how quick it actually was. I think it just took me one evening to work through my vault and change the passwords. LastPass even helped by giving me a list of the duplicate and weak passwords.
Thanks for sharing. I like hearing from n00bs since I’ll be one when I get started with this. :)
Leo, I’m a big fan of you and have been following your work ever since my college days. I’m very much convinced to try (and use) a password vault for myself (which I was hesitant about before due to privacy & security risks).
I’ve a question: Why not the integrated password vault in Google Chrome? Sure, it’s only cloud-based and your data is stored on Google’s servers, while a standalone password vault lets you store passwords offline and back them up conveniently. Apart from these two, are there other benefits of choosing a standalone password vault over Google’s Password Manager?
Thanks in advance!
That would be this article: Is It Safe to Let Your Browser Remember Passwords?
Leo,
I’ve been a reader of your site for years, and I’ve always enjoyed your insights. Would you please provide your take on Tavis Ormandy’s critiques of LastPass and using password managers:
https://lock.cmpxchg8b.com/passmgrs.html
I read your post and did not see that it addressed Ormandy’s concerns.
Also in this Wall St. Journal article:
https://www.wsj.com/articles/how-google-and-apples-free-password-managers-compare-with-1password-dashlane-and-others-11626012003
Thank you
Without taking the time to dive deeply into all the hairy details, I’ll say this:
If you’ve got specific issues that he raises that concern you, drop ’em here and I’ll try to respond.
One thing I DO agree with totally is that you shouldn’t get just any password manager (which the advice to “use a password manager” often leaves out). If you’re going to use one, make sure to choose one with a good reputation. I’ll add my current thinking to the article above.
Leo, thanks for your reply.
I think I’m most concerned with the two issues he raises about extensions: blurring the distinction between the browser’s interface and potentially hostile content, and vulnerable interprocess communication in potentially hostile environments.
He suggests using the online password manager already built into your browser to avoid those two problems. I read your 2009 article you linked above about this (https://askleo.com/browser-remember-passwords), but I wonder whether you could provide an update and any other thoughts you have on this.
I’m actively considering a password manager (I’m pulling my hair out trying to remember different passwords on different sites), but I’m torn based on what I’m reading.
Thanks again!
Whether the feature is built into your browser, or provided by an add-on, the line is already kinda blurred, isn’t it? It seems the issue is the same whether the browser has the password feature, or an extension does.
Anyway, the key words there are “hostile environment” or “content”. Yup, if you go to a malicious website and get malware on your machine, then all bets are off no matter what solution you use. Malware can do anything. I don’t believe that’s something that should prevent anyone from using a tool to manage their security. Again, password managers enable more security than they invite risk; I see them as a net positive. As always, they need to be used in conjunction with security best practices and good habits. Hope that helps a little.
Thanks for your further remarks. I’m considering KeePass as a consensus choice, as it’s recommended by you, and also by Tavis Ormandy as a simple password manager without the risk of the line-blurring integration features that a hostile website could spoof.
I was one of those who was hesitant to use a password manager. I just didn’t understand how it worked.
I started using LastPass a little over a year ago as an experiment and I haven’t looked back. It was far easier to set up and use than I had imagined. When signing up for a new account and needing a password, I just let LastPass suggest one for me. It works beautifully every time.
Thanks Leo for having suggested LastPass in the past.
Just want to throw my nickel’s worth in here.
I have been using RoboForm for about six or seven years. As far as I am aware, it has not been hacked and I have never had an issue with either the product or the company.
In addition to being a password manager, it also keeps “Identities” so that you can shortcut filling in the same info in online forms (name, address, phone, etc.) time after time.
Since it generates random strings of characters for all new password requests, the only thing I have to remember is the Master Password. Therefore, I have based that on a phrase and a few numbers that only have deep meaning for me.
I have recommended RoboForm to several other people and the feedback I get is very positive.
Roboform is also a good choice. I used it for years until I switched to LastPass because it had a couple of features I preferred, for example, it integrates with most Android Apps.
Another issue I’ve heard raised frequently is the fear that if the password manager company goes out of business, you will lose access to your vault. I suppose it would be possible in principle to lose access to a vault stored exclusively on a password manager’s servers, but the software would still function, and as long as the database is backed-up, you could still access it.
Personally, I would trust any reputable password manager with my data, but for those concerned, KeePass is open-source, so it is vetted by outside programmers – probably the best guarantee that you can get for no back doors or other security concerns. You can keep it either locally or in the cloud (or both, of course!). It is the one that I have used and recommended for years.
That’s why Leo says to periodically take a backup of the vault in CSV format. If they went out of business, at least you’d have a list of all your login info for all your accounts. And if your new password manager can import that CSV, then you’re back in business pretty quickly.
True, but Karena was saying that even if LastPass goes out of business, the app will still keep on working. So, if LastPass folds and you have un-backed-up passwords, it’s still not too late to back them up.
Yes, this was my point, thanks!
Do you have any advice regarding Dropbox Passwords, which I have been trying and have found at least equal to LastPass in operation and flexibility (even though I use the paid version of LastPass)?
Dropbox Passwords is very new and not available to most users. It’s only available to people with certain business accounts, so there’s no way to try it out without an account. My guess is that, being a serious company with a reputation to uphold, they are doing a good job of security, but in the meantime, I’d stick with something tried and proven like LastPass, KeePass, Bitwarden, or Roboform.
I don’t, other than that since it’s an add-on feature to an existing product, I’d be concerned it doesn’t get enough, or the right, attention in the grander scheme of Dropbox’s business. It may, but that would be my concern for any tool that comes along and says “oh, we also have a password manager now”.
I’ve been using LastPass for awhile and find it easy and useful. I can’t figure out how to back it up as you recommend. Can you give me some instructions?
See this article for instructions:
How Do I Back Up LastPass?
I use NordVPN and find it very good. It has a Password Manager but not sure if it has any issues. Can anybody comment on its viability.
I’m wondering if you have anything to say about 1Password? That’s what I’ve been using for years.
I’ve not used it myself, but it has a good reputation.
“And you might not even need them. Remember, even if you lose your master password, you haven’t lost access to anything other than the vault itself. You can always do a password recovery on the various accounts so that you can reset your password — presumably as you fill your replacement password vault.”
I agree with a lot of this, but people are also lazy, sloppy and (if too easy) might forget to provide needed account recovery information. And that information (whether e-mail accounts, mobile number, or something else) needs to be kept both updated and safe. What good is a recovery e-mail address for the super secure stock trading account, if the recovery mail goes to an unsecured mailbox that can easily be accessed by any nosy hacker? Etc.
I’m curious as to whether any logging is compiled and can be downloaded from the major PW managers; i.e. can I see when I accessed or used a password to access a site, when it was changed, etc.? Stuff that I do keep track of today.
And do these (three recommended) PW managers also allow for extra information fields for each account? You might want to type in some account specific information with each account (examples can be; what credit card is on file with the service, when did you start using 2FA and what type is used (app or SMS), when did you change PW, etc. You might also want to log the answers to the (often three) security questions that you have provided (as you did not answer them “truthfully”, did you? – if mama’s maiden name is Peterson, log it as Moose, if your first car was a Chevy, log it as Oatmeal, etc).
Some of this “auxiliary” information needs to be kept track of for many reasons. If your credit card gets hacked and a new number is issued, do you know all the sites where you have provided your number? If you are issued a new mobile number, do you have a list of all the sites/services where that number is registered and where you might need to change it BEFORE you lose access to said number? Etc. Many are the accounts that have been forced to be abandoned just because recovery information has not been kept up to date.
Also curious as to how many log-ins an average user has these days? My guess is that most people never keep track of it, but it would not surprise me if the number of individual “accounts” online is in the 200-400 range for most people. And those accounts have a lot of passwords and user IDs reused.
“And do these (three recommended) PW managers also allow for extra information fields for each account?”
Frank: I can’t speak for the first two password managers (LastPass and Bitwarden); but I can definitely confirm that KeePass includes an extra field called “Notes”, where you can enter any additional details you want for each entry in a free-form text format. KeePass also allows you to include attachments with each database entry (e.g., a PDF file, or a .PNG screenshot, etc.) Finally, KeePass also has a “History” tab for each entry, where it keeps a log of the creation date and time of the entry, as well as a record of each and every change you make to the entry. So if, for example, you wanted to know what the password for a website used to be back in July of 2019, you can view the entry in KeePass exactly as it appeared back then.
Lastpass also has notes. And history.
My recommendation is KeePass (v2.x). It’s open source, doesn’t depend on any corporation or private company, doesn’t require uploading your password database to cloud servers (although you can if you want to), and best of all, there’s no monthly subscription cost. It’s completely FREE.
The way I use KeePass at home is to open the database with my master password. I select the entry in KeePass for the website I want. Press Ctrl-U, and KeePass opens my browser to the login page. Press Alt-Tab to return to KeePass. Then press Ctrl-V which returns me to the browser where KeePass enters my username and password into the appropriate fields, which logs me in to the website.
My master password is over 20 characters long; but I only need to enter it once, when I open my KeePass database. After that, no matter how many websites I need to login to, I’m only pressing Ctrl-U and Ctrl-V. I haven’t had to manually type in a username or password in ages. I can’t imagine using a computer without KeePass.
Thanks for these tips. I’m considering KeePass. How do you access your websites from mobile? Do you have an iphone?
Michael: My mobile device is an Android phone; and I do 90% of any serious work on my Windows PC. I basically use my phone for texting, navigation, and travel-related apps (e.g., GasBuddy). So I don’t even bother with a password manager for my phone; since it’s so seldom that I have a need to enter login info there.
However, I have setup KeePass for a client who happens to use an iPhone. Like me, he mostly works on a PC; but he also wanted KeePass for his iPhone “just in case”. My recommendation to him was “KeePassium” by Andrei Popleteev. There is both a free version and a Pro paid version. Both are highly rated by reviewers on the App Store. So you might want to consider KeePassium for your iPhone.
Great, thanks very much!
For those who use Android, there are a couple of versions for that, as well.
My concern with using a password manager is I sometimes use different computers and how would I use the password manager on that computer, especially when I am away from my home office?
LastPass, Bitwarden, and others keep a copy of your password vault encrypted on their servers and work on any device that is logged into their app. What I like about LastPass is that it can be used to log into many Android apps.
Michael: The first two password managers listed here (LastPass and Bitwarden) are subscription-based, and would be accessed via their respective companies’ servers. So, as long as you have an Internet connection, you’d have access to those password managers from any computer.
On the other hand, if you don’t want to trust a third-party company with your passwords, my personal recommendation is KeePass. It’s open source and completely free — no subscription needed. You can keep your KeePass database file on a flash drive that you can carry with you; so that it’s available regardless of what computer you’re using. Or, if you’re willing to use Google Drive, you can store the database file there — “in the cloud” — and it would also be accessible from any computer. Regardless of where you store your database file (local drive, flash drive, or cloud drive) it’s highly secure — or at least as secure as your master password. All KeePass database files are encrypted using the most secure encryption algorithms currently known (AES-256, ChaCha20 and Twofish). So as long as your master password is long enough and/or complex enough, there should be zero chance of anyone breaking the encryption.
I used LastPass for years but then after the second sale of the product, I noticed there were hiccups every once in a while so when it came time to renew my subscription I switched to Bitwarden and am now a happy camper once again. Bitwarden has everything LastPass has, except for automatically changing passwords, which I never used anyway. A subscription is only $10/year.