Security experts all agree: you should use one.
A recent episode of the Random But Memorable podcast, “Another Masked Vigilante Fear with Karen Renaud”, included a discussion about what keeps people from using password managers. The discussion centered on an article by the podcast’s guest published in The Wall Street Journal, “What Keeps People From Using Password Managers?”
The article came down to three specific reasons.
I want to address those reasons.
Password Managers: Objections & Responses
- It’s difficult to set up: Setting up is a side effect of just going about your day.
- A hack will expose all my passwords: Even the service itself cannot see your passwords, so neither could any hacker.
- I’ll forget the master password: Make it easily memorable. Back up your vault. You can always reset passwords to rebuild.
The WSJ article seemed to make this about the difficulty of importing a database of pre-existing account and password information. Indeed, many password managers make import cumbersome, if it’s possible at all.
Not only do people rarely have that pre-existing database (having kept everything on paper or in their head), but it’s also not needed, even if they have one.
Setting up a password manager is easy. Trivial, even.
It works like this:
- Install the password manager and set it up.
- Go on about your day.
Seriously, that’s about all it takes. As you log in to a site that’s not yet been entered into the password manager, a good password manager will offer to save it for you right then and there. Once in, that entry’s done. It’s a great time to then change that account password to something stronger and unique that you no longer have to try to remember.
But simply going on about your day, signing into the sites you use, will slowly build up your password manager’s database with little effort.
Trust in the service is listed as the second reason people tend to avoid password managers. Honestly, in my experience, it’s number one.
And trust, in this case, really means trusting the security.
The concern I hear most often is that people don’t want to “hand over” all their log-in information to any password manager. They’re afraid of that password manager itself getting hacked. This is especially true for password managers that use online storage (aka “the cloud”) to synchronize your passwords across all your devices. We hear about large-scale breaches all the time, right? How would this be any different?
It’s different in one critical way: password manager services can’t access your data even if they wanted to.
Just as a well-run online service stores only a one-way hash of your password, never the password itself, your password manager doesn’t know your master password. It can only check whether what you typed is correct. It has no other way — no “back door” — into the contents of your password vault.
Even better, your actual passwords never leave your device. Encryption and decryption happen on your machine(s), not in the cloud, and only when you specify the correct master password.
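To make that “the service can’t see your data” claim concrete, here is an added, simplified model of the client/cloud split (example code, not the article’s or any product’s own). The master password is run through a slow KDF on the device and split into an encryption key that stays local and an authentication key that is the only secret the server ever sees; the vault is encrypted and authenticated on the device, and the server stores just a salt, a hash of the authentication key and the ciphertext. It assumes an HMAC-based keystream in place of a real cipher such as AES-GCM so it runs with the standard library alone, and the vault entries are constructed samples.

```python
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 100_000  # deliberately slow; real products use more, or Argon2

def derive_keys(master_password, salt):
    # One slow KDF run on the device, then two domain-separated keys:
    # enc_key never leaves the device; auth_key is all the server gets to see.
    base = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS)
    enc_key = hmac.new(base, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(base, b"server-authentication", hashlib.sha256).digest()
    return enc_key, auth_key

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode (stand-in for AES-GCM, to stay standard-library only).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_vault(enc_key, entries):
    # Encrypt-then-MAC, entirely on the client; the server only ever sees the result.
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    mac_key = hmac.new(enc_key, b"vault-mac", hashlib.sha256).digest()
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}

def decrypt_vault(enc_key, blob):
    nonce, ciphertext = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ciphertext"])
    mac_key = hmac.new(enc_key, b"vault-mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))))

class SyncServer:
    # The cloud side: a salt, a hash of auth_key and the ciphertext, nothing else.
    def __init__(self):
        self.records = {}
    def register(self, user, salt, auth_key, blob):
        self.records[user] = {"salt": salt.hex(), "auth_hash": hashlib.sha256(auth_key).hexdigest(), "vault": blob}
    def login(self, user, auth_key):
        return hmac.compare_digest(self.records[user]["auth_hash"], hashlib.sha256(auth_key).hexdigest())
    def breach_dump(self):
        # Everything an attacker who copied the whole server database would obtain.
        return json.dumps(self.records)
```

Run the pieces in order (derive, encrypt, register) and inspect `breach_dump()`: neither the master password nor any site password appears in it, and a wrong master password fails both `login` and `decrypt_vault`.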
The final concern addressed in the article is that of forgetting your master password, at which point you would lose access to your entire vault.
Yes, that master password is important, but if you’re using a password manager, it’s the only password you need to remember. Save that one password some other way, if you like — securely, of course. Another approach is to make it memorable: for example, three or four random words that have meaning to you and only you. We’ve all seen how easy it is to remember “correct horse battery staple”, so come up with your own version. That’s all you need.
The article did not mention my solution to the “forgetting” anxiety: back up! Every so often, take a backup of your password manager’s vault in plain text (CSV format is common) and save that somewhere safe and secure. A plain-text export is exactly as sensitive as the vault itself, so keep it offline or on encrypted media, never in a shared or synced folder. Boom! All your passwords are available to you should you need them, without requiring access to your password manager at all.
And you might not even need them. Remember, even if you lose your master password, you haven’t lost access to anything other than the vault itself. You can always do a password recovery on the various accounts so that you can reset your password — presumably as you fill your replacement password vault.
Just do it
People who know — security professionals the world over — recommend you use a good password manager. They use password managers themselves. They commonly refer to password managers as the one thing the average consumer can do to dramatically improve their personal security online.
I’ve been doing it for years.
I recommend you do the same.
Don’t use just any password manager that you stumble into. This is too important. Make sure to choose one with a solid reputation and track record.
LastPass is what I’ve used for years. I continue to recommend it, but definitely have my eye on them since they were acquired by LogMeIn and changed their pricing model. My sense is that their focus is shifting to the enterprise customer rather than the individual. Regardless, the product remains solid.
Bitwarden would be the next I’d evaluate if I were forced to change. I’ve seen lots of great comments from readers and others and it seems the most seamless transition for existing LastPass users.
KeePass is one I would also investigate, specifically for those who resist using any password manager’s cloud services.