A necessity in the digital age
A while back, password management was one of those things that “I suppose some people do that”. Most people had at most one or two online accounts, and it was a whole lot harder to get around the Internet and find useful things to compromise or steal.
Things have changed. My currently used password manager tracks 1,692 items, and while there are some duplicates and items that aren’t passwords, not to mention passwords for accounts that I no longer have, that’s way too many passwords for me to manage on my own.
What is a Password Manager?
A Password Manager is a computer program (and possibly a service) that helps a computer user to manage the passwords that are needed for a modern digital life. This is necessary because of a couple of very important points.
- Passwords should be secure. They should be long, complicated, and difficult for people to guess. In general, they should not contain identifying information about you (birthdate, anniversary, pet’s name, etc.) but should be as random as possible.
- You should use a different password for each service you use.
Let’s look at each of these points in turn, and then we’ll talk about how a password manager can help with them.
Passwords Should Be Secure
In the before time, computers were slow and had extremely limited memory. (This is technically true about almost all times, compared to the times that come after, although I believe Moore’s law has failed.) One of the things that this meant was that it was difficult for a computer to crack a password.
If you’ve played the game Portal 2, you’ll possibly remember the scene where Wheatley tries to guess the password to keep GLaDOS from reactivating. He starts by guessing six As, and then goes to five As followed by C. He’s not very fast, and if the password is longer than 6 characters, he’ll never get it.
Today’s computers are able to go through all of the possible combinations in a six-character password (including lower case letters, numbers, and symbols) in a very short amount of time.
With larger amounts of memory (and storage), programs designed to pilfer passwords can also use a dictionary attack, using words from a word list to try to guess the password more quickly. Some of these word lists include passwords collected from online server breaches.
In short, to make it more difficult for a program to guess your password, you need to have a password that’s difficult to guess. There are two major techniques used for this.
The first technique is to make a jumble of characters. This password manager believes that this 20-character code containing UPPER and lower case letters, digits (numbers), and symbols is adequately random to be excellent. It allows ambiguous characters (i.e. both 0 and O — that’s a zero and a capital O). This type of password is quite secure, but very difficult to remember.
The second technique uses real words, but combines them in ways that are not normal (or grammatically sensical). Although this password is easier to remember, it is also rated excellent because it is quite long, and random enough that a program will have a hard time cracking it. Note that upper and lower case letters are used, as well as digits, to make it more secure. To a computer, E and e are completely different, and not necessarily related.
So, with this kind of password, you can have a relatively secure way to access data that is yours, and that shouldn’t be shared with other people. This includes your email, your bank account, your computer, etc. However, memorizing even one of these passwords is difficult, and didn’t I say you should have a different password for every account you use?
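As an added illustration of the two techniques above (not code from the original post), here is a Python script that generates each kind of password with the `secrets` module, optionally leaving out the ambiguous characters the post mentions, and estimates how much guessing each would cost; the word list and the guessing rate are assumed values.

```python
import math
import secrets
import string

# Characters that look alike in many fonts (the post's example: zero and capital O).
AMBIGUOUS = set("0O1lI|")

def char_pool(allow_ambiguous=True):
    """Alphabet for technique 1: upper, lower, digits and symbols."""
    pool = string.ascii_letters + string.digits + string.punctuation
    if not allow_ambiguous:
        pool = "".join(c for c in pool if c not in AMBIGUOUS)
    return pool

def random_password(length=20, allow_ambiguous=True):
    """Technique 1: a jumble of characters drawn with the CSPRNG behind `secrets`."""
    pool = char_pool(allow_ambiguous)
    return "".join(secrets.choice(pool) for _ in range(length))

def word_password(words, count=4):
    """Technique 2: real words joined in an unnatural order, some capitalised, plus a digit."""
    parts = [secrets.choice(words) for _ in range(count)]
    parts = [w.capitalize() if secrets.randbelow(2) else w.lower() for w in parts]
    return "".join(parts) + str(secrets.randbelow(10))

def entropy_bits_random(length, pool_size):
    """Guess-resistance of a uniformly random string: log2(pool ** length)."""
    return length * math.log2(pool_size)

def entropy_bits_words(count, dictionary_size):
    """Word choices, one case bit per word, and one trailing digit."""
    return count * math.log2(dictionary_size) + count + math.log2(10)

def average_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the password: half the keyspace at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second

if __name__ == "__main__":
    # Constructed tiny word list; a real manager draws from thousands of words.
    WORDS = ["copper", "lantern", "velvet", "orbit", "maple", "thunder", "quill", "saddle"]
    rate = 1e10  # assumed offline guessing rate, guesses per second
    for label, bits in [
        ("6 chars, full pool", entropy_bits_random(6, len(char_pool()))),
        ("20 chars, no ambiguous", entropy_bits_random(20, len(char_pool(False)))),
        ("4 words of 7776", entropy_bits_words(4, 7776)),
    ]:
        print(f"{label:24s} {bits:6.1f} bits  ~{average_crack_seconds(bits, rate):.3g} s")
    print(random_password(20, allow_ambiguous=False), word_password(WORDS))
```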
Passwords Should Be Unique
Every once in a while, you’ll hear that service XYZ.com got hacked, and that the hackers got away with personal information of the users of that service. If that personal information included passwords, the hackers (or those they sell the information to) will certainly try to use those passwords in other places, especially in combination with the username connected to that account.
Since usernames are often just email addresses, and since most people don’t have lots and lots of email addresses, this basically means that if you reuse your password, you’ll be reusing both password and username.
Logins are like locks that usually require two keys: your username and your password. Since most services ask for your email address, and allow you to login using that address, hackers now only need to have one of the keys, the password, to try to access your information. If your password is always the same, too, they will have both keys to every account you use.
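To make the "both keys" point concrete, here is an added Python audit (not part of the original post) over a constructed vault export: it lists reused passwords and, for a breach at one site, which other accounts an attacker would then hold both the username and the password for.

```python
from collections import defaultdict

# Constructed sample of a password-manager export: (site, username, password).
VAULT = [
    ("xyz.example",   "pat@example.net", "Fluffy2015!"),
    ("bank.example",  "pat@example.net", "Fluffy2015!"),
    ("mail.example",  "pat@example.net", "lantern-orbit-velvet-4"),
    ("shop.example",  "pat_shopper",     "Fluffy2015!"),
    ("forum.example", "pat@example.net", "K7#qLm!vR2@xZ9wP"),
]

def reused_passwords(vault):
    """Map each password used more than once to the sites sharing it."""
    by_password = defaultdict(list)
    for site, _user, password in vault:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}

def blast_radius(vault, breached_site):
    """Accounts exposed if breached_site leaks its passwords.

    Returns two sorted lists: sites where the same username AND password are
    in use (the attacker holds both keys), and sites where only the password
    matches (still worth their trying, but the username must be guessed).
    """
    leaked = [(u, p) for s, u, p in vault if s == breached_site]
    full, partial = set(), set()
    for site, user, password in vault:
        if site == breached_site:
            continue
        for leaked_user, leaked_pw in leaked:
            if password == leaked_pw:
                (full if user == leaked_user else partial).add(site)
    return sorted(full), sorted(partial)

if __name__ == "__main__":
    for pw, sites in reused_passwords(VAULT).items():
        print(f"password reused on {len(sites)} sites: {', '.join(sites)}")
    both, pw_only = blast_radius(VAULT, "xyz.example")
    print("if xyz.example is breached, both keys work at:", both)
    print("password alone matches at:", pw_only)
```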
Why Does It Matter?
I’ve heard a lot of people say, “Well, I don’t do anything important on my computer, and I don’t have very much money in my bank account, and so I won’t lose much if someone is able to break in to my account. Besides, why would they want to?”
This ignores several very real harms:
- Once a hacker has access to a server using a legitimate account, he can try to use that account to gain access to other parts of the server. By not using his own account, he’s less likely to be caught on failed attempts.
- If a hacker empties your bank account (even if there’s not much money in it) you’ll likely be faced with overdraft charges that can be expensive to clean up.
- Sometimes, the hacker just wants access to your computer. He can use it to attack other computers around the world without leaving a trail back to him. This slows your computer down (and if he uses your computer for bitcoin mining, will cost you in electricity and failed computer parts) and makes you a participant in, for example, an attack on the Bank of Scotland.
- Some people just want to see the world burn. They may not care about your 1,700 pictures of your dog, but they get pleasure from the thought that by deleting or defacing them, they have exercised power over you.
- If you use any kind of account to work with someone else’s data, that person can be harmed through the access to your account. Malicious reviews can be posted under your name, or false information can be inserted into online accounts.
In short, it’s more important than you may realize.
It Sounds Complicated
To be fair, it is complicated, but Password Managers make it somewhat less complicated.
Most password managers share two characteristics: they let you generate secure passwords (as shown in the pictures above) and they store username-password pairs for later use. Most of them also use a single password to unlock this store of information, and many of them allow you to synchronize your passwords between your phone and your computer, for example.
How Does it Work, Then?
- You go to a website that you use for some purpose (maybe it’s your email).
- If the password manager is locked, you will need to type your one password that unlocks it. Many web browsers provide basic password management, and most of them don’t lock the manager when you’re not using it.
- The password manager will either let you copy and paste the username and password into the webpage, or will do it for you.
That’s it!
The nice thing is that, for most password managers, the one password never leaves your computer — rather it’s used to unlock the password database/password store.
Most of them will also allow you to generate a secure password, will update the stored password when you change it, etc.
Extra features include checking that the website is the same as the one where you previously used the password. https://microsoft.com and https://microsoft-us.com are not the same place, and one of them might be owned by a hacker trying to get your password.
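The site check described above, as an added Python example that is not from the original post: autofill is allowed only when the current page's origin (scheme, host, port) exactly matches the one the entry was saved under, shown beside the substring check a careless implementation might use.

```python
from urllib.parse import urlsplit

def origin(url):
    """The (scheme, host, port) triple that identifies a site to a browser."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return scheme, host, port

def should_autofill(stored_url, current_url):
    """Fill only when the current page has exactly the origin the entry was saved under.

    Strict on purpose: a subdomain (login.microsoft.com) is treated as a
    different site, so a manager that wants to allow it must do so explicitly.
    """
    stored, current = origin(stored_url), origin(current_url)
    if current[0] != "https":  # never hand a password to a plaintext page
        return False
    return stored == current

def naive_should_autofill(stored_url, current_url):
    """The mistake to avoid: a substring check that look-alike hosts can satisfy."""
    return urlsplit(stored_url).hostname in current_url

if __name__ == "__main__":
    saved = "https://microsoft.com/login"
    for page in ["https://microsoft.com/account",
                 "https://microsoft-us.com/login",
                 "https://microsoft.com.evil.example/login",
                 "http://microsoft.com/login"]:
        print(f"{page:45s} strict={should_autofill(saved, page)} "
              f"naive={naive_should_autofill(saved, page)}")
```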
Some password managers let you store your credit card information securely so it’s available, but not stored in some stranger’s database. Identification information (driver’s license, passport) and software keys can also be stored, and some managers provide special formats for these.
Warnings!
Not all password managers are created equal. In my opinion, there are several things to watch out for when selecting a password manager:
- Where are the passwords stored?
  - If the passwords are stored only on your computer, that’s more secure than if they’re stored on someone’s server. The server is not only a bigger target (millions of users’ passwords) but also easier for a hacker to get to.
- How are the passwords stored?
  - If they are encrypted, that’s better protection. However, if they’re just in a text file, that’s not very secure, even if it’s on your own hard drive.
- Where is the decryption done?
  - If the password is decrypted at a remote server, so just the password is sent back to you, that’s not very secure. However, if the service can’t decrypt your password file, that’s more secure. (Sometimes this is called zero knowledge. The company can’t share your information because they don’t know it. It also means you’ll lose all your passwords if you forget your one password to decrypt them all.)
- What does it cost?
  - Password managers all cost something. Sometimes it’s just the inconvenience of using one, instead of using the same username and password everywhere on the Internet. However,
    - Some password managers have a price to buy. This seems to be less common now because
    - Some password managers have a monthly fee. This means that not only do you have an on-going expense, you may lose access to your passwords if your subscription lapses.
    - Some password managers have a special format that can’t be exported to a different manager easily. If you decide to change to a different password manager, you could have some problems. (I ran into this when I stopped using the Mac — my password manager was 1Password, which isn’t available off the Mac, and several of the password managers I tried couldn’t make sense of the 1Password export format.)
    - Some password managers give the serving company access to the password store. This means that if they are hacked, hackers could gain access to all of your passwords.
    - Some password managers are just plain hard to use.
- Does it synchronize with multiple devices?
  - This one bit me with a couple of solutions. If Dropbox (for example) is the only option for synchronizing, a free account will limit you to five devices. Sometimes, the manager itself will require a license for every x devices it’s installed on. It’s best to find that out before you have gotten committed to using a particular password manager.
This is a lot of information to process. I will plan to write a second post comparing some password managers.