I’ve written about what I consider the best current password advice for websites and services you need to keep secure. In a nutshell, here’s the advice again:
- Use multi-factor authentication (MFA).
- Where MFA is not an option, use password managers, creating unique, long-as-possible, random passwords for each website or security domain.
- Where password managers aren’t possible, use long, simple passphrases.
- In all cases, don’t use common passwords (e.g., “password” or “qwerty”) and never reuse any password between different sites.
This advice might appear to go against my simultaneous support of NIST Special Publication 800-63 Digital Identity Guides. NIST SP 800-63 recommends using non-password methods where possible, and although the recommendations are definitely against forcing users to use very long and complex passwords, they don’t limit password length or complexity.
When people are forced to create and use long, complex, and frequently changing passwords, they do a poor job at it. They reuse the same passwords among different websites or use only slightly different passwords, which create an easy-to-decipher pattern.
If those same humans use MFA or other non-memorization authentication methods, then the overall risk of repeated passwords and patterns can be broken. If a person can use a password manager, which creates and uses long and complex passwords that the person doesn’t have to remember, then perhaps you can get the best of both worlds.
Why I moved to a password manager
I’ve been testing and recommending password managers for many years. Early on I was rightly suspicious of their quality and the security of their code and operations. Early versions often ended up in the press because of successful exploits and compromises. These days, most of the popular choices are feature-rich and secure enough that I feel good about using them.
Until recently, I had never completely depended on them, throwing all my memorized passwords away. I felt bad about recommending them without “living” with them. So, I decided to solely use a password manager as much as I could for all password security logons, where it would work. I’m not going to reveal what password manager I’m using because I haven’t tested them all and I don’t want to give an unknowledgeable review.
One of the key threats that led me to deciding to go to a password manager full-time is the sheer number of websites and services that get compromised. Visit any of the “haveIbeenpwnd”-type websites and you’ll probably be amazed to see which of your logons and passwords have ended up on the internet. If you, like me, use a common password root that has a discernable pattern, you probably want to change all your passwords. Don’t be like the average person who uses just seven different passwords across all websites they authenticate to.
The pros of my password manager experience
I downloaded and bought a commercial password manager. I then spent several days changing my existing passwords on hundreds of websites, letting the password manager take over creating and using passwords. I downloaded the password manager for each device I wanted to include, including the related additional add-ons for the two most popular browsers I use. After a few months of use, here are my pros of using a password manager:
Works as advertised: First and foremost, password managers allow you create, record and reuse passwords among different websites. It worked as advertised in most cases. I cover the edge cases where it did not work below.
Easy to create and use long, random, complex passwords: However, about 10 percent to 15 percent of my websites would either not allow a long password (some stopped at 10-characters) or I couldn’t use symbols. This means quickly adjusting the auto-generated random passwords to meet a particular website’s password policy. The password manager I used made changing the policies used to generate a new random password very easy.
Password manager can auto-logon: The password manager can auto-fill in passwords and it’s easy to call up the password manager to fill in the password on an ad-hoc basis. When using a password manager, tell your browser not to remember any password. This takes away a potential attacker password vault target. Within a week or two I was calling up my password manager to quickly fill in logons without even thinking about it.
Securely stores password recovery questions: I loved that I could record my recovery question answers in my password manager. I recommend never giving accurate answers to recovery questions, but instead treat them just like additional password fields. You can record recovery question answers, but my password manager didn’t automatically fill them back in when they were needed.
Securely stores more than passwords: I saved my credit cards, membership cards, notes and other important information to the password manager--one place to store all secrets.
Works across multiple devices: I love that I could easily share my password manager and all the secrets it stored among multiple devices, and it worked well across all devices. If I updated a password, within a few seconds that update was already saved and stored on the other devices.
Can share with family members: I’m growing older. My wife is worried about me unexpectedly dying and leaving her without the appropriate access to my critical financial accounts. I installed another instance of the password manager on her computer, told her the master password, and showed her how easy it is to logon to any website I have. Not only does it store the passwords, but simply seeing a list of all my websites, gave my wife a feeling of relief. If something happens to me, she can logon and visit each website to see if there is something crucial to know and do. If you’d rather your spouse not see all your websites and logons, you can choose which logons to share or give another trusted (legal) third party your password manager information to be shared with your spouse in the advent of your untimely demise. This may sound depressing, but it actually gave me and my wife more peace of mind.
The cons of my password manager experience
As much as I liked using the password manager, it has cons. Here are the top ones I noticed:
It might not support all your devices and browsers: You have to install the password manager on all devices you will be using. My password manager had versions for all the devices and browsers I use. Most password managers only support two or three browsers, usually Google Chrome, Microsoft Edge and Microsoft Explorer. If you like another browser, you may want to see if a particular password manager supports it, or you may have to fall back to another browser you like less.
Most work only with web-based browser logons: Most password managers only work with web sites. They won’t log you onto your computer, device, or corporate network.
A single point of failure: If you lose your master password or other identifying information, you could lose access to all your passwords all at once.
It didn’t work with all websites: My password manager did not work with some websites. The problem was usually that the password manager didn’t automatically recognize that I was logging onto a new website, and I had to call it manually. Sometimes it would not auto-fill a website. Other times even the copying passwords from the password manager to the logon fields would not work. When that happened, I had to type in long and complex passwords manually. It was a painful, I rarely had to do it.
Unauthorized changes: For unknown reasons, when I installed my password manager on my smartphone, the installation disabled my smartphone’s storage encryption and boot-up PIN. When I realized that it was disabled and re-enabled it, my password manager indicated that it would not be able to log onto my phone for me. I’m fine with that. I’m not fine with the software disabling my boot-up encryption software setting, especially without clearly communicating that it was doing so.
Unexplainable crashes: There were a few unexplainable crashes where the password manager just quit. I could easily restart it in a few seconds, but there are apparently still bugs to be worked out. I have read of cases where the password manager program got so corrupted from a crash that it became unusable, meaning the users might be out of luck for all those long and complex passwords they just created. I didn’t experience that, and most password managers will let you make an encrypted backup of your data so that if the program manager crashes that badly you can recover after a re-install. My guess is that these sorts of big programming corruptions will lessen over time.
Trusting single sign-on: The single biggest con is the risk of any single sign-on (SSO) method, where a hacker can compromise the mechanism that contains all your passwords. This is a very real risk. I don’t get regularly compromised (once in over 30 years), but if your computer is regularly compromised by hackers or malware, you probably shouldn’t use an SSO method. If the local password manager password vault is stolen, without the attacker also getting the master password, the password database would be worthless. I’m assuming if they can get the password vault, they can record your master password as well. If a hacker gets onto your computer and can access your password manager, they are going to get the passwords they want to get anyway (although the password manager or any other compromised SSO method might make it easier).
Overall, I’m very happy using a password manager, small warts and all. It works as advertised and I feel more secure for having made the switch. I no longer have easily crackable passwords or passwords that fit a particular pattern. My biggest fear is that if everyone started to use password managers, it is likely that more hackers and malware would target them more frequently and aggressively and make the SSO-risks appear more often.