According to password-management software developer NordPass, the favorite password of 2020 was 123456, and it was exposed almost 24 million times that year alone. Other popular password choices included ‘123456789’ and ‘password’. Although no reputable company will ever allow users to provide such hopelessly insecure passwords to protect sensitive accounts, studies like this do illustrate the fact that many people have developed lax password habits.
Most people use weak passwords wherever they are allowed to and reuse them across dozens of different online accounts. This is hardly surprising, given that the same study also found that the average internet user has about 100 sets of login credentials to remember. Password fatigue is a serious problem, and it encourages people to reuse passwords, even ones that would otherwise be secure on their own.
Reusing passwords is a common problem and one that is beyond the control of individual websites. For example, while an online bank might force you to provide a complex alphanumeric password, they cannot stop you from reusing the same password as you have been using for dozens of other websites and services. The obvious issue here is that, if an attacker manages to get their hands on the password, they may be able to gain access to every other online account you use with the same password.
It may be tempting to think of a complex password as foolproof. However, while a sufficiently long password consisting of letters, numbers, and symbols is practically impossible to crack with a brute-force attack, reusing it still carries significant risks. A social engineering attack, for example, may dupe an unsuspecting victim into giving away a password, regardless of its complexity. Unencrypted passwords are also frequently exposed in bulk in password leaks, when attackers break into databases containing login credentials.
Those who are more aware of the risks have typically developed the habit of using unique and complex passwords for accounts holding highly sensitive information, such as online banks or payment processors. At the same time, they might use a simple password for other accounts that do not hold a lot of sensitive data, such as news sites or subscriptions for free software trials. Again, however, this is far from an ideal solution, since users still have to remember the passwords for their more important accounts.
You have probably already noticed that a lot of online accounts let you log in using the same credentials you use for a popular email or social media service. For example, many websites let you log in using a Facebook or Google account. This process is known as single sign-on (SSO), which is popular in businesses due to the productivity benefits it brings: people do not have to spend nearly as much time resetting forgotten passwords or trying to enter an account multiple times only to get locked out after several failed attempts.
A password manager follows the same concept, albeit on a greater scale. Instead of entering your login credentials each time you visit a website, you just use one master password to enter all of them. At the same time, each individual website has a unique set of login credentials, but you do not need to remember them all off by heart since they will be stored in the password manager’s database. A good password manager goes even further by creating highly secure random passwords for you, whenever you create a new account. That way, you do not even need to remember them, which also makes them safe from phishing attacks. Many solutions can also be configured to automatically fill out other information, like names and addresses in online order forms.
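The two ideas above, random password generation and a single master password that unlocks everything, in a small added example (not code from the original article or from any password manager product). It generates passwords from a cryptographically secure source, estimates how long a brute-force search would take (the guess rate of 10 billion per second is an assumed figure), and derives a vault key from the master password with scrypt so that the same master password always yields the same key and nothing else does.

```python
import hashlib
import hmac
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Build a password from the OS CSPRNG (secrets), never from random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def brute_force_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to guess a password of the given entropy, assuming the
    attacker tries half the keyspace at an assumed rate of 10^10 guesses/second."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Derive the 32-byte key that would encrypt the vault from the master password.
    scrypt is deliberately slow and memory-hard, so brute-forcing the master
    password offline is expensive; without the password the key cannot be recovered."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def verify_master_password(candidate: str, salt: bytes, stored_key: bytes) -> bool:
    """Check a master password attempt against the stored key in constant time."""
    return hmac.compare_digest(derive_vault_key(candidate, salt), stored_key)


if __name__ == "__main__":
    # Constructed comparison: the 2020 favourite (6 digits) versus a generated 20-char password.
    weak_bits = entropy_bits(6, 10)
    strong_bits = entropy_bits(20, len(ALPHABET))
    print(f"123456: {weak_bits:.1f} bits, ~{brute_force_years(weak_bits):.2e} years")
    print(f"{generate_password()}: {strong_bits:.1f} bits, ~{brute_force_years(strong_bits):.2e} years")
    salt = secrets.token_bytes(16)  # a fresh random salt per vault
    key = derive_vault_key("example master passphrase", salt)
    print("unlock with correct master password:", verify_master_password("example master passphrase", salt, key))
```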
In the end, using a reputable password manager can greatly increase your online safety while also helping you boost your productivity by not having to remember dozens or even hundreds of passwords. In other words, a good password manager can offer an optimal blend of security and convenience.
All of the major web browsers already have password managers built in. Google Chrome, for example, can remember all your login information. That said, none of these integrated password managers can compete with the popular standalone products. For one thing, a lot of browsers store your passwords locally on your computer in unencrypted form, which means they could be compromised unless you are using a full disk encryption solution like BitLocker. While using full disk encryption is highly recommended, it is not supported on all devices.
Mozilla Firefox is the better choice when it comes to browser-based password managers since it does at least give you the option to encrypt your password database. However, it lacks important features like random password generation, and it does not synchronize across all platforms.
A dedicated password manager potentially offers a far more powerful solution. Here are some important features to look out for:
It is important to remember that, like any other software, not all password managers are made equal. While a password manager can make it much easier to use strong passwords that are practically impossible to guess or brute-force, it can also be a single point of failure. For example, if you forget your master password, then you can end up losing all your passwords at once. Or, even more worryingly, an attacker might be able to steal all your login credentials in one hit.
To mitigate these concerns, you need to do two things: Firstly, you need to have a very strong master password that you have never used before and do not intend to use for other accounts. Secondly, you need to factor in a recovery option just in case you forget your master password.
When it comes to password recovery, different password managers provide different options. For example, popular solutions LastPass and Dashlane let you pre-authorize an emergency contact to access your account with their own set of login credentials, allowing you to reset your own. These solutions, among others, also offer recovery options using biometrics or other authentication factors.
However, if none of these recovery solutions work, then you will probably need to reset your master password, which usually means losing all login and form data stored in the account. If that happens, you will need to manually reset your passwords for all the accounts you have been using the password manager for, which can be very time-consuming.
While using a reputable password manager can be enormously beneficial for productivity and security, they should not be taken for granted. For example, synchronizing passwords across more devices adds risk, especially in the case of mobile devices, which carry a higher risk of loss or theft. It is also a good idea to avoid using a password manager for your highest-value accounts, such as online bank accounts or payment processors. Instead, a password manager is ideal for everyday use, for things like social media accounts and other subscription-based websites. That said, a good password manager should still be safe for protecting high-value accounts too since they will keep you informed about password hygiene and let you know if your passwords should be updated.
A good password manager is an extremely useful tool to have for bolstering your online safety and productivity. It provides excellent protection against the risks of reusing passwords, and since even you will not know the random passwords generated for each account, they are all but immune to social engineering attacks that target login credentials. However, that does not apply to the master password which, of course, you should be extremely careful to protect – a social engineering attacker might, after all, target your master password.
Ultimately, a password manager is an important security tool to have, but that does not mean you can afford to ignore other factors concerning your online security, such as virtual private networking and network firewalls.