Password Managers: Possibly the best security advice

Using a password manager solves multiple problems:

  • Not using the same password for every account
  • Using strong passwords for every account
  • Reducing the number of passwords you need to remember
  • Letting a trusted family member reach your accounts in an emergency

A password manager can be a vital part of keeping your accounts safe, but the manager itself then becomes your most valuable account, so it needs protecting in turn. We will discuss why using a password manager may be the best advice we could give, what to look for when choosing one, and what steps to take to keep your password vault secure. You might be thinking, “This sounds expensive” or “This has to be complicated.” Good news: there are free password managers that are trusted and recommended by security professionals, so this is another “Security 101” item that doesn’t cost a dime, and most of them are simple to use.

If after reading through this you would rather not use a piece of software or web application as your password manager, we discuss a paper-only option at the end of this post.

How does this help me? Let’s briefly talk about the importance of passwords. With the rate at which companies and websites are breached, it is essential to have a different password for every site. Even a long, complex password that nobody could guess is not enough on its own, because the site storing it can lose it for you. You may be asking, “Why does a different password matter if I have a complicated one?” There are countless examples of one breached (“hacked”) website leading to other accounts being taken over. One of the better-known cases involves the founder of Facebook, Mark Zuckerberg. LinkedIn was breached in 2012, and when the stolen data surfaced online in 2016 it contained the usernames and (weakly hashed, and therefore largely cracked) passwords of a large share of LinkedIn’s users. Mr. Zuckerberg’s LinkedIn password was in that list, and because he had used the same password on Twitter and Pinterest, attackers logged in there and defaced those accounts to prove a point. The LinkedIn breach was not the first time, nor will it be the last, that a company was hacked and customer usernames and passwords ended up in the hands of criminals. They take these compromised credentials and perform what is known as “credential stuffing”: running the leaked username/password pairs against other well-known websites, usually with automated tools, to see which other accounts they can get into.

To provide a real-world example, let’s say you had a Yahoo email account when Yahoo was breached. In the Yahoo breach, login credentials (username/email address and password) were stolen and traded among criminals. If you used the same login information for your bank, medical provider, income tax software, etc. that you used on Yahoo, such as youremail@yahoo.com and P@ssw0rd (not a good password, by the way), the attackers would now also hold the login information for your bank, tax software, and medical records.

Back to why having a different password for each account matters. Let’s stick with the Yahoo example. You would get a notice from Yahoo stating they were breached and that you need to change your Yahoo password immediately. The biggest problem with that notice is that it will never say, “Oh, by the way, if you ever used the same password on any other account, you must change it there too, because that account is also compromised.” That is doubly true if you used the same email address (youremail@yahoo.com) along with the same password everywhere, since the attacker then has a ready-made login for every site. If you used a password manager and had a different password for each account, the notice to change your Yahoo password would be all you need to act on. One account gets hacked and you change one password, not 25 other passwords on sites you may have forgotten you even signed up for.

You may be asking, “How does using a password manager mean I only have to change my Yahoo password?” If you were using a password manager correctly, you would already have a different password for your bank, tax software, doctor’s website, Yahoo account, and so on. A unique password per account contains a breach to that one account, because only that password needs to change. This not only saves you from changing 50 passwords when a breach occurs, it also dramatically increases the security of every account, because the manager lets you use long, random passwords you would never be able to remember yourself. Breaches will certainly continue to happen, so unique passwords for each account are a must.

Please Note: Having a “system” for your passwords, such as using the same 8-10 characters for every password and then adding the name of the website at the end, is NOT a good solution. As soon as one of those passwords leaks, the pattern is obvious to anyone reading the breach dump, and every other password can be derived from it. A “system” is not the same as using a password manager.
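The two points above (one breach should force exactly one password change, and a “system” is not unique passwords) can be checked against your own vault. Most password managers can export their contents as a CSV file; the following is an added example, not code from the original post or from any password manager vendor, that audits such an export for exact reuse and for shared-prefix “system” passwords and lists which accounts must be rotated after a given site is breached. The column names and all six entries are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed stand-in for a password-manager CSV export. The header layout
# (name,url,username,password) is an assumption; adjust it to match your
# manager's export. None of these are real accounts.
SAMPLE_EXPORT = """name,url,username,password
Yahoo Mail,https://mail.yahoo.com,youremail@yahoo.com,P@ssw0rd
Bank,https://bank.example,youremail@yahoo.com,P@ssw0rd
Doctor portal,https://clinic.example,youremail@yahoo.com,P@ssw0rd
Tax software,https://tax.example,youremail@yahoo.com,Summer2019!tax
Shopping,https://shop.example,youremail@yahoo.com,Summer2019!shop
Retirement,https://401k.example,youremail@yahoo.com,kG7!vP2#qL9mX4zRwB
"""


def load_vault(text):
    """Parse a CSV export into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reused(entries):
    """Return {password: [account names]} for every password used on more than one account."""
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(entry["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def find_pattern_reuse(entries, prefix_len=8):
    """Flag 'system' passwords: distinct passwords that share their first prefix_len characters.

    Exact duplicates are left to find_reused(); only passwords longer than the
    prefix are considered, so a shared prefix here always means a shared stem
    plus a per-site suffix.
    """
    by_prefix = defaultdict(list)
    for entry in entries:
        if len(entry["password"]) > prefix_len:
            by_prefix[entry["password"][:prefix_len]].append(entry)
    groups = {}
    for prefix, group in by_prefix.items():
        if len({e["password"] for e in group}) > 1:
            groups[prefix] = sorted(e["name"] for e in group)
    return groups


def accounts_to_rotate(entries, breached_name):
    """After a breach at `breached_name`, list every account whose password must change.

    With unique passwords this is a list of exactly one account.
    """
    leaked = {e["password"] for e in entries if e["name"] == breached_name}
    return sorted(e["name"] for e in entries if e["password"] in leaked)


def mask(password):
    """Never print vault secrets in full, even in a local report."""
    return password[:2] + "*" * (len(password) - 2)


if __name__ == "__main__":
    vault = load_vault(SAMPLE_EXPORT)
    for pw, names in find_reused(vault).items():
        print(f"reused {mask(pw)!r} on: {', '.join(names)}")
    for prefix, names in find_pattern_reuse(vault).items():
        print(f"shared stem {mask(prefix)!r} on: {', '.join(names)}")
    for site in ("Yahoo Mail", "Retirement"):
        print(f"breach at {site}: rotate {accounts_to_rotate(vault, site)}")
```

Run it against a real export only on a machine you trust, and delete the export file afterwards; an unencrypted CSV of your vault is exactly the thing the password manager exists to avoid leaving around.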

To learn more about how to determine if your username and password have ever been in a breach, read our post “Determine if your email address or password has ever been hacked.”

What can I do? Now that we have established how important a different password for each account is, and you are on board with using a password manager, you may be asking, “Which ones are the best?” or “What should I use?” That is hard to answer, because your requirements may differ from someone else’s. Your lifestyle may call for a password manager with online access and syncing between devices, whereas someone else may want one that only ever runs on their own computer. Knowing everyone’s needs differ, we won’t tell you what to use, but we can say what we would look for in a password manager.

  • First and foremost, it must offer multi-factor (two-factor) authentication, such as a YubiKey, an authenticator app, a printed paper grid, etc. You can read our post on multi-factor authentication to learn more.
  • While many trusted password managers have free tiers, we would favour products that also have a paid option. We aren’t saying you have to upgrade. It’s just that a paid option usually means money is being put into the product. A paid tier doesn’t by itself mean a product is more secure, but it makes it more likely the vendor has the resources to fix security vulnerabilities promptly when they are found.
  • Every password manager uses encryption; the question is where. Look for the vendor to state that your vault is encrypted on your own device with a key derived from your master password (often described as “zero-knowledge” or “end-to-end”), so the vendor never holds your master password or an unencrypted vault, and to name the cipher (typically AES-256) and the key-derivation function it uses (PBKDF2 or Argon2 are the usual choices). If a product doesn’t say how it encrypts your data, we would strongly suggest avoiding it.

It’s probably best to perform an internet search for something like “Top rated password managers” or “Most secure password managers” and see what a reputable source, such as PC Magazine, suggests. As of this writing, some of the most recommended are LastPass, Dashlane, KeePass, 1Password, and Roboform 8. Recommendations change, though: after this was written, LastPass disclosed (in December 2022) that backups of customer vaults had been stolen, which is exactly the situation where a strong master password and a strong key-derivation setting are all that protect you, so check recent news about any product before you commit to it. Keep in mind that the free tier of many password managers is more than enough for most people. Read our post on performing safe internet searching for tips.

What should I do next? Once you have a password manager in mind or have already signed up for one, here are a few steps we recommend:

  • First, make a strong master password. Our suggestion is at least 18-20 characters (more is better). Length matters most; complexity doesn’t hurt (say, at least 2 upper-case letters, 2 lower-case letters, 2 digits and 2 special characters), but do not trade length for it. A long phrase you can picture, with a few substitutions, works well, such as W@tchMySi11yD0gRunVERYF@st! This is the one password you still have to remember, and it must not be reused anywhere else.
  • Turn on multi-factor authentication. Multi-factor authentication is a MUST. If you pick a password manager that doesn’t offer it, choose a different one without question. This is something you cannot compromise on; it may single-handedly be the reason your password manager account doesn’t get hacked. One caveat: in most designs the second factor protects logging in to the vendor’s service, while the vault file itself is protected only by the encryption derived from your master password, so someone who obtains a copy of your vault is stopped by the master password alone. That is why the first step matters so much. For more information, read our blog post on multi-factor authentication in this Security 101 series.
  • Keep a written copy of your master password in a secure location such as a safe or locked drawer, in a sealed envelope or some other arrangement that lets you detect tampering. If you detect tampering, change your master password and the passwords for your most important accounts (your bank, email, retirement, etc.) as soon as possible, and find a new location for the written copy.
  • Write up instructions for a trusted family member on where the master password is stored and how to use it in case of an emergency. Don’t give them the master password itself, only the instructions for where to find it, and don’t forget to cover how they would pass the multi-factor authentication step(s) you chose (where the backup codes or second device are kept). Some password managers also offer a built-in emergency-access feature for a named trusted person; if yours does, that can replace or supplement the written instructions. Being able to get into a loved one’s accounts in an emergency is a huge benefit. Make sure you trust whomever you give the instructions to, and if that relationship ever changes, move the written copy, update your instructions, and give the updated copy to anyone who had the old one.

Please Note: If you ever change your master password, whether because it was compromised, you detected someone attempting to hack your account, a device was lost or stolen, etc., remember to update the written copy in its secret location (as outlined above).
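To put numbers on the master-password advice above, here is an added example (not code from the original post) that generates a random passphrase with the operating system’s cryptographic random source and computes how much guessing work it represents, compared with a character-by-character password of a given length. The 16-word list embedded here is a constructed stand-in so the code runs offline; in practice you would use a published list such as the EFF long wordlist, whose size (7,776 words) is only used below as a number.

```python
import math
import secrets

# Constructed stand-in wordlist (16 words = 4 bits per word). Real lists are
# thousands of words long; this one exists only so the example runs offline.
WORDLIST = [
    "watch", "silly", "dog", "run", "fast", "river", "copper", "lantern",
    "orbit", "maple", "velvet", "quartz", "harbor", "pixel", "cactus", "thunder",
]

EFF_LONG_LIST_SIZE = 7776  # size of the EFF long wordlist, used here only as a number


def bits_per_word(wordlist_size):
    """Entropy contributed by one word chosen uniformly from a list of this size."""
    return math.log2(wordlist_size)


def passphrase_entropy_bits(num_words, wordlist_size):
    """Entropy of a passphrase of num_words words drawn uniformly and independently."""
    return num_words * bits_per_word(wordlist_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(wordlist_size))


def char_password_entropy_bits(length, alphabet_size):
    """Entropy of a length-character password drawn uniformly from alphabet_size symbols.

    A human-chosen password like W@tchMySi11yD0gRunVERYF@st! is far from
    uniform, so this is an upper bound for it, not its real strength.
    """
    return length * math.log2(alphabet_size)


def generate_passphrase(num_words, wordlist, separator="-"):
    """Pick words with secrets (the OS CSPRNG), never with random.random()."""
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(6, WORDLIST))
    print("bits, 6 words from the 16-word stand-in:",
          passphrase_entropy_bits(6, len(WORDLIST)))
    print("bits, 6 words from a 7776-word list:",
          round(passphrase_entropy_bits(6, EFF_LONG_LIST_SIZE), 1))
    print("words needed for 80 bits from a 7776-word list:",
          words_needed(80, EFF_LONG_LIST_SIZE))
    print("bits, 20 random printable ASCII characters (94 symbols):",
          round(char_password_entropy_bits(20, 94), 1))
```

The design point is that a passphrase drawn from a large list by a CSPRNG has a known strength you can compute, whereas a sentence you invent yourself does not; the key-derivation function in the password manager then multiplies the attacker’s cost per guess, but cannot add entropy the passphrase never had.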

What if I don’t want to use a password manager? If you are one of those “tin foil hat” types who won’t put your passwords in software, whether stored locally on your computer or in “the cloud”, consider a paper method such as the one offered by Steve Gibson of the Gibson Research Corporation at https://www.grc.com/ppp.htm. (GRC designed “Perfect Paper Passwords” as a one-time passcode system; what follows is our own adaptation of the printed grid as a static lookup table.) The grid is a good alternative to remembering numerous complex passwords, and it can also make the master password for a password manager strong yet easy to recall. Once you have generated a grid, you only need to know that the password for your bank is the cells A1, B5, E7, G2 and C6. Make a couple of copies and store them in several locations in a way that lets you detect tampering. This probably goes without saying, but don’t store the grid in the same place, the same envelope, or on the same piece of paper as the coordinate keys for your websites (A1, B5, E7, etc.) or the logins (usernames such as your email address) for each site.

We know, it sounds confusing, so here’s an example. In an envelope in your safe, or in your wallet/purse, store your password grid. In a desk drawer in your office, or on your phone, store the key to your websites (email: A1, B5, E7, Q1) together with the login (username) if needed. This way, if you lost your wallet or someone broke into your safe, all they would have is the grid. It means nothing to them unless they also stole your phone and knew what <bank, first.last, A1, B5, E7, Q1> means. If you want a soft copy, create an encrypted archive with a complex password you can remember and store it on a removable drive (USB, SD card, etc.); use an archiver’s AES option (7-Zip, for example) rather than the legacy ZIP password protection, which is weak. We would not store the file directly on your computer, phone or tablet. To be somewhat sneaky, you can list the website (such as Best Buy) followed by what look like names and numbers, such as John.Doe53, Jane.Doe34, Sally.Fields47 and Bob.Williams21. To someone else it means nothing, but to you it’s the website, your login (firstname.lastname) and your key for that site of J5, J3, S4 and B2.
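The paper scheme above rests on two separate secrets, the grid and the coordinate key, and it helps to see what each one is worth. The following is an added example, our own stand-in and not GRC’s PPP generator, that builds a 10×10 grid of random four-character cells with the OS random source, assembles a site password from a coordinate key such as A1 B5 E7 G2 C6, and computes the guessing work an attacker faces with and without a copy of the grid. The alphabet, grid size and cell length are assumptions chosen to be easy to read from paper.

```python
import math
import secrets
import string

# Assumed layout: 72 unambiguous-to-type symbols, 10 columns x 10 rows, 4 chars per cell.
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@"
COLUMNS = "ABCDEFGHIJ"
ROWS = range(1, 11)
CELL_LEN = 4


def generate_grid():
    """Return {coordinate: cell_text}, e.g. {'A1': 'kG7!', ...}, filled from the OS CSPRNG."""
    return {
        f"{col}{row}": "".join(secrets.choice(ALPHABET) for _ in range(CELL_LEN))
        for col in COLUMNS
        for row in ROWS
    }


def render_grid(grid):
    """Lay the grid out as text suitable for printing."""
    header = "    " + "  ".join(col.center(CELL_LEN) for col in COLUMNS)
    body = [f"{row:>2}  " + "  ".join(grid[f"{col}{row}"] for col in COLUMNS) for row in ROWS]
    return "\n".join([header] + body)


def random_key(num_cells):
    """Pick a coordinate key for one site, e.g. ['A1', 'B5', 'E7', 'G2', 'C6']."""
    return [f"{secrets.choice(COLUMNS)}{secrets.choice(ROWS)}" for _ in range(num_cells)]


def password_from_key(grid, key):
    """The site's password is the cells named by its key, read in order."""
    return "".join(grid[coord] for coord in key)


def entropy_if_grid_secret(num_cells):
    """Attacker has neither grid nor key: must guess every character of the password."""
    return num_cells * CELL_LEN * math.log2(len(ALPHABET))


def entropy_if_grid_stolen(num_cells):
    """Attacker holds the grid: only the coordinate key (one of 100 cells per position) is unknown."""
    return num_cells * math.log2(len(COLUMNS) * len(ROWS))


if __name__ == "__main__":
    grid = generate_grid()
    print(render_grid(grid))
    key = random_key(5)
    print("key:", " ".join(key), "->", password_from_key(grid, key))
    print("bits against a stranger:", round(entropy_if_grid_secret(5), 1))
    print("bits against someone holding the grid:", round(entropy_if_grid_stolen(5), 1))
```

The numbers are the caveat: a five-cell password is about 123 bits against someone with no grid, but only about 33 bits against someone who has photographed it, because they are then guessing coordinates rather than characters. Thirty-three bits is fine against a website that limits login attempts and hopeless against an attacker cracking a leaked password hash offline, which is why the grid and the keys must be stored apart, and why a site whose hash has leaked should get a new key (and a new grid if the old one may also have been seen).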

Just as with the password manager, don’t forget to give a trusted family member or friend instructions on where to find everything and how to use it to access your accounts in the event something happens to you.