If there’s one problem we all experience, it’s having too many online accounts and passwords to remember. To solve this problem, we’ve developed a very bad habit: using the same passwords all the time. But there’s a much better solution: using a kind of software called a password manager.
By Marc-André Gagnon, information security specialist.
The way a password manager works is that you enter all your passwords into a database that itself is highly secure—a kind of digital vault. There are two kinds of password managers: local and cloud-based.
Local password managers
Local password managers save your passwords in a local database on your own computer. Your information never leaves your computer, and you are responsible for backing up your database manually at regular intervals. The two big players in this category are KeePass and Password Safe. Both of these software packages are open-source and free.
KeePass for Windows was audited by the European Commission's EU Free and Open Source Software Auditing project (EU-FOSSA) in 2016, and no critical vulnerabilities were found in it. This represents a good guarantee that the source code is free of any major flaws or “back doors”.
Because both KeePass and Password Safe are open-source, there are dozens of clones and derived versions of them, for all platforms (Windows, Linux, iOS, Android). But you have to be careful, because these clones do not provide any guarantees against vulnerabilities. If you’re concerned about security, use only the official versions.
Cloud-based password managers save your database of passwords in the cloud. They represent an interesting compromise, in terms of ease of use and security. If well implemented, cloud-based password managers are considered secure and offer some additional benefits:
they support all browsers;
they let you access your passwords on all your devices at any time;
they let you share certain passwords with other users, such as your spouse or your children;
they let you monitor attempts to access your account, define trusted devices, and so on;
some of them let you define an emergency contact who will be able to access your password database if anything happens to you.
Like all other cloud-based services, cloud-based password managers charge an annual fee (although LastPass does offer a worthwhile free version).
Can the software provider (or a hacker) access my passwords?
The provider cannot read your database, because it is encrypted with your master password. All of the encryption and decryption operations are performed locally on your own computer, and your master password is never transmitted to the provider in any way. If this complex technology is properly implemented in accordance with best practices, it is considered impossible for the provider or potential hackers to decrypt your passwords without your master password.
Choose a master password that is complex and unique. Try to have 15 characters or more, including letters, numbers, and special characters. This password is going to protect all your others, so you can’t afford to be lazy! One good method is to use the first letter of each word in a sentence that will be easy for you to remember. For example, you could set your master password as “ta12aitb, ok?” and remember it with the sentence “There are 12 apples in this bag, OK?” For more details on this method, I recommend an article by Bruce Schneier.
You’ll have to remember your master password, because there is no way to recover it. Some cloud-based password managers may offer options to make it easier to recover, but these options are still limited, because the provider can’t decrypt your information and doesn’t know your master password.
Activate two-factor authentication For cloud-based password managers, two-factor authentication involves associating your account with your smart phone or other smart device (there are other options as well). Once you activate two-factor authentication, you will be allowed to access your database only if you enter your master password AND you demonstrate that you have physical access to the smart device that you have associated with your account. Thus, even if your password is compromised (by a virus, for example), the attack will be blocked by a second factor.
I think this is the best way to make your account secure with the least effort. By the way, that’s true not just for your cloud-based password manager but for all your other cloud-based accounts—Google, Apple, Facebook, Microsoft, Amazon, etc.!