For years, I've been reading predictions about new technologies that will render passwords obsolete. Then I click through and inspect the details and I wind up shaking my head. There are plenty of clever identity technologies working their way into the mainstream, but passwords will remain a necessary evil for many years to come.
And unless you want to be a sitting duck on the Internet, you need a strategy for managing those passwords. Large organizations can create sensible password policies and use single-sign-on software, but small businesses and individuals are on their own.
As best practices go, the rules for creating passwords are simple: Use a random combination of numbers, symbols, and mixed-case letters; never reuse passwords; turn on two-factor authentication if it's available.
The dumbest passwords people still use
There's some disagreement on whether you should change passwords regularly. I think there's a valid case to be made for changing passwords every year or so for sites that contain important data, if only to avoid being innocently caught up in a database breach.
And, as far as I am concerned, the most important rule of all is use a password manager.
I have used several software-based password managers over the years and can't imagine trying to get through the day without one.
I know people who keep password lists in an encrypted file of some sort. That's exactly what a software-based password manager does. But that's where the resemblance stops.
In this article, I explain why I consider a password manager essential. I also tackle some of the arguments I routinely hear from skeptics.
The case for password managers
You can choose from dozens of third-party password manager apps and services, both commercial and open source. Despite some differences in user experience, they are all similar in their core features. On a PC running Windows or Linux, on a Mac running MacOS, or on a mobile device, you install an app that manages a database containing sets of credentials (usernames, passwords, and other required details). The contents of the database are protected with AES-256 encryption. To unlock the password database, you enter a decryption key (your master password) that only you know, and then allow the program to fill in the saved credentials so you can sign in on a webpage or app.
As an alternative, you can use the built-in password management tools built into your browser. (For a full discussion, see Password managers: Is it OK to use your browser's built-in password management tools?) Architecturally, these designs are similar to third-party tools, except that they're designed to work in a single browser ecosystem. They're an adequate choice (and certainly better than nothing!), but third-party solutions are more robust.
Password managers that sync your password database to the cloud use end-to-end encryption. The data is encrypted before it leaves your device, and it stays encrypted as it's transferred to the remote server. When you sign in to the app on your local device, the program sends a one-way hash of the password that identifies you but can't be used to unlock the file itself.
Also: Why nearly 50% of organizations are failing at password security TechRepublic
The companies that manage and sync those saved files don't have access to the decryption keys. In fact, if the developers have done their job properly, your master password isn't stored anywhere. It's your job to safeguard that secret, and if you forget the decryption key, you're out of luck. Even with the most powerful computing resources, there's no practical way to crack an AES-256 encrypted file that's protected with a strong personal key.
That architecture offers five distinct advantages over a DIY solution.
1) Browser Integration
Most password managers include browser extensions that automatically prompt you to save credentials when you create a new account or sign in using those credentials for the first time on a device. That browser integration also allows you to automatically enter credentials when you visit a matching website and to update the saved credentials when you change your password.
Contrast that approach with the inevitable friction of a manual list. You don't need to find a file and add a password to it to save a new or changed set of credentials, and you don't need to find and open that same file to copy and paste your password.
2) Password Generation
Every password manager worth its salted hash includes a password generator capable of instantly producing a truly random, never-before-used-by-you password. If you don't like that password, you can click to generate another. You can then use that random password when creating a new account or changing credentials for an existing one.
Most password managers also allow you to customize the length and complexity of a generated password so you can deal with sites that have peculiar password rules.
With the possible exceptions of John Forbes Nash, Jr., and Raymond Babbitt, mere mortals are not capable of such feats of randomization.
3) Phishing Protection
Integrating a password manager with a browser is superb protection against phishing sites. If you visit a site that has managed to perfectly duplicate your bank's login page and even mess with the URL display to make it look legit, you might be fooled. Your password manager, on the other hand, won't enter your saved credentials, because the URL of the fake site doesn't match the legitimate domain associated with them.
Also: Google releases Chrome extension to check for leaked usernames and passwords
That phishing protection is probably the most underrated feature of all. If you manage passwords manually, by copying and pasting from an encrypted personal file, you will paste your username and password into the respective fields on that well-designed fake page, because you don't realize it's fake.
4) Cross Platform Access
Password managers work across devices, including PCs, Macs, and mobile devices, with the option to sync your encrypted password database to the cloud. Access to that file and its contents can be secured with biometric authentication and 2FA.
By contrast, if you manage passwords in an encrypted file that's saved locally, you have to manually copy that file to other devices (or keep it in the cloud in a location under your personal control), and then make sure the contents of each copy stay in sync. More friction.
5) Surveillance Safeguard
Password managers generally offer good protection against "shoulder surfing." An attacker who's able to watch you type, either live or with the help of a surveillance camera, can steal your login credentials with ease. Password managers never expose those details.
Is there a case against password managers?
Even armed with those arguments, when I make that recommendation to other people, I typically hear the same excuses. Honestly, though, none of them hold up to scrutiny.
"I already have a perfectly good system for managing passwords."
Usually, this system involves reusing an easy-to-remember base password of some sort, tacking on a special suffix or prefix attached to that base on a per-site basis. The trouble with that scheme is that those passwords aren't random, and if someone figures out your pattern, they pretty much have a skeleton key to unlock everything. And a 2013 research paper from computer scientists at the University of Illinois, Princeton, and Indiana University, The Tangled Web of Password Reuse, demonstrated that attackers can figure out those patterns very, very quickly.
More importantly, this sort of scheme doesn't scale. Eventually it collides with the password rules at a site that, say, doesn't allow special characters or restricts password length. (I know, that's nuts, but those sites exist.) Or a service forces you to change your password and won't accept your new password because it's too close to the previous one and now you have another exception to your system that you have to keep track of.
Also: How to manage your passwords effectively with KeePass TechRepublic
And so you wind up keeping an encrypted list of passwords that are not exactly unique and not exactly random, and not at all secure. Why not just use software built for this purpose?
"If someone steals my password file, they have all my passwords."
No, they don't. They have an AES-256 encrypted blob that is, for all intents and purposes, useless gibberish. The only way to extract its secrets is with the decryption key, which you and you alone know.
Of course, this assumes you've followed some reasonable precautions with that decryption key. Specifically, that you've made it long enough, that it can't be guessed even by someone who knows you well, and that you've never used it for anything else. And if you've enabled multi-factor authentication, you've given a password thief one more very large hurdle to get over.
If you need a strong and unique password, you can generate one at correcthorsebatterystaple.net, which uses the surprisingly secure methodology from this classic XKCD cartoon. Other high-quality random password generators are available from 1Password, LastPass, and Random.org.
You definitely shouldn't write that key down on a sticky note or a piece of paper in your desk drawer, either. But you might want to write down that password and store it in a very safe place or with a very trusted person, along with instructions for how to use it to unlock your password file in the event something happens to you.
"I don't trust someone else to store my passwords on their server."
I understand the instinctive reaction that allowing a cloud service to keep your full database of passwords must be a horrifying security risk. Like anything cloud-related, there's a trade-off between convenience and security, but that risk is relatively low if the service follows best practices for encryption and you've set a strong master password.
But if you just don't trust the cloud, you have alternatives.
Also: 57% of IT workers who get phished don't change their password behaviors TechRepublic
Several of the password managers I've looked at offer the option to store a local-only copy of your AES-256 encrypted file, with no sync features whatsoever. If you choose that option, you'll have to either forgo the option to use your password manager on multiple sites or devise a way to manually sync those files between different devices.
As a middle ground, you can use a personal cloud service to sync your password files. 1Password, for example, supports automatic syncing to both Dropbox and iCloud, ensuring that you're protected even if one of those services is compromised.
"I'm not a target."
Yes, you are.
If you're a journalist working on security issues, or an activist in a country whose leaders don't approve of activism, or a staffer on a high-profile political campaign, or a contractor that communicates with people in sensitive industries, you're a high-value target. Anyone who fits in one of those categories should take opsec seriously, and a password manager is an essential part of a well-layered security program.
But even if you're not an obvious candidate for targeted attacks, you can be swept up in a website breach. That's why Have I Been Pwned? exists. It's easy enough for a compromised website to force you to reset your password, minimizing the risk of that breach, but if you've used that same combination of credentials elsewhere, you're at serious risk. And no matter how careful you are, you're always at risk of being fooled into handing over your credentials in a well-designed phishing attack.
Which password manager is right for you?
Any password manager solution is better than none.
The simplest solution is to use the password management tools built into your default browser or operating system. That option works especially well for anyone who is technically unsophisticated, has a limited number of credentials to store, and uses hardware and services from a single ecosystem. If you're setting things up for a friend or relative who has a Mac and an iPhone, for example, Apple's Keychain will suffice. Those who live in Google's ecosystem can probably get by with Chrome's password manager.
For those whose computing life is more complicated, a third-party solution is most appropriate.
Although most commercial programs offer a free tier, that option typically involves unacceptable limitations, such as a restriction on the number and type of devices you can use or the number of credentials you can save. A noteworthy exception is Bitwarden, a free, open source app whose free tier has no such limitations.
For personal use, most full-featured commercial options cost a few dollars per month; family subscriptions typically cost a bit more but allow five or six family members to share a subscription. These paid plans usually offer some more advanced features as well, including support for hardware-based authentication and the ability to share passwords securely.
Finally, most commercial password managers include business plans that allow central administration and robust organizational sharing and security. As a bonus, some business plans include free personal licenses so employees can manage personal passwords using the same tools they use for business.
We've put together a list of the best free and paid options here: Best Password Manager in 2021. Each entry in this list includes pricing details as well as a link to security information. Every paid program offers a free trial, and we strongly recommend taking advantage of those trials to see if a program is right for you.