You cannot stay safe without a password manager: without one, you soon end up reusing passwords, writing them on a piece of paper or making them simple enough to remember. A password manager spares you all that, but it does introduce a new risk: you put all your eggs in one basket, and sometimes you don't even know where that basket is. What types of password managers are there and what are the risks? We give six tips for password management.
A good password must meet many conditions. It should not be too easy to guess, so it should be long enough and consist of a mix of letters, numbers and special characters. The disadvantage is that such a password is difficult to remember. That may still work for one password, but using the same password for all kinds of websites and services is not recommended either. After all, someone who steals that password will then have access to all your website accounts. And remembering a whole range of unique, good passwords is beyond most of us.
You are therefore dependent on a password manager, which remembers the passwords for you. There are various types of password managers and in this masterclass we will review the most important ones, with their advantages and disadvantages.
01 Browser Password Manager
Most browsers already have a rudimentary password manager built in. The options are limited, but they are certainly suitable for easily saving the passwords you enter when you log in to websites. It is also difficult not to use them: if you have entered a password, they will ask by default whether they should save it.
Don't make a habit of automatically clicking Save the next time your browser asks that question, because browser password managers aren't always that secure. In the summer of 2016, for example, it turned out that someone had broken into the servers of Opera Sync, the service that allows users of the Opera browser to synchronize their login data between different devices. The passwords were stored encrypted in Opera Sync so that the thief would normally not be able to see them, but if you used a weak master password (see box 'A strong master password'), the passwords might be crackable.
In general, browsers' built-in password managers haven't really evolved much in the last five years. An exception is Google, which introduced a central place in 2015 where you can manage which passwords Chrome remembers. Access to the website is even secured with two-step authentication.
02 Standalone Password Manager
A good password manager does more than store passwords. It also helps you generate strong passwords, because people are notoriously bad at that. As a result, all kinds of standalone password managers have emerged: programs that (as their name suggests) help you manage passwords.
Because they have more features than browsers' built-in password managers, they promote more secure password hygiene, such as choosing a different password for each website. A browser extension then takes care of the integration of the password manager with your browser.
03 Unsafe apps
A program to which you entrust something as sensitive as your passwords must of course be very secure. Unfortunately, that is where things often go wrong. For example, the German group of security experts TeamSIK (Security Is Key) recently found a lot of vulnerabilities in password managers for Android. According to them, these apps give users a false sense of security.
The researchers analyzed the most downloaded password managers on the Google Play Store and found as many as 26 vulnerabilities in the apps MyPasswords, Informaticore Password Manager, LastPass Password Manager, Keeper Passwort-Manager, F-Secure KEY Password Manager, Dashlane Password Manager, Hide Pictures Keep Safe Vault, Avast Passwords and 1Password – Password Manager. Some apps even stored the master password unencrypted. Others had a key hard-coded into the program code so that it was the same for all users. In either case, an attacker can gain access to your passwords.
Meanwhile, all the vulnerabilities that TeamSIK found have been fixed. But it is sobering to see that even developers of specialized security software fail to handle sensitive data such as passwords responsibly. And if you know that each of those apps has between 100 thousand and 50 million installs…
A strong master password
A password manager takes the task of remembering passwords off your hands, but of course it does not store those passwords unencrypted. Otherwise, it would be no better than writing all your passwords in a booklet. A password manager therefore encrypts the saved passwords. The key that the program uses is derived from your master password, which you enter to unlock the password manager. Since access to all your passwords then depends on a single password, it is obviously very important that this is a strong password that no one else can guess. So don't take the easy way out with an easy-to-remember password, but put in some extra effort to choose a strong one: at least 12 characters long (and the longer the better), with a random-looking mix of upper and lower case letters, numbers and special characters.
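How a key "derived from your master password" can work in practice is sketched below. This is an added example, not code from any of the products mentioned: the function names, the iteration count and the sample passwords are assumptions, and PBKDF2 is chosen here only because it ships with Python. It stores neither the master password nor a key shared between users, and it shows why a weak master password still falls to a short list of common choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # demo value (assumption); real products tune this to their hardware
COMMON = ["123456", "password", "welcome1", "qwerty"]  # constructed sample list


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def create_header(master_password: str) -> dict:
    """What is written to disk: salt, cost and a key check value, never the password."""
    salt = os.urandom(16)  # fresh per vault, so equal passwords still give different keys
    key = derive_key(master_password, salt)
    # Simplification: the check value stands in for the authenticated
    # encryption a real vault would apply to its entries.
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": ITERATIONS, "check": check}


def unlock(header: dict, master_password: str):
    """Return the vault key if the password is right, otherwise None."""
    key = derive_key(master_password, header["salt"], header["iterations"])
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["check"]) else None


def is_guessable(header: dict, wordlist) -> bool:
    """Audit check: does the master password appear in a list of common choices?"""
    return any(unlock(header, guess) is not None for guess in wordlist)


if __name__ == "__main__":
    alice = create_header("welcome1")
    bob = create_header("welcome1")
    print("same password, same key?", unlock(alice, "welcome1") == unlock(bob, "welcome1"))
    print("weak master password guessable:", is_guessable(alice, COMMON))
    strong = create_header("v7#Qm!x2Lr9&Tz")  # constructed sample password
    print("strong master password guessable:", is_guessable(strong, COMMON))
```

The slow key derivation only makes each guess more expensive; a master password that is on a common-password list is still found after a handful of attempts.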