Passwords and 2FA

Categorized as Privacy, Security

Almost every service you sign up for on the internet asks you to ‘create’ a new password. The hint is right there in ‘create’: they are NOT asking you to reuse the password you already use for all or most of your other accounts, but to generate a completely new one that is UNIQUE to that particular service.

Your email address or username is easy to find out, since it is usually public. So in most cases your password is the only thing keeping an account from unauthorised access. Many people then go on to create complex passwords (something random and unrelated to anything in their life) but store them in the browser for convenience. That is a mistake: a browser’s saved passwords are typically protected only by your operating-system login, so anything running under your account, including malware, can read them. Passwords should not be written down or stored anywhere unless you are sure they cannot be read without breaking strong encryption.

Password managers?

The answer is YES. A password manager solves the password problem once you get used to it: start by generating strong, random passwords, then go on to store your bank or payment card details and other sensitive information. You only have to remember one password, the ‘Master Password’, which is the key to the ‘vault’ where everything else is kept. It also keeps things organised; before I started using a password manager, I never realised I had over 200 accounts spread across different services on the internet.

Don’t you usually make a face when you are asked to change a password after a set period? Even that becomes easy, because you no longer have to be creative: just regenerate and replace the old entry in your vault. (Current guidance, NIST SP 800-63B, actually advises against forced periodic rotation and for changing a password as soon as there is evidence it was compromised; with a manager, doing that promptly is painless.)
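What “strong and random” means in practice, as an added example that is not code from the page or from any password manager: a generator built on Python’s `secrets` module with an entropy calculation, plus a diceware-style passphrase generator for the master password. The symbol set and the eight-word list are constructed for the demo (a real diceware list has 7,776 words). The point the code makes that the paragraph cannot is how to satisfy a “one of each class” policy without biasing the output: rejection sampling keeps the result uniform, whereas picking one character per class and shuffling does not.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"          # constructed set; avoids quotes/backslash some sites reject
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 86 characters

# Constructed eight-word list for the demo only; a real diceware list has 7,776 words (about 12.9 bits each).
DEMO_WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glyph", "harbor"]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def meets_policy(password: str) -> bool:
    """The usual 'at least one of each class' rule many sites enforce."""
    classes = (LOWER, UPPER, DIGITS, SYMBOLS)
    return all(any(c in cls for c in password) for cls in classes)


def random_password(length: int = 20) -> str:
    """Uniform over policy-compliant strings via rejection sampling.

    Picking one character per class and shuffling would be simpler but biases the
    distribution (fixed class counts), costing entropy; retrying a fresh draw does not.
    Conditioning on the policy costs a negligible fraction of a bit at this length.
    """
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def random_passphrase(words: int = 5, wordlist=DEMO_WORDS, separator: str = "-") -> str:
    """Diceware-style passphrase: easier to type and remember; entropy = words * log2(list size)."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    pw = random_password(20)
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    pp = random_passphrase(5)
    print(pp, f"{entropy_bits(5, len(DEMO_WORDS)):.1f} bits (demo list only)")
```

Twenty characters from an 86-symbol alphabet is about 128 bits; five words from a real 7,776-word list is about 65 bits, which is plenty for a master password that also has to survive an offline attack, and far easier to type on a phone.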

Are they hackable?

A password manager vendor never stores your master password. The client runs it through a slow key-derivation function (PBKDF2 with hundreds of thousands of iterations, or Argon2) to produce the key that encrypts your vault, and the server only ever sees the resulting ciphertext plus a further-hashed login value. So even when criminals get hold of account email addresses, or of the vendor’s own database, what they have is an encrypted vault that must be attacked offline, one master-password guess at a time, with the iteration count making every guess expensive. That protection only holds for a strong master password: a short or dictionary-based one can still be cracked offline. To date no reputable vendor is known to have leaked master passwords, though encrypted vault data has been stolen in vendor breaches, which is exactly the scenario the key derivation and your master password strength have to withstand.
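What “hidden behind thousands of rounds of hashing” means concretely, as an added example that is not code from the page or from Bitwarden (it also illustrates the AES-256/PBKDF2 mention in the Bitwarden entry below): a Python model of the client-side key derivation described in Bitwarden’s security whitepaper (PBKDF2-SHA256 with the lowercased e-mail as salt, then one extra round to produce the login hash), alongside the offline dictionary attack an attacker holding a breached record can mount. The e-mail address, word list and the reduced iteration count in `demo()` are constructed for the demo; the 600,000 default is an assumption to check against your own account settings.

```python
import hashlib
import hmac

# Bitwarden's current client default for PBKDF2-SHA256; older accounts may still be on 100,000
# (assumption: check Settings > Security > Keys in your own account).
DEFAULT_ITERATIONS = 600_000


def derive_master_key(master_password: str, email: str, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Client side. Salt is the lowercased e-mail, as in Bitwarden's documented scheme.
    This key (after further expansion) protects the vault and never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), iterations, dklen=32)


def auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side. One more PBKDF2 round, salted with the password, yields a login value
    that is not the encryption key. The real server hashes this again with its own salt
    before storing it; that step is omitted here."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode("utf-8"), 1, dklen=32)


def offline_guess(stored_auth_hash: bytes, email: str, wordlist, iterations: int):
    """What an attacker with a breached record can do: pay the full derivation cost per guess."""
    for guess in wordlist:
        candidate = auth_hash(derive_master_key(guess, email, iterations), guess)
        if hmac.compare_digest(candidate, stored_auth_hash):
            return guess
    return None


def demo(iterations: int = 2_000):
    """Low iteration count so the demo runs in milliseconds; at 600,000 each guess is 300x slower."""
    email = "alice@example.com"                                   # constructed
    wordlist = ["letmein", "qwerty", "password123", "hunter2"]  # constructed; real lists hold billions
    weak = "password123"
    strong = "plover-cinder-73-waxwing-sable"
    weak_hash = auth_hash(derive_master_key(weak, email, iterations), weak)
    strong_hash = auth_hash(derive_master_key(strong, email, iterations), strong)
    return (offline_guess(weak_hash, email, wordlist, iterations),
            offline_guess(strong_hash, email, wordlist, iterations))


if __name__ == "__main__":
    print(demo())  # ('password123', None)
```

The weak password falls on the third guess regardless of the iteration count; iterations only scale the attacker’s bill. A passphrase that is not in any list never falls to this attack, which is why the advice at the end of this post puts so much weight on the master password.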

Choice of password manager?

Bitwarden – A free password manager that I settled on after trying out a few others. It is fully open source and can be self-hosted by anyone. Apps are available for all major platforms and add-ons for all major browsers, so your passwords are at your fingertips everywhere. Your vault is encrypted on your device with AES-256 under a key derived from your Master Password (PBKDF2-SHA256 by default, Argon2id optionally in newer clients), so the server only ever holds ciphertext and only you can open it. One caveat: the web vault’s client code is served by the instance you log in to, so use only an instance whose operator you trust. Official instance – vault.bitwarden.com | My self-hosted instance – vault.sasach.work |

Dashlane or 1Password – These are proprietary and paid; where a free plan exists, it typically limits you to one device at a time. If you are happy to pay for the features, go ahead.

KeePassXC – Another free and open-source password manager that I use extensively; the database is encrypted with AES-256 (or ChaCha20) under a key derived with Argon2 in the current KDBX 4 format. The only drawback is that there is no real-time syncing across devices unless you pair it with a cloud storage service. The passwords live in a single encrypted file on local disk that you can move around offline. This suits people who don’t want their secrets anywhere on the internet, and it takes a fair amount of technical know-how to set up. I also have a self-hosted instance that is compatible with KeePass databases – KeeWeb.

I recommend Bitwarden over any proprietary solution: it is free or cheap, and you’ll also be supporting a company that supports FOSS (Free and Open Source Software). Here is a How-To guide for using Bitwarden. For self-hosting Bitwarden with all enterprise features unlocked, check Vaultwarden, an unofficial, lightweight reimplementation of the server that works with the official clients.

Two Factor Authentication (2FA)

On top of passwords, 2FA adds a second check that whoever is logging in really is the account owner. There are different kinds of 2FA. For people unfamiliar with the term, the OTP sent by SMS or email that some services (banking, for example) ask for is one kind. Most services now offer 2FA under ‘Security Settings’ along with a walkthrough of how to set it up. An authenticator app is the best of the common options: SMS codes can be intercepted by SIM swapping, and email codes are only as safe as the mailbox, whereas an app-generated (TOTP) code is computed on your own device from a secret shared at enrollment and never crosses a network. Any code you type can still be phished by a fake site that relays it in real time; where a service supports it, a hardware security key (FIDO2/WebAuthn) is the option that resists that. I personally use Aegis Authenticator for my 2FA needs, but I also suggest Authy as it provides multi-device sync for people who don’t use cloud backups. You can read about 2FA in detail here: What is 2FA?

What advice do I have for you?

  • Choose a really strong but memorizable master password for your vault (a long passphrase of several random words works well) and never write it down or store it anywhere.
  • Never store passwords in your web browser; turn off the ‘autosave passwords’ (or ‘offer to save passwords’) option in the browser settings.
  • Set a short auto-lock timeout for your password manager so the vault doesn’t stay unlocked for long if you step away from your device.
  • At the start it does seem overwhelming, but you’ll soon get comfortable and feel in control.
