You’ve probably heard your favourite YouTuber talking about a password manager at some point. Regrettably, this post isn’t sponsored, but I’m going to try to pitch the software to you anyway.
The idea is simple: a password manager stores a database of your passwords so you don’t have to remember them all. But the way it does it keeps you far more secure than if you just wrote these passwords down yourself in a text file or on a piece of paper.
I know you love a list, so I came up with five reasons why you should start using a password manager right now.
And unlike those sponsored YouTubers, I don’t care which one you choose. I use 1Password, and it seems to be regarded as the best in class, but if you choose another one, that’s fine by me. My understanding is they’re all quite good. And some are even open-source.
Use the one that best fits your needs and your budget. But seriously, use one.
1. It has the convenience of a hand-written list without the vulnerability
Probably everyone has written down a password on a sticky note. I’ve seen passwords on whiteboards in an office before. And I used to write down my passwords on a piece of paper.
These are all terrible ideas from a security perspective. So why are they so common?
I can only speak for myself, but I did it because of convenience. I rarely sign into my government accounts, so there’s no way I’m going to remember my passwords for those. It’s way easier to have somewhere that I can look up my credentials when I need them.
But paper is also incredibly easy for anyone else to access. Thankfully that never happened to me, but it has happened to others. The only defence you have is how well you’ve hidden the thing.
A password manager gives you the same level of convenience. It will set you up with a vault where you can store your passwords. In fact, it’ll be more convenient because it will autofill log-in forms for you.
Where it differs from a list is the level of security. Your passwords sit behind the master password to your vault. If I steal your computer while the vault is locked, I won't be able to do much without that password. And even if I somehow get a copy of your vault file, it's useless to me unless I can guess your master password.
Password managers don't store your passwords as-is. They store an encrypted copy. The vault is decrypted only on your local device, using a key derived from your master password by a deliberately slow key derivation function (1Password uses PBKDF2 and additionally mixes in a Secret Key that never leaves your devices); the derived key is never sent to the provider's servers. The slowness is the point: an attacker who steals the vault file can only try master passwords one at a time, and each guess costs a full key derivation. I recommend watching Computerphile's video on the topic if you want to know more.
What you need to know is that your vault is meaningless ciphertext to anyone who doesn't have your master password, as long as that master password isn't something a guessing run will find. And it's far harder to get hold of your vault than it would be to grab a sticky note from under your keyboard.
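To make the "useless file" claim concrete, here is an added example (my own illustration, not 1Password's code or its actual encryption scheme): a master password is stretched with PBKDF2 into a key, the vault is encrypted and integrity-tagged, a wrong master password yields nothing, and an attacker holding the file has to pay the full key derivation for every guess. The iteration count, the stream cipher built from HMAC in counter mode (a stand-in for a real AEAD like AES-GCM so the example needs only the standard library), and the vault contents are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed parameters for this illustration. The iteration count is what
# makes each guess at a stolen vault expensive; production managers set it
# far higher than an ordinary password hash and raise it over time.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_key(master_password: str, salt: bytes,
               iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key. The salt is stored in
    the clear alongside the vault; the key exists only in memory on the device
    doing the (de)cryption and is never sent anywhere."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, both from the one KDF output.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream. Stand-in for a real AEAD
    (AES-GCM, XChaCha20-Poly1305); used here only to stay standard-library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag. Nothing in the output reveals
    the password or the plaintext to someone without the derived key."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt))
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(master_password: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the master password is wrong or the
    file was tampered with. Integrity is checked before anything is decrypted."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(derive_key(master_password, salt))
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def offline_guess(blob: bytes, candidates: List[str]) -> Optional[str]:
    """What an attacker holding a stolen vault file actually does: try master
    passwords one by one. Each attempt costs a full key derivation, so the only
    things that matter are the KDF cost and how guessable the password is."""
    for guess in candidates:
        if decrypt_vault(guess, blob) is not None:
            return guess
    return None


if __name__ == "__main__":
    vault = b'{"amazon.com": "yQz_DMQDh7W*Yrk!H$Y3FaH-x3RAN>iH!VmPhe"}'  # constructed
    blob = encrypt_vault("violable4NECROPSY.morris", vault)
    print(decrypt_vault("violable4NECROPSY.morris", blob) == vault)   # True
    print(decrypt_vault("password", blob))                            # None
    wordlist = ["123456", "password", "letmein"]
    # A weak master password falls to a tiny wordlist; the passphrase does not.
    print(offline_guess(encrypt_vault("letmein", vault), wordlist))   # letmein
    print(offline_guess(blob, wordlist))                              # None
```

The lesson in the last two lines is the caveat that matters: the encryption is only as strong as the master password behind it, because the file itself is the attacker's oracle. A vault protected by a dictionary word falls in a handful of guesses no matter how good the cipher is.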
2. You will never reuse a password again
I know you know that you shouldn’t reuse passwords. It’s great advice, but it’s hard to put into practice. You need an account for everything these days, so it’s common to end up with 100 or more. Who on Earth can remember 100 different combinations of usernames, passwords, and the sites on which they’re used? It’s not practical.
Based on the conversations I’ve had, it seems most people instead create a handful of good passwords, or maybe just one with variations, and use those for all their accounts. That’s certainly what I did for most of my life.
The problem is that it doesn’t matter how good your password is if someone else knows it. If any of your accounts gets breached, and it’s safe to assume eventually one will, any account that shares a password with it will be vulnerable.
People don’t usually get hacked because a criminal sat there guessing their password. Far more often some website’s user database gets breached, the stolen username/password list gets traded or dumped online, and attackers then replay those combinations against other sites, an attack known as credential stuffing. It works because most people don’t just reuse passwords; they also reuse usernames and email addresses.
Password managers help you mitigate this risk by making it far more practical to avoid reusing passwords. They do the remembering for you. You still only have to remember one password – the one for your vault. It’s all the convenience of reusing passwords with none of the risks!
As a bonus, most password managers will warn you if you’re reusing passwords between accounts. I actually couldn’t find one that doesn’t have this feature.
3. Password managers help you create better passwords
It’s one thing to use a different password on every site, but are they any good? If your Facebook password is “secretCode” and your Instagram one is “NOhackers”, I have bad news for you.
Thankfully, every password manager also has password generator functionality that helps you create absolutely ridiculous ones. I mean, you no longer need to remember it, so what does it matter if it’s “yQz_DMQDh7W*Yrk!H$Y3FaH-x3RAN>iH!VmPhe”?
It’s not generally considered a best practice to use passwords you find on random blog posts, so don’t use that one.
Now, I’ve heard some people push back and say they don’t like the idea of using intense passwords like that in case they decide to stop using their password manager someday. They’d prefer to use something they could remember if necessary.
No problem! Just change the settings on the generator so you end up with a passphrase: several words strung together with numbers or symbols between them, and maybe one word capitalised. What makes that strong is that the generator picks the words at random from a list of thousands, so each word adds a fixed, known amount of unpredictability. Words you choose yourself because they feel uncommon are far more predictable than they seem.
I ran the password generator on 1Password and got “violable4NECROPSY.morris”. That’s 24 characters, sure, but you could easily remember it. It’s just three words and two separators. This password sounds like something when you think of it, unlike “Q34in8!N@v!WG7MtaG3wG6z_” or even “CpNxprygHKNnMqWsBLmJpDrC”.
You’re also free to keep coming up with your own passwords if you choose. I rarely find myself doing that though.
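Here is an added example (my own code, not 1Password's generator) of the two generator modes described above, with the entropy calculation that explains why the passphrase is strong despite being pronounceable: strength comes from the number of random choices made, not from how the result looks. The 16-word list is constructed for the example; a real generator draws from thousands of words, so the Diceware list size (7,776 words, about 12.9 bits per word) is used for the realistic figure.

```python
import math
import re
import secrets
import string

# Constructed 16-word list so the example is self-contained. With only 16
# words each pick is worth 4 bits; a real list of thousands is what makes
# three words enough.
WORDLIST = [
    "violable", "necropsy", "morris", "lantern", "quartz", "meadow", "pylon", "saffron",
    "tundra", "velvet", "walnut", "zephyr", "anvil", "bramble", "cobalt", "dormer",
]
SEPARATORS = "0123456789.-_"
SYMBOLS = "!@#$%^&*_-+=.,:;?<>"
CHARSET = string.ascii_letters + string.digits + SYMBOLS


def random_password(length: int = 24, alphabet: str = CHARSET) -> str:
    """Characters chosen uniformly with the secrets module (a CSPRNG);
    random.random() is not suitable for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words: int = 3, wordlist=WORDLIST, separators: str = SEPARATORS) -> str:
    """word<sep>word<sep>word with one word upper-cased, the shape of the
    1Password output quoted in the text."""
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    idx = secrets.randbelow(words)
    chosen[idx] = chosen[idx].upper()
    return "".join(w + (secrets.choice(separators) if i < words - 1 else "")
                   for i, w in enumerate(chosen))


def entropy_random(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def entropy_passphrase(words: int, wordlist_size: int, separator_count: int) -> float:
    """Bits from the random choices actually made: the words, the separators
    between them, and which word got capitalised. Word length is irrelevant;
    a long word from a short list is still only one choice."""
    return (words * math.log2(wordlist_size)
            + (words - 1) * math.log2(separator_count)
            + math.log2(words))


def parse_passphrase(p: str, separators: str = SEPARATORS):
    """Split a generated passphrase back into its words (for sanity checks)."""
    return re.split("[" + re.escape(separators) + "]", p)


if __name__ == "__main__":
    print(random_password(), round(entropy_random(24, len(CHARSET)), 1))        # ~152.2 bits
    print(passphrase(), round(entropy_passphrase(3, len(WORDLIST), 13), 1))      # ~21.0 bits
    # Same three-word shape drawn from the 7,776-word Diceware list:
    print(round(entropy_passphrase(3, 7776, 13), 1))                             # ~47.8 bits
```

The gap between 21 bits and 47.8 bits is entirely the word list size, which is why a manager's passphrase is strong and a human's "three unusual words I thought of" usually isn't: you are drawing from a list you don't know the size of, and it is smaller than you think.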
4. Your password manager will be phish repellent
One of the most common ways for criminals to steal your information is through phishing. That’s when some jackass sends you an email, text message, or phone call in which they pose as a legitimate service and try to lure you to cough up sensitive information. You know those scary emails you get from a bank where you don’t even have an account? Or those Amazon emails about a problem with a package you didn’t order? Those are phishing attacks.
These interactions often try to create a sense of urgency. Or maybe they promise something that seems too good to be true. Either way, the goal is to get you to act, usually by downloading a file or clicking a link.
If the phish was well made, it can be extremely difficult to tell the email isn’t legit. And yeah, sometimes you might click the link just to see what’s going on.
You really messed up making it this far. You shouldn’t have opened the email, and you definitely shouldn’t have clicked the link. A better strategy would have been to open a new tab and go to the site in question to investigate. If there really is an issue, you’ll find it there. But since you’re here, your password manager can be your last line of defence.
Here’s what the legitimate Amazon.com login page looks like with 1Password installed.
Note the popup with my blacked-out email address. That’s never going to show up on a phishing site. Your password manager ties each saved login to the domain it was saved on and offers it only when the page’s actual domain matches, not when the page merely looks like Amazon. It won’t load that information on any other site, not even legitimate ones. Here’s what it looks like when I go to the legit login page for Minecraft:
I don’t have a Minecraft account, so nothing comes up. I also don’t have an account with any Amazon phishing sites and neither do you, so you’d see something like this. Then you’ll know to get off that site immediately. One caveat: this only protects you if you let the manager do the filling. If nothing comes up and you open the vault and paste the password in by hand, you’ve bypassed the check.
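As an added example of the matching rule behind that empty popup (my own code, not 1Password's; the mini-vault and the URLs are constructed), here is the decision a manager makes before offering a login. It compares the parsed hostname of the current page with the site each login was saved on, accepting only that host or a subdomain of it. Lookalike domains, the saved domain used as a subdomain of an attacker's domain, and the old `user@host` trick all fail because none of them change the real host. Real managers differ in detail (many match on the registrable domain using the public suffix list, and some let you demand an exact host match), but the principle is the same.

```python
from urllib.parse import urlsplit

# Constructed mini-vault: saved logins keyed by the site they were saved on.
VAULT = [
    {"site": "amazon.com", "username": "me@example.com",
     "password": "constructed-amazon-password"},
    {"site": "github.com", "username": "me", "password": "constructed-github-password"},
]


def hostname_of(url: str) -> str:
    """The parsed host, lower-cased, trailing dot removed. Userinfo
    ('https://www.amazon.com@evil.example/') and the path are not the host."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def site_matches(saved_site: str, current_url: str) -> bool:
    """True only when the page's host is the saved site or a subdomain of it.
    The check is on the parsed hostname, never on how the page looks or on
    whether the saved name appears somewhere in the URL."""
    host = hostname_of(current_url)
    saved = saved_site.lower()
    return host == saved or host.endswith("." + saved)


def logins_to_offer(vault, current_url: str):
    """What the autofill popup would show for this URL: nothing on a phishing
    domain, however convincing the page is."""
    return [entry for entry in vault if site_matches(entry["site"], current_url)]


if __name__ == "__main__":
    probes = [
        "https://www.amazon.com/ap/signin",                        # real: offered
        "https://amazon.com.account-verify.example/ap/signin",     # saved name as subdomain
        "https://amaz0n.com/ap/signin",                            # lookalike
        "https://www.amazon.com@evil.example/ap/signin",           # userinfo trick
        "https://www.minecraft.net/login",                         # legit, no account
    ]
    for url in probes:
        offered = [e["username"] for e in logins_to_offer(VAULT, url)]
        print(f"{hostname_of(url):45} -> {offered}")
```

Note what the subdomain rule implies: anyone who can serve content under a subdomain of a site you've saved (user-hosted pages, a forgotten test host) will see the popup too. That is the trade-off the stricter exact-host setting in some managers exists to remove.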
5. A password manager has your back
Look, sometimes we do everything we can to protect our data and the bad guys still get their hands on it. Maybe some website we haven’t used in years experiences a breach. Maybe someone else downloaded malware while using our computer and the malware compromised an account before we could remove it. This sort of thing can happen to anyone through no fault of their own.
With a password manager, if this does happen to you, you’ll be in a great place to begin with since that account will have had a unique password. Criminals won’t be able to credential stuff their way into more of your accounts.
But on top of that, most password managers have some sort of breach-monitoring feature (often marketed as dark web monitoring) that checks your saved email addresses and passwords against datasets of known breaches and tells you whether one of your accounts has been exposed. Each one does it a little differently, and some offer this service for free separately from their full software. They might even warn you if you try to use a password that has already appeared in a breach.
All of this is opt-in too. So if you have concerns about your email address being looked up in this way, just don’t opt-in.
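The "this password has already been exposed" warning is worth a closer look, because it raises an obvious question: how does the manager check without sending your password to someone? The usual answer is a k-anonymity range lookup against the Have I Been Pwned Pwned Passwords API (which several managers, 1Password among them, use for this). The client sends only the first five hex characters of the password's SHA-1 hash, gets back every suffix sharing that prefix, and finishes the comparison locally. Here is an added example of the client side (my own code, not any manager's); the response server is a constructed stand-in whose rows are computed with hashlib so it runs offline, and its breach counts are made up. The live fetcher is included for completeness but is not used by the demo.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple


def sha1_hex(password: str) -> str:
    """Pwned Passwords is keyed by upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def times_seen_in_breaches(password: str,
                           fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the 5-char prefix leaves the device. The
    response lists every suffix under that prefix as SUFFIX:COUNT lines, and
    the match is done here, so the service never learns which one you wanted."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def hibp_fetch_range(prefix: str) -> str:
    """Live fetcher for the real range endpoint (the API requires a
    User-Agent). Not called by the offline demo below."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


class FakeRangeServer:
    """Constructed stand-in for the API. Its rows are built with hashlib so
    the example runs offline; the counts are invented. It records every
    request so the demo can show that only 5-char prefixes were ever sent."""

    def __init__(self, breached: Dict[str, int]):
        self.received: List[str] = []
        self.by_prefix: Dict[str, List[Tuple[str, int]]] = {}
        for pw, count in breached.items():
            h = sha1_hex(pw)
            self.by_prefix.setdefault(h[:5], []).append((h[5:], count))

    def __call__(self, prefix: str) -> str:
        self.received.append(prefix)
        # A real response also carries hundreds of unrelated suffixes; one
        # filler row stands in for them here.
        rows = self.by_prefix.get(prefix, []) + [("0" * 35, 1)]
        return "\r\n".join(f"{s}:{c}" for s, c in rows)


if __name__ == "__main__":
    server = FakeRangeServer({"password": 3861493, "letmein": 20321})  # constructed counts
    for candidate in ["password", "letmein", "violable4NECROPSY.morris"]:
        print(candidate, "->", times_seen_in_breaches(candidate, server))
    print("sent to server:", server.received)   # prefixes only, never the full hash
```

Since the full hash never leaves your device, opting in to this check reveals far less than the phrase "dark web monitoring" suggests; the email-address lookups the post mentions next are a different matter, because there the address itself is what gets queried.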
There are way more reasons to use this software
Frankly, this article just scratches the surface of what a password manager can do for you. The software can help you securely store ID cards, medical records, credit card information, and much more. They’re far more than just a list of passwords.
Are you going to start using one, or do you already have one installed? Let me know in the comments.