Why you need a password manager
You probably have dozens and dozens of online accounts, at least.
Accounts, accounts, accounts
Every online account you have, and have ever made, has a unique, random, and alphanumeric password, right? No password is used more than once, ever? If so, skip this section.
Chances are, if you have too many accounts, you just use the same username and password for a lot of them. I used to do this too, until I learned the risks of doing so. Well, technically speaking, if each and every site is properly configured, this shouldn’t be a problem. In a perfect world, all passwords are encrypted before being sent, and are never stored in plaintext. The only version that exists on earth is hashed with a strong, modern algorithm and uses a unique, random salt that’s not used anywhere else. If that’s the case, then even in the event of a database leak, no information is disclosed, and can therefore not be used against you.
Great, but the world, very unfortunately, is anything but perfect. Not all websites are using HTTPS, and for those that do, not all are using the strongest encryption available. Many people enter their passwords on public computers, which can have keyloggers installed. And, though it is nearly impossible to detect from the outside, some sites don’t properly store passwords. Some just store everything in a file called passwords.txt and call it a day.
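To make the difference concrete, here is an added example (not part of the original article) that puts the "perfect world" storage described above, a slow hash with a unique random salt per account, next to a fast unsalted hash. The scrypt parameters and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: illustrative values, not taken from the article.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def make_record(password: str) -> dict:
    """What a site should keep: a fresh random salt and a slow hash."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return {"salt": salt.hex(), "hash": digest.hex()}


def check_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def unsalted_sha256(password: str) -> str:
    """The weak alternative: fast, and identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def reused_password_visible(hashes: list) -> bool:
    """True if a leaked table shows that two accounts share a password."""
    return len(set(hashes)) < len(hashes)


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    users = {"alice": "abc123", "bob": "abc123"}
    weak = [unsalted_sha256(p) for p in users.values()]
    strong = [make_record(p) for p in users.values()]
    print("unsalted table reveals reuse:", reused_password_visible(weak))
    print("salted table reveals reuse:  ",
          reused_password_visible([r["hash"] for r in strong]))
    print("login still works:", check_password("abc123", strong[0]))
```

With the unsalted table, anyone holding the leak can see which accounts share a password and can test one guess against every row at once; with per-account salts each row has to be worked on separately.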
Maybe you don’t care about that account on a not-so-secure site. But, if you re-use passwords, your other accounts may be at risk. If one platform has all of its passwords leaked, what happens then? Hackers know people re-use their usernames and passwords, and will therefore try all leaked username and password combinations on many popular, and some not-so-popular sites. If they manage to log in to your email, then they can reset passwords on all the other sites you’re registered for.
That’s why you should use a unique and strong password for every single site.
Ok, so using the same password over and over again isn’t a good idea. Neither is using tons of different, but weak, passwords. So, you need a way to generate and store lots and lots of good, unique, strong passwords.
If you only have a handful of accounts, and say, use Google sign in for everything, you’re probably just fine remembering a few passwords. But, if not, you need a way to generate and store all of those passwords.
This is where password managers come into the picture. Password managers are a very useful utility in the modern online world of accounts. All you need to do is remember one very strong master password, and your password manager stores all of the other passwords for you. Many password managers will also store your username, and will even auto-generate secure passwords for you.
The good password managers go the extra step, and make logging in online super easy. These password managers often exist as a browser extension, and will even auto-fill passwords for you. All you need to do when you want to log in is press a button, and your secure password, complete with username and all, is filled in. Password managers like this make it even easier to have secure passwords than typing in “abc123” for all your accounts.
My personal favorite when it comes to password managers is … LastPass. LastPass is even better than those good password managers I was talking about a paragraph ago. It exists as a:
- Browser extension
- Safari on Macs
- Mobile app for iOS
- Mobile app for Android
- Desktop app for macOS
- Desktop app for Windows
- Desktop app for Linux 🙂
And probably even more. All your data is securely synced across all of your devices.
LastPass automatically syncs all your passwords across all devices you have logged in to your account. This is great, because it makes it really easy to log in to your accounts, regardless of what device you’re using. In iOS 12, LastPass even supports entering passwords in any app on iOS.
Well, how is this done securely?
Glad you asked. All of your LastPass passwords are encrypted using your master password. Since you’re the only one that knows this password, you’re the only one capable of decrypting all of your other passwords. Not even LastPass itself is capable of decrypting all your passwords. They never even receive your master password, because it’s hashed well over a thousand times before being sent to them.
Even if someone did manage to hack their way into LastPass, and download the file containing all of your passwords, it’s absolutely useless to them. The weakest point in the entirety of the password manager is your master password. So, if you set your master password to ‘abc123’, and the file gets stolen, then yes, an attacker can decrypt everything. But, if your password is a good passphrase (e.g. “Th3Doct0r’sName!sBob”), rest assured that your data is secure.
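The general idea of "the service never receives your master password" can be sketched in a few lines. This is an added example, not LastPass's code and not part of the original article: it assumes PBKDF2-HMAC-SHA256, the account e-mail as salt, and made-up iteration counts, and `VaultServer` is a hypothetical stand-in for the service.

```python
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_100  # assumed; the article only says "well over a thousand"
SERVER_ITERATIONS = 100_000  # assumed


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password into the vault encryption key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ITERATIONS)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more one-way round; only this value leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


class VaultServer:
    """Hypothetical service: sees login hashes, never the password or the key."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, login_hash: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
        self.accounts[email] = (salt, stored)

    def login(self, email: str, login_hash: bytes) -> bool:
        if email not in self.accounts:
            return False
        salt, stored = self.accounts[email]
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
        return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    email, master = "user@example.com", "constructed sample passphrase"
    key = derive_vault_key(master, email)
    server = VaultServer()
    server.register(email, derive_login_hash(key, master))
    # A second device derives the same key from the same two inputs.
    key2 = derive_vault_key(master, email)
    print("same key on both devices:", key == key2)
    print("login ok:", server.login(email, derive_login_hash(key2, master)))
    print("server value equals key:", derive_login_hash(key, master) == key)
```

The iteration count is also what makes each guess at a stolen vault's master password expensive, which is why a short password like ‘abc123’ still falls quickly while a long passphrase does not.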
Another security feature you should be using for all of the online accounts that support it is two-factor authentication. Two-factor authentication adds a layer of security even in the event that your password is compromised. It generally consists of asking for a six-digit, time-dependent number that hopefully only you and the service know. This way, even if an attacker knows your username and password, they don’t have this number, so they can’t log in. This number is often sent to you via a text message, or generated via an app. When you set up an account, you are given a code to scan, and from then on, that app generates a code for you.
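For the app-generated variety, the code you scan usually carries an `otpauth://` URI holding a shared secret, and both sides compute the six-digit number from that secret and the current time (TOTP, RFC 6238). The following is an added example, not part of the original article; the URI is constructed from the RFC's published test secret, and the function names are my own.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample URI, as a QR code would encode it (RFC 6238 test secret).
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri: str) -> dict:
    """Extract the shared secret and parameters from a scanned otpauth URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    query = parse_qs(parts.query)
    b32 = query["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # restore the padding that URIs usually omit
    return {"secret": base64.b32decode(b32),
            "digits": int(query.get("digits", ["6"])[0]),
            "period": int(query.get("period", ["30"])[0])}


def totp(secret: bytes, at: float, digits: int = 6, period: int = 30) -> str:
    """HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = int(at) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, at: float, window: int = 1,
           digits: int = 6, period: int = 30) -> bool:
    """Service side: accept the current step plus/minus `window` for clock drift."""
    ok = False
    for step in range(-window, window + 1):
        expected = totp(secret, at + step * period, digits, period)
        ok |= hmac.compare_digest(expected, code)
    return ok


if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    code = totp(cfg["secret"], 59)
    print("code at t=59:", code)
    print("accepted 30 s later:", verify(cfg["secret"], code, 59 + 30))
    print("accepted 5 min later:", verify(cfg["secret"], code, 59 + 300))
```

Because everything is derived from the shared secret, losing the device that holds it means losing the ability to generate codes unless the secret was backed up or synced.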
One of the reasons I like LastPass is because they also have a mobile app called LastPass Authenticator. This takes care of two factor, and will sync these codes across all your devices that support that app. I used to use Google Authenticator, but when I got a new phone, I lost all of my two factor keys, and it took me a while to regain access to all of my accounts. Had I been using LastPass, all the codes would have been synced, and I wouldn’t have needed to go through the tedious process of disabling two factor on all of my accounts.
Leave your favorite password manager in the comments!
Originally published at www.nerdoflinux.com on October 29, 2018.