Part of our Small Business series.
Prefer to watch instead? Catch our 2-part video series on password managers here.
Everyone talks about how your password needs to be better. It doesn’t have enough wacky symbols and numbers and capitals, it can’t have anything that looks like words, and it needs to be longer. If that’s not hard enough, it can’t look anything like any other password you’ve used before. And every service needs their own, even the forum you used once to get tips on marinating tofu:
“Ridiculous,” you mumble. “Tofu marinade fanclubs do not need a 30-character password.”
The Problem
And yet...the bad news doesn’t seem to go away. Every day there's another story of some idiot company that lost everyone's passwords, and how everyone needs to change again.
And the truth is they're right. All the stolen passwords get passed around between criminals, and they know that you use the same password for everything. If they are smart (and they are), they can use your email and password they bought from the LinkedIn breach, and try to use it on major banks, PayPal, email sites, and even your tofu marinade forum. And you're hosed.
Maybe you're a clever one: you normal password is 12345, but your LinkedIn password is 12345LI. Pretty tricky.
Except you're not that tricky. 1 in 50 LinkedIn users did the same thing to their normal password, and a different group did LI12345, and the bad guys can see everybody's tricks as they look through 117 million LinkedIn passwords.
And then they undo your trick, and make a little change to their program that tries everyone's password on paypal so that it tries 12345, PP12345. 12345PP, 12345paypal, and 12345PayPal.
And they get in and all your money is gone.
Any trick you can come up with to help you remember your passwords can be easily reversed by clever jerks. The only solution is for every password to be hard and not shared with any other site.
"But it's not fair!" you say. "How on earth can I remember 50 completely random passwords? That's a full time job and I've got stuff to do!"
The Solution
A password manager makes this problem go away. It is a little program that sits in your web browser and watches for passwords. If you tell it to remember a password, it gets added to a little list. When you sign up for a new service, it offers to generate and remember a perfectly complicated new password that no one will ever guess. And whenever you go back to one of those sites, it will remember everything so you can just click "ok".
But, but.." you say, "they always say that writing down your password is bad!"
And you're right. Sticky notes and and a file on your desktop are easy to find. But for lots of techno-jibber-jabber reasons, the good password managers are pretty safe. I don't recommend them for secret agents, mafiosos, or government officials, but for most of us, they're worth it.
When choosing a password manager, it's important to use a reliable and tested product. No Blue Light Specials or back-alley deals: you're going to entrust your life to this thing.
There are 3 top password managers right now. They have been tested for holes by passionate security nerds over the last 10 years and have come out in good shape.
Bitwarden (free version available). The best for most people. The free version is perfect for solo practices.
KeePassXC (completely free). A good option for those who do not want to trust any other company - it stays completely under your control.
1Password ($3-7/month). The premium option. It has the longest pedigree of excellence and has led the pack in ease and features for years.
I used to recommend Lastpass, but they have experienced some turmoil and some serious quality issues over the last 5 years. I hope they get their mojo back, but in the meantime, I cannot recommend them over these options.
Some companies make their sites hard to use with a password manager. For these, you may have to click on extra things when logging in. This may be a sign that their overall approach to security is dated and ineffective.
The Most Important Part
Password managers are not magic. The way you use it makes the difference between a valuable tool and a shiny toy. If you use one:
put everything in there, even the boring stuff. Make a habit of never typing a password on a web service.
Use the random generator for every password you have. Create the longest random string each site will allow you. Change all your non-random passwords to long random versions.
Make sure every device using your password manager is locked down tight.
Choose a strong master password for your password manager.
If your employees also log into important places, get a paid plan for all of you and use it to govern shared access and make sure their named accounts are strong.
If you want more protection, add Yubikey as a second factor to get into your password manager (example). This makes it almost impossible for attackers to steal your passwords. If you are the target of sophisticated, persistent attempts to steal your secrets, this approach is for you.
Extra Benefits
Done right, password managers have some unexpected benefits. It will protect you from phishing, from It will also make each of your passwords much better than you ever could.
Next Steps
Use a password manager to never type passwords into websites. Eliminating passwords in this way will save you time, annoyance, and is one of the most effective ways of protecting yourself from internet crime. It is fast and easy and you will thank yourself after two months.
Need help getting it right? We're just a call away.