Thursday, August 9, 2018

Does Every Internet User Need a Password Manager?

The answer is a definite YES! A good password manager is second only to good security software for protecting your personal data—and it’s a close second. It not only protects passwords, it also adds great convenience to your digital life.

Of course it’s important to protect your passwords, but think about how many you have and the sheer magnitude of the task. Think about how hard it is to remember them. Think about where you have them written down. Think about how many times you’ve used a child’s birthday or a pet’s name as a password—and how easy that would be to guess. So security is reason number one.

Reason number two is convenience. Filling out, not just passwords, but all those online forms is a pain. A password manager can auto-fill those for you. More about that in a moment.

Just What Is a Password Manager?


A password manager is usually a piece of software, although it can be a hardware device, usually something that looks like a flash drive. I’m going to assume software because that is what I’m familiar with and it seems the most common.

Any password manager shares the same basic characteristics. It stores passwords in an encrypted (coded) form in a secure vault and uses a master password to access the stored passwords. Beyond that, password managers can and do have many other useful features. I've been using Dashlane for several years, so I'm going to use that as an example of what is typical of the best ones.



This is a screenshot of one account on my mobile phone (a router that I no longer own) as an example of some of the things a password manager does. Notice that I have also covered my email address and password. The password is shown with the typical dots but notice (second line) that you can see it or copy it, which is very useful. My password isn't very good and I've reused it 30 times--just like most of us do.

As a result, the password has been compromised. Dashlane describes a password as being compromised when any account that uses the password has been hacked.

This information and more is shown on the screen on my laptop. I'm showing part of that below so you can see the menu, but I can't show more without revealing user names or blacking out a huge space. I also can't show a pulldown box that lets the user change an account's category (about a dozen categories like business, news, and so forth allow passwords to be organized), delete it (like my closet, I should keep my passwords neater, deleting ones like the unusable Linksys), share it (with caution, although it is a useful feature) and enable auto-login, which I love but don't manage as actively as I should.

The graphic below lets you see what the same basic information looks like on a laptop screen. They are both usable, just different. I often prefer to use the mobile for a quick login to a site where I just want to check something.

Features of Password Managers


The highly-rated password managers generally have the same basic features. What they do and do not have is explicitly stated on each site. The graphic is the Dashlane menu which has a number of features in addition to password management. The only other Vault feature I use is the Payments feature, although I could probably make good use of others.



My personal favorite, although it is not the most important from a security standpoint, is the autofilling of forms. I have to fill out a lot of forms because I often ask for information from websites. It’s so annoying to fill out a several-item form and try to submit it, only to discover that I have to go back and correct a typo. So the password manager makes my online life faster and more convenient and I love it for that. However, auto-fill is not an unmixed blessing: more about that in the Drawbacks section a little further on.

My second favorite thing is that the password manager can store credit card numbers and fetch numbers and billing info while the user is filling out an order. The password manager requires the master password in order to access a credit card, even though the user has already signed in, adding an extra level of security. It also adds to the ease of making purchases online, so you want to watch out for that! I try to be even safer by storing only one credit card online, that one being the one I use for everyday online purchases. Because I use it so much, that credit card gets hacked from time to time, and the bank immediately and graciously cancels it and issues a new one. That means the credit card in my password manager gets changed more frequently than my other credit cards and that’s good.

Most password managers offer a free trial and the user should take advantage of it before deciding. Full-featured password managers are not free and their prices and scope of coverage (mostly additional devices) vary greatly, so be sure to comparison shop. I'm going to do a post on searching soon which will help a lot of people make online comparisons among different products.

The Security section also has useful information. The mobile capture shows an alert I received recently with the company name blacked out since I don't know the status. I immediately changed my password, using the Password Changer feature seen on the menu screen above. It gives strong passwords like bu9zibGWTCuc with a single command. All sites with sensitive data should use a strong, unhackable password like this and with the password manager a user doesn't have to make it up or remember it.

The Password Health screen again shows I don't really pay enough attention. Most of the passwords shown are not the result of a site that has been hacked, although some of them are. They are the result of using the same password as a site that has been hacked. That makes those passwords indirectly unsafe, I think. What I should do is first go through and delete the sites I never use and then change the passwords on the remaining sites. At the very least I should go through the list and see if there are any sensitive sites, primarily those with financial data, listed.
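
The check described above (a password counts as compromised when any account that uses it has been hacked) can be sketched as follows. This is an added example, not Dashlane's code: the vault entries, breach list, site names and status labels are all constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample vault entries (site, password); none are real accounts.
VAULT = [
    ("router.example", "fluffy2009"),
    ("news.example", "fluffy2009"),
    ("forum.example", "fluffy2009"),
    ("shop.example", "Winter!Sale"),
    ("broker.example", "Winter!Sale"),
    ("bank.example", "bu9zibGWTCuc"),
    ("blog.example", "tulips"),
    ("photos.example", "tulips"),
]
BREACHED_SITES = {"forum.example", "shop.example"}    # constructed breach feed
SENSITIVE_SITES = {"bank.example", "broker.example"}  # sites holding financial data

def fingerprint(password, key):
    """Keyed digest so equal passwords can be grouped without comparing plaintext."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()

def audit(vault, breached_sites):
    """Return {site: status}: breached, reused-with-breached, reused, or ok."""
    key = os.urandom(32)  # per-run key; the fingerprints mean nothing outside this run
    groups = defaultdict(list)
    for site, password in vault:
        groups[fingerprint(password, key)].append(site)
    report = {}
    for sites in groups.values():
        exposed = any(site in breached_sites for site in sites)
        for site in sites:
            if site in breached_sites:
                report[site] = "breached"              # the site itself was hacked
            elif exposed:
                report[site] = "reused-with-breached"  # indirectly unsafe
            else:
                report[site] = "reused" if len(sites) > 1 else "ok"
    return report

def change_first(report, sensitive_sites):
    """Sites with an exposed password, sensitive (financial) sites listed first."""
    exposed = [s for s, st in report.items() if st in ("breached", "reused-with-breached")]
    return sorted(exposed, key=lambda site: (site not in sensitive_sites, site))

if __name__ == "__main__":
    result = audit(VAULT, BREACHED_SITES)
    for site in change_first(result, SENSITIVE_SITES):
        print(site, result[site])
```

The sites marked `reused` share a password with each other but not with any hacked site, so they are cleanup candidates rather than urgent changes.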

That suggests two more recommendations. First, be selective in setting up accounts on sites. If you do, give no more information than absolutely necessary. The best advice about storing credit card data is just don't do it. If your email address is taken in a hack, that's one thing. If your credit card is stolen, that's a big problem!

Second, think of your password manager account as a closet that needs to be kept clean. If you are prompted to save a password, be sure it is a new one. Otherwise you wind up with a dozen listings for the same account. There will inevitably be a few dups that should be removed manually to ensure that the right password is being fetched.

Possible Drawbacks of Password Managers


Like any other online operation, it is possible for password manager companies to be hacked. Security teams search the web for soft spots and all the major password managers have been called out at one time or another for a vulnerability that could open the door for hackers. These announcements are made public and the password manager firms appear to have been quick to work on the flaws in their software, unlike many of their colleagues in other lines of work. Security experts themselves use password managers and point out that the benefits of using a password manager outweigh the risks.

Auto-filling is one of those risks. The process allows some hacking routines to syphon off email addresses. If you use it, as I do, be selective. As with everything else about this subject, the better protected the site itself is (a bank, for instance) the safer your data will be. If the site is questionable, the security of your data will be also.

A Final Piece of Advice


When you decide to try out a password manager be sure it is pinned to your start menu. Then it will be ready when you need to use it--and I think you'll be using it a lot!

Consumer Reports has an open article on password managers that you should read before searching for one.

Stay safe!

Update 8/10/18
I forgot to mention that all the major browsers have a password manager. I checked mine on Firefox (Options => Privacy and Security). It has features like saving passwords and autofill. None of my research sites recommended using the password manager on a browser and some specifically recommended against it. That makes sense to me. Browsers are exposed to a lot of websites and that would increase the chance of picking up malware. Keeping passwords in the "locked vault" of a secure app seems to be better advice.
