The holiday season is a time for celebration, family, and ...
Should I use a Password Manager?
- By Loïc Calvez
We have been getting this question more often lately and that is a great sign that people are starting to understand risks and exploring solutions. In this blog, we will dive into the pros and cons and our recommendations (if you just want the answer: you should).
Quick recap on “what is a password manager”: a software or service designed to store and manage passwords securely (and we are not talking about saving your passwords in your browser, that is mostly a bad plan).
Let’s first clarify something, you still should use Multi Factor Authentication (MFA), a strong password is not enough. To further clarify, that MFA provider should not be your password manager, the whole point of MFA is to have two distinct sources of authentication, if both of those are coming from the same passwords manager, you are back to one factor.
Now let’s understand the main problem with passwords management, it’s hard! Creating strong passwords, different everywhere, and keeping them fresh by changing them regularly takes a lot of effort… Which is where passwords managers come in, by simplifying those tasks, they make it simpler to make the right decisions (strong, diverse, fresh).
The counter argument: but if my password manager gets hacked, they will have all my passwords! This is indeed true! So, we now must weight the two risks against each other:
- The risk of selecting a weak password, that might be used somewhere else on a service that will face it’s own hacks.
- The risk that a service that is designed with one purpose in mind: protecting passwords, actually gets hacked leading to your passwords getting released.
My money on the biggest risk is: #1, to which someone invariably brings up: but wasn’t LastPass hacked multiple times? And yes, they were hacked (them and many others) and they learned from it, all the hackers got is a bunch of encrypted passwords (protected by your master password, if that was a weak one, well….).
Which brings us to protecting your password manager, which now that we made the argument that you should use one, is the most important point. First, have a strong password, for reals. We are talking 20ish characters (more like a passphrase), with uppercase, lowercase, numbers, special characters, misspelled words, inside jokes, all things that will make that password (passphrase) easy for you to remember and impossible for someone else to guess. I am also going to be controversial here and suggest that you can even write it down! (in a secret place, ideally just the beginning (don’t write the end of it)). Second, enable MFA on it, and use an authenticator app (Google and Microsoft both have free ones) not SMS text or email. For businesses: Use Single Sign One (SSO) to make it even easier for your employees to make the right decisions.
And there you have it, a simple way to do the right thing. For businesses, this goes in line with our standard recommendation: make it easy for your employees to do the right thing and they probably will!