5 things you should know about password managers

Tools such as Last Pass and Dashlane can save you a lot of headaches

New data breaches are coming to light almost weekly and they reveal a simple but troubling fact: many people still choose weak passwords and reuse them across multiple sites. The reality is, remembering dozens of complex passwords is almost impossible, and carrying them around on a scrap of paper that you have to keep updating is a huge hassle. That’s why password managers exist. Here’s why they’re important, and how to get the most out of them.

Password variety is important

With password leaks being a case of “when” and not “if,” you should limit the damage attackers can do by choosing a different password for each online account. Remembering all those passwords is hard without making them predictable, and that's where password managers can play a big role. They’re available for most browsers and operating systems, including mobile ones, and provide a hassle-free login experience.

Password complexity matters

Most password managers can generate complex passwords for you, and that's important. Websites generally store cryptographic representations of passwords called “hashes,” but depending on the algorithm used, those hashes can be cracked. The more complex a password, the less chance an attacker will be able to recover it from the hash, so it's good practice to use passwords with 12 or more characters, combining upper and lower case letters, numbers, and special symbols.

Usually, you'll still need to remember a master password that logs you into your password manager. You may also want to know your password for a few critical accounts, like email, in case the password manager is unavailable for some reason. In that case, sequences of words combined with digits and uppercase letters can be just as difficult to crack. An example would be DogsCatsRabbitsMyTop3Animals. These are typically referred to as passphrases, because they’re longer.

Offline vs. online

Password managers employ a variety of security models. Some are offline, like KeePass, Password Safe or Enpass, which means they don’t synchronize across different devices: you have to move the encrypted database between the various instances of the program each time you add or change a password, or use a cloud sharing service like Dropbox to keep the database in sync. Others, such as LastPass, Dashlane and 1Password, automatically synchronize your passwords across different devices, and some even provide Web-based access to your password “vault.”

If you choose one of the service-based implementations, pay attention to the architecture and make sure it decrypts the database locally inside the application or browser, without ever sharing the master password with the service provider.

Don't rely on a master password alone

Protecting all your passwords with a single master key isn't the best idea, because it can create a single point of failure. But many password managers offer two-factor authentication, where accessing the password vault also requires a one-time code sent via SMS or generated by an app such as Google's Authenticator. Make sure the password manager you choose has this feature, and turn it on.

Even when you’re using a password manager, it's a good idea to enable two-factor authentication (sometimes called two-step verification) for all your online accounts that offer it. An extra layer of protection never hurts.

Make use of other security features

Some password managers offer the option to log you out after a period of inactivity. That’s useful, because it's not a good idea to keep the password vault open for extended periods of time, especially on a shared computer. Logging you out automatically can limit the damage if your computer gets temporarily infected with malware. It's also best not to flag devices as “trusted,” which disables two-factor authentication for that device.

Join the CSO newsletter!

Error: Please check your email address.

Tags password managerssecurity

More about DropboxGoogle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place