Protect Your Credentials – Our Guide To Password Managers

The Vegetable of the Internet

Password managers are the vegetables of the internet. We know they’re good for us, but most of us are happier snacking on the password equivalent of junk food. For nearly a decade, that’s been “123456” and “password” – the two most commonly used passwords on the web. The problem is, most of us don’t know what makes a good password and aren’t able to remember hundreds of them anyway.

The safest (if craziest) way to store your passwords is to memorize them all. (Make sure they are long, strong, and secure!) Just kidding. That might work for Memory Grand Master Ed Cooke, but most of us are not capable of such fantastic feats. We need to offload that work to password managers, which offer secure vaults that can stand in for our memory. [1]

I’m not just talking to you either. When you’re playing tech support for half a dozen family members this holiday season, why not get them set up with a password manager while you’re at it? The whole internet will thank you. Silently.

The Convenience and Security of Password Managers

A password manager offers convenience and, more importantly, helps you create better passwords, which makes your online existence less vulnerable to password-based attacks. [1] It’s a better and safer alternative to reusing the same two or three passwords. [2]

During setup, you’ll be required to generate a strong master password, and then add your credentials to the password manager, either manually or through the password manager’s automatic tool that can find and upload credentials for you. [2] However, all password managers secure your passwords somewhat differently.

A web-based password manager keeps your passwords encrypted in secure databases in the cloud. Some are built into your favorite web browsers, like Safari, Chrome, and Firefox. Others store your passwords locally in an encrypted file on your computer, tablet, or phone. Either way, for anyone – including the government or a malicious hacker – to read your passwords, they would need your strong master password to decrypt the password manager’s database. [2]

Bitwarden – The Best Choice for Most Users

Bitwarden is secure, open source, and free with no limits. The applications are polished and user-friendly, making the service the best choice for most users. Did I mention it’s open source? That means the code that powers Bitwarden is freely available for anyone to inspect, seek out flaws, and fix. In theory, the more eyes on the code, the more airtight it becomes. [3]

Bitwarden was also audited for 2022 by a third party to ensure it’s secure. You can install it on your own server for easy self-hosting if you prefer to run your own cloud. There are apps for Android, iOS, Windows, macOS, and Linux, as well as extensions for all major web browsers. [4]

One of my favorite Bitwarden features is its semiautomated password fill-in tool. If you visit a site you’ve saved credentials for, Bitwarden’s browser icon shows the number of saved credentials from that site. Click the icon, and it will ask which account you want to use and then automatically fill in the login form. This makes it easy to switch between usernames and avoid the pitfalls of autofill that we mention at the bottom of this guide. [1]

Bitwarden also supports passwordless authentication, meaning you can log in with a one-time code, biometric authentication, or a security key. It also has excellent support for passkeys, including the ability to log into Bitwarden with a passkey, which means you don’t need to use your username or password even to open your vault. [1]

1Password – The Swiss Army Knife of Password Managers

What sets 1Password apart from the rest of the options is the number of extras it offers. Like other password managers, 1Password has apps that work just about everywhere, including on macOS, iOS, Android, Windows, Linux, and ChromeOS. There’s even a command-line tool that will work anywhere. [5]

I still find Bitwarden to be a more economical choice for most people, but there are some very nice features in 1Password that you won’t find elsewhere. If you frequently travel across national borders, you’ll appreciate my favorite 1Password feature: Travel Mode. This mode lets you delete any sensitive data from your devices before you travel and then restore it with a click after you’ve crossed a border. This prevents anyone, including law enforcement at international borders, from accessing your complete password vault. [1]

1Password also offers tight integration with other mobile apps. Rather than needing to copy and paste passwords from your password manager to other apps (which puts your password on the clipboard at least for a moment), 1Password is integrated with many apps and can autofill. This is more noticeable on iOS, where inter-app communication is more restricted. [1]

The Risks of Browser-Based Password Managers

Most web browsers offer at least a rudimentary password manager. (This is where your passwords are stored when Google Chrome or Mozilla Firefox ask if you’d like to save a password.) This is better than reusing the same password everywhere, but browser-based password managers are limited. [1]

In recent years, Google has improved the password manager built into Chrome, and it’s better than the rest, but it’s still not as full-featured or widely supported as the dedicated password managers discussed above. [1] Apple’s macOS password manager, Keychain Access, also works great, but it’s limited to Apple devices. [1]

The main problem with Apple’s built-in password manager is that if you own any non-Apple devices, you can’t sync your passwords to them. All in on Apple? Then this is a viable, free, built-in option worth considering. But for most of us, a dedicated third-party password manager is the way to go.

Self-Hosted Password Managers

If you’re the type who wants to retain more control over your data in the cloud, you can sync your password vault yourself using a file-syncing service like Dropbox, NextCloud, or Edward Snowden’s recommended service, SpiderOak. [1]

Enpass and KeePassXC are two services that don’t store any of your data on their servers. Instead, they use a local vault to store your data, and then you can sync that vault using a file-syncing service. This means attackers have nothing to target on the service’s servers. [6,7]

The downside is that it’s a little more complex, as you’re managing two services – the password manager and the file sync. But if you’re already using a file-syncing service, this can be a good option. Enpass and KeePassXC both offer all the features you’d expect in a password manager, including auto-generating passwords, breach-monitoring, and biometric login support. [6,7]

The Rise of Passkeys

A concerted effort to get rid of passwords began roughly two days after the password was invented. Passwords are a pain – you’ll get no argument here – but we don’t see them going away in the foreseeable future. [1]

The latest effort to eliminate the password comes from the FIDO Alliance, an industry group aimed at standardizing authentication methods online. Enter passkeys – generated cryptographic keys managed by your device (usually your phone) that are easy to create and use, with nothing to remember. [1]

Passkeys are supported by all the major password managers we’ve discussed, including Bitwarden and 1Password. They work by generating a unique public-private key pair for each account you have. The website you’re logging into has the public key, and your device has the private key, allowing you to authenticate without a password. [1]
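Here is the exchange described above boiled down to its cryptographic core, as a Go program I’m adding to this guide. It is not the FIDO2/WebAuthn protocol itself and not code from Bitwarden, 1Password, or the FIDO Alliance; the message formats, the site names, and the account name are my own. The device generates a key pair per site and account, the site keeps only the public key, and logging in means signing a fresh random challenge that the site checks once and then throws away.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// authenticator stands in for the user's device: one private key per
// (site, account) pair, never handed out.
type authenticator struct {
	keys map[string]ed25519.PrivateKey
}

// relyingParty stands in for a website: public keys only, plus the challenge
// it most recently issued to each user.
type relyingParty struct {
	id      string
	pubs    map[string]ed25519.PublicKey
	pending map[string][]byte
}

func newAuthenticator() *authenticator {
	return &authenticator{keys: map[string]ed25519.PrivateKey{}}
}

func newRelyingParty(id string) *relyingParty {
	return &relyingParty{id: id, pubs: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// register creates a fresh key pair for this site and account. The private
// half stays on the device; only the public half goes to the site.
func (a *authenticator) register(rp *relyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.id+"|"+user] = priv
	rp.pubs[user] = pub
	return nil
}

// newChallenge issues a random, single-use nonce for one login attempt.
func (rp *relyingParty) newChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// signedData binds the signature to both the site identity and the challenge.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// assert signs the challenge with the key registered for exactly this site ID.
// Any other site ID has no key on the device and gets no signature.
func (a *authenticator) assert(rpID, user string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID+"|"+user]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}

// verify accepts a signature only over the challenge it actually issued, then
// discards that challenge so the same signature cannot be replayed.
func (rp *relyingParty) verify(user string, challenge, sig []byte) bool {
	want, ok := rp.pending[user]
	if !ok || !bytes.Equal(want, challenge) {
		return false
	}
	delete(rp.pending, user)
	pub, ok := rp.pubs[user]
	return ok && ed25519.Verify(pub, signedData(rp.id, challenge), sig)
}

// login runs one full exchange: the site issues a challenge, the device signs
// it, the site verifies. No password is ever sent or stored.
func login(a *authenticator, rp *relyingParty, user string) (bool, error) {
	challenge, err := rp.newChallenge(user)
	if err != nil {
		return false, err
	}
	sig, err := a.assert(rp.id, user, challenge)
	if err != nil {
		return false, err
	}
	return rp.verify(user, challenge, sig), nil
}

func main() {
	device := newAuthenticator()
	site := newRelyingParty("example.com") // constructed sample site
	if err := device.register(site, "alice"); err != nil {
		panic(err)
	}
	ok, err := login(device, site, "alice")
	fmt.Println("login at example.com:", ok, err)
	_, err = login(device, newRelyingParty("example.org"), "alice")
	fmt.Println("login at example.org:", err)
}
```

Two properties fall straight out of the code: the site’s copy of the public key is useless for impersonating you, since a stolen public key cannot produce a signature, and the device only ever signs for the exact site ID the key was registered under, so there is no shared secret to type into the wrong place.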

While passkeys aren’t a radical departure from password managers, they’re still an improvement by virtue of being a preinstalled tool for people who aren’t going to read this article and immediately sign up to use a password manager. If millions of people suddenly stop using 12345678 as a password, that’s a win for security. [1]

The Importance of a Strong Master Password

No password manager is perfect, but the ones above represent the best I’ve tested. They’re as secure as they can be while remaining easy to use. The main vulnerability is someone else getting hold of your master password. [8]

That’s why it’s so important to create a strong, unique master password. Don’t reuse the same password you use for other accounts. Make it long, complex, and random. Consider using the Diceware method for generating a secure master password that’s also easy to remember. [1]
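Since Diceware is just “roll dice, look up a word, repeat”, here is a Go version I’m adding to this guide so you can see where the strength comes from. It is not the official Diceware tool, and the 36-word list below is a constructed stand-in indexed by two dice (the real list has 7776 words indexed by five dice, and the code handles that size too via diceNeeded). The dice come from the operating system’s cryptographic random source, never from math/rand.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// sampleWords is a constructed 36-entry list indexed by two dice (rolls 11
// through 66). The real Diceware list has 7776 words indexed by five dice.
var sampleWords = []string{
	"apple", "brick", "cloud", "delta", "eagle", "flame",
	"grape", "honey", "igloo", "jelly", "kite", "lemon",
	"mango", "night", "ocean", "piano", "quilt", "river",
	"stone", "tiger", "umbra", "vivid", "whale", "xenon",
	"yacht", "zebra", "amber", "bison", "cedar", "dune",
	"ember", "fjord", "glide", "harp", "iris", "jade",
}

// rollDie returns 1..6 from the OS CSPRNG.
func rollDie() (int, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(6))
	if err != nil {
		return 0, err
	}
	return int(n.Int64()) + 1, nil
}

// indexFromRolls maps die rolls to a zero-based list index by treating the
// rolls as base-6 digits: 1,1 -> 0, 6,6 -> 35, 6,6,6,6,6 -> 7775.
func indexFromRolls(rolls []int) int {
	idx := 0
	for _, r := range rolls {
		idx = idx*6 + (r - 1)
	}
	return idx
}

// diceNeeded returns how many dice index a list of the given size
// (36 -> 2, 7776 -> 5).
func diceNeeded(listSize int) int {
	n := 0
	for p := 1; p < listSize; p *= 6 {
		n++
	}
	return n
}

// passphrase draws n words from list with fresh rolls per word. If the list
// size is not a power of six, out-of-range rolls are simply rerolled, which
// keeps every word equally likely.
func passphrase(list []string, n int) (string, error) {
	dice := diceNeeded(len(list))
	words := make([]string, 0, n)
	for len(words) < n {
		rolls := make([]int, dice)
		for j := range rolls {
			r, err := rollDie()
			if err != nil {
				return "", err
			}
			rolls[j] = r
		}
		if idx := indexFromRolls(rolls); idx < len(list) {
			words = append(words, list[idx])
		}
	}
	return strings.Join(words, " "), nil
}

// entropyBits is the strength of an n-word passphrase drawn uniformly from a
// list: n * log2(listSize). Six words from the 7776-word list give ~77.5 bits.
func entropyBits(listSize, n int) float64 {
	return float64(n) * math.Log2(float64(listSize))
}

func main() {
	p, err := passphrase(sampleWords, 6)
	if err != nil {
		panic(err)
	}
	fmt.Println("passphrase:", p)
	fmt.Printf("%.1f bits from this toy list; %.1f bits from the real 7776-word list\n",
		entropyBits(len(sampleWords), 6), entropyBits(7776, 6))
}
```

The entropy figure is the honest measure of a master password’s strength: it depends only on the list size and the number of words, not on how clever the words look, which is exactly why a random passphrase beats a “complex” password you made up yourself.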

With a strong master password, your password manager becomes a secure vault for all your other credentials. Just remember – only one password to rule them all. Make it a good one.

The Pitfalls of Autofill

A good password manager stores, generates, and updates passwords for you with the press of a button. But be careful with the autofill feature. Some password managers will automatically fill in and even submit web forms for you. This is super convenient, but it has made password managers vulnerable to attacks in the past. [1]

For this reason, some password managers, like 1Password, require you to opt into the autofill feature. We suggest you do not use it, even though it’s tempting. Manually selecting the correct login from your password manager is a small price to pay for the added security. [1]
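To show what separates a cautious fill-in from a careless one, here is a small origin check in Go that I’m adding to this guide; it is my own illustration, not the matching logic of 1Password, Bitwarden, or any browser. The rule it enforces for automatic filling is deliberately strict: the page must be served over HTTPS and its scheme, host, and port must match the saved entry exactly. A subdomain, a host that merely contains the saved name, a different port, or a plain-HTTP page all get a “no” with a reason, which is precisely the situation where you want to be the one choosing the login by hand. The saved entry and the page URLs are constructed examples.

```go
package main

import (
	"fmt"
	"net/url"
)

// origin is the (scheme, host, port) triple browsers use to keep sites apart.
type origin struct{ scheme, host, port string }

// parseOrigin normalizes a URL to its origin, filling in the default port so
// "https://example.com" and "https://example.com:443" compare equal.
func parseOrigin(raw string) (origin, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return origin{}, err
	}
	if u.Scheme == "" || u.Hostname() == "" {
		return origin{}, fmt.Errorf("not an absolute URL: %q", raw)
	}
	port := u.Port()
	if port == "" {
		switch u.Scheme {
		case "https":
			port = "443"
		case "http":
			port = "80"
		}
	}
	return origin{scheme: u.Scheme, host: u.Hostname(), port: port}, nil
}

// shouldAutofill decides whether a credential saved for savedURL may be filled
// into a form on pageURL without the user picking it. Only an HTTPS page with
// an exactly matching origin qualifies; everything else returns false and why.
func shouldAutofill(savedURL, pageURL string) (bool, string) {
	saved, err := parseOrigin(savedURL)
	if err != nil {
		return false, "saved entry has no usable URL: " + err.Error()
	}
	page, err := parseOrigin(pageURL)
	if err != nil {
		return false, "page URL unusable: " + err.Error()
	}
	if page.scheme != "https" {
		return false, "page is not served over HTTPS"
	}
	if page != saved {
		return false, fmt.Sprintf("origin mismatch: saved for %s://%s:%s, page is %s://%s:%s",
			saved.scheme, saved.host, saved.port, page.scheme, page.host, page.port)
	}
	return true, "exact origin match"
}

func main() {
	saved := "https://example.com/login" // constructed saved entry
	for _, page := range []string{
		"https://example.com/account/signin",
		"http://example.com/login",
		"https://login.example.com/",
		"https://example.com.notreal.example/login",
		"https://example.com:8443/",
	} {
		ok, why := shouldAutofill(saved, page)
		fmt.Printf("%-45s autofill=%-5v %s\n", page, ok, why)
	}
}
```

Note that the check is about what gets filled without you looking; a manager can still list the saved login for a related subdomain and let you confirm it, which is the “manually select the correct login” habit recommended above.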

Conclusion

Password managers are not a one-size-fits-all solution, but they are an essential tool for protecting your online credentials. Whether you choose Bitwarden, 1Password, or one of the other options we’ve discussed, a password manager can help you create stronger passwords, store them securely, and keep your digital life safe from prying eyes.

So the next time you’re playing tech support for your family, do them a favor and get them set up with a password manager. It might just be the most important gift you give them all year.

References:

[1] Gilbertson, S. (2024). Best Password Managers. Wired. Retrieved from https://www.wired.com/story/best-password-managers/

[2] Dashlane. (n.d.). A Skeptic’s Guide to Password Managers and Security. Retrieved from https://www.dashlane.com/blog/a-skeptics-guide-to-password-managers-and-security

[3] Bitwarden Community. (n.d.). Suppose a hacker got my BW credentials. Retrieved from https://community.bitwarden.com/t/suppose-a-hacker-got-my-bw-credentials/43645

[4] Privacy Guides. (n.d.). Passwords. Retrieved from https://www.privacyguides.org/en/passwords/

[5] UCSB. (n.d.). Password Best Practices. Retrieved from https://www.it.ucsb.edu/general-security-resources/password-best-practices

[6] CyberNews. (n.d.). Are Password Managers Safe? Retrieved from https://cybernews.com/best-password-managers/are-password-managers-safe/

[7] AWS. (n.d.). Root User Best Practices. Retrieved from https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-best-practices.html

[8] Microsoft. (n.d.). Create and Use Strong Passwords. Retrieved from https://support.microsoft.com/en-us/windows/create-and-use-strong-passwords-c5cebb49-8c53-4f5e-2bc4-fe357ca048eb
