Why I use a password manager and why you should too

Over the past two-plus decades, I have accumulated over 500 logins and passwords. I suspect that’s more than the average web user, but probably not by much. Keeping track of these all in my brain would be impossible. Of those logins, I only remember four of them: my computer login for work, my computer login at home, my email password, and my password manager password.

That last item might have caught you off guard.  A password manager?  What’s that?

The Problems with Passwords

Before I dive into what a password manager is, you need to first understand the problems of passwords.

First, passwords often aren’t complex enough. Passwords that lack complexity are easily guessed. The best way to increase the complexity of any password is by making it longer. For example, in 2015, cracking a random password that was 10 characters in length (uppercase, lowercase and numbers) took as little as 2 hours. Adding special characters increased it to a week. And that was in 2015. Every year, those numbers get smaller and smaller.
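An added example (not part of the original post) that scales the 2015 baseline quoted above to other lengths and alphabets, and draws a random password the way a generator would. It assumes exhaustive search at a constant guess rate; the function names are illustrative.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits   # 62 symbols
ALNUM_SYMBOLS = ALNUM + string.punctuation     # 94 symbols

# Baseline quoted in the post: a random 10-character password of upper case,
# lower case and numbers took as little as 2 hours to crack in 2015.
BASE_LENGTH, BASE_ALPHABET, BASE_HOURS = 10, len(ALNUM), 2.0


def entropy_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)


def scaled_crack_hours(length, alphabet_size):
    """Exhaustive-search time, scaled from the post's baseline.

    Assumption: the guess rate stays constant, so the time grows in
    proportion to the number of candidate passwords.
    """
    extra = entropy_bits(length, alphabet_size) - entropy_bits(BASE_LENGTH, BASE_ALPHABET)
    return BASE_HOURS * 2 ** extra


def generate_password(length=20, alphabet=ALNUM_SYMBOLS):
    """Draw every character independently from the operating system CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def comparison():
    """Days to exhaust each keyspace at the baseline guess rate."""
    cases = {"10 chars, 62 symbols": (10, 62), "10 chars, 94 symbols": (10, 94),
             "12 chars, 62 symbols": (12, 62), "16 chars, 62 symbols": (16, 62)}
    return {name: scaled_crack_hours(*c) / 24 for name, c in cases.items()}


if __name__ == "__main__":
    for name, days in comparison().items():
        print(f"{name}: {days:,.1f} days")
    print("generated:", generate_password())
```

Under that assumption, widening the alphabet to 94 symbols takes the 10-character case from 2 hours to a little over 5 days, while adding just two characters to the 62-symbol alphabet takes it to roughly 320 days.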

Some folks solve the problem of lots of passwords by coming up with clever schemes that morph a password based on the site. However, this too suffers from a lack of complexity.

Second, password reuse. Over the course of my career, I’ve seen a lot of shoddy security work. It only takes one website with shoddy security getting popped to compromise a reused password everywhere. Even sites that put lots of resources into security get hacked, such as LinkedIn or Yahoo!

Third, phishing exposes passwords. At some point, everyone has received the email purporting to be from a Nigerian prince. Often these emails will contain a link that takes you to a login site that looks legit, even with the expected logo. Put your password in that form and now the baddies have your password. You’d better hope you have 2FA turned on. Try this phishing quiz to see how good you are at identifying phishing attempts.

Why You Need a Password Manager

Password managers are one solution for the problem of keeping so many logins secure. Basically, they become your personal database of usernames and passwords. Over the last 20 years, I’ve used a password manager to make my life easier in the following ways:

  1. I only have to remember one password. The password manager keeps track of all the passwords for me.
  2. A password manager creates strong passwords for me. No more entropy-weak passwords from my weak brain.
  3. With browser integration, a password manager can reduce my chances of getting phished. The manager won’t put my username/password into an illegitimate website.

Those are just a few of the ways that a password manager can make your life easier.
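The third point above, sketched as an added example (not from the original post and not any product's actual code): the saved login is offered only when the page's origin matches the saved one exactly. Strict exact-origin matching, the function names and the sample URLs are assumptions of this sketch; real managers may instead match on the registrable domain.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, host, port) for a web URL, or None if unusable."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        # .hostname is lower-cased and excludes any user:pass@ prefix and port.
        host = (parts.hostname or "").rstrip(".")
        # Convert internationalised names to ASCII (punycode) so a Unicode
        # look-alike never compares equal to the saved host.
        host = host.encode("idna").decode("ascii")
        port = parts.port or DEFAULT_PORTS.get(scheme)
    except (UnicodeError, ValueError):
        return None
    if scheme not in DEFAULT_PORTS or not host:
        return None
    return (scheme, host, port)


def should_autofill(saved_url, page_url):
    """Offer the saved login only when the page's origin matches exactly."""
    saved = origin(saved_url)
    return saved is not None and saved == origin(page_url)


# Constructed sample data: example.com and .test are reserved names.
SAVED_LOGIN_URL = "https://accounts.example.com/login"
PAGES = [
    "https://accounts.example.com/signin?next=%2F",   # same origin
    "https://ACCOUNTS.example.com:443/",              # same origin, other spelling
    "http://accounts.example.com/login",              # scheme downgrade
    "https://accounts.example.com:8443/login",        # different port
    "https://accounts.example.com.login.test/",       # real name used as a prefix
    "https://accounts.example.com@login.test/",       # real name in the userinfo part
    "https://accounts.examp1e.com/login",             # digit 1 instead of letter l
    "https://accounts.ex\u0430mple.com/login",        # Cyrillic a (U+0430)
]


def audit():
    return {page: should_autofill(SAVED_LOGIN_URL, page) for page in PAGES}


if __name__ == "__main__":
    for page, fill in audit().items():
        print("FILL  " if fill else "REFUSE", page.encode("ascii", "backslashreplace").decode())
```

A person comparing these addresses by eye can miss the last four differences; the comparison on normalised origins does not.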

My First Password Manager: Password Gorilla

I first started using Password Gorilla sometime in the early 2000s. My requirements were:

  • Free
  • Worked across Windows and Mac (sorry, psafe
  • Compatible with psafe, just in case I wanted to migrate

To enable syncing between my different computers, I put the password database in my Dropbox share.

This solution worked well for many years. Some of this solution’s drawbacks include:

  • Clunky UI that seemed to get slower and slower as I added more and more credentials
  • Occasionally I’d have to deal with file conflicts with Dropbox because I’d added/changed a credential on different machines without a sync
  • No browser integration
  • No 2fa integration

Despite its failings, I succeeded in setting up my wife and my oldest kids with Password Gorilla. I don’t think they were thrilled with the clunkiness, and they preferred using Chrome’s built-in password manager most of the time.

Interlude: Chrome password manager

By default, Chrome saves usernames and passwords for you. Not only does it save passwords, but it will also help you create strong passwords. Naturally, it won’t put your password into a phishing site. Additionally, with Chrome Sync turned on, your usernames and passwords get synchronized across your computers.

For most folks, the Chrome password manager is a big step towards better security. It’s not as secure as the latest password manager software, but it’s much better than nothing.

Even though I was still using Password Gorilla, I found I was relying more and more on Chrome’s password manager, only occasionally opening Password Gorilla. I found it slightly annoying that Chrome won’t save passwords for Google accounts. However, I found a way to get around that by importing the username and password. Additionally, Chrome wouldn’t recognize password forms on some sites and would fail to recall the password for them.

My Current Password Manager: 1Password

During my first day at DumpsterFire, the onboarding team bought me a perpetual license to 1Password, version 6. I stored credentials that I used at work in it, but I never replaced my home setup, mostly because Password Gorilla was working just fine.

One of the perks of working at StartupInc was getting a free family license to 1Password, version 7. A little over a year ago, I moved the whole family into a 1Password family account. Some of the benefits of 1Password include:

  • 2FA. Not only can you set up 2FA with 1Password itself, but you can also use it to generate your 2FA codes, making it even easier to log in to websites.
  • Sharing passwords/documents between family members. I store our Wifi password and similar credentials in a vault shared with the whole family. I share another vault with my wife for other credentials.
  • Password recovery for the family. A couple of times, my kids forgot their Password Gorilla database password. Usually they ended up remembering their password, but with 1Password, it’s easy to help them recover their account if they forget their database password.
  • Secure documents. I have one vault that I share with my wife that includes all of our tax returns and supporting documents.
  • Mobile support

When I recently left StartupInc, my 1Password account was “frozen”. I hope to talk my new employer into getting a 1Password business account. If I can’t convince them, I’ll end up buying my own license for $60/year. Between usability and convenience, I think it’s worth it.

Conclusion

There are many password managers out there, including some unsavory ones. Until passwords go away–and I’m not holding my breath!–using a password manager is an improvement over not using one.

Do you use a password manager? If so, which one and why do you like it? I’d love to hear about it in the comments.

Hasta luego!

4 thoughts on “Why I use a password manager and why you should too”

  1. I’m dumb and only use the Chrome password manager. I only store less important account passwords on it. I have unique passwords for my important accounts (brokerage, bank) that are not shared and never stored anywhere so I always type it in manually, using only one, secure computer. Those credentials are stored in a doc on a thumb drive so others have access if something happens to me.

    I heard and read 1Password is good. I really should subscribe but am too lazy and cheap. Yeah, I’m stupid.

    1. Thanks for stopping by. Storing credentials in a way that someone can recover from your untimely demise is a great idea. When my father passed away years ago, it was a bit of work recovering his password for the email account he ran his business from. Luckily we were able to recover it.

  2. I use lastpass. I’m pretty happy with it.

    One thing I’ve done as of late is use the password manager to randomly generate the username as well. Probably a bit overkill, but I like not having the commonality across important financial institutions, for example.

    1. Randomly generated usernames would give a tiny bit of help if a site got popped and username/passwords were retried elsewhere. Or if you wanted to keep your online identities separated, perhaps for nefarious purposes. But usernames are public knowledge. Not reusing passwords will give you the most mileage.
