Password managers are tools that store all of your passwords in a single encrypted database. Their usefulness comes from a simple fact: we authenticate to a great many sites every day, and each of those sites should have a different password.
It is tempting to use a single, easy-to-remember password for all of your sites.
Certainly this has an advantage, particularly when setting up a new device:
- You simply remember your password as usual;
- Set up your favourite services such as Facebook, Twitter or even your Google account;
- Within a few minutes, you are carrying on with your digital life.
The danger is that if that one password is compromised, whether online or offline, your whole digital life is at risk as well.
How Password managers work
This post concerns the use of password managers. Most of them do not only store passwords for you; they also come with tools for generating new passwords, password expiration reminders and password strength testing.
Password generation is where the manager creates a strong password for you. As you will recall, most services require you to choose a password during the account creation process.
However, as a security measure, most will require a password with certain minimum characteristics, such as:
- A minimum length (commonly six or eight characters);
- A mixture of alphanumeric characters;[1]
- Both lower- and uppercase characters; and
- In some cases, special symbols such as dollar signs, percent signs and hash marks.
When creating a new entry in a password manager you can set these properties and have the password generated for you.
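The following is an added example of how such a generator can be written; it is not code from the original post or from any particular password manager. The `Policy` fields and the permitted symbol set are assumptions modelled on the requirements listed above. The point it makes that the list alone does not: the characters must come from the operating system's cryptographic random source (Python's `secrets`), not from `random`, and the way the required character classes are enforced matters.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Password requirements of a hypothetical service (assumed values)."""
    min_length: int = 8
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    symbols: str = "$%#!@&*?"   # assumed: the symbols this service permits


def satisfies(password: str, policy: Policy) -> bool:
    """Return True when the password meets every requirement in the policy."""
    def has(chars: str) -> bool:
        return any(c in chars for c in password)

    return (
        len(password) >= policy.min_length
        and (not policy.require_lower or has(string.ascii_lowercase))
        and (not policy.require_upper or has(string.ascii_uppercase))
        and (not policy.require_digit or has(string.digits))
        and (not policy.require_symbol or has(policy.symbols))
    )


def generate(policy: Policy, length: int = 16) -> str:
    """Generate a password of the given length that satisfies the policy.

    Characters are drawn with the `secrets` module (the OS CSPRNG), never
    with `random`, whose Mersenne Twister output becomes predictable once
    an attacker has observed enough of it. Candidates that miss a required
    class are rejected and redrawn; this keeps every policy-compliant
    password equally likely, whereas inserting one forced character of each
    class at fixed positions would bias the result.
    """
    if length < policy.min_length:
        raise ValueError(f"length {length} is below the policy minimum {policy.min_length}")
    alphabet = string.ascii_letters + string.digits + policy.symbols
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(candidate, policy):
            return candidate


if __name__ == "__main__":
    policy = Policy()
    pw = generate(policy, 20)
    print(pw, satisfies(pw, policy))
```

Rejection sampling terminates quickly in practice: with a 70-character alphabet and a 16-character password, the chance that a draw lacks a symbol is about 14%, so on average only a handful of draws are needed.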
Even if you have different passwords for different sites, you may be told to change them after some time. Many services, and most corporate intranet sites in particular, force you to change your password on a schedule. Current guidance (NIST SP 800-63B) favours changing a password when there is evidence it has been compromised rather than on a fixed timetable, but where a service mandates rotation a password manager can keep track of it for you.
To deal with that, when creating a new entry you can mark the password as expiring after a set number of days, for example two weeks or a month.
When that time has elapsed, the password manager will either remind you of the fact or prompt you for a new password.
Treat your online accounts as you would your bank card PIN: change the password as soon as you suspect it has been exposed, and whenever the service requires it.
The strength of a password is the degree to which it resists guessing. For example, the following are considered weak passwords:
- Dictionary words in your native or official language;
- Sequential characters such as the digits 12345 or the letters ABCD, including variants such as the same sequences reversed;
- Personal identification numbers: your national ID, passport, bank account or phone number, or anything else that uniquely identifies you in official records;
- Names of family members or partners, birth dates, or anything else that someone who knows you could guess.
Obviously, the strength of a password depends on who is trying to guess it, so your password must not be obvious even to your close associates.
Another determinant of password strength is its length: the longer, the better, because each extra character multiplies the number of combinations an attacker must try by the size of the character set. Hence the requirement by most services that a password be at least eight characters.
A password manager can help you not only create a strong password but also test its strength. The benchmark for strength testing is the password cracker: a tool that first tries dictionary words, common patterns and passwords leaked from earlier breaches, and only then falls back to brute force, that is, trying every combination of characters up to a given length.
A strength meter therefore estimates how many guesses such a tool would need: a password that matches a dictionary word or a pattern falls in a few guesses however long it is, while one that forces a brute-force search is rated by its length and the size of its character set.
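As an added example (not code from the original post, and not the algorithm of any particular password manager), here is a small strength checker that applies the rules above: it first looks for the cheap attacks (dictionary word, sequential run, personal data) and only then falls back to a brute-force estimate of length times log2 of the character-set size. The `COMMON_WORDS` list is a constructed stand-in for a real dictionary or breached-password list, and the guess rate and the 50/70-bit thresholds are assumptions chosen for illustration.

```python
import math
import string

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "football", "qwerty"}

# Assumed offline cracking rate (guesses per second) against a fast hash; a real
# figure depends on the hash algorithm and on the attacker's hardware.
GUESSES_PER_SECOND = 1e10


def is_run(s: str) -> bool:
    """True if s is a strictly ascending or descending run such as 'abcd' or '4321'."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def contains_run(pw: str, n: int = 4) -> bool:
    """True if any n consecutive characters form a run in either direction."""
    return any(is_run(pw[i:i + n]) for i in range(len(pw) - n + 1))


def alphabet_size(pw: str) -> int:
    """Character-set size an attacker must assume, judged from the classes present."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),   # 32 ASCII symbols
    )
    return sum(n for chars, n in classes if any(c in chars for c in pw))


def weaknesses(pw: str, personal: frozenset[str] = frozenset()) -> list[str]:
    """List the reasons a password would fall to a dictionary or pattern attack.

    `personal` holds the user's own details (names, years, ID numbers) in lowercase.
    """
    low = pw.lower()
    found = []
    if low in COMMON_WORDS or low.rstrip(string.digits) in COMMON_WORDS:
        found.append("dictionary word (optionally followed by digits)")
    if contains_run(low):
        found.append("sequential characters")
    if any(p and p.lower() in low for p in personal):
        found.append("personal information")
    return found


def assess(pw: str, personal: frozenset[str] = frozenset()) -> dict:
    """Return brute-force bits, an estimated crack time and a verdict.

    Brute-force bits = length * log2(alphabet size). That figure only matters
    when no cheaper attack applies, so any pattern weakness makes the verdict
    'weak' regardless of length. The 50/70-bit thresholds are assumptions.
    """
    flaws = weaknesses(pw, personal)
    size = alphabet_size(pw)
    bits = len(pw) * math.log2(size) if size else 0.0
    seconds = 2 ** bits / GUESSES_PER_SECOND
    if flaws or bits < 50:
        verdict = "weak"
    elif bits < 70:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"bits": round(bits, 1), "crack_seconds": seconds, "weaknesses": flaws, "verdict": verdict}


if __name__ == "__main__":
    for candidate in ("password123", "Abcd9Xyz", "q7Rz$pL2wXv9#Bm4"):
        print(candidate, assess(candidate, frozenset({"nomsa", "1990"})))
```

Note the order of the checks: "password123" scores almost 57 brute-force bits, which looks respectable, yet it is rated weak because a dictionary attack finds it in a handful of guesses. That is exactly why a strength meter that only counts characters is misleading.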
Some password managers you can start using today
There are many password managers, whether on the Google Play Store, the App Store, the Windows Store or in the Linux repositories. You can try them and see how you rate them for user-friendliness, accessibility and affordability.
For a start, I would recommend KeePass on Windows. It is not only accessible, but free and open source.
Although it is written in C#, a number of other password managers are compatible with its database format. This makes it possible to open your KeePass-created databases on Android with KeePass for Android, or with AuthPass on Linux. On Linux, I often open my KeePass files using Password Safe, which is in the Ubuntu software repository; you can simply install it from the Software Center.
Password managers are only as secure as the computer they run on: a keylogger or other malware on your machine, or an attacker sniffing an unencrypted network connection, can capture passwords as you use them. They are also only effective as long as the services you connect to are themselves secure.
That last point explains why you should not use one password on more than one service: if one site is breached, whoever obtained its password database can try the same credentials on other sites, a technique known as credential stuffing.
There are many other ways to secure your accounts, such as app-specific passwords, one-time passwords and USB security keys used to log in. All of these depend on the service supporting two-factor authentication. Otherwise, I hope this post has helped to show the utility of password managers as part of your security toolkit.
[1] Alphanumeric: a set of alphabetical letters and numbers.