Password Managers

This is what the 'hacker' trying to crack into your passwords looks like. Well, maybe in the background there is a spotty Russian teenager, but let's go with the data centre image: it can crunch unimaginable amounts of password guesses and "letmein123" will probably be checked in the first millisecond.

When we manage clients' websites this is what your passwords are going to look like:

llV+A}X&TmOW=9U
deposleepineidesitil
s~[k,--z8E*%GYh=4*/4r}[v0UFY^jSIm{OC<FGe#}X2WL

What these have in common is that they are (a) relatively strong passwords and (b) impossible for normal people to remember* - and the third example is basically impractical to write down or type out either.

However, this is what all your passwords should be like everywhere, and you should have a unique password for each website/service you log in to, so ... you need a password manager.

*It is possible to be secure and memorable e.g. a phrase like:

entropy boogie feeze leaves riding mother

...however, how many of these can you remember? The memorable ones should be reserved for the master password of your password manager, and for any passwords you need regularly away from your normal password manager environment (which is a separate topic). For everything else, random garbage is what you want, controlled by your secure password manager.

On this page you can find some notes, and if you are a KnowledgePower client reading this, we hope you have it all under control 😉


Recommended password manager software

Which is best? Well, if you are not currently using a password manager then any of the above will be fine and a massive step-up in convenience and security. The above list is only a small selection of possible good options. Ask a friend for a recommendation. If they don't use a password manager, stop being their friend until they do.

A password manager will help you generate strong random passwords, organize your sites, log in with a single click, and store secure notes such as password reminders, as well as managing credit card numbers and the like.

Do I need a password manager?

If you are reading this then you are a web user and almost certainly a human. All human web users need a password manager. So yes.

Will a password manager work on my PC / Mac / mobile / tablet / operating system / gold Apple watch?

Yes.

Are password managers difficult to install, difficult to learn how to use, expensive, or annoying?

No to all of the above, so these are not valid excuses for not using a password manager.

Is there any valid excuse for not using a password manager?

Yes, as follows: "I am a sociology research student and I am documenting what happens when I get hacked". Other than that, no.

When I use a password manager do I have to change all my passwords / logins?

No, although a good one may scan your passwords and tell you to update the weak ones, and probably it is a good opportunity to update your important passwords to something stronger.

Will a password manager completely keep me safe automatically?

No, you have to use it sensibly and have generally improving security habits. "Generally improving" because you can never be perfect and there is always more to learn or adapt to. Once you have reasonable password habits, your next step will probably be enabling two-factor authentication on your main important accounts as well as on your password manager itself. You should also look at your email as a classic single point of failure.

SplashData's list of the top 10 most common passwords in 2014:

1. 123456 (Unchanged)
2. password (Unchanged)
3. 12345 (Up 17)
4. 12345678 (Down 1)
5. qwerty (Down 1)
6. 123456789 (Unchanged)
7. 1234 (Up 9)
8. baseball (New)
9. dragon (New)
10. football (New)

In the recent Sony Pictures hack the password for the payroll department... appears to have been “sonypayroll”. [Source]

Further reading

NB:

Steve Gibson from the Security Now podcast did a lot of work in this arena and found that the password D0g..................... (24 characters long) is stronger than PrXyc.N(n4k77#L!eVdAfp9 (23 characters long): both contain at least one uppercase letter, lowercase letter, number and "special" character, so an attacker has to assume the same alphabet for each, and the extra character makes the longer one harder to exhaust. Length trumps perceived complexity. Steve Gibson makes this very clear in his password haystack reference guide and tester.
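As an added worked example (not from the original page and not Steve Gibson's own code), here is the search-space ("haystack") arithmetic behind that comparison in Python: the alphabet size is set by which character classes appear, and the haystack is every string up to the password's length over that alphabet. The 26/26/10/33 class sizes and the 10^14 guesses per second cracking rate are assumptions used for illustration.

```python
import math
import string

# Character classes and their sizes, following the usual 26/26/10/33 split
# (assumed: the 33 symbols are ASCII punctuation plus the space character).
SYMBOLS = string.punctuation + " "


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume, based on which classes appear."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += 33
    return size


def haystack_size(password: str) -> int:
    """Candidates an exhaustive search covers: every string of length
    1..len(password) over the assumed alphabet."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: int = 10**14) -> float:
    """Worst-case time to exhaust the haystack. The default rate is an
    assumed figure for a large offline cracking array, not a measurement."""
    return haystack_size(password) / guesses_per_second


def entropy_bits(password: str) -> float:
    """Entropy *if* the password were drawn uniformly at random over the same
    alphabet. A pattern such as repeated dots has far less real entropy, so
    the haystack is a brute-force worst case, not a guarantee against
    pattern or dictionary attacks; generated random passwords do reach it."""
    return len(password) * math.log2(alphabet_size(password))


if __name__ == "__main__":
    padded = "D0g" + "." * 21              # the 24-character example from the text
    complex_ = "PrXyc.N(n4k77#L!eVdAfp9"  # the 23-character example from the text
    for pw in (padded, complex_, "letmein123"):
        years = seconds_to_exhaust(pw) / 31_557_600
        print(f"{pw:26} alphabet={alphabet_size(pw):3} "
              f"haystack={haystack_size(pw):.3e} years={years:.3e}")
```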