The beginner’s guide to using a password manager 🔐
This is the first part of a two-part series on access control and account security. After this, be sure to read Part 2: Multi-factor authentication is for everyone.
Let’s face it. In modern life, as participants in the digital economy, we have to remember a bewildering number of user account IDs and passwords. With each passing year more of the services we use move online, and the problem compounds.
It is neither easy nor efficient to tackle this manually. So, to lighten the load, we each come up with our own hacks for storing passwords. This invariably leaves us with some terrible habits, both in choosing passwords and in storing them. Some of these include:
- Reusing the same password, or the same recipe for building one, across accounts until it is committed to muscle memory and we could type it in our sleep;
- Storing passwords in genuinely worrying ways, such as:
  - writing them in a diary that we might leave at the coffee shop;
  - scribbling them on post-it notes that may blow out of the window; or
  - keeping them in a plain-text file on a local drive, which locks us out of every account if the disk fails and leaves them readable by anyone who gets hold of the drive.
How to cope with all this?
Look, we all get it. We need to remember a ton of passwords and human memory is not up to the task. Besides, I can think of much better uses for our brains than storing complex passwords for numerous online accounts. The answer is clear: we need to store it all elsewhere. But that presents a whole new challenge, securing it against unauthorised access by others.
Though it seems that there is little respite, all is not lost.
It is really easy to use a password manager!
How safe is a password manager?
The answer is that it depends. Yes, there are many password managers out there, and it can be daunting to sift through them and pick one. But do your research and find something that works for you on the platforms and devices you use regularly. There are definitely good options out there, and many of them
- commission independent third-party security audits of their product;
- publish the findings of those audits so you can judge their claims for yourself; and
- run a bug bounty programme that pays anyone who finds and responsibly reports a security flaw.
All of this helps ensure that they can build and maintain a robust platform to meet your needs.
How do I access my passwords within a password manager?
Generally speaking, password managers encrypt your vault on your own device, typically with AES-256, before anything is sent to their servers, so your data is encrypted at rest. The connection between your devices and the server is additionally protected with TLS, so the already-encrypted vault is never exposed on the wire.
You need a master password to unlock your account. The key that actually encrypts your vault is derived from that master password on your device (some products mix in an additional secret key that is stored only on the device). Running the same derivation on another device produces the same key, which is how each of your devices can decrypt the vault as it arrives.
Neither the master password nor the derived key is ever transmitted over the network; at most, a separate hash of the master password is used to log in. Using the password manager application on any of your devices, you can open the entire library of account details and passwords, while the data itself crosses the network and sits in storage only in encrypted form.
Who can read my passwords?
Nobody else but you.
Technically, anyone who has your master password (and, where the product uses one, your secret key) can access your account details and passwords.
Practically, though, as long as you keep your master password and any secret key safe, the rest of your data remains well protected by the password manager and is accessible only to you, on every device where you enter those credentials.
If you forget your master password or lose your secret key, nobody can access your data any more, the provider included. Note where the guarantee comes from: AES-256 itself cannot be brute-forced with any computing power available today, so the only practical way into an encrypted vault is to guess the master password. That is why the master password should be long and unique, and why password managers deliberately make each guess slow with a key-derivation function such as PBKDF2 or Argon2.
Do I need to pay for a password manager?
For any service, you either pay with your money or with your data. It is generally a bad idea to compromise on this front, especially when it comes to a good-quality password manager. There is, however, one exception: enter Bitwarden!
Bitwarden is open source software. All of its source code is hosted on GitHub and is free for anyone to review. For the really paranoid, you can also download and self-host your own Bitwarden instance, so your encrypted vault never touches anyone else’s servers.
Bitwarden’s free tier is a great place to start for those who are completely new to password managers, and a far better option than the ways we typically save passwords outside of a dedicated tool.
Why I think Bitwarden has a free-forever product tier
- Bitwarden is true to their mission of making password management accessible to everyone regardless of their ability to pay
- For people who require capabilities beyond the core features, Bitwarden offers various paid services
- This model creates an effective sales funnel: people enter the ecosystem through the free tier and may later upgrade when they need more, which is a win for both the organisation and the user community
Why Bitwarden makes sense for you
- Lifetime access to core features at no cost
- No cost barrier to entry
- Highly reputable service provider with a long-standing track record and independent third-party security audits
It is difficult to manage passwords manually offline. Consider using a password manager to simplify this process while greatly improving the overall security of your online accounts.
Pick the password manager that best suits your needs, and do the research to find out what works on all your devices and operating systems. Consider paying for the service as long as the feature set makes sense and the provider is reputable and has withstood years of industry scrutiny. After all, you are going to entrust them with all your sensitive information.
If you can’t make up your mind or you are looking for a recommendation, then try Bitwarden, whose core product is open source and free for life. You will not be disappointed!
Lastly, no matter what you do decide when it comes to storing your account passwords, please do yourselves a favour and ditch the text files, the spreadsheets and the sticky notes.
Disclosure: This post represents my personal opinion and is not sponsored by any third party, including Bitwarden.