You wake up to a constant chiming from your phone. It annoys enough to wake you on an early morning of a day off.
Who can be reaching out to you so early? Is it one of your group texts? Is it work? You pick up the phone and start the morning routine.
You see a myriad of text and email notifications about various accounts. All related, whether you notice at the moment or not, to two common things. An email and a password. The dreaded day has come.
dangCoolPass44! dangCoolPass45! dangCoolPass50!
Are these familiar? Maybe similar to a password used at work where they require a biweekly or monthly update of passwords but laziness kicks in after the first 3 months and a workaround is found by incrementing a digit.
We tend to reuse passwords because we can only devote so much time and bandwidth to the chore of remembering them. We may just break down, rotate between four or five passwords at a time, and hope for the best. It's natural to consolidate laborious tasks to make our lives easier.
What if I told you there's a better way to manage your passwords that doesn't require remembering them all? Stick with me, we'll get through this.
Every service in today's Internet connected world is (usually) based around two things: an email and a password. It's a typical method because most Internet users have or can create the pair, it's simple to implement an account recovery flow, password resets, etc. But it has at least one con: it places the burden of managing passwords on the user.
There are other ways for services to handle accounts but most require action and knowledge of the end user to pick up. There's a constant tug-o-war between ease of use and security. So, for now, we're stuck with passwords and I dream of the day when we no longer depend on them.
Here's an example of an average user's password collection where P[n] is a password and A[n] is an account:
P1 / | \ \ A1 A2 A3 A4 ------------------ P2 / | \ \ A5 A6 A7 A8
This is a one-to-many relationship between a given password and associated accounts. When a password gets compromised (or "hacked"), you end up in a situation like so, where an "x" delimits a need to reset the password.
P1 / | \ \ A1 A2 A3 A4 ------------------ P2 / | \ \ x x x x A5 A6 A7 A8
This person now has to reset passwords for accounts A5 through A8.
An ideal setup is as follows, where each password is only tied to one account, a one-to-one relationship:
P1 P2 P3 P4 P5 P6 | | | | | | ... | | | | x | A1 A2 A3 A4 A5 A6
As you can see, only when P5 was compromised, the owner just had to reset the A5 account. But, dang, that's a ton of passwords to remember!
The easiest situation, but least secure, is to use one password for all accounts:
P1 / / / | \ \ ... A1 A2 A3 A4 A5 A6
The great thing is that you CAN have this setup while also having it be secure! It'll look something like this:
PM / / | | \ \ P1 P2 P3 P4 P5 P6 | | | | | | ... | | | | | | A1 A2 A3 A4 A5 A6
The PM here is a Password Manager and I'm about to preach it up.
A password manager is specialized software for handling one thing: Passwords. And it does it extremely well.
It can store passwords, generate new ones, remember the history of any changes for a given account, store notes, URLs, and more. This data is stored in a secure fashion so only you can access it. They tend to have clients that work on smart phones, desktops, and at the least web browsers. All you have to do is remember one password to access the password manager.
Now, it sounds like this is an "all eggs in one basket" situation and you'd have a worse situation if your password manager account got compromised. I have one answer to that though I won't go into detail in this blog post: Two Factor Authentication (2FA). Enable it on whichever password manager you pick and use it! I also highly encourage you to enable it on any account you deem is important (email, banks, etc.) As for the one password you use, I recommend the multi-word approach as it tends to be more secure and easier to remember. Just don't forget to setup that 2FA!
Next, I'm only going to go over two accounts, both of which reside in different types of implementations. The two types are cloud based service and the other a local database.
A Cloud based service is the most common and has the highest ease of use. A company or some entity manages the service and often make money by having businesses pay them for support and/or sharing of passwords within them. A service often has a free tier that individuals can use with a restriction of not being able to share passwords with other users.
The "cloud" comes in with the server based storage and syncing of your passwords between all your devices. When you connect to the service through a client application it'll fetch the cloud-based (let's call it "remote") copy of your passwords and determine whether your local or remote is the latest. The service usually has an automatic and/or manual way to deal with conflicts, but if you're the only one accessing the password store you shouldn't see this often.
Signing up tends to be as simple as any other service: you just need an email and a password. Remember, this pair of credentials is the key to all the others in the long run, so keep it secure but accessible. And enable 2FA!
These services commonly have a web-based client to connect to and reliable while you have an Internet connection. There are also native clients applications that live on smart phones and desktops. I highly recommend downloading these native clients on personal devices and logging in as they act as local copies even when your Internet connection goes down.
My current preference to this type is Bitwarden (https://bitwarden.com/) as it's a great mash up of open source, ease to use, and a company devoted to transparency and trust. In actuality, Bitwarden is a mix of the two types we go over in this post (cloud + local database) since you can still access local copies of your passwords when off-line, but it's easier to consume it as cloud based. I primarily use it for my work accounts since I prefer a more hands on approach to personal passwords, which we'll go into next.
A local database type of password manager relies on a pair of things: An encrypted database file and an application that can read, write, decrypt, and encrypt it at will of the owner. There's not usually an Internet or company dependency here besides fetching the applications to access the database file. It instead relies on volunteers of open source code contributors to maintain the applications and is created with decades-hardened of cryptography technology. There are solutions that are maintained by a company as well if that's desired.
Once you have the application, you can create a database file and start loading/generating passwords into it. The database file is usually locked via a password but based on the application you can use biometrics, a USB dongle, whatever is supported! You can also enable 2FA on it and while I suggest it here as well, because you will be maintaining the file you can just make sure 2FA is on whatever syncing process you'll be utilizing.
Side note: When downloading these native applications, it's important to consider their integrity via methods like SHA-1 hashing which I won't go into here. But feel free to hit me up about it or wait for a possible blog post.
This type, however, ultimately relies on the user to maintain their database file. Think of this as a manual transmission car compared to an automatic. Instead of having a service back up and store the passwords for you, you'll have to take it upon yourself to do it.
Some easy ways to backup this file is to utilize a service you're already using, such as Google Drive, Dropbox, or NextCloud. Just remember to have 2FA enabled on the service you use as that's the point of access to your password database.
My personal choice for Local Database PMs is KeepassXC for desktop (Windows/MacOS/Linux) and Keepass2Android for my Android phone. There are iOS equivalents but I'm not familiar with any at the moment. You can search for "keepass" and do some research to find one. These are based on the original application called KeePass Password Safe which was only made for Windows.
I'm going to end this post with suggestions on adapting to using a password manager. Some people like to get everything done at once but it's important to realize that you may have countless of accounts and this could take awhile to get done with! Instead, I suggest a method of transitioning as you access your accounts. I also suggest starting with less important accounts so that you get used to the new process and if something goes wrong it'll be less nerve wrecking to fix. Remember that most accounts have a way to recover them so don't be afraid. Newly created accounts are also a good target.
The next time you access your bank account update your password to use a generated and stored one from your password manager (and enable 2FA if not already!) Amazon shopping? Update the password. Eventually, you'll have encompassed most of the accounts that matter and sooner or later after that you'll build it into your routine for everything.
Happy password managing!