2.4 Installing and using a password manager
Alternatives to a browser’s password management are dedicated password management applications.
Before choosing any product to manage your passwords, you should make sure that it meets your requirements – in particular:
- Is the software available for your computer?
- Does it manage passwords on one machine or more than one computer?
- Can it synchronise passwords between multiple machines?
- Does it have a good reputation?
Check that the password manager software has a good reputation by making sure that it has been evaluated by a reputable organisation such as av-test.org : https://www.av-test.org/ en/ news/ secure-passwords-its-a-snap/ [Tip: hold Ctrl and click a link to open it in a new tab. (Hide tip)] . Don’t depend on anecdotal evidence.
When you evaluate using a password manager consider the balance of risk. A password manager only requires you to memorise a single secure password. All the other passwords it looks after can be long, unique strings of random characters, for example, dyet%eb5YT%^ahyrp)(nd. This is much more secure than using a paper notebook – thieves breaking into a house or office look for password notebooks. Notebooks also get dropped or left on the train!
Some examples of password manager applications are:
- LastPass is available for a range of operating systems, including mobile devices. It can generate and store passwords, and manage them across multiple devices.
- 1Password is available for Windows and Mac computers as well as mobile devices running iOS, Android and Windows Phone. As well as generating and storing passwords, 1Password can be used to hold other confidential documents. It offers password synchronisation through the free Dropbox cloud service where encrypted copies of all 1Password data are shared between your machines.
- KeePass is available for Windows, Mac and Linux operating systems. It is an open source password manager, which makes it easier for security experts to check its program code and identify potential security problems.
The protection offered by a password manager is only as good as the password you select to control access to it – the ‘master password’. Therefore, make sure to select a long, hard to guess password – ideally a phrase or combination of random words. This will prevent attackers from getting access to all of your passwords, even if they steal the password store from your machine or an online password system. For example, in June 2015 attackers were able to steal a large number of password stores from LastPass, putting those users with very weak master passwords at risk of having all their passwords used by hackers.
In September 2019, another vulnerability was discovered in LastPass by a Google Project Zero researcher. This was fixed almost immediately by LastPass in an update.