A new password for EVERY site?!?!?

November 24, 2022

Last week we finished our discussion of WiFi routers. This week we’ll delve a bit deeper into password managers: how they help you, why you need one, and what to look for.

There are many password managers available and many with free plans. But the most important thing to look for in a password manager is that it securely encrypts your password “vault” (your list of passwords) with a good quality cipher. AES 256-bit encryption is the current standard (for a bit more on what that is, check out https://go.ttot.link/AES256). Preferably you’d use a “zero knowledge” password manager, that is one which doesn’t forward your master password to the vendor of the password manager. Of course that means that losing your master password would cause you to lose access to your entire vault. That’s why many password managers also provide an alternative mechanism to decrypt your vault, usually with a phrase or a series of words or characters that are used to prime the encryption engine. But if you lose that backup phrase…well, you’re really out of luck.

Your master password should be long but one that you can easily recall. It should be a phrase with spaces and special characters, and the longer, the better. I would discourage using a phrase that is tied to you like “my birthday is march 5, 1982” – a phrase like this could be guessed. Instead make it a phrase unconnected to you but one you can remember like “b1nkl3_TW1NKL3 l1ttl3 *, HOW 1 WOND3R wh4t you IS!?!” – it’s long, has mixed case, numbers, and special characters, and, if you study it for a while, you’ll recognize the pattern I used in constructing it – the letters a, i, and e are always replaced by 4, 1. and 3, the case of the words alternate, and the word “star” is replaced by an asterisk

Also to consider is whether your password manager should only store your vault locally (i.e. stand-alone) or store it somewhere in the cloud (cloud-based or connected). The latter type checks to see if the cloud copy is newer than the version on your local device and, if it is, downloads it to your local device when you open the password manager; it syncs any changes you make to your local copy to the cloud. While some stand-alone managers will allow you to manually copy your locally saved passwords to a cloud service like Google Drive, Box, or OneDrive and manually restore them to another device, I don’t recommend going that route. Being a bit paranoid, that’s the kind of manager I first started using but I quickly found that the password vault on my various devices would get out of sync with each other. So I switched to connected password managers.

The article at https://go.ttot.link/PwdMgrFeatures has a good list of things to look for in a password manager and https://go.ttot.link/BestPwdMgrs discusses PC Magazine’s recommended paid password managers. That article also has a link to an article that discusses their recommended free password managers.

Personally, I use 2 password managers and pay for them: Bitwarden (https://go.ttot.link/Bitwarden) and Lastpass (https://go.ttot.link/Lastpass). Both have free and paid plans. They are pretty much the same, feature for feature but Bitwarden is open source so anyone can inspect their code (the source for all the components is at https://go.ttot.link/GithubBW) and they have an option for you to host the Bitwarden service on your own hardware (https://go.ttot.link/OpenSourceBW) so your password vault stays within your complete control.

If you opt to use Bitwarden’s cloud they currently have 3 pricing levels for personal accounts: Free, Premium (currently $10/year), and Family (currently $40/year for up to 6 users), See https://go.ttot.link/PricingBW for details on the plans. Lastpass has a free plan and they currently charge $36/year for an individual subscription and $48/year for a family plan for up to 6 users (pricing is on Lastpass’s main page, just scroll down a bit).

One other really nice feature about the Bitwarden manager is that you can enter your seed for two-factor authentication and it will generate your one time passcode for you (see https://go.ttot.link/TOTP for more info on two factor authentication and TOTP – Time-based One Time Password). Lastpass does not have this feature.

Both managers are multi-platform (apps for iOS, Android, Mac, Windows, Linux, and browser extensions for all major browsers), can autofill passwords (see https://go.ttot.link/AutoFillLP for an explanation), can automatically save new passwords to your vault, and to help you organize your sites, they both have folders in which you can save your information. They both also provide a way to save other information like credit card information and general notes, all of which are encrypted using the same technology used to encrypt your passwords.

Why do I pay for two password managers? For backup – you can never tell when one or the other will quit the business or adopt some business practice with which I disagree. Both password managers offer to save new passwords when I create one so it’s relatively simple to keep them both current.

That’s it for this week. I’ve just gone over two of the many available password managers. Feel free to choose either of them or go with one of the other ones discussed in the articles I’ve linked, above or go with one you find with your own research. But whatever you do, get and use a password manager! And be sure to let me know what you’d like to discuss next week.

As always, my intent with these columns is to spark your curiosity, give you enough information to get started, and arm you with the necessary keywords (or buzzwords) so you’ll understand the basics and are equipped to search for more detailed information.

Please feel free to email me with questions, comments, suggestions, requests for future columns, whatever at tony@TonysTakeOnTech.com or just drop me a quick note and say HI! And don’t forget that I maintain links to the original columns with live, clickable links to all the references at https://go.ttot.link/TGColumns+Links or https://go.ttot.link/TGC+L – it should be updated shortly after this column appears online.