Password Managers

Posted on Sept. 2, 2020


Using a different password for every online service you use is absolutely essential for security. While this offers protection from data breaches and common hacking techniques, it can make it a challenge to remember all of the different credentials. That's why software called a password manager has been developed to help you generate and manage passwords.

 


What is a Password Manager?

A password manager is software you can install on your machine. It takes care of storing your account information so you don’t have to remember all the passwords and usernames for each website you visit. When visiting a website, it will enter your credentials for you, and you won’t have to remember which password was for your bank, for your email, or for your favorite shopping site.

 

Advantages

The advantage of password managers is obvious: you are no longer required to remember long, complex passwords. But there is an additional advantage as well. Unlike a list of passwords written down in a notebook, a password manager encrypts your passwords when it stores them. Encryption adds another layer a malicious user would have to break through to steal them.

Most password managers also include a password generator. As the name implies, it generates a new password for any account and takes into account length and complexity when creating one. It can offer some peace of mind, as you know the password it generates is hard if not near impossible to guess.  Having a unique, complex password for every site you visit is the most effective thing you can do to protect your accounts.

 

Disadvantages

At first glance, you may think this solution is the easiest option, but it has its weaknesses. First, your username, password, and their associated service are all stored somewhere. Somewhere can mean one of two places: either on a web server or locally on your computer. In either location it will still be encrypted; however, each storage option has a drawback.

If you’ve opted for a password manager that works across devices, this likely means your passwords are stored on a web server. Any information stored on a web server is accessible via the internet, and nothing on the internet is completely safe. Although it is encrypted to offer protection, that doesn’t mean it’s 100% secure. Opting for a password manager that stores them on your computer has a different problem: your passwords aren’t accessible on any other machine. In either case, your passwords are only available on computers where you have the password manager software available. If you don’t have it, you’ll have to know the username/password combination.

 If your password manager has a password generator and you’ve decided to use it, you probably don’t know your password. After all, it’s meant to be long and complex. 

Some password manager applications have a subscription fee, while others will let you try the program for free but ask you to subscribe after a certain period.  Open source solutions are free and maintained by a volunteer community of engineers, and many accept donations if you like the software.


 

What about Browser Password Managers?

If you're using any modern browser (Chrome, Edge, or Firefox), you've probably seen it ask you to save your password upon logging into a website. At the core, it appears to function similarly to a password manager, so you may be wondering if you can use the one in your browser. After all, it's free and much easier to use. But before you start clicking "save password" on every website, there is one crucial feature to take note of: Browsers store passwords locally.

 

Chrome

Chrome has two ways it can store passwords. Which method it uses depends on two conditions: whether you're logged into a Google account and whether "sync across devices" is turned on. Since syncing only works if you have a Google account, you probably guessed where it's storing those saved passwords: your Google account. Since it stores passwords in your account, they are compromised if your Google account is compromised.

If you don't have a Google account or have syncing turned off, it will store these passwords locally on your machine. As with the others, if someone has access to your computer, they have access to your passwords.

You can find more information on Chrome's password storage here.

 

Firefox

Firefox stores passwords locally on your machine and comes with a "password manager" to manage your passwords. However, anyone with access to the browser can access your passwords. That is, unless you implement a "Master Password." Once you set up a Master Password, your passwords will be encrypted when stored.

Firefox has a feature similar to Google's where it can "sync" your passwords across devices. Again, this relies on two conditions: a Firefox account and "Sync" turned on. By turning "Sync" on, you are also storing passwords on a web server.

Look here for how to set up Master Password in Firefox.

Click here for a more detailed look at Firefox's Sync with Master Password.

You can find more information on Firefox's password storage here.

 

Edge

Edge also stores passwords locally on your machine via the Credential Manager found in the Control Panel on Windows operating systems. (Press Windows + S and type "credential manager" to pull it up.) In the Credential Manager, you'll see a list of all saved accounts and their respective URLs.

The risk here is that the only thing stopping someone from seeing a password when they click on it is your Windows account. That means anyone who can log in to your Windows user can see your passwords.

 

Should I use a password manager?

The answer is: it depends. There is no doubt that a password manager is much safer and more reliable than writing your passwords down in a notebook. If that is something you currently do, then a password manager may be the solution to implement.

Our advice: create a password that is hard to guess and perhaps uses some techniques discussed in our last post. Use a password manager if you feel you need to and consider its drawbacks. And finally, implement two-factor authentication on all accounts where possible.


 
