Data Breach Defense: Password Managers
What is a Password Manager?
A password manager is a program or service that allows you to record login information such as username, password, login link, and other data. Your password database is stored in an encrypted format. Additional security measures vary from service to service.
Why do I Need a Password Manager?
The single most important thing you can do to protect your accounts is to use strong, unique passwords that are not reused anywhere. I discussed in the Understanding Data Breaches section how a service’s password database can be stolen and the stored password hashes cracked offline later. A strong, unique password makes your entry practically impossible to crack, keeping your account safe even in that situation. A strong password should be sixteen or more characters drawn from upper and lower case letters, numbers, and special characters, and should not be reused on any other account. (That last part is insurance: if a service stored your password unhashed, or hashed it poorly, an attacker can take the recovered username and password and try the pair on every other popular site. This attack is called credential stuffing, and not reusing passwords, and ideally usernames, is what defeats it.) Of course, a password like that is impossible to remember, so the solution is to use a password manager. With a password manager you only ever have to remember a single password: the master password that unlocks it.
What Should I Look For in a Password Manager?
The most important thing is to look for a service that is “zero knowledge.” They may also use terms like “zero access” or “end-to-end encrypted.” (Note: this is different from a service simply saying it encrypts your data. With ordinary encryption at rest the provider holds the key; with zero knowledge the key is derived from your master password on your own device and never leaves it, so the provider stores only ciphertext it cannot read.) This means that no employee of the company can see your passwords and information. Remember: if they can see it, so can a criminal who gains access. You should also consider whether or not cloud-based services are right for you. Cloud-based services offer conveniences like synchronization between devices, but you also run the risk that a successful criminal will download your encrypted database and then have all the time in the world to guess your master password offline, unhindered by login rate limits. A strong master passphrase and a slow key-derivation setting are what make that attack impractical. Conversely, locally-stored databases are safer from a data breach but run the risk of getting deleted, lost, or corrupted if you don’t keep reliable backups.
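The zero-knowledge layout described above, and the offline-guessing risk that a stolen cloud database creates, as an added example rather than any vendor’s code. The client derives the vault key from the master password with a slow, salted KDF (PBKDF2-HMAC-SHA256 here); the provider only ever holds the salt, the KDF cost, a one-way authentication hash derived from the key, and the encrypted vault. The iteration counts and the guess list are constructed for illustration, and the attacker checks guesses against the stored authentication hash only to keep the block short (against a stolen vault they would check by decrypting it).

```python
import hashlib
import hmac
import os
import time

# Illustrative zero-knowledge design (added example, not any product's code).
# The vault key never leaves the client; the server record below is all the
# provider stores, and none of it yields the key without guessing the password.

def derive_vault_key(master_password, salt, iterations):
    """Client side: slow, salted key derivation. The iteration count is the
    cost an offline attacker pays for every single guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def auth_hash(vault_key):
    """One extra one-way step, so the login credential the server holds
    cannot be turned back into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, b"auth", 1, dklen=32)

def enroll(master_password, iterations):
    """Everything the provider ends up storing for this account."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "auth_hash": auth_hash(key)}

def offline_crack(stolen_record, candidates):
    """An attacker who downloaded the record tests guesses at leisure.
    Returns (recovered_password_or_None, guesses_tried)."""
    tried = 0
    for guess in candidates:
        tried += 1
        key = derive_vault_key(guess, stolen_record["salt"], stolen_record["iterations"])
        if hmac.compare_digest(auth_hash(key), stolen_record["auth_hash"]):
            return guess, tried
    return None, tried

def seconds_per_guess(iterations, samples=3):
    """Measure what one guess costs on this machine at a given KDF cost."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("benchmark", salt, iterations)
    return (time.perf_counter() - start) / samples

# Constructed guess list; a real attacker uses hundreds of millions of leaked passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "password123", "admin"]

if __name__ == "__main__":
    weak = enroll("password123", iterations=5_000)
    strong = enroll("correct horse battery staple", iterations=600_000)
    print("weak account:", offline_crack(weak, COMMON_PASSWORDS))
    print("strong account:", offline_crack(strong, COMMON_PASSWORDS))
    for cost in (5_000, 600_000):
        print(f"{cost:>7} iterations: {seconds_per_guess(cost) * 1000:.1f} ms per guess")
```

Running it shows the weak account falling on the fifth guess and the strong one surviving the whole list; the timing loop shows why the iteration count matters, since every guess against the high-cost record takes roughly a hundred times longer than against the low-cost one.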
Avoid The Following
- LastPass is a popular password manager, but it has been riddled with security issues and questionable business decisions for years. This includes things like limiting free users to using their account on either mobile or desktop devices (not both) and, most notably, a massive 2022 data breach, which the company announced on December 22 (three days before Christmas, when most people would be busy and unlikely to see the disclosure) in a post that attempted to downplay the issue as a minor incident. It later came to light that parts of users’ vaults were stored unencrypted (such as the sign-in URL for each website, letting attackers craft more convincing phishing emails), that the encrypted vaults themselves had been stolen (giving attackers endless time to guess master passwords offline), that many older accounts’ vault keys were derived with a very low iteration count (making each of those guesses far cheaper), and that the breach had been the result of poor internal security practices. This was merely the latest and largest in a series of blunders by a company that has proven itself inept and unethical in its treatment of customers and their data. Even if you don’t go with one of the password managers I recommend here, I strongly urge you to avoid LastPass.
Listed in alphabetical order, not order of recommendation

KeePass (an open database format with many independent clients)
Pros
- Some clients are audited
- Available on Debian, Mac, Windows, Android, and iOS
- Popular clients include KeePassXC, KeePassDX (Android), and Strongbox (iOS)
Cons
- Not all clients are audited
- Not cloud based; syncing and backing up the database file is up to you

Proton Pass
Pros
- Available on Debian, Mac, Windows, Android, and iOS
- Comes with free calendar, cloud storage, email, and VPN as part of a Proton account
Cons
- Cloud based
- Browser extension required for desktop access; no desktop app or web vault available
- Early product, missing some features that other password managers already have (such as credit cards)
Honorable Mention: 1Password

1Password does not qualify for a full endorsement on this site because they do not have source-available clients. However 1Password’s security is praised by experts, they have been audited, they have a long and positive track record, and they even support a variety of open source initiatives. 1Password would not be my first recommendation for most users because other equally good, open source alternatives exist (such as the ones listed above), but if none of the recommended offerings appeal to you for any reason, 1Password is also a highly reputable option. (Note that 1Password does not offer a free tier.)
Getting Started
I suggest you stop what you’re doing immediately and adopt secure passwords for your most critical accounts: bank, email, and any other account you can’t afford to live without. Start with email, since it is the recovery channel for nearly everything else. Do it right now before you do anything else.
For the rest of your accounts, I recommend updating your passwords to something secure “as you go.” This means you change passwords as you use them. For example, next time you log into eBay, change your password. Then, next time you order pizza, change that password. In time every account will have a unique, strong password.
Tips & Tricks
For your master login password, use a passphrase. A passphrase is a series of words rather than a single word. A good passphrase should be at least five words chosen at random from a large word list (your password manager’s generator can do this), so avoid famous quotes or obvious words like a list of your children’s names; a phrase you made up yourself is far more guessable than one picked at random. Five random words from a list of a few thousand gives roughly 65 bits of entropy, which can take upwards of hundreds of years to brute force against a properly slow key-derivation setting, and is out of reach of guessing entirely.
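The arithmetic behind “sixteen or more characters” in the Why section and “at least five random words” here, together with generators that draw from the operating system’s CSPRNG, as an added example that is not part of the original page. The sixteen-word sample list is constructed so the block runs offline; a real diceware-style list has 7776 words, and the 10 billion guesses per second used for the time estimate is an assumed offline attacker against a fast hash.

```python
import math
import secrets
import string

# Added example: uniform random passwords and passphrases plus the entropy
# figures behind the length and word-count advice. Not the page's own code.

# Constructed 16-word sample list so the block runs offline. A real
# diceware-style list has 7776 words; the numbers below show why size matters.
SAMPLE_WORDLIST = ["anchor", "basket", "candle", "dragon", "ember", "falcon",
                   "garden", "harbor", "island", "jungle", "kettle", "lantern",
                   "meadow", "nectar", "orbit", "pepper"]
DICEWARE_WORDS = 7776
SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 printable ASCII

def entropy_bits(choices_per_position, positions):
    """Bits of entropy for independent uniform picks from `choices_per_position`."""
    return positions * math.log2(choices_per_position)

def expected_crack_years(bits, guesses_per_second):
    """Expected time to land on the right guess is half the keyspace."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

def random_password(length=16, alphabet=SYMBOLS):
    """Uniform pick per position; resample until every character class is
    present so the result passes typical complexity rules. At 16+ characters
    the rejection removes a negligible amount of entropy."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw

def random_passphrase(words=5, wordlist=SAMPLE_WORDLIST, separator=" "):
    """Words chosen independently with `secrets`, never with the `random` module."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))

if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast hash
    for label, bits in (("16 chars from 94 symbols", entropy_bits(94, 16)),
                        ("5 words from 7776", entropy_bits(DICEWARE_WORDS, 5)),
                        ("5 words from the 16-word sample", entropy_bits(len(SAMPLE_WORDLIST), 5))):
        print(f"{label}: {bits:.1f} bits, ~{expected_crack_years(bits, rate):,.0f} years")
    print(random_password(), "|", random_passphrase())
```

The third line of output is the caveat: five words from a sixteen-word list is only 20 bits, so the list the generator draws from must be large, and the words must actually be chosen by the generator rather than by you.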
Password managers typically include a notes section. This is a great spot for things like MFA backup codes, answers to security questions, or other account-specific details you want to remember. Beware, though, that this concentrates everything in a single point of failure: a criminal who gets into your vault then holds both factors for every account in it. So apply maximum protection to the password manager itself, and keep the recovery codes for the password manager account somewhere outside the vault, since codes locked inside it cannot get you back in.
A common strategy for added account security is to give false answers to security questions. For example, a common security question is “what is your father’s middle name?” This kind of information is easy to find online for most people these days due to the increasingly digital nature of public records. A criminal could call the bank posing as you, answer the question, and transfer all your funds out of your account. Instead of the true answer, answer with a randomly generated word and record it in the notes section.