The New Oil

The New Oil logo
Data Breach Defense: Password Managers

Data Breach Defense: Password Managers

What is a Password Manager?

A password manager is a program or service that allows you to store login information such as username, password, and other data in a secure format. It can also be used to generate secure passwords.

Why do I Need a Password Manager?

The single most important thing you can do to protect your accounts is to use strong, unique passwords that are not reused anywhere. Weak passwords can be easily guessed using off-the-shelf computers, usually in a matter of minutes or seconds, and even a strong password reused across multiple services can be unsafe as some companies are still not using proper measures in securing your passwords on their sites. Using a strong, unique password on each service will make your accounts practically impossible to hack this way. A strong password should consist of sixteen or more characters consisting of upper and lower case letters, numbers, and special characters, and should not be reused on any other accounts. Of course, this means that a good password is impossible to remember, so the solution is to use a password manager. By using a password manager, you only ever have to remember a single password: the master password to login.

What Should I Look For in a Password Manager?

The most important thing is to look for a service that is “zero knowledge”. (This is also sometimes called “zero access” or “end-to-end” encryption.) This means that no employee of the company can see your passwords and information. Remember: if they can see it, so can a criminal who gains access. Note that end-to-end encryption is not the same as regulary encryption. Don’t be fooled by companies who only say “encrypted” or “military-grade encryption.” Make sure they claim to be end-to-end encrypted.

You should also consider whether or not cloud-based services are right for you. Cloud-based services offer conveniences like synchronization between devices, but you also run the risk that a successful criminal will download your database and then have all the time in the world to find weaknesses in the encryption. Conversely, locally-stored databases are safer from a data breach but run the risk of getting deleted, lost, or corrupted if you don’t keep reliable backups.

Avoid The Following

  • LastPass is a popular password manager, but they’ve been riddled with security issues and questionable business decisions for years. This includes things like limiting free users to choose between only using their account on either mobile or desktop devices (not both) or - most notably - a massive 2022 data breach, which they announced on December 23 (the Friday before Christmas, knowing that most people would be busy for the next few days and unlikley to see the disclosure) where they attempted to downplay the issue as a minor incident. It would later come to light that large swaths of users’ vaults were unencrypted (such as the sign-in link for the website, allowing attackers to craft more convincing phishing emails), vaults had been stolen from the databases (meaning attackers would have endless time to attempt to crack them), user passwords were poorly hashed (making them easier to crack), and the breach had all been a result of poor internal security practices. This was merely the latest and largest in a series of blunders made by the company, who has proven themselves untrustworthy in their treatment of customers and their data. Even if you don’t go with one of the password managers I recommend here, I strongly urge you to avoid LastPass.

Listed in alphabetical order, not order of recommendation

Pros
  • Recently audited

  • Available on all operating systems

  • Available on F-Droid

  • Passkey support (web extension only to add new passkeys)

Cons
  • Cloud based

Pros
Cons
  • Not all clients are audited

  • Not cloud based

  • Not all clients available on F-Droid

  • Limited passkey support (varies by client)

Pros
  • Recently audited

  • Available on all all operating systems (browser extension only for Linux and Mac)

  • Available on F-Droid

  • Passkey support

  • Can export passkeys

  • Comes with free calendar, cloud storage, email, and VPN as part of a Proton account

Cons
  • Cloud based

  • Browser extension required for desktop access (except for Windows)

  • Early product, missing some features that other password managers may already have (such as credit cards)

Click here to see my criteria for selecting these services

Honorable Mention: 1Password

1password logo

1Password does not qualify for a full endorsement on this site because they do not have source-available clients. However 1Password’s security is praised by experts, they have been audited, they have a long and positive track record, and they even support a variety of open source initiatives. 1Password would not be my first recommendation for most users because other equally good, open source alternatives exist (such as the ones listed above), but if none of the recommended offerings appeal to you for any reason, 1Password is also a highly reputable option. 1Password has passkey support. (Note that 1Password does not offer a free tier.)

Passkeys

As of mid-2023, we have seen a rapid release and adoption of a new technology called “passkeys.” I won’t spend time here explaining how they work because it is somewhat lengthy and complicated, but if you’re interested there’s an excellent write-up here. Whether or not you should use passkeys depends on several factors. For a more comprehensive explanation, I suggest checking out EFF’s deep dive into passkeys, but here’s the basic summary:

When to use passkeys

  • If you’re not currently using a password manager(1)
  • If you’re currently re-using passwords (regardless if they’re good or not)
  • If you’re not using a security token for multifactor authentication

When not to use passkeys

  • If you’re currently using a security token for multifactor authentication
  • If you have a high threat model where even a small mistake could be catastrophic

1: You will still need to pick and use a password manager to take advantage of passkeys (see the next section on why)

Be aware that passkeys are still an early technology and it may be dangerous to rely on them entirely without a backup solution (in other words, at this time I don’t recommend disabling your passwords entirely).

Storing Passwords & Passkeys in the Browser & Apple Keychain

It’s common for people to store passwords (and now passkeys) within the browser when prompted or to use Apple’s built-in Keychain feature (or Android’s built-in passkey support). I generally don’t recommend using the browser’s built-in password manager. For the browser specifically, malware exists that is capable of stealing browser data including history, passwords, credit cards, addresses, and authentication tokens (meaning the attacker simply reloads the page and is now already logged in as you). I also find using a third-party password manager to be a better overall experience, with better apps, easier use across devices, no penalty or difficulty should you decide to switch devices or browsers, and an easier time exporting and importing passwords. However, if you still would prefer to use the built-in browser password manager, I recommend at least locking it with a secure passphrase when not in use. Regarding Apple Keychain and Android passkeys, I feel the same way as I do about the browser password manager: while Apple Keychain and Google passkeys are - to my knowledge - secure, I prefer to use a third-party password manager who won’t lock you into a single ecosystem or operating system. (Note: at this time, 1Password and Bitwarden cannot export passkeys but both organizations have expressed an interest in adding this feature in the future.) I share the same concerns about focus on security, but to a lesser extent given Apple’s and Google’s excellent security track records.

Getting Started

Most password managers have documentation on how to import your existing passwords from wherever you may be storing them, such as Apple Keychain, Chrome, or another password manager. A good first step is to import your existing login information and wipe it from your old solution (Chrome, Keychain, etc).

After that, I suggest you stop what you’re doing immediately and adopt secure passwords for your most critical accounts. Bank, email, and other accounts you can’t afford to live without. Do it right now before you do anything else.

For the rest of your accounts, I recommend updating your passwords to something secure “as you go.” This means you change passwords as you use them. For example, next time you log into eBay, change your password. Then, next time you order pizza, change that password. In time every account will have a unique, strong password.

Tips & Tricks

For your master login password, I recommend you use a passphrase so that it’s easy to remember but still secure. A passphrase is a series of words rather than a single word or a string of random gibberish. A good passphrase should be at least five random words, so try to avoid famous quotes or obvious words like a list of your children’s names. One common resource for generating a good passphrase is EFF’s Dice-Generated Passphrases. You could also Bitwarden’s free password generator. A good passphrase can take upwards of hundreds of years to brute force or guess.

Make sure you enable two-factor authentication on your password vault - the stronger the better. If you can afford it, I recommend using a security token here even if you don’t use it elsewhere (though I recommend using it wherever possible). Your password vault is a single point of failure, so it’s imperative to put the utmost level of protection on it.

Some password managers also allow you to use them to store your 2FA seeds. This can be convenient, but it does create a single point of failure. If you choose to go this route, be sure to use the highest level of security available on your password manager, such as a strong passphrase with a security token.

Password managers typically include a note-taking section. This is a great spot to take notes like MFA backup codes, answers to security questions, or other account-specific details you want to remember. However, beware that this creates a single point of failure for each account, so ensure that you’re applying maximum protection to your password manager in this case.

A common strategy for added account security is to give false answers to security questions. For example, a common security question is “what is your father’s middle name?” This kind of information is easy to find online for most people these days due to the increasingly digital nature of public records. A criminal could call the bank posing as you, answer the question, and transfer all your funds out of your account. Instead of the true answer, answer with a randomly generated word and record it in the notes section. Again, be sure to secure your password manager as well as possible because this is still creating a single point of failure.

If you want to see which services currently support passkeys, you can check 1Password’s Passkey Directory or Bitwarden’s Passkey Index.