Please - I am Begging - Start Using a Password Manager
For better or worse, the current state of authenticating our access to almost all systems starts with a username and password. And the number of systems requiring credentialing is growing and will likely continue to do so. Moreover, systems frequently require more complex passwords and frequent changes, thus rendering the "use the same password" technique almost useless. Most people choose to make this a source of frustration - I assure you, it does not have to be.
When I first learned of Password Managers, I was hooked. In somewhat of an odd corollary, I had the same reaction to learning more about the Value-Oriented style of investing. Simply put, with either one, you seem to either get it or you don't...neither is an acquired taste.
I have long wondered why the uptake was so slow on Password Managers. Finally, I happened upon an article in the Wall Street Journal addressing this exact issue. You can read it here.
Security of Password Managers
Believe it or not, I have a Master's Degree in Computer Science. Admittedly, as my best friend frequently reminds me, the degree is somewhat dated. That said, I did complete my Master's Thesis on Cryptography, which was a novel concept back when I was sweating through my Master's curriculum in frigid Minneapolis. Despite my degree being a bit stale, I am able to discuss the merits of any Password Manager's Security. At the core, they are mostly the same.
Everything starts with the Master Password. This is "the one" password you have to remember. There are no resets, do-overs, or root users with Password Managers. Knowing this password gains you access to the system where all your other Passwords are stored. Your Master Password is never transmitted anywhere, never stored by the Password Manager, and not accessible by the provider. The only person who knows it is you.
Your Master Password is used as an encryption key for your data. That sentence simplifies things a bit...the following picture will further illustrate:
A few points to note:
- Your Master Password is never stored anywhere - it is the keystone for the whole process, so you must not forget it
- All stored data is stored using 256-Bit encryption with the data at-rest on-line in encrypted form...more on the security of encrypted data below
- Your Password Data is easily transferrable to ANY new device...all that is required is to download the app and have your Master Password
- Browser extensions enjoy the same level of security, so you should feel free to utilize extensions as much as you like
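To make the "never stored, yet works on any device" point concrete, here is an added sketch (not code from this post or from any Password Manager vendor) that stretches a master password into a 256-bit key and checks a guess without keeping the password. The KDF choice (PBKDF2-HMAC-SHA256), the iteration count, and the names `derive_key`, `create_header` and `unlock` are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumptions for this sketch: KDF choice, cost and label are illustrative.
ITERATIONS = 200_000
CHECK_LABEL = b"vault-key-check"


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 256-bit (32-byte) key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=32
    )


def create_header(master_password: str) -> dict:
    """Build what is written to disk and synced: a random salt and a key check.

    Neither the master password nor the derived key is stored.
    """
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def unlock(master_password: str, header: dict):
    """Re-derive the key on any device; return None for a wrong password."""
    key = derive_key(master_password, header["salt"])
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["check"]) else None


if __name__ == "__main__":
    # Constructed sample passphrase, not a recommendation.
    header = create_header("constructed example passphrase")
    # A "new device" only needs the synced header plus the master password.
    print("right password unlocks:", unlock("constructed example passphrase", header) is not None)
    print("wrong password unlocks:", unlock("wrong guess", header) is not None)
```

Because the stored header allows a guess to be tested offline, the cost of the key-derivation step and the strength of the Master Password are what protect a copied vault.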
The Security of 256 Bit Encryption
So how secure is this process? In short, the answer lies in the security of very large numbers. The Password Manager I use - Dashlane - employs 256-Bit encryption. To the innocent, it may seem that a nefarious actor has a 1 in 256 chance of "accessing the goods" - it is not quite so simple for this nefarious person. Rather, the 256 refers to 2 to the 256th power. To illustrate just how big this number is, here it is written out:
In case anyone is counting, that is a 78 digit number. If you are curious, a 1 with 77 zeros behind it is One Quattuorvigintillion. And getting to the point, the nefarious actor has a 1 in that number chance of hacking your Password Manager Account. Compare that to some of the other "password managers" I have seen:
- Same Password for every account
- Sheet of paper under the centerpiece on the kitchen table
- Note(s) on iPhone
- Passwords written on the top of brokerage account statements
Suffice it to say, while there are minute security cracks in all Password Managers, their security exceeds nearly every other authentication management system in use. If you have ANY concerns about the security of Password Managers, don't - they are as secure as anything you could possibly hope for.
Why People Do Not Use Password Managers
Reason #1: Effort. Migrating from a hodgepodge of passwords stored in browsers, under place mats, and on various places in your phone is cumbersome and this should be acknowledged. Just like there was no way around the fact that I would not have internet access when I went to sea, similarly, you cannot circumvent the dedicated effort required to migrate to the Password Manager. Thankfully, only one big excursion is required. Afterwards, only minimal effort is required to maintain things and record new credentials as required.
Reason #2: Security Concerns. Some people do not trust the security of Password Managers. Extremely simply put, these concerns are seriously unfounded. To allay concerns, every reputable company providing an on-line service has a "Security White Paper" describing the system's security. You can read Dashlane's here. Recall, just as FedEx is in the business of delivering packages on-time, so too are Password Management systems in the business of securing your data...security is the integrity of the product - and the systems are top-of-the-line.
Anything is possible; however, given the lower-hanging fruit available in commandeering passwords, the overwhelming number of criminals will bypass you if your passwords are protected with 256-bit encryption...you can take that to the bank.
It's All About Your Master Password
Password Managers typically have you remember one "Master Password". This is "the one" you have to remember (and never write down). Knowing this password grants you access into the application where the remainder of your information is stored. It is important to note that your password is never stored anywhere on your device, in the "Cloud", or anywhere else. This is the core of the security protocol illustrated above.
With your password, the Password Manager employs the encryption technology pictured above to encode your data. While I am simplifying somewhat, the important piece to note is that your data is encrypted with very, very difficult to hack methods. While anything is possible, you should rest very easy that your encrypted data, which is usually stored locally on your device and on your Password Manager Vendor's servers, is extremely safe. Indeed, worrying about your encrypted data being "hacked" should not dissuade you from using a password manager...these systems are far, far better than any system of writing passwords down somewhere.
How to Rid Your Life of Password Anxiety
The journey has to start somewhere. It's going to be somewhat painful, so my suggestion is to pick a day - maybe a weekend morning is a good time - and just tell yourself you are going to do it. Once you start - believe me - you won't look back.
Step #1: Pick a provider
There are many out there - I use Dashlane, but you can research your own here.
Step #2: Select your Master Password
This has to be something you will never forget.
Step #3: Change the Password for your most visited site
It's time to jump in and start randomizing your passwords and making them unique for each site. For me, I do the following:
- Go to the site
- Go to the "Change Password" function
- I make a "Secure Note" with my Username and Password
- For my Password, I make them long and completely random...You never have to remember them and infrequently have to type them in, so be creative - Uppercase, Lowercase, Numbers, and symbols for EVERY password
- For passwords, research has shown that password length is the key to avoiding your password being hacked, so don't be afraid to amp it up with the number of characters.
- Let the Browser Extension save the password for you
Step #4: Repeat Step #3 for as many sites as you can until you are worn out for the day
Step #5: Repeat Steps #3 & #4 until you have changed all the passwords you use
Once you have gone through the pain of randomizing all your passwords, I assure you that you won't want future passwords any other way. Whenever you happen upon a new site requiring credentials, you will reach for your phone and make a new entry in your password manager.
Quick Review of the Benefits of Using a Password Manager
Now let's review the benefits of using a Password Manager...
Benefit #1: Never Being Locked Out
It seems whenever we need it the most, technology sometimes fails us, especially if we are attempting to access a website we don't frequently visit. Password Managers significantly reduce the probability of this happening. You really do not want to be caught out when you are trying to transfer funds or modify allotments to your 401(k) account. I freely admit, there is always tech support...
Benefit #2: Secure Passwords
Now that you have a secure way to store and generate passwords, your accounts will be "more secure" as you will no longer have the easy to discern birthdates, children's names, and other publicly available information in your passwords. Additionally, you will not have to use the same password for multiple accounts - a practice any reputable security expert will tell you to avoid.
Benefit #3: Sharing Passwords
For families, there is an inevitability of multiple clients for the same account. In these instances, password sharing is an invaluable tool. This has applications for parents with younger children obviously. Concomitantly, it also has benefits for adults with older parents whose accounts need to be monitored to ensure bills are paid, accounts are not overdrawn, and to perform general checks for suspicious activity.
Benefit #4: A Thinner Wallet
The Premium Versions of some Password Managers have a specific application for storing credit card information. Therefore, if you use a specific credit card for on-line transactions, where having the actual physical card is not required, you can simply use the information stored in the Password Manager to complete your transactions. Thus, you need not carry the actual card with you. The same logic applies for your Social Security Card, Birth Certificate, Passport, and other items where you may need the information, though you need not have the physical document with you.
Benefit #5: Estate Planning
Being the Executor of an Estate is one of the more daunting tasks you can assign to someone, especially if they have no prior experience in the craft. The job is made even more difficult when the Executor has no blueprint of your financial life. Providing your Executor Emergency Access to your Password Manager can at least inform him/her where your accounts are. Then, your Executor can use that information to aid in your Estate Settling. Moreover, if you have Digital Assets - think Facebook, Twitter, LinkedIn, Instagram, etc. - he/she can follow those entities' protocols for managing your accounts going forward. And finally, you also have use of secure notes to detail exactly where the original Estate Documents are. Provide as much detail as you can....we won't be able to ask you anything at that point!!!
The Internet Age has been upon us for a while now and we are only going to grow more dependent on technology going forward. Whether we like it or not, credentialing is still a password-driven game. Therefore, it makes sense to fortify your defenses with strong, random passwords.