
Make your life easier with a Password Manager

If you're like most of us, you have more accounts online than you can shake a stick at. At one point, chances are you reused the same password on many sites. Things were simpler once.

These days, even with Multi-Factor Authentication, you'd like to be a lot more careful. Again, if you're like us, you probably visited Have I Been Pwned?, entered your email address and realised that several of your old (or, worse, current) passwords are now common knowledge.

How do you track all your dozens of accounts, all your passwords, and all those other security credentials without resorting to Post-It®s, hand-written notes or unmaintainable text files?

We use password managers.

Your browser's password store

Your browser of choice has a basic password store built-in; it remembers your passwords; it can pre-fill some log-in forms automatically; it may sync across devices so when you change your password on the laptop, it updates on the phone; it might even suggest new, safe passwords; and it's convenient!

Although they're okay for casual use, built-in password stores might not be a good match for you.

For all you know, they store passwords on your disk without any encryption. This would make them very bad for, say, banking or work passwords.

They may even store passwords beyond your control. Password synchronisation happens via the Cloud. The aphorism ‘there's no such thing as The Cloud, it's just somebody else's computer’ is true. It is someone else's computer, operating under someone else's security policy, and often running in a foreign jurisdiction you (or your work) might not consider safe. This list of Global surveillance disclosures since 2013 makes for sombre (and long) reading.

But it turns out most password managers can do what your browser password stores can do, and better.

Password managers

Superficially, a password manager does the same thing a browser's password store does: it stores passwords.

But there's a lot of value added to that.

It uses a database to store site names, URLs, account names, passwords, notes, and many other types of private information. It encrypts the database with up-to-date, powerful ciphers. A single passphrase unlocks everything like a master key. And, if you need extra security, you can also add factors like a YubiKey®, facial recognition, fingerprint, or a key file on your computer.

The password manager sits hidden from view until you hit its shortcut (or tap its icon if you're that way inclined). Type a couple of letters to search for a password by account name, site name, note, or whatever other information you've stored. Double-click, and it can automatically open a browser tab and log you in.

Or copy site URLs, usernames, and passwords, and paste them straight to a browser, if that's more convenient at the time. The password manager will even automatically clear the clipboard after you've used the password, so a malicious user can't just paste the copied password into an email to themselves.

Very importantly, a password manager can let you know if a password you use has been leaked on the Internet, and can give you tips on how to improve the quality of your existing passwords.
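The leak check above does not have to send your password anywhere. Have I Been Pwned's Pwned Passwords service uses a k-anonymity range lookup: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known suffix in that range with its breach count, and matches the rest locally. The example below is added here and is not code from CIVIC or from any password manager; it models the range exchange offline with a constructed breach corpus and a stand-in for the network fetch, so the only value that would ever leave the machine is the five-character prefix.

```python
import hashlib
from typing import Callable, Dict

# Real endpoint the fetch callback would query: https://api.pwnedpasswords.com/range/<prefix>
# This example never goes on the network; the response body is constructed below.

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the format the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(full_hash: str):
    """Split into the 5-char prefix that is sent and the 35-char suffix kept locally."""
    return full_hash[:5], full_hash[5:]

def build_range_response(prefix: str, breached: Dict[str, int], decoys: int = 3) -> str:
    """Constructed stand-in for the API body for one prefix: 'SUFFIX:COUNT' lines.

    Includes every corpus password whose hash falls in this prefix range plus a
    few decoy suffixes, so the client has to match the suffix, not just the range.
    """
    lines = []
    for pw, count in breached.items():
        p, suffix = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    for i in range(decoys):
        lines.append(f"{sha1_hex(f'constructed-decoy-{i}')[5:]}:{i + 1}")
    return "\r\n".join(sorted(lines))  # the real API separates lines with CRLF

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in breaches (0 = not found).

    fetch_range receives only the prefix; the suffix comparison happens here.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

# Constructed breach corpus standing in for the real service's data.
BREACHED = {"Password1": 1000, "letmein": 250}

def demo_fetch(prefix: str) -> str:
    return build_range_response(prefix, BREACHED)

if __name__ == "__main__":
    for pw in ("Password1", "uZwwaqOR-unique-answer"):
        print(pw, "->", pwned_count(pw, demo_fetch))
```

A password manager that stores the site's generated password can run this check against every entry without the service ever learning which passwords it holds.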

In the browser

Password managers integrate with browsers using browser extensions. This swaps the built-in password store for the password manager's, so you keep the same behaviour and convenience: it'll fill in passwords; it'll create new entries when you sign up on a new site; when you change your password, it gets automatically updated in the password manager; and it suggests a very strong password based on your preferences.

The same goes for mobile devices. On Android, you can choose what app provides the password store for the entire operating system.

For personal use

At CIVIC, our colleagues use password managers in a lot of ways, and some are ‘abuses’ of the concept. You can do this because password managers aren’t just for websites. They will happily store any type of secret.

We use them to keep track of our various accounts, so we instantly know what sites we've signed up on before.

We use them to know what we use sites for. For instance, is this a site we use for buying replacement disk drives for our servers? Is it for books? Cat toys?

We use the note section in entries to store the answers to website security questions. For instance, this frees us to answer ‘uZwwaqOR’ to ‘what is your mother's maiden name?’ and have a different answer on every site. Instant fraud protection!

We use them to store potential issues with the site's security. For instance, ‘keep passwords shorter than 20 characters, this site quietly truncates them and then complains.’

We store recovery codes for multi-factor authentication.

We use them as part of our Digital Wills. No-one likes to talk about such things, but if anything should happen, critical, private information remains accessible to our loved ones.

We also use it to store WiFi passwords, phone PINs, computer logon passwords, lock combinations and a whole range of other secrets for ourselves, and for older family members who might forget or misplace them.

How about work?

Password Managers are great for work. We can securely share passwords with team-mates. In fact, they are one of the few ways we know to share second factor authentication codes (those six-digit numbers sites ask you for).

This is invaluable for sites that only allow a single super-admin account, where someone's phone (or password manager!) has to be the second factor, but we need multiple people to be able to log in just in case.

It's also a lot easier to find CIVIC accounts our colleagues have made without us knowing.

With password managers, you could store encrypted work databases on a private cloud like NextCloud or ownCloud. On some managers, you can also securely and transparently synchronise some of your passwords with others. Directly, not via Someone Else's Computer.

For technical people, the manager can act as an SSH agent, securely storing your secret keys and providing your SSH identity so that you can log into remote servers securely, without typing a password. And, your keys stay encrypted and safe.

Password stores used for work can have additional safety measures: they can self-destruct if someone enters the wrong passphrase too many times. This won’t be something you want for a personal database, but a work one would also be stored centrally, so it's safe to destroy a copy.

Conclusion

At CIVIC, the sheer number of sites, accounts, and passwords we have to deal with daily makes using a password manager a no-brainer. We rely on ours, and we keep discovering new ways to use them.


Contact us, and let us help you with your own security concerns online!