Passwords are terrible. But every Web site and app seem to require them. I’m going to tell you why they suck, and how to make them suck a little less.
Why do passwords suck?
We’re trying to secure against a few competing goals:
- Humans need to remember them.
- Need to be hard enough that other humans can’t guess them.
- Need to be hard enough that computers can’t guess them.
And then on top of that, the people who make sites and apps add requirements that make it even harder.
“Your password needs uppercase, lowercase, symbols (no, not *those* symbols), a plot with a beginning, middle, and end, and we’re going to ask you to change it every 3 months, and you can’t use one you’ve used before.”my impression of every banking Web site ever.
Password re-use is bad. If you use the same password across all sites, one hack means you have to reset it at all sites. Hackers love this, because it means they have your email, which means they can re-set any other password using the “forgot password” link.
Forcing users to reset their password every few months is also bad: most people want to remember their passwords, so they increment the one they had before by a digit. “MyDogFluffy1” becomes “MyDogFluffy2”.
So people end up trying to make words they know and replace letters with symbols. 20 years ago, we called this l337speak (Leet speak, because only *elite hacker nerds* used it).
The problem, as the image above shows, is that it’s really easy for computers to substitute symbols for letters when running a dictionary attack to discover a word.
A mildly better password might be to use the first letter of each word in a phrase that you can remember. *WaLiaYs3* might be *We all live in a yellow submarine, yellow submarine, yellow submarine*.
But that isn’t great, either. You’re still going to use that thing *everywhere* and once it’s hacked once, it’s hacked *everywhere*.
What do people do to try and manage passwords?
- They reuse them
- They write them down
- Or, if they’re really being obscure, they write down hints of what the password is, not the actual password.
I have seen this: a notebook, stored in a file cabinet, that had pages and pages of hints about passwords, written in a non-English language.
What if it gets lost? What if it burns? What if it gets wet?
What is a password manager, anyway?
What if, instead of using the same password everywhere, you could have randomly generated ones?
What if instead of having to remember, or write on paper, all your passwords, you had them on all your devices, where you actually use them?
And what if, you only had to remember one password, that you didn’t use anywhere else?
This is what a password manager does. It ends the paper notebook.
It stores all your passwords in an encrypted vault, behind a master password.
It can be stored locally on your computer, and not shared across a network, or, because it’s encrypted, you can store it on a cloud service and have it on all your devices. It’s up to you and your comfort level.
What are the common password managers and their differences?
There are two approaches to this: one that says, have the browser save all your passwords, and the other, which is use a standalone program.
There are two things you should think about: lock-in, and security.
For example, you could use Chrome and have Google store all your passwords, tied to your Google account.
One problem might be, if your Google account wasn’t secured and got hacked, all your passwords are now vulnerable.
Safari does this a little better, using Apple’s Keychain to manage passwords.
Like Google, Apple will suggest a password, and store it. Better than Google, Apple will let you copy it and paste it somewhere if you need to (on a Mac.)
It’s secured in iCloud as an encrypted store and if you use an iOS device, it will auto fill in both the browser and apps. It’s not easy to look up passwords on an iOS device, but you can using the Keychain Access app on Mac.
But, like Google, it won’t let you edit their suggestions.
If you don’t use a password manager, but do use Apple devices, using Safari and Keychain to manage passwords is much, much better than nothing. But it won’t help you if you need to work cross-platform.
A separate password manager application will allow you to work across Mac, Windows, iOS, Android, and even Linux, will let you look up passwords, and tell you when a password has been compromised in a hack.
1Password by AgileBits is one of the longest-running password managers, having been around since 2006.
With version 7, they’re moving more users to a subscription model, although it’s possible to purchase outright if you prefer.
Synchronization can be local, through Dropbox, or iCloud. If you were paranoid, you could sync directly over USB between your phone and your computer, never storing anything in the cloud. 1Password Family accounts do use 1Password cloud storage.
The password vault is encrypted using AES, and locked behind a master password of your choosing. On iOS, the app can also be set to unlock with Touch or FaceID.
One thing that puts people off is that 1Password is pricing. It costs $2.99 a month for an individual, or $4.99 a month for a family of 5. That’s $60 a year, which isn’t bad, but can be difficult to convince people who think they’ve been getting by just fine without it. (They’re wrong. You need a password manager.)
1Password’s password generator can generate both numbers and symbols or the pronounceable combination-of-words like the XKCD cartoon above.
1Password can display which passwords have been compromised and need replacement. In iOS, this is just a list of passwords that you can review individually.
On iOS, the app is free. If you use the iOS app exclusively, or want the family membership functionality, you can subscribe through the app.
Enpass works similarly to 1Password, but at a lower price. The desktop application is free, and the mobile app costs, either 50 cents a month, or $41.99 for lifetime use.
Enpass has a free plan for mobile, but it’s limited to 25 items and a single vault. The single vault isn’t concerning, most people use a single vault under normal circumstances.
Enpass’s password generator can generate both numbers and symbols or the pronounceable combination-of-words like the XKCD cartoon above.
The iOS app also has a nice audit display, showing how many passwords are hacked, re-used, or just plain older than 30 or 60 days.
Enpass is a little rougher around the edges than 1Password, having not been in development for as long as 1Password, does the security audit better, and works with Mac, Windows, Linux, iOS and Android. It also has a portable version that can run on a USB stick, which is nice if you need to use a computer that isn’t yours.
Enpass does have guides for importing data from 1Password and others, making it easy to migrate to.
Enpass also insists that they’re an offline password manager, and that they will never store anything on their servers, although you can (and for most users, should) use iCloud, Dropbox, or other cloud storage for your password vault in order to sync it across devices.
Dashlane has a $4.99 a month, or $10 a month plan for individuals. The 10 dollar a month plan includes credit report monitoring and identify theft restoration.
Dashlane has a free plan, but it limits you to 50 passwords and 1 device. That’s a nice trial, but come on: once you start using it for everything (as you should), you’re going to exceed 50 passwords.
For families, the prices are $7.49 or $14.99. Both individual and family plans also include a VPN service.
Dashlane stores your passwords in a vault on their servers, and unlike 1Password or Enpass, are only available as subscription.
LastPass is free. Free for all your devices, free for individuals.
There’s a premium service that includes 1GB of file storage on their servers, for $3/month.
For families, you get 6 licenses with the premium service for $4/month.
Lastpass can be completely managed through the browser, or using the mobile app. They store everything in their servers, and there’s no desktop app.
Bitwarden is one we’re seeing advertised a lot more on social media. What makes it interesting is that it’s so flexible.
Sure, you can use it with mobile and desktop. It supports Mac, Windows, and Linux. It supports browsers. It supports the command line interface.
And if you’re on a friend’s computer, you can use the web vault access. They’re using AES 256bit encryption, similar to 1Password, Enpass, and others – because it’s a good choice.
Remember, earlier we talked about storing the password vault on your own computer rather than a password manager’s servers?
1Password and Enpass let you do that. Bitwarden takes it a step further. Bitwarden is open source, so you can view the source for all the applications, and compile them yourself if you really wanted to.
That’s not as important as this: They give instructions for running the password vault on your own server. If you don’t want to use their cloud, you can make your own, with instructions for hosting it on Linux, Mac, and Windows.
If you have concerns about being independent from a company, being able to separate your passwords from their control, Bitwarden might be the answer you need if 1Password and Enpass don’t satisfy your concerns.
They do have business plans that use their cloud – 2 users are free forever, 5 user teams are $5/month, with additional users added at $2 per user per month. Enterprise plans are $3 per user per month.
You need a password manager. You need to stop re-using passwords, and you need to generate better passwords for each new login.
I don’t care strongly which one you use, only that you use one.
All of these interoperate with 2 factor authentication, which is a separate issue, and something I’ll write about another time.
Please, please, use a password manager.