Too Many Passwords to Remember? Use a Password Manager.

Markus Jakobsson wrote an interesting article for Wired recently debunking some common myths about password security. He argues that longer passwords that are easy to remember are actually more secure than the shorter, more complex passwords that many systems enforce. It’s worth a read:

Fighting Hackers: Everything You’ve Been Told About Passwords Is Wrong

I think Jakobsson’s argument misses one point: even if passwords are memorable, most people have far too many to actually remember them.

Password managers are the answer to this situation. These are programs on your phone, on your desktop or on the web that remember usernames and passwords for you. You only need to remember one password, the one for your password manager.

Let me describe how this works. When I come to a login form on the web, I press a key combination to bring up my password manager. If I haven’t already unlocked my password manager it will ask for the master password. Afterwards it looks up the credentials for the site I’m on, fills in the username and password fields and logs me into the site. Once the password manager is unlocked then I can log into any site with a single key combination. (Don’t worry, it’s much faster than it sounds!)

Some password managers are applications that run on desktops, tablets or phones. These usually store usernames and passwords in encrypted files on disk so that the information is secure in case the device is stolen. Other password managers are web based, storing that same encrypted information out in the cloud. Either way these products offer a great combination of security and ease of use.

I’ve been using a password manager called 1Password for several years on my Macs, iPhones and iPads (it’s also available for Windows and Android). The Mac version is fantastic and logging into websites really is as simple as pressing a key combination. On iOS the experience isn’t quite as smooth and requires a copy and paste of the password. 1Password also isn’t cheap: desktop licenses start around $50.

Another very popular password manager around the Matrix office is LastPass. LastPass is web based and should work on any device with internet access. There is no cost to use LastPass, though a $1 per month subscription to the Premium service enables some additional features.

So take a look at the password managers that are out there, pick one and start using it. Not only will it make your online experience easier, it will make it more secure as well.

Have you used a password manager you love? Tell us about it.

2 thoughts on “Too Many Passwords to Remember? Use a Password Manager.”

  1. Yep, password managers are a lifesaver for sure. I was using LastPass for a while, but then they had the incident last year where their servers were hacked (http://en.wikipedia.org/wiki/LastPass_Password_Manager), and since they keep all the login/password data on their servers, I ended up chickening out and stopped using them.

    I looked at 1Password too, but it was a little too pricey for me :) Instead, I’ve been using OneLastPass (http://www.onelastpass.com). Despite the derivative name, I like it better than LastPass, since it doesn’t actually store anything. It’s a Chrome extension (and web app) that just takes your master password and the URL you want a password for and generates a long, strong, unique password for the site.

    Apparently, they’ve extracted the password rules for most sites, so I haven’t encountered cases where the password they give me was not accepted. The most annoying part is that you have to change your password wherever you have an account to use the OLP-generated password, but after that, it’s a breeze and I don’t have to worry about whether their servers are compromised or not (they don’t get my login info at all and no passwords are actually stored on the site).

    Are there other popular options out there (preferably free) other than OneLastPass, 1P, and LastPass?

    • The only other free option I have any experience with is Passpack. It didn’t fit my exact needs for that project, but I was fairly impressed with the product overall. They have a blog post talking about the LastPass security incident and how their approach differs from that of LastPass. It’s a worthwhile read if you’re interested in the security issues surrounding a service like theirs.
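
The stateless approach described in the first comment above (master password plus site URL in, password out, nothing stored) can be sketched as follows. This is an added example, not OneLastPass's actual algorithm and not code from the post or its comments; the scrypt parameters, the alphabet, the `counter` argument and the function names are all assumptions.

```python
import hashlib
import string
from urllib.parse import urlsplit

# Assumed parameters for this sketch; they are not taken from any real product.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1   # slow KDF: each master-password guess costs ~16 MiB
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def site_key(url: str) -> str:
    """Reduce a URL to its host so every page of a site maps to the same password."""
    host = urlsplit(url if "//" in url else "//" + url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    # Simplification: only a leading "www." is stripped; subdomains stay distinct.
    return host.removeprefix("www.")


def derive_password(master: str, url: str, length: int = 20, counter: int = 1) -> str:
    """Recompute the site password from the master password; nothing is stored.

    `counter` (hypothetical) lets one site's password be rotated after a breach
    without changing the master password, at the cost of remembering the counter.
    """
    salt = f"{site_key(url)}#{counter}".encode()
    stream = hashlib.scrypt(master.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, dklen=4 * length)
    # Rejection sampling: drop bytes that would make some characters more likely.
    limit = 256 - 256 % len(ALPHABET)
    chars = [ALPHABET[b % len(ALPHABET)] for b in stream if b < limit]
    if len(chars) < length:
        raise RuntimeError("not enough unbiased bytes; increase dklen")
    return "".join(chars[:length])


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample value
    for url in ("https://www.example.com/login", "example.com", "https://example.org"):
        print(url, "->", derive_password(master, url))
```

Anyone who learns one derived password can test master-password guesses against it offline, which is why a deliberately slow KDF is used here. The sketch does not model the per-site password rules the commenter mentions.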
