Who do you trust more?
200 websites to store your passwords or yourself?
If you’re not using a password manager, you’re trusting 200 websites* to secure your same or similar passwords.
This is like living in a neighborhood where everyone’s house keys are the same. It’s only a matter of time before one house key is stolen and the whole neighborhood is screwed. Also, how do you know your neighbor is not snooping in your home?
Why would anyone live in a neighborhood like that? Why would anyone treat their passwords like that?
Every home should have a unique key, just like every online account. And every person should be in control of their own keys. That is what a password manager does!
Credential Stuffing Attacks
A credential stuffing attack happens after one website is breached and all the passwords leaked.
Those leaked passwords are fed to bots to see what other accounts across the internet let them log in.
Since so many people reuse passwords this attack is very effective.
This is why you see many people get hacked in succession; first their Twitter then their Instagram, and then 4 other accounts all in the same day. These bots are quick and vast so it’s nothing to check a few thousand accounts at once.
Password reuse is the biggest threat you’re facing, and trusting 200 websites with the same or similar passwords is not solving the problem.
How A Password Manager Fixes This
People have a fear of keeping all their eggs in one basket when it comes to password managers.
–The irony is that this is a positive and not a negative.–
With a password manager, you give every single account a unique password and then you have the option to store those ENCRYPTED passwords anywhere you trust.
It could be a flash drive under your mattress to a hidden folder on your computer.
Anywhere is better than using the same or similar passwords on 200 websites you don’t control and praying they don’t get breached.
Since you have ultimate control over your password vault it makes “keeping all your eggs in one basket” seem reasonable.
The Power Is Put Back In Your Hands
You’re bringing the power back into your hands with a password manager. You’re not relying on 200 websites to secure your passwords, you’re instead giving every account a unique password and storing that information somewhere you control.
It’s more likely those 200 websites to get hacked than one person.
Just think about it… Why go after one person when you can go after 1000’s of people from multiple websites and get the one password they reuse everywhere.
What About Online Password Managers?
It’s all about control.
Control comes in many forms such as your master password. Only you know it and only you can unlock your vault.
Another option for control is where you store your password vault.
You don’t have to use an online password manager; there are plenty of local password managers like KeePassXC, SafeInCloud, and Enpass. Many local password managers work with Dropbox or your own cloud storage so you have control on where the encrypted vault lives.
But what about cloud password managers like 1Password, LastPass, Bitwarden, or Dashlane?
It comes back to control.
They Don’t Know Your Master Password
For one thing, they don’t know your master password. You’re the only one with control over that.
So if you forget your master password, you’re locked out forever – as it should be. If they could reset the master password so could anyone that hacked them, it’s best they don’t know it.
The Secret Key
Then you have some that take it to the extreme, as one should for password managers.
1Password uses a secret key that is added to your master password to make it impossible to crack. Even after a 12-character long master password, it’s impossible to crack taking into consideration computers getting faster every year.
People don’t trust what they don’t understand and encryption is one of those things.
What’s protecting your passwords is our old friend math.
To explain this simply think of your master password as a number and your entire data as another number.
To make this easy your master password will be “2” and the vault data will be “2” also. Take both numbers and multiply them together to get your encrypted data.
2 x 2 = 4
To “crack” this output of 4 we just ask ourselves what 2 numbers multiplied together gives us the answer 4? It’s 2×2 and 1×4.
When it comes to password managers we’re dealing with much bigger numbers.
Numbers bigger than this 77682377966238676286949362426243267447754393337426953683325686669488525972944432779383627687238845568293375255886258366746544458766335577893374777467342875923534897633769832925628958735686354334625898328497276985834829656287724386597226692867972969766434262677373692267443636373594859259852399998222485337888444852376339884955656474789879378342542529854754469549749589955438772583776545963539524383478488954493424984333979624853239538626255447526578234484998637972266238633438476476232953958375829495998248874892
Go ahead, try to figure out all the factors of that number.
This grossly oversimplified the process of encryption, it’s more complex and secure than this but this does give you an idea.
It’s Like Your Bank
The reason to use an online password manager is that it’s like your bank.
You have one company that you trust to store your money.
That bank gives you a card so you can spend your money. It’s more convenient and safer to use a card with the chip then to carry cash.
Your password vault is the bank and using unique passwords with autofill is your card with the chip.
If you’re not using a password manager, it would be like asking Walmart, Target, Subway, and all the other stores you go to in real life to hold on to your one card number that you use for everything. As we’ve seen in the past, those stores can’t be trusted with storing the same card number that we use for everything. Target breach anyone?
This is the very reason why credit cards have the chips. The chip creates a different card number every time you use it. So if one store has a breach of card numbers it doesn’t affect your bank account.
I Still Don’t Trust Password Managers!
There are always a few people I can never convince to use a password manager.
I used to be one of them myself!
To solve this problem is super simple, just pepper your passwords.
Only pepper the most important passwords, no need to overthink it.
If by some impossible chance your password manager gets hacked the peppered passwords will still be safe.
With knowing all of this, I can’t see any reason not to use a password manager. For the people who say they have a system, please read this as your system is not as clever as you think.
*Dashlane (password manager company) wrote in 2015 that the average person by the year 2020 will have over 200 online accounts. From my experiences, this number seems to be very true. Before I got a password manager I thought I had maybe 50 accounts at the most. After setting one up it went well over 200 and I’m still finding accounts years later.