What keeps people from using a password manager is the classic dilemma of “putting all your eggs in one basket.”
Let me show you that keeping all your passwords in one basket is more logical than what you’re already doing.
The Simple Solution
Peppering your passwords solves the problem of “keeping all your eggs in one basket.”
A pepper is a PIN or a word you add to the end of your randomly generated password, but when you store it in your password manager, you leave out the pepper.
Even if someone got into your password manager, they wouldn’t know your real password because it’s missing the pepper.
Not only that, but you also don’t need to put every password in your password manager. If you want to leave out your banking passwords, you can. There is no rule saying that every password needs to go in your password manager. What matters is that you don’t reuse passwords.
Why Keeping Everything In One Location Is A Good Thing
To explain my point, we need to play a game of “would you rather.”
Would you rather…
Keep your credit card number stored in one location you control, or
keep it stored in many different locations you don’t control?
Who Do You Trust More?
I am willing to bet that most, if not all, chose to keep their credit card number in one location they control.
Why is that?
It’s because you trust yourself more with your card number.
What Do Card Numbers Have To Do With Passwords?
If you think about it, your wallet is the one basket, but you trust it because you have control over it. You would be less trusting of your card number if it were kept with 200 other people.
The same thinking applies to your passwords, only in reverse.
People won’t trust a password manager but will instead trust 200 different websites to store and secure their passwords.
If those passwords are the same, similar, or weak, it only takes one of the 200 sites getting breached for you to be screwed all over. The more spread out you become, the greater the chances of you getting hacked.
Think about it: the average person in 2020 will have over 200 online accounts. If they’re using the same or similar passwords, that means the passwords are spread out over 200 locations they don’t control, and they don’t know what those sites are doing with them. At least with a password manager, you can give all 200 accounts a unique password and control where they go, and one getting stolen won’t affect the other 199.
I don’t know about you, but having the same, similar or weak passwords stored on multiple websites I don’t have any control over sounds way scarier. Instead of worrying about a single password manager, you now have to worry about 200 random websites getting hacked.
What blows my mind more is all those sites selling who knows what kind of information about their customers thus making the attack surface even greater. Password hashes? Maybe. Secret questions? Maybe. Email, for sure! If it can be used as a unique identifier to track you it’s for sure being sold.
The Real Threat
The real threat is people reusing passwords or using weak ones.
A password manager helps you create unique and strong passwords for every account. Instead of relying on 200 random websites to protect your same or similar passwords, you only trust them with one genuinely unique password. So if that one password gets breached, it doesn’t affect your 39 other accounts.
“2dgNf.>UqS56c” is unique; “Billy12” and “Spot?123” are not.
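To make the “same, similar or weak” point concrete, here is an added example (not code from the original post) that audits a constructed sample vault for exact reuse, near-duplicates like “Billy12” vs “Billy13”, and short passwords; the site names and the extra passwords are invented for illustration.

```python
import difflib
from collections import defaultdict

# Constructed sample vault (site -> password). The first three passwords are
# the post's own examples; the rest are invented near-duplicates to show
# what "similar" looks like in practice.
SAMPLE_VAULT = {
    "bank.example":   "2dgNf.>UqS56c",
    "forum.example":  "Billy12",
    "mail.example":   "Spot?123",
    "shop.example":   "Billy13",     # same stem, different digits
    "news.example":   "Spot?123",    # exact reuse
    "social.example": "billy12!",    # case change plus a symbol
}

def stem(pw):
    """Reduce a password to its lowercase letters so 'Billy12' and
    'billy12!' collapse to the same stem 'billy'."""
    return "".join(ch for ch in pw.lower() if ch.isalpha())

def audit_reuse(vault, similarity=0.8):
    """Return {site: [other sites sharing the same or a similar password]}.
    Two passwords count as similar if they share a non-empty letter stem or
    if their difflib similarity ratio is at or above `similarity`."""
    findings = defaultdict(set)
    sites = list(vault)
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            pa, pb = vault[a], vault[b]
            same_stem = bool(stem(pa)) and stem(pa) == stem(pb)
            close = difflib.SequenceMatcher(None, pa, pb).ratio() >= similarity
            if pa == pb or same_stem or close:
                findings[a].add(b)
                findings[b].add(a)
    return {site: sorted(others) for site, others in findings.items()}

def weak_passwords(vault, min_len=12):
    """Sites whose password is shorter than `min_len` characters."""
    return sorted(site for site, pw in vault.items() if len(pw) < min_len)

if __name__ == "__main__":
    for site, others in audit_reuse(SAMPLE_VAULT).items():
        print(f"{site}: password shared or similar with {', '.join(others)}")
    print("too short:", ", ".join(weak_passwords(SAMPLE_VAULT)))
```

Only the generated password survives the audit; every human-made one is flagged either for reuse, for a near-duplicate, or for length.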
If you’re giving every single account a unique password, you’re bringing the trust back to yourself. You no longer rely on others to do proper security – you’re in control of your own wallet.
When it comes to keeping all your eggs in one basket, the real question you should be asking is who do you trust more, yourself or a bunch of random websites?
Where To Go From Here?
You need to give every single account a unique password.
People are bad at creating passwords. It’s not hard to figure out your kids, pets, anniversary date, and other facts about your life, so don’t use them as passwords. You need to use a password generator to make unique passwords for all your accounts.
Then you need a central place you TRUST to store this information. There is nothing more trustworthy than encryption, aka math.
A password manager encrypts your data with a master password that only you know. This master password puts you in charge; no one else can get this info without this one password. So if you forget it, no one can help you recover your vault so don’t lose it!
When you have set up your password manager and given all your accounts a unique password, you have put the power back into your hands.
Just like how you’re cautious with your wallet, you’ll need to be the same with your password manager. At least it’s easy to do because it’s all in one central location that you control.
Here are the typical responses I get when I have this debate.
I Still Don’t Trust Password Managers – To put your mind at ease, you can either pepper your important passwords or use the two-password-manager method. Both of these options solve the fear of keeping all your eggs in one basket.
I Don’t Reuse Passwords, I Have a System – Your password system is not as clever as you think. I have this post that goes over why.
I Use the Notes App or a Spreadsheet – What makes a password manager great is not its ability to store passwords, but its ability to generate them. On top of that, a password manager will encrypt the data with your master password, which notes and spreadsheet apps lack because they’re not built for that. Lastly, a password manager stores more than just your passwords. Like the credit cards that I talked about at the beginning – those can be stored in your password manager, and you also solve the issue of having to save your card number on 200 different sites you have no control over.
I Use A Notebook – I can understand a few people preferring to use a notebook to store their passwords, but it’s not ideal. It’s not as secure as you think, and I’ve found the people who use paper to store their passwords are more likely to reuse passwords or use weak ones, which is the biggest threat you’re facing. If anything, a notebook is just making your life harder and less secure; I go over this and more in my post here.
My Password is Super Complex! – Your password complexity is not as important as how unique it is from your other passwords. You can have a 100-character-long password made up of Egyptian symbols, but if you reuse that password, it’s only as strong as the weakest site you use it on. As this post has pointed out, spreading your password out, no matter how complex it is, dramatically increases the attack surface to steal it. Once it’s stolen, it will get tried on every site that will let it log in. Also, you’re not as clever as you might think. I had one guy tell me he uses his home address; that info is not hard to find.
I have a lot of posts about password managers on this website, but I feel my post on the people who don’t trust password managers would be a good follow-up read to this post.
You may also like my post about finding all the online accounts you signed up for.