I love password managers, but I can understand why people don’t trust them.
I understand because I used to think the same thing.
To get over my trust issue, I came up with tricks that help me come around to loving password managers.
I want to share these tricks with you and help you understand password managers better.
Note: I’m NOT being paid by any password manager company to write this or to promote their product. Any password manager mentioned here I have either paid for myself or used for free (open source).
Why Password Managers?
We live in a time where we need a password for everything. Before I got a password manager, I thought I had maybe 30 passwords? After getting a password manager, I found out I had over 100.
It’s so easy to forget all these accounts until you need them. Even more annoying when you need to get into these accounts in a hurry.
To make our lives easier we tend to use the same password for all accounts. While this solves the problem, it creates a new one. If one account gets leaked in a breach, then all accounts are breached. Breaches are only going to get worse with more and more people using the internet.
To see if you’ve ever been in a security breach or at risk of being hacked check out https://haveibeenpwned.com/.
To keep from being hacked, you need to use a unique password for every account. This is hard to do. For one thing, coming up with passwords is annoying, so most people stick with variations of their pet’s or child’s name.
This is why password managers were created; they allow you to give every account a unique password and it’s easy to manage. Back in the day, they were very niche as people did not have that many passwords. Now password managers have
We’re in a phase where people are slowly moving to password managers but still don’t fully trust them. I’m sure when planes came around many people didn’t trust them either. Just like planes, many standards have come into place that make password managers secure and safe to use. But having a parachute just in case is what this article is all about. Let’s take a look at the tips I’ve developed to help you have a “parachute” for your password manager.
How Encryption Works
Before I go into all the options, let me give you a simple explanation of how encryption works. Encryption protects your data in your password manager. It sounds simple enough but how does it work?
Let’s do an example.
What list of two numbers multiplied together gives you 4?
That’s easy, 2*2 and 1*4.
Now, list all the two numbers multiplied together that give you 7962255958559385932295452286933728664667582744873777426226977532545294927747996725237959543234934675756367679672783274587627949796849936545366323655343496598546976855524828848654326836436286896423279679294388463874468822787784848335828472627794247897269243383767565478352289782645754854943527627899583657725262768242822379399482397937348943937528665492537759479967966685584644588585558733286549643222886554434476793969797499244636624978464699876788834326657292?
That’s a tough one.
The only way we can figure it out is to try all combinations or guess. If we guess, the odds are not in our favor, especially with large numbers. You get to a point where it’s more likely you’ll get a kiss from Brad Pitt on a Tuesday while underwater on a spaceship to Pluto.
This is a simplified explanation of how encryption works; the real thing is even more secure and complex than this.
Your master password and your unencrypted data are the two numbers in our example. The computer converts the data to numbers to calculate the answer. To reverse it, we take the answer and use the master password to “divide” it and get the unencrypted data back.
The actual numbers password managers use are far higher than this.
This is why if you forget your master password there is no reset; you need the missing number to solve the math problem.
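To make the “missing number” idea concrete, here is an added illustration (not code from the post) of what a password manager actually does with your master password: it stretches the password into a key with a slow key-derivation function, encrypts the vault with that key, and attaches an integrity tag so a wrong password is detected instead of producing garbage. The cipher here is a toy built only from the Python standard library (PBKDF2 plus an HMAC-based keystream and HMAC tag) so it runs anywhere; real managers use vetted primitives such as AES-GCM, and the iteration count and vault contents are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Slow on purpose: every guess at the master password has to pay this cost.
ITERATIONS = 200_000


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password into two 32-byte keys: one to encrypt,
    one to authenticate. The master password itself is never stored."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream generator: HMAC-SHA256 over nonce||counter (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag. The salt makes the derived
    key unique per vault; the tag lets us detect a wrong password or tampering."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(master_password: str, blob: bytes) -> bytes:
    """Reverse encrypt_vault. Raises ValueError on a wrong master password
    (there is nothing to 'reset': without the password no key can be derived)."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def demo() -> bool:
    """Round-trip a constructed vault and confirm a one-character typo in the
    master password is rejected. Returns True when both checks hold."""
    vault = b"bank: SZTh42$U=ZgmcU6\nemail: correct horse battery staple\n"
    blob = encrypt_vault("my master passphrase", vault)
    if decrypt_vault("my master passphrase", blob) != vault:
        return False
    try:
        decrypt_vault("my master passphras", blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("round trip ok, wrong password rejected:", demo())
```

The point to take away is the last function: the only thing standing between the encrypted blob and your passwords is the master password, which is exactly why there is no “forgot password” link.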
What If Your Password Manager Gets Hacked?
Worrying about your password manager getting hacked is a valid concern. That is why I wrote an entire post on the topic “what if your password manager gets hacked“.
No Name Option
Our first option is what I call the “No Name Option”.
To explain it check out this image…
What site is this?
There is no URL, and the name tells me nothing besides it’s Stan’s least favorite place.
If you’re me then you know it’s for Starbucks.
On the off chance that someone got into this account, they would not be able to get very far. They do have the login info, but they also have a lot of websites to sort through to figure out where it goes. There are easier fish to catch, so they’ll move on.
Think of sentences or words that describe the site but only mean something to you. Another example: my brother worked at Walmart, so I would do “Brett’s (my brother) last job.”
Not every login needs to be like this, just the important ones. It’s a great compromise, and you still get to use a unique password, which is the most important thing you can do.
Salt Your Passwords
Salting your passwords is something web servers do to make the stored hash more unique.
You too can use this in your password manager.
When creating a password for a site add a word to the end of it. So if your password manager generates “SZTh42$U=ZgmcU6” add your word to the end of it “SZTh42$U=ZgmcU6bacon”.
“bacon” is the salt. When you store this password in your password manager leave out the salt.
If for some reason someone gets into your password manager, they won’t have the real password. You still have the convenience of the password manager auto-filling, but before you submit, you enter your salt.
The salt can be placed anywhere in the password. In the rear, front, or even 3 characters from the left. Just make sure you know the correct location when setting the password on that site. In the notes section of the password manager, you can put a reminder like “The salt goes at the end” or just plain old “end” to keep it vague. This way you know it has a salt and where it goes.
This idea also works in reverse. The password you store in your password manager could be 3 characters longer than the actual password. So when it’s time to log in, the password manager auto-fills and you backspace 3 times to get the real password.
Just like the other option mentioned before I would not do this for all my accounts. Only critical accounts like banking or email.
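As an added example (not code from the post), the two tricks above written out as small helpers: one rebuilds the real password from the stored entry, the salt word and the placement you would note as “end”, “front” or a character offset; the other pair handles the reverse trick of storing a padded password and backspacing the extra characters away. The placement spellings, the sample passwords and the salt word “bacon” are assumptions taken from or made up for the illustration.

```python
import secrets
import string


def apply_salt(stored: str, salt: str, where: str) -> str:
    """Rebuild the real password from what the vault holds.

    `where` is the reminder you keep in the notes field:
      "end"   -> salt appended
      "front" -> salt prepended
      "3"     -> salt inserted 3 characters from the left
    """
    if where == "end":
        return stored + salt
    if where == "front":
        return salt + stored
    offset = int(where)  # numeric placement, e.g. "3"
    if not 0 <= offset <= len(stored):
        raise ValueError("salt position lies outside the stored password")
    return stored[:offset] + salt + stored[offset:]


def pad_for_storage(real: str, extra: int) -> str:
    """Reverse trick: return the real password plus `extra` random characters.
    This padded string is what goes into the vault."""
    if extra <= 0:
        raise ValueError("padding must be at least one character")
    alphabet = string.ascii_letters + string.digits
    return real + "".join(secrets.choice(alphabet) for _ in range(extra))


def strip_padding(stored: str, extra: int) -> str:
    """What you do by hand at login: backspace `extra` characters off the
    auto-filled value to recover the real password."""
    if extra <= 0 or extra >= len(stored):
        raise ValueError("padding length must be shorter than the stored value")
    return stored[:-extra]


def vault_leak_reveals_real_password(stored: str, salt: str, where: str) -> bool:
    """Model the failure mode the post cares about: if the vault leaks, does the
    stored value equal the real password? With a salt in play it never should."""
    return stored == apply_salt(stored, salt, where)


if __name__ == "__main__":
    generated = "SZTh42$U=ZgmcU6"  # the kind of value a manager generates
    print(apply_salt(generated, "bacon", "end"))    # SZTh42$U=ZgmcU6bacon
    print(apply_salt(generated, "bacon", "front"))  # baconSZTh42$U=ZgmcU6
    print(apply_salt(generated, "bacon", "3"))      # SZTbaconh42$U=ZgmcU6
    padded = pad_for_storage(generated, 3)
    print(padded, "->", strip_padding(padded, 3))
```

The helpers only model the manual step; in practice you type the salt yourself after auto-fill, which is the whole point of keeping it out of the vault.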
Don’t Use Cloud Password Managers
It’s harder to steal a file on your home computer than it is to take a file on the internet. Even better, placing the file on a flash drive that you only plug in when you need it makes it vastly harder to steal.
Combine this with the Salting method above, and you have a super secure option that also makes your life easier.
To be even more secure, stick to open-source password managers. Also, don’t forget to back it up! Once a year, or whenever you make changes to important accounts like email or banking, back up to a flash drive or anything else not connected to your computer.
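Because a backup you never verified is not a backup, here is an added example (not code from the post) of the flash-drive routine above done carefully: copy the vault file to a destination folder under a dated name, hash both files and refuse to keep a copy that does not match the original byte for byte. The file names and the temporary directories used in the demo are constructed for illustration; point `backup_vault` at your real vault and your mounted flash drive.

```python
import datetime
import hashlib
import pathlib
import shutil
import tempfile


def sha256_of(path: pathlib.Path) -> str:
    """Stream the file through SHA-256 so large vaults are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_vault(vault: pathlib.Path, dest_dir: pathlib.Path) -> pathlib.Path:
    """Copy `vault` into `dest_dir` (for example the mounted flash drive) as
    <name>-<YYYY-MM-DD><ext>, then verify the copy. A mismatching copy is
    deleted and reported rather than silently kept."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.date.today().isoformat()
    target = dest_dir / f"{vault.stem}-{stamp}{vault.suffix}"
    shutil.copy2(vault, target)  # copy2 keeps the original's timestamps
    if sha256_of(target) != sha256_of(vault):
        target.unlink()
        raise RuntimeError("backup copy does not match the original vault")
    return target


def verify_backup(vault: pathlib.Path, backup: pathlib.Path) -> bool:
    """Re-run this on restore day before trusting the copy."""
    return backup.exists() and sha256_of(vault) == sha256_of(backup)


def demo() -> tuple:
    """Exercise the routine on a constructed vault in a temp directory.
    Returns (fresh copy verifies, corrupted copy is detected)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        vault = root / "Passwords.kdbx"          # constructed stand-in for a real vault
        vault.write_bytes(b"\x03\xd9\xa2\x9a" + b"encrypted-vault-bytes" * 50)
        copy = backup_vault(vault, root / "flash_drive")
        fresh_ok = verify_backup(vault, copy)
        copy.write_bytes(copy.read_bytes()[:-1])  # simulate a truncated write
        corruption_detected = not verify_backup(vault, copy)
        return fresh_ok, corruption_detected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The date in the file name means yearly backups accumulate side by side instead of overwriting each other, so a bad copy never replaces a good one.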
One way to make your password manager more secure is to layer them.
Use VeraCrypt to make an encrypted volume. This is just a file that is encrypted with a password. You can then place your password manager encrypted vault into that. So if you need to access your password manager, you must unlock the VeraCrypt volume and then open your password manager.
Another way to do this multiple layers idea is to have numerous vaults. A password manager like KeePassXC allows you to have as many vaults as you want. You can have a vault for your common passwords and a more secure vault for your banking passwords.
SmartPhone Only Vault
Smartphones are more locked down than your computer, which is great for security! This is especially true for iPhones.
Since phones are locked down pretty well you can use them to store and generate all your passwords.
The problem is getting the passwords off the phone and onto your computer. If you use an iPhone and macOS, you can easily share your clipboard and do it that way. I’ve done this before, and it works quite well.
You could also manually type them in, but hopefully, you use Diceware passphrases as it would make it a lot easier.
Your phone is the 21st-century version of a password book. You don’t have to worry about lousy handwriting or coming up with passwords. It’s easier to find passwords and keep important notes. Your phone is always on you, so it’s the ideal device to use for storing your passwords. With many phones defaulting to fingerprint readers and face scanners, it’s even easier to secure your phone along with your password manager inside.
What About A Virus or Malware?
A reason that gets thrown around for not using a password manager is the fear of a Virus.
Having all your eggs in one basket makes it a prime target for a computer virus to attack. This is a real fear and why we must take steps to make sure our computers are safe.
But this problem is not limited to password managers. How are you dealing with passwords now?
- Are you letting your browser store them? If so, it’s super easy to pull them out if you’re
- Are you storing them in an Excel file? Excel is not the best option for security, and when you open the file, everything is visible. Plus, you have to enter the password to unlock the file at one point so what’s to stop the virus from getting that and the file?
- Are you manually entering your password? Viruses keylog what you type. People who manually type passwords are also more likely to repeat them, which is way worse!
You’re screwed no matter what.
Well… not completely. When it comes to password managers, these companies spend all their time thinking about these situations. These companies jump through the hoops to make sure your data is safe;
They make their app so that when you enter your master password, it’s in a secure desktop. Not only that, many password managers
If you’re looking at your odds, the safest bet would be to use a password manager.
No matter what, only enter your passwords on computers you trust.
Think About Your Family
A password manager can act as a “digital will.” If you or a loved one get hurt and can’t relay essential passwords, you have a serious problem.
Having a password manager and sharing with someone you trust will make everyone’s life so much easier in these difficult situations.
Many password managers have emergency access; you set the wait time and the person you trust invokes it and gets access afterward.
Since the data is encrypted in your vault, you can store other things beyond passwords like code to your home vault, secret family recipes or where you hid something.
One More Thing
If you go with a password manager, the best advice I can give anyone is to write down your master password and put it somewhere safe.
Get a fireproof safe or a safe deposit box. Physically write down your master password and keep it in there.
If you forget your master password, there are NO reset options.
This can also act as
What Do You Think
I’m curious to hear what you think below. Why don’t you trust password managers or what solutions have you come up with?