Too Many Passwords? Get a Password Manager!

Take a few minutes to mentally run through all the services and accounts you have requiring a username and password to access. How many of those credentials can you remember right now? If you can remember quite a few and these all follow the general "strong password" rule, you've got a superhuman memory!

But for the rest of us, it's overload and we generally do one or two of the following things:

  • Set easy-to-remember but easily cracked passwords for all our accounts
  • Reuse a handful of good passwords across many sites and services
  • Use good passwords for sites and services, but keep a file, spreadsheet, or even a sticky note with these passwords jotted down

Regardless of how many of the above you do, there are common problems. If your passwords are varied but too simple, automated login attempts have an easier time guessing them and getting in. If you've put all your passwords in one basket (so to speak) and a bad actor gains access to one account, they can easily pivot and try the same credentials on other likely services, where they may be able to cause more havoc.

The problem here is what's known as password fatigue. In layman's terms, there are too many credentials to remember, and that both causes and reinforces bad habits we already know are risky.

Many sites and services require that the password you set matches requirements the provider has decided are secure enough. You know how this goes: it must have a lowercase letter, an uppercase letter, a number, a special character like a #, and it has to be a certain length. But even these requirements can be easily dodged to make less-than-ideal passwords like "1Rhinoceros!".

No matter how many reasonably strong, reasonably memorable passwords you make, at some point you will start to forget them.

So enter the password manager! A password manager is pretty much what it sounds like: a secured service or app in which you store your credentials. You may be wondering, "How is trusting a service or app much better than me writing down my passwords or keeping them in my own files?" Good password manager vendors typically do several of these things:

  • Your stored passwords are not just encrypted: they're hashed and salted. This adds complexity that a bad actor cannot easily decrypt.
  • Password manager services and apps tend to default to the strictest security practices. For example, a password manager's mobile app may by default require a face or fingerprint unlock each time you open it, so that someone cannot simply switch to the app on your phone and get into all your passwords.
  • The password manager provider does not even know what your account password is. Most providers give you a "private key" (usually a series of random characters) that you must enter before your account password in order to get into the password manager. In more rigorous products, the provider doesn't know what your private key is either, which makes things even more secure but also means you need to be additionally cautious about not losing your private key.

Password managers exist to make password security easy. In nearly all products you use what is known as a master password to get into the password manager service or app, which then lets you access everything you've stored. These products have evolved to do more than just save passwords securely: most also store other types of information you'd rather keep handy but private, like lock codes or even driver license info (license #, issue and expiration dates, etc.), and most offer random password generation and autofill functionality.
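As an added illustration (not code from the original post or from either vendor), the Python below models the composition rule described earlier, shows that "1Rhinoceros!" satisfies it while still following a guessable "digit + dictionary word + symbol" pattern, and contrasts that with the kind of CSPRNG-based generator a password manager uses. The policy values and the word list are constructed assumptions, not any real site's rules.

```python
import re
import secrets
import string

# Assumed site policy: one of each character class plus a minimum length.
POLICY = {
    "min_length": 12,
    "classes": [
        ("lowercase", re.compile(r"[a-z]")),
        ("uppercase", re.compile(r"[A-Z]")),
        ("digit", re.compile(r"[0-9]")),
        ("symbol", re.compile(r"[^A-Za-z0-9]")),
    ],
}

# Constructed stand-in for the dictionary a password-guessing tool carries.
COMMON_WORDS = {"rhinoceros", "password", "summer", "welcome", "dragon"}


def meets_policy(pw: str, policy=POLICY) -> bool:
    """True when the composition rules pass; says nothing about guessability."""
    long_enough = len(pw) >= policy["min_length"]
    return long_enough and all(rx.search(pw) for _, rx in policy["classes"])


def looks_like_padded_word(pw: str) -> bool:
    """Detect the dodge: optional leading digits, one capitalised dictionary
    word, optional trailing symbols. Guessing tools try this shape early."""
    m = re.fullmatch(r"[0-9]*([A-Za-z]+)[^A-Za-z0-9]*", pw)
    return bool(m) and m.group(1).lower() in COMMON_WORDS


def generate_password(length: int = 20) -> str:
    """Draw from a CSPRNG (secrets, not random) and retry until the
    policy is met, as a password manager's generator would."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("1Rhinoceros!", generate_password()):
        print(candidate, "policy ok:", meets_policy(candidate),
              "predictable pattern:", looks_like_padded_word(candidate))
```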

At NocTel, we tend to recommend two particular products (NocTel is not affiliated with either) based on our own use, both within the company and personally. These are:

LastPass (lastpass.com)

We like to recommend LastPass for individuals who are completely new to password managers, primarily because LastPass offers a free personal tier. This gives a low-risk way to learn about a password manager while getting most of the really useful functionality out of it, such as mobile apps (iOS and Android), convenient unlock methods, password creation, and password autofill.

1Password (1password.com)

In terms of functionality, we like 1Password the most! On top of the usual primary features like password creation, autofill, mobile apps, and app unlock methods, 1Password also offers useful auditing capabilities: it warns you if you've reused a password across multiple entries, and it warns you if a password you're using has appeared in any credential dump from a breach (this warning does not necessarily mean your credentials were breached, just that the password has appeared somewhere). These additional auditing features help keep you proactive about your security.

A surprisingly handy feature 1Password also provides is the ability to see several previously used passwords for an entry. This comes in handy when you've reset the password in the app, but the service you're resetting it for still asks for your current password first. Finally, 1Password offers a web browser plugin for popular browsers like Safari and Chrome, which lets 1Password easily do autofills for you on desktop as well as mobile.

With all that said, note that 1Password does not offer a free tier like LastPass. If you're familiar with how password managers work, we definitely recommend giving 1Password a shot. Otherwise, we advise leaning toward LastPass, since all the functionality in 1Password can be overwhelming.

A point of clarification we make for users not familiar with password managers: no password manager will automatically update your password with a service for you. If you ever reset your password with a service or app manually, or are forced to by the provider because of a data breach, you will need to update the associated password in your password manager yourself.