By Troy Wolverton
The Mercury News
WWR Article Summary (tl;dr) Password managers are programs or services that store all of your passwords in one place, whether on your computer, your phone or in a secure space in the cloud. What’s more, most of them will generate complicated, hard-to-crack passwords for you, so you don’t keep reusing “password123.”
The Mercury News
Passwords are a pain.
Actually, they’re more than that. They’re becoming unmanageable.
The average person has dozens of passwords they have to keep track of. And that number is only growing as we sign up for more apps and online services. The situation is made even worse by sites and services that require users to change passwords frequently and by widespread hacking attacks that necessitate replacing passcodes.
Many people resort to simple tricks _ using simple, easy to remember passwords; reusing favorite ones over and over; or slightly altering passwords by changing their order or substituting numbers for letters. But these passcodes are often easy to guess, and if your password on one site is compromised, a hacker can potentially gain access to your accounts on other sites.
As hopeless and frustrating as all this seems, there is a solution, using a password manager. I’ve been testing out a couple, after long resisting them, and am now wondering why I didn’t start using one sooner.
Password managers are programs or services that store all of your passwords in one place, whether on your computer, your phone or in a secure space in the cloud. What’s more, most of them will generate complicated, hard-to-crack passwords for you, so you don’t keep reusing “password123.”
Those new passcodes are typically complicated and hard to type, much less remember. But don’t worry. Many password managers will conveniently fill in passwords automatically when you go to a web site. And some will do the same when you launch smartphone apps.
Password managers have been around for years, and there’s one that’s built into the Safari browser on Apple’s Mac computers and iPhones. I never got around to using one, because it seemed inconvenient, and I just didn’t want to take the time to set it up. What’s more, I use both Macs and Windows computers, and there’s no easy way to take a password generated by Safari and plug it into a browser on a Windows desktop.
But I’ve been increasingly worried about the security of my data. Like many of you, I haven’t always used the best practices when it comes to passwords. I’ve frequently re-used some of them. Many of the ones I’ve used haven’t been terribly complicated. And I have reason to believe some past passwords were compromised in some of the recent widespread hacking attacks.
I’ve taken steps in recent years to make at least some of my data more secure, turning on two-factor authentication on many sites and trying to make the passwords I use more complex. But a recent meeting with cybersecurity experts with the Electronic Frontier Foundation spurred me to finally start using a password manager. Worried about protecting my personal information and financial accounts and about safeguarding my work and my sources, I thought I should take security more seriously.
Bill Budington, a security engineer and technologist at the EFF, recommended three different password managers, 1Password, LastPass and KeePassX. I focused on 1Password and LastPass, because they each are more complete products than KeePassX, which is an open-source effort whose different components, desktop software, mobile app, cloud storage, are cobbled together.
Both LastPass and 1Password work similarly. They each store your passwords in a locker in the cloud. You set a master password, hopefully a long and strong one, that encrypts all your data within the locker.
Each of the two companies offer PC programs, browser plug-ins and mobile apps. When you access a website or service on your computer, each service will offer to remember your existing password or, if it’s already in their system, will automatically fill in your log-in information. If you ask them, both systems will also randomly create new, more secure passwords, allowing you to change their length or characters to meet the requirements of particular sites.
Things work a little less smoothly for the mobile apps, at least on the iPhone. Some apps, such as the Safari web browser, will allow you call up a password stored in 1Password or LastPass without having to switch over to those password managers. But most apps don’t work that way. Instead, you’ll have to flip from the app you’re using over to your password manager, copy the password for the app you want to use, then flip back over to that app.
The process is a little convoluted, it’s certainly more complicated than just typing in “password123”, but it doesn’t take all that long, and it’s more secure.
Both LastPass and 1Password also offer secure storage for other data. You can use that storage to hold your bank account or credit card numbers. You can also use it to store your answers to the security questions that many sites now require to help verify their users.
Each of the two systems is a bit rough around the edges. LastPass’s interface wasn’t always clear. With some sites, I wasn’t able to save a new password after I generated it. On other sites, I unwittingly generated and saved multiple passwords and then had to figure out which one was active. When changing passwords to new, more secure ones, both LastPass and 1Password frequently didn’t automatically store my username or even prompt me to plug it in, meaning I had to go back into the programs and add it in manually.
Although the two systems are very similar, there is a big difference in price. You can use LastPass for free. For $12 a year, you’ll get 1 gigabyte of storage and the ability to share passwords with up to five people in your family. By contrast, 1Password costs $35.88 a year for a single user and $59.88 for up to five users.
I’ll likely stick with LastPass if only for the price, which seems like a bargain. But either system is a heck of a lot better than what I was doing before. That’s probably true for you too.