Password Manager guide

Managing your passwords is messy and complicated however, making use of a Password Manager can free you from the mess while keeping a high degree of security. If you are still using the same password for everything (like sunshine, princess, monkey or god-forbid admin) then you are putting yourself in danger of being hacked, your personal data stolen, and possible financial ruin. It is more important than ever to secure your personal and financial data, and using a Password Manager is the best way to go. There are a few important points we must address first, so let’s get started!

Choosing a good password

Ok first up, let’s make sure your passwords are safe enough to not be easily guessed or cracked by a program, because a password manager is useless if your passwords are easy to guess. You also need to have a different password for every website or service you have, period (see this guide). I realize that is probably something you don’t want to hear, but it’s the single most important thing you can do to secure yourself against hackers, why? Well let’s take the following scenario…

Say you have the same password (such as) Gmail and ShadyWebsite.net. Who’s to say that ShadyWebsite.net is trustworthy or able to keep your details (stored on their web servers) secure? Who’s to say that ShadyWebsite.net isn’t a trolling operation specifically built to steal passwords and hack accounts? Unfortunately it is all too common.

There are many other reasons to have different passwords for every website, but I hope the above reason is enough.

Now there are a few simple rules to follow when choosing a new password, which we’ll go through now…

• A good password uses a minimum of 8 characters (12 and up to 16 characters even better)
• A good password consists of at least one of each of the following…
  • Lower-case letters (ie. abcdefg…)
  • Upper-case letters (ie. ABCDEFG…)
  • Numbers (ie. 123456…)
  • Special characters: “~!@#$%^&*?

Alternatively you can use my Password Generator below to generate a strong password 🙂

Password storage

The next important step is the master password file that holds all your usernames and passwords and stored on a portable memory device like an encrypted USB drive, in a very safe location (same place you would keep valuables like jewellery, gold, cash etc) or if you prefer, you can have a little black book with all your passwords hand written in it, same concept, but you should never store this file on your PC, laptop, phone or tablet! You must store this file in a very safe place outside of your PC and preferably encrypted. This master file is likely the most valuable possession you have, so be sure to guard it accordingly.

Most password managers will allow you to export all your passwords to a secure, encrypted file for safe keeping which is the preferred method, but if you prefer to make your own file, here are some suggestions for text file types, text editors, storage devices and locations.

• Types of text files/editors
  • Windows: Notepad, Wordpad, Word
  • Linux: Vim, gEdit, Nano, gVim, Eclipse, Emacs
  • MAC: TextEdit, Brackets, TextMate, TextWrangler
  • Text File Types: .txt, csv, xml, or for more obscurity try .html, .htm, .php, .js, .css, .asp
• Types of storage devices
  • USB flash drive (usually comes with built-in encryption software)
  • Compact Flash, SD Card, MMS
  • External hard drive
  • CD/DVD/Blu-Ray optical discs
  • Notebook, pad, diary, LBB
• Good locations to keep your master password file
  • Wall safe/safe, locked cash box, locked filing cabinet
  • Safe deposit box at bank
  • Wherever you keep your valuables (gold, cash, jewelery)

Now just writing a bunch of usernames and passwords without some sort of formatting can make it very hard to read (and find) a given combo, so a good format to write them in, is like…

…or if you prefer a format that is readable by password managers, you will need to read up on the different formatting of password files which is beyond the scope of this article, but just a tip, these formats are not easy to read by humans, they’re designed for machines.

Password management methods

Master password

Most password managers use a master password system, which basically means that you enter your username and password into a given website, then click a “remember password” button. You then continue this process with any other websites you have login details for (passwords are safely stored on your computer via the password manager, usually encrypted) and then enter a master password in the settings/options of your password manager.

From this point on, when you visit a website that requires your login details, all you have to do is enter your master password and the password manager will auto fill/auto-type the username and password fields for you. The advantage of this system is that if someone steals your computer, unless they know the master password, they won’t able to login to any of your websites.

Browser password managers

Mozilla Firefox is the only browser that uses a master password right out of the box with no plugins needed, one of the reasons I use it. Other browsers all have a “remember password” function that appears after you have entered your login details on a given website, but offer no protection if your computer is stolen or snooped upon, so I don’t recommend using these types of password managers (except for Firefox).

Two-Factor authentication

This is an excellent method of authentication that generally only requires a mobile phone or landline and provides very good security without any investment in extra hardware or software (like a fingerprint reader or USB drive etc). Large internet companies (ie. Google and Yahoo) usually offer this as an option.

The way it works is like this
(example is Gmail)…

1. You login to Gmail (having previously setup 2-step verification) and presented with a page asking for a special code that Google would have sent you seconds ago when you clicked the login button
2. You receive this code on your phone and enter it into the webpage, click submit and enter your inbox as per normal

This way, even if your password is stolen, they won’t able to login to your Gmail account unless they also have your phone. It’s not foolproof but does offer a simple, and secure way to access your accounts.

Advanced authentication options

There are also many other, more secure methods of password management and authentication as outlined below. I favor fingerprint authentication but you will obviously need a fingerprint reader to use this method. I will briefly go through these options below but the focus of this guide is on password managers which are software based and easily obtained.

Fingerprint authentication

These used to be the stuff of James Bond movies, but today you can expect to see fingerprint readers on laptops (built-in) and desktops via an external USB device you simply plugin. Once you’ve setup the fingerprint reader (which only takes a few minutes) you simply run your index finger across the reader, it reads your unique fingerprint, and Windows will automatically log you in. You can also setup the fingerprint reader for all your website usernames and passwords along with the frequency at which it will need a re-swipe of your finger (aka: Paranoia Level) and all other settings.

USB key authentication

This is no different from having a key to unlock your car, you simply insert the USB key to authenticate (usually with a password too) and you’re good to go. One of the advantages of this method is that you can encrypt your entire hard drive (the USB drive holds the encryption key) so if anyone steals your computer and tries to hack into it, they’ll be faced with a bunch of scrambled data, not your personal data.

Smart Card authentication

Smart Cards are and excellent form of authentication and can use one, two or even three factors on top of the card itself as extra security. Smart Cards are generally the realm of medium to large corporate businesses but can just as easily be implemented at the home user level with a USB Smart Card reader.

Choosing a password manager

Now taking everything I have explained so far in this guide, let’s choose a password manager that suits your personal requirements. I have made a table below that shows the features, security, cost and my rating, as well as my top picks.

Password Managers – Last Revised 2014/08/29
NAME	LICENSE & COST	OS SUPPORT	BROWSER INTEGRATION	OVERALL RATING
1Password	Proprietary / $35+	Windows, OS X, iOS, Android	IE, Firefox, Chrome, Safari, Opera	7/10 Good program but needs better guidance/instructions for initial setup.
Dashlane	Proprietary Free & Premium $30+	Windows, OS X, iOS, Android	IE, Firefox, Chrome, Safari	8.5/10 Very comprehensive app, excellent setup guide.
F-Secure Key	Proprietary Free & Premium $2.20mo	Windows, OS X, iOS, Android	No, password vault only	6.5/10 Passwords need to be added manually, good for storage only.
iVault	Proprietary / $8 per year	Windows, OS X, iOS, Android	No, password vault only	7/10 Good security, manual password entry, cloud-based, needs better instructions.
KeePass	GNU Open Source / Free	Windows (ports for Linux, OS X, iOS, Android, Windows Phone)	Yes via Auto-Typing	8.5/10 Excellent features, dozens of plugins, easy install and setup.
Keeper	Proprietary / From $10 per year	Windows, OS X, iOS, Android	IE, Firefox, Chrome, Safari	8/10 Great features & excellent security with easy install instructions.
iCloud Keychain	APSL / part of OS X & iOS	OS X, iOS	Safari	7/10 Slick interface, great for Apple users
LastPass	Proprietary Free & Premium $12 per year	Windows, Linux, OS X, iOS, Android, Blackberry, Windows Phone, Firefox OS, Surface RT	IE, Firefox, Chrome, Safari, Opera	9.5/10 Excellent and easy setup, they really have thought of everything, top marks.
Mitto	Proprietary / Free service	Cross-Platform (All OS)	IE, Firefox, Chrome, Safari	8.5/10 Very good security, easy to use, good features, comprehensive setup.
Norton Identity Safe	Proprietary / Free	Windows, iOS, Android	IE, Firefox, Chrome, Safari	8/10 Good product, easy setup & great security.
Password Box	Proprietary Limited Free & Unlimited $2.00+	Cross-Platform (All OS)	IE, Firefox, Chrome, Safari, Opera	9/10 Very impressive, easy installation, great features.
Password Genie	Proprietary $15 per year	Windows, OS X, iOS, Android	IE, Firefox, Chrome, Safari	6/10 Unable to test as purchase required before download, website needs overhaul.
Password Safe	Artistic License (Open Source) Free	Windows, Linux (ports for OS X, iOS, Android, Windows Phone)	All	7.5/10 Good program but really needs full browser integration.
Pleasant Password Server	Proprietary $25 per user (packages available for more users)	Any OS, iOS, Android (server requires Windows Vista, 7, 8, Server 2008, Server 2012)	All	8/10 Very comprehensive app, good features, suitable for SME to large corps.
RoboForm	Proprietary $10 to $40	Windows, Linux, Mac OS, Android, iOS, Windows Phone	All	9/10 Excellent product, easy setup, great features.
More info: Proprietary Software, Open Source Software; Chrome, IE, Firefox, Safari, Opera
If you have any questions or want me to add some software to this table, just email me anytime

In conclusion

Moving your passwords from unorganized and high-risk, to organized and security conscious using a password manager is quite a task, and I hope I have helped you in that quest. It’s far easier and much more secure to have your passwords managed by good software instead of relying on your memory or scant bits of paper.

If you have any questions you’re welcome to email me anytime.

Cheers!, Richie

• Password Manager at Wikipedia
• List of Password Managers at Wikipedia
• Smart Cards at SmartCardBasics.com
• Fingerprint Reader at Wikipedia