Managing your passwords is messy and complicated however, making use of a Password Manager can free you from the mess while keeping a high degree of security. If you are still using the same password for everything (like sunshine, princess, monkey or god-forbid admin) then you are putting yourself in danger of being hacked, your personal data stolen, and possible financial ruin. It is more important than ever to secure your personal and financial data, and using a Password Manager is the best way to go. There are a few important points we must address first, so let’s get started!
Choosing a good password
Ok first up, let’s make sure your passwords are safe enough to not be easily guessed or cracked by a program, because a password manager is useless if your passwords are easy to guess. You also need to have a different password for every website or service you have, period. I realize that is probably something you don’t want to hear, but it’s the single most important thing you can do to secure yourself against hackers, why? Well let’s take the following scenario…
Say you have the same password (such as) Gmail and ShadyWebsite.net. Who’s to say that ShadyWebsite.net is trustworthy or able to keep your details (stored on their web servers) secure? Who’s to say that ShadyWebsite.net isn’t a trolling operation specifically built to steal passwords and hack accounts? Unfortunately it is all too common.
There are many other reasons to have different passwords for every website, but I hope the above reason is enough.
Now there are a few simple rules to follow when choosing a new password, which we’ll go through now…
- A good password uses a minimum of 8 characters (12 and up to 16 characters even better)
- A good password consists of at least one of each of the following…
- Lower-case letters (ie. abcdefg…)
- Upper-case letters (ie. ABCDEFG…)
- Numbers (ie. 123456…)
- Special characters: "~!@#$%^&*?
Alternatively you can use my Password Generator below to generate a strong password 🙂
The next important step is the master password file that holds all your usernames and passwords and stored on a portable memory device like an encrypted USB drive, in a very safe location (same place you would keep valuables like jewellery, gold, cash etc) or if you prefer, you can have a little black book with all your passwords hand written in it, same concept, but you should never store this file on your PC, laptop, phone or tablet! You must store this file in a very safe place outside of your PC and preferably encrypted. This master file is likely the most valuable possession you have, so be sure to guard it accordingly.
Most password managers will allow you to export all your passwords to a secure, encrypted file for safe keeping which is the preferred method, but if you prefer to make your own file, here are some suggestions for text file types, text editors, storage devices and locations.
- Types of text files/editors
- Windows: Notepad, Wordpad, Word
- Linux: Vim, gEdit, Nano, gVim, Eclipse, Emacs
- MAC: TextEdit, Brackets, TextMate, TextWrangler
- Text File Types: .txt, csv, xml, or for more obscurity try .html, .htm, .php, .js, .css, .asp
- Types of storage devices
- USB flash drive (usually comes with built-in encryption software)
- Compact Flash, SD Card, MMS
- External hard drive
- CD/DVD/Blu-Ray optical discs
- Notebook, pad, diary, LBB
- Good locations to keep your master password file
- Wall safe/safe, locked cash box, locked filing cabinet
- Safe deposit box at bank
- Wherever you keep your valuables (gold, cash, jewelery)
Now just writing a bunch of usernames and passwords without some sort of formatting can make it very hard to read (and find) a given combo, so a good format to write them in, is like…
username: <span class="bold">JimJam2014</span>
password: <span class="bold">P$a10Jia</span>
…or if you prefer a format that is readable by password managers, you will need to read up on the different formatting of password files which is beyond the scope of this article, but just a tip, these formats are not easy to read by humans, they’re designed for machines.
Password management methods
Most password managers use a master password system, which basically means that you enter your username and password into a given website, then click a "remember password" button. You then continue this process with any other websites you have login details for (passwords are safely stored on your computer via the password manager, usually encrypted) and then enter a master password in the settings/options of your password manager.
From this point on, when you visit a website that requires your login details, all you have to do is enter your master password and the password manager will auto fill/auto-type the username and password fields for you. The advantage of this system is that if someone steals your computer, unless they know the master password, they won’t able to login to any of your websites.
Browser password managers
Mozilla Firefox is the only browser that uses a master password right out of the box with no plugins needed, one of the reasons I use it. Other browsers all have a "remember password" function that appears after you have entered your login details on a given website, but offer no protection if your computer is stolen or snooped upon, so I don’t recommend using these types of password managers (except for Firefox).
This is an excellent method of authentication that generally only requires a mobile phone or landline and provides very good security without any investment in extra hardware or software (like a fingerprint reader or USB drive etc). Large internet companies (ie. Google and Yahoo) usually offer this as an option.
The way it works is like this
(example is Gmail)…
- You login to Gmail (having previously setup 2-step verification) and presented with a page asking for a special code that Google would have sent you seconds ago when you clicked the login button
- You receive this code on your phone and enter it into the webpage, click submit and enter your inbox as per normal
This way, even if your password is stolen, they won’t able to login to your Gmail account unless they also have your phone. It’s not foolproof but does offer a simple, and secure way to access your accounts.
Advanced authentication options
There are also many other, more secure methods of password management and authentication as outlined below. I favor fingerprint authentication but you will obviously need a fingerprint reader to use this method. I will briefly go through these options below but the focus of this guide is on password managers which are software based and easily obtained.
These used to be the stuff of James Bond movies, but today you can expect to see fingerprint readers on laptops (built-in) and desktops via an external USB device you simply plugin. Once you’ve setup the fingerprint reader (which only takes a few minutes) you simply run your index finger across the reader, it reads your unique fingerprint, and Windows will automatically log you in. You can also setup the fingerprint reader for all your website usernames and passwords along with the frequency at which it will need a re-swipe of your finger (aka: Paranoia Level) and all other settings.
USB key authentication
This is no different from having a key to unlock your car, you simply insert the USB key to authenticate (usually with a password too) and you’re good to go. One of the advantages of this method is that you can encrypt your entire hard drive (the USB drive holds the encryption key) so if anyone steals your computer and tries to hack into it, they’ll be faced with a bunch of scrambled data, not your personal data.
Smart Card authentication
Smart Cards are and excellent form of authentication and can use one, two or even three factors on top of the card itself as extra security. Smart Cards are generally the realm of medium to large corporate businesses but can just as easily be implemented at the home user level with a USB Smart Card reader.
Choosing a password manager
Now taking everything I have explained so far in this guide, let’s choose a password manager that suits your personal requirements. I have made a table below that shows the features, security, cost and my rating, as well as my top picks.
|Password Managers – Last Revised 2014/08/29|
|NAME||LICENSE & COST||OS SUPPORT||BROWSER INTEGRATION||OVERALL RATING|
|1Password||Proprietary / $35+||Windows, OS X, iOS, Android||IE, Firefox, Chrome, Safari, Opera||7/10 Good program but needs better guidance/instructions for initial setup.|
Free & Premium $30+
|Windows, OS X, iOS, Android||IE, Firefox, Chrome, Safari||8.5/10 Very comprehensive app, excellent setup guide.|
Free & Premium $2.20mo
|Windows, OS X, iOS, Android||No, password vault only||6.5/10 Passwords need to be added manually, good for storage only.|
|iVault||Proprietary / $8 per year||Windows, OS X, iOS, Android||No, password vault only||7/10 Good security, manual password entry, cloud-based, needs better instructions.|
|KeePass||GNU Open Source / Free||Windows (ports for Linux, OS X, iOS, Android, Windows Phone)||Yes via Auto-Typing||8.5/10 Excellent features, dozens of plugins, easy install and setup.|
|Keeper||Proprietary / From $10 per year||Windows, OS X, iOS, Android||IE, Firefox, Chrome, Safari||8/10 Great features & excellent security with easy install instructions.|
|iCloud Keychain||APSL / part of OS X & iOS||OS X, iOS||Safari||7/10 Slick interface, great for Apple users|
Free & Premium $12 per year
|Windows, Linux, OS X, iOS, Android, Blackberry, Windows Phone, Firefox OS, Surface RT||IE, Firefox, Chrome, Safari, Opera||9.5/10 Excellent and easy setup, they really have thought of everything, top marks.|
|Mitto||Proprietary / Free service||Cross-Platform (All OS)||IE, Firefox, Chrome, Safari||8.5/10 Very good security, easy to use, good features, comprehensive setup.|
|Norton Identity Safe||Proprietary / Free||Windows, iOS, Android||IE, Firefox, Chrome, Safari||8/10 Good product, easy setup & great security.|
Limited Free & Unlimited $2.00+
|Cross-Platform (All OS)||IE, Firefox, Chrome, Safari, Opera||9/10 Very impressive, easy installation, great features.|
$15 per year
|Windows, OS X, iOS, Android||IE, Firefox, Chrome, Safari||6/10 Unable to test as purchase required before download, website needs overhaul.|
|Password Safe||Artistic License (Open Source)|
|Windows, Linux (ports for OS X, iOS, Android, Windows Phone)||All||7.5/10 Good program but really needs full browser integration.|
|Pleasant Password Server||Proprietary|
$25 per user (packages available for more users)
|Any OS, iOS, Android|
(server requires Windows Vista, 7, 8, Server 2008, Server 2012)
|All||8/10 Very comprehensive app, good features, suitable for SME to large corps.|
$10 to $40
|Windows, Linux, Mac OS, Android, iOS, Windows Phone||All||9/10 Excellent product, easy setup, great features.|
|More info: Proprietary Software, Open Source Software; Chrome, IE, Firefox, Safari, Opera|
|If you have any questions or want me to add some software to this table, just email me anytime|
Moving your passwords from unorganized and high-risk, to organized and security conscious using a password manager is quite a task, and I hope I have helped you in that quest. It’s far easier and much more secure to have your passwords managed by good software instead of relying on your memory or scant bits of paper.
If you have any questions you’re welcome to email me anytime.