I am often asked about password management and what one should do. I believe most folks should be using a different, randomly generated password for each service they use online these days. This is because it is never a question of if, but when, a company’s password database gets stolen and the bad guys start reverse engineering the encryption to figure out folks’ passwords. The article linked is old, yes, but it’s still appropriate. It’s just easier to do now, since the tools involved have had time to mature in complexity and power.
Once they have a username (often an email address) and password combination they, or more frequently someone they sell it to (yes, your data is worth real money to bad guys), quite frequently then move on to logging into these accounts to use them for nefarious purposes of one sort or another. These range from using an email address to send spam, scamming your grandparents or other loved ones, or even holding your devices or accounts for ransom. This is why many now say you should never reuse a password on any site ever.
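To make the two points above concrete (a fresh random password per service, and the way a reused password links accounts together once one database leaks), here is a small added example in Python. It is not code from the original post or from any password manager; the character set, the 20-character default length and the sample vault are constructed for illustration.

```python
import math
import secrets
import string

# Constructed character set: upper/lower case, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password drawn from the OS CSPRNG; every call yields a new value."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy in bits of a uniformly random password of this length and alphabet."""
    return length * math.log2(len(alphabet))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at a given guess rate.

    The guess rate is whatever you assume for the attacker's cracking rig;
    the point is how steeply the figure grows with each extra bit.
    """
    seconds_per_year = 365 * 24 * 3600
    return (2.0 ** bits) / guesses_per_second / seconds_per_year


def build_unique_vault(services: list[str], length: int = 20) -> dict[str, str]:
    """Assign each service its own independently generated password."""
    return {service: generate_password(length) for service in services}


def reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Return every password that appears under more than one service.

    This is exactly the linkage an attacker gets for free after one breach:
    a cracked password from site A is immediately a valid guess at site B.
    """
    by_password: dict[str, list[str]] = {}
    for service, password in vault.items():
        by_password.setdefault(password, []).append(service)
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}


if __name__ == "__main__":
    # Constructed sample vault showing the reuse problem.
    sample = {
        "email": "Summer2019!",
        "bank": "Summer2019!",
        "forum": "hunter2",
        "shopping": "Summer2019!",
    }
    print("reused:", reused_passwords(sample))

    fresh = build_unique_vault(list(sample))
    print("reused after regeneration:", reused_passwords(fresh))
    bits = entropy_bits(20)
    print(f"20 random chars: {bits:.1f} bits, "
          f"{years_to_exhaust(bits, 1e12):.3g} years at 1e12 guesses/s")
```

Running it prints the three services sharing "Summer2019!", then an empty reuse map once every service has its own generated password. The `years_to_exhaust` figure is there to show why a manager-generated 20-character password is out of reach of offline cracking even at generous guess rates, while a human-chosen one is not.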
There are many different password management apps out there nowadays, but most share a particular issue, IMO. That is the fact that they integrate with your browser. Now, this is all well and good from a convenience perspective, but the browser is one of the single most at-risk programs on anyone’s system. Why would you allow your most important passwords to be integrated with a risky piece of software? In my view, this would be like putting your house keys on a hook outside the front door. Note that this isn’t to say that all password managers which do this are poorly implemented. On the contrary, many are very well designed from a security standpoint aside from this, in my opinion, critical aspect.
Then there’s the issue of where your password data is stored. Ideally, this should be in a location solely under your control but which is backed up properly to prevent loss. Many password managers store the data on their own servers, where one presumes they handle backups and such properly. The issue here is what happens when they get hacked? This treasure trove of passwords is one of the most tempting targets to bad guys on the Net these days. Oh, sure, you can set it up so that the data is only accessible by the end user, but with this kind of thing a single trivial, and of course innocent, mistake can leave you as open as though you had no encryption at all.
This is not a simple thought experiment. The most popular such tool, LastPass, has been hacked more than once. While the organization, by all accounts, handles these events properly, this is too much risk for many to accept. This is why I do not recommend LastPass or any other similarly browser-integrated password management software. It’s just a bad idea in general, as I see it.
This does not mean, however, that one must stick to the old pen and paper version. While that works for some folks who have a very small number of accounts, who don’t mind the risk, and who don’t use the same, or a similar, password on any financial institution website, for most it’s best to use a password manager. Setting up a password manager can be a major pain in the neck, to be sure, but it’s the only real way to mitigate the risk these days.
As far as what password manager folks should use, I have one I use and plan to continue using. It’s important that you get it set up “properly” up front, though, so if you’re a client, give me a buzz and I’ll talk you through the options.