Keep Your Passwords Secure with a Password Manager

Published: September 12, 2017

Do you have any of these bad password habits?

  • Reusing your passwords because you cannot remember them?

  • Using poor passwords because you do not want to type them?

  • Using common passwords such as 123456, qwerty, password, etc.?

  • Writing down your passwords and leaving them near your computer where they can easily be found?

If you answered yes to any of these, then your online identities and information are at risk. Hackers have increasingly smart tools to get your passwords and your private information.

When you are travelling, your internet passwords are often in even more danger: insecure internet connections, people finding your written passwords, or a password breached on one network being used on other sites where you reused it. A password manager can help you keep on top of those pesky passwords.

Advantages

  • Browser and application integrations can automatically enter your password, saving you time.
  • You can generate a strong and long random password you will not have to memorise.
  • Easy creation of different passwords for each service.
  • Synchronise your passwords between multiple devices and browsers.
  • You can use one master password. On mobile, use your fingerprint or PIN code.
  • Reminders to change your password every now and then.
  • Notifications if a service you use has been hacked.
  • Automated changing of passwords.

Storing your passwords all in one place does not come without risks, however. If this information is breached, all your logins and passwords will be available.

Even if you decide not to use a password manager, please look into making your passwords both long and complex. Check that the services you are using have acceptable security. These days 8 letter passwords can be cracked in minutes by high powered computers. 12 characters or more is preferred.
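To make the 8 versus 12 character comparison concrete, here is an added example (not from the original post) that generates a random password the way a password manager does and estimates how long an exhaustive search would take. The guessing rate, the symbol set and the function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed offline guessing rate (guesses per second). Real rates depend on the
# hash the service uses and the attacker's hardware; this is illustrative only.
ASSUMED_GUESSES_PER_SECOND = 1e9

# Character classes used by the generator (the symbol set is an assumption).
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!@#$%^&*()-_=+"]

def generate_password(length=16):
    """Return a random password with at least one character from each class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES)
    while True:
        # secrets uses the operating system's CSPRNG, unlike the random module.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the result uniform over valid passwords.
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate

def entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random string."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(alphabet_size, length, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed rate."""
    return alphabet_size ** length / rate

def compare():
    """Contrast 8 lowercase letters with 12 characters from all classes."""
    mixed = sum(len(c) for c in CLASSES)  # 26 + 26 + 10 + 14 = 76
    return {
        "8 lowercase letters": seconds_to_exhaust(26, 8),
        "12 mixed characters": seconds_to_exhaust(mixed, 12),
    }

if __name__ == "__main__":
    print(generate_password(16))
    for label, secs in compare().items():
        years = secs / 31_557_600  # seconds in a Julian year
        print(f"{label}: {entropy_bits(26, 8) if '8' in label else entropy_bits(76, 12):.1f} bits, "
              f"{secs:.3g} s (~{years:.3g} years)")
```

These figures only hold for passwords chosen uniformly at random; a human-chosen or reused password falls far sooner to dictionary and breach-list guessing.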

Password Management Options

Browsers

The most popular browsers now allow you to store passwords and synchronise them for use across your devices.

Chrome and Google Smart Lock

To see what passwords Google is storing for you, go to https://passwords.google.com. You can enable Auto sign-in, or turn it off to ask for your password each time. You can also view the passwords you have stored. You need to log in to the site, and after a while it will challenge you again for the password to try to stop people stealing your passwords if you leave your devices unlocked.

Firefox

Warning: In the version we tested, Firefox will not prompt you for a password to show your saved passwords. We think it is dangerous to store your passwords in Firefox, because if you leave your device unlocked, anyone who knows what they are doing can view your stored passwords in the browser preferences. We do not think it is the best option.

Check this article for an overview of the Firefox password manager.

It supports multiple accounts for the one site, e.g., you can "Fill Login" with a selection of Twitter users you have saved.

Opera

Opera has its own password manager that can store passwords locally, or you can set up an Opera Account to synchronise with the cloud. See here for details on what the Opera Account can sync for you.

Testing the show local passwords feature on a Mac, we found it asked for the macOS user password.

Opera detected an attack in 2016 on their servers and asked users to change their passwords.

Microsoft Edge

By default Edge will offer to save your passwords. If you sign into Edge with a Microsoft Account, it will also be able to sync your information.

Microsoft Internet Explorer (IE)

IE 11 also has a password manager as explained here. It is on by default and also has a sync feature first introduced in Windows 8.1 and Windows Phone 8.1.

Should I Use the Inbuilt Browser Based Password Managers?

Well, we do not really recommend Firefox for the security reason given above, where it easily lets someone view your passwords if they have access to your unlocked device. Maybe you forgot to lock your computer when you got a coffee; it only takes a few seconds.

With Chrome it takes a bit more effort, but there is an application called chromepass that can extract your encrypted passwords (except on macOS according to the readme file at this point).

Microsoft Edge passwords can similarly be read with the "Edge Password Manager" program.

Running your device without an administrator account might reduce the chance of people being able to maliciously steal your passwords and install and execute third party software.

Please be careful when using computers you do not own and make sure you do not allow any of your passwords to be saved and used after you are gone, e.g., on a hostel/hotel/internet cafe computer.

If you only use one browser, you might find the inbuilt browser password manager works well enough for you. A standalone password manager can allow you to use your passwords across many browsers and is worth considering.

LastPass

Free version and Premium starting at $24 USD per year

LastPass not only saves and generates passwords, but can fill in forms with addresses, credit card details and other personal information. The free version also supports secure notes, security challenge and multi-factor authentication.

A premium version (at $24 USD per year) throws in these extra features:

  • LastPass in applications.
  • One-to-many sharing.
  • More multi-factor access options.
  • 1GB of encrypted file storage.
  • Emergency Access.
  • Priority technical support.

This does not all come without some controversy, however. The LastPass Wikipedia article notes a number of incidents and security issues you can check out.

In October 2015, LastPass was purchased by LogMeIn. This caused a bit of a storm with some users. One example is the comments on the LastPass blog announcement of the acquisition, where some claimed they would be changing to a new password manager. A few appeared to have issues with LogMeIn's previous changes of licences and price hikes. LogMeIn tried to assure people with "we (LogMeIn/LastPass) have no plans to change our existing business model". There is a nice summary here.

So did anything change? Well, in August of 2017 this announcement was made where:

  • The price doubled from $12 to $24 a year.
  • The free version lost unlimited sharing and emergency access.

It still seems a popular choice and is cheaper than 1Password ($24 vs $35.88 yearly), so check it out and make up your own mind. LogMeIn Inc is likely to hang around for a while, with $336.1 million in revenue in 2016.

1Password

Starts from $35.88 per year, with a free 30 day trial available

1Password supports Windows, macOS, iOS, Android and has plugins for Chrome, Firefox, Opera and Safari.

  • Support for local passwords, but they seem to be making this harder to access and pushing their cloud based offering.
  • Password sharing.

Dashlane Password Manager

From free to $39.96 per year

Dashlane was first released in 2012 and is a popular password manager with support for macOS, Windows, iOS and Android.

  • Dashlane can change a number of passwords automatically. See this list of sites that support this feature.
  • Notification of hacked sites.
  • 2 factor authentication.
  • Password sharing with emergency contacts.

Are Password Managers in Browsers Safe?

Using browser based password managers comes with risks, especially ones that communicate with a server over the internet, which creates a target for people trying to steal your information.

The companies making browser based password managers will try to make their products bug free, but there are no guarantees. Using a local database removes this angle of attack altogether. This article has links to some bugs that have been found in popular browser password managers.

KeePass and Related Applications and Browser Tools

One nice feature of KeePass is that it can be stored locally on your machine and does not require your sensitive information to be uploaded anywhere. Uploading is still an option, but one you get to choose.

Another great KeePass feature is being free, although there are some paid options by third party developers.

KeePass uses an encrypted database to store your passwords and there are a number of applications listed below that can read it. The KeePass offerings are generally not as slick as the commercial products and do not have a full-time company behind them. Many of the KeePass programs are free and open-source, meaning the code is available for you to look at, or even to create your own version.

Originally only a Microsoft Windows program, the KeePass family provides some alternative applications using the KeePass database format.

Synchronisation

We have managed to achieve synchronisation between different devices by syncing with a cloud service. Use an encrypted cloud for double encryption, e.g., SpiderOak. Warning: This can be risky, as you will need to be careful not to overwrite changes: sync to the latest version before making new changes. This means making sure the original device's changes were synced to the cloud and that the sync has occurred on the device where you want to make the changes.

Apparently version 2 of the KeePass database format allows synchronisation as outlined here and could provide some other options.

KeePass (Free)

For Windows, KeePass is a good option as it is the original.

KeePassXC (Free)

KeePassX was created originally as a cross platform version of KeePass that now works on Windows, macOS and Linux. A community of people felt the original KeePassX project was not responding to their issues fast enough and created a new version called KeePassXC. So far KeePassXC has been the more active project.

Browsers

There is support for using KeePass in your browser:

Yubico

Yubico is a company that provides devices for your security needs, including integration with password managers. Many big companies use their products to enhance their security.

The End

So hopefully that gave you some food for thought about dealing with your passwords. Be safe out there!

If you have ideas, constructive criticism, or just want to say hello, contact us on: