My social media profile is public. I have nothing to hide. Who’d want to hack my account on a food delivery app? Who’s interested in my personal information? Don’t hackers have more important people to stalk?
We’ve often come across these reasons for not securing one’s digital life and dismissing password hygiene and best practices. However, data breaches jeopardize our digital security and expose personal data, including names, email addresses, passwords, government identities, dates of birth, credit card information and medical records, among other things, to cybercriminals who can use this information for identity theft, financial scams, and other crimes, both online and in the real world.
As we sign up for more and more online services, it is imperative that we step up our game.
While much has been said about the need for using strong and unique passwords online, every data breach incident reveals that many people still opt for weak and common passwords: predictable passwords like names of pets or spouses, favorite sports teams, date of birth, etc., common sequences like ‘asdf1234’, ‘12345’, ‘qwerty’, etc., and common phrases like ‘password123’ or ‘idonthaveapassword’. Sigh!
Also, we humans are terrible at picking random passwords and generally end up creating poor ones. Even trying character substitutions and capitalizations doesn’t really help: while “J3nM@rch!” looks like a complex password, it is as easy for a hacker to crack as “jenmarch1”, because cracking tools apply those same substitutions automatically.
Additionally, human memory is limited and cannot hold too many complex passwords anyway. To get around the problem, most people either reuse a previous password or generate a variation of their previously used passwords. Well, that doesn’t help.
Because of our pervasive digital lives, we end up sharing a lot of our personal data with several organizations and government institutions. Often, because of a security failure or a deliberate intrusion, this data is exposed to unauthorized actors. When a website or an online service leaks your email and password combination, malicious individuals can try the same combination on other popular services (an attack known as credential stuffing), thereby compromising your other online accounts as well.
This password fatigue—creating weak passwords so they’re easy to remember (and subsequently easy to crack), password reuse, and writing down more complex passwords on sticky notes or in plain text files—as well as sharing passwords via email or in chats puts our personal information and digital security at risk.
What does one do?
It’s not hard, really. Use strong, complex, and unique passwords for each login account. That’s it.
However, as detailed above, it’s easier said than done. Enter the password manager.
Password managers are virtual vaults where you can securely store login credentials for all the sites you visit as well as other sensitive information. You can store unlimited passwords and other such information in a password manager and retrieve them as and when needed across all your devices – laptops, tablets, and smartphones.
Most people fail at trying to come up with complicated passwords on their own and end up with variations on predictable patterns. Password managers help in generating strong and complex passwords as well as auto-filling them on websites and in apps, without ever needing to memorize them.
Essentially, password managers enable using strong, complex, and unique passwords, which removes the problem of password reuse.
To avoid the problems associated with passwords, many organizations are looking to adopt a variety of passwordless authentication solutions, including biometric authentication. Last year, Microsoft announced passwordless sign in, allowing users to completely remove the password from their Microsoft Account and allowing them to sign into Windows as well as services such as Outlook and OneDrive using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email.
However, until we have a truly universal alternative to passwords, we’re stuck with them for now. And therefore, a password manager is a must-have.
(Additionally, enabling two-factor authentication (2FA) on your online accounts is a great way to add an additional layer of security. It adds an extra step to your basic log-in process, requiring an additional bit of information like a code via a text message or an authenticator app.)
Which password manager should I go for?
There are several password managers available in the market… some that require a subscription, some which offer a limited free trial, and a few no-cost options. The popular ones include 1Password, LastPass, Enpass, Dashlane, Keeper, and Bitwarden (not an exhaustive list).
Most modern browsers, such as Google Chrome, Microsoft Edge, and Mozilla Firefox, as well as Keychain on Apple devices, offer rudimentary password management. That said, these are actually a good way to start. The feature is free to use and requires no sign-up to get going.
Once you get the hang of password management, you might want to move to a proper password manager though, since it offers much broader functionality, works outside the walled gardens of a particular ecosystem, and allows you to store a variety of data and not just login credentials.
(Microsoft is trying to transform the password management experience available on its Edge browser into a well-rounded experience via its Autofill feature available as part of the Microsoft Authenticator app and also on Chrome browser as an extension. If you’re on Windows, I’d recommend you take a look at this arrangement.)
Before you pick a password manager, there are a few things you should consider. Of course, find one that fits your budget. I know it seems like an additional expense to undertake, but like we’ve discussed, it really is a necessity of sorts now. Also, make sure that the password manager you choose offers a fully featured app for all the devices and platforms you work on.
While most of the password managers are cross-platform, some of them don’t offer apps for platforms like Linux or ChromeOS or offer only basic functionality on certain platforms while shining bright on the primary platforms they focus on.
If you aren’t comfortable with a cloud-based password manager, you can opt for an offline one like Enpass which doesn’t store your information on its servers. Instead, you can store your data locally on your device or use your own cloud storage (Dropbox, iCloud, Google Drive, OneDrive, etc.) to sync data between your devices. KeePass is a similar open-source alternative.
All credible password managers use a zero-knowledge approach to user data: your vault is encrypted on your device with a key derived from your master password, so the provider itself cannot read your passwords or any other information. So, you don’t have to worry about putting all your eggs in one basket. However, it’s always a good idea to read the specifics around security, encryption, and privacy before you sign up.
Making the password manager work for you
First things first. When you set up your password manager, create a strong master password. The master password is the single key that unlocks all your digital credentials and, in most cases, it is unrecoverable if you lose it. Choose a master password that you can memorize (but don’t choose a weak one; after all, you only have to memorize one password now), or, for safety reasons, write it down on a piece of paper and keep that paper safely in a locker or something.
On the first run, also check your existing credentials to identify which of your existing passwords are weak, reused, or have been exposed in data breaches. Change these passwords immediately to improve your password hygiene right away.
You can also configure how complex the generated passwords should be. It is recommended to use passwords that are at least 20 characters long and include uppercase and lowercase letters, numbers, and special characters. Of course, sometimes you’ll have to adjust the criteria to match the rules imposed by the website or app you’re trying to sign up on.
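The generator logic described above, as an added example that is not code from the original article or from any particular password manager. It draws from the operating system’s cryptographic random source, guarantees at least one character from every requested class, and lets you relax the criteria when a site forbids special characters or caps the length; the character-class names and the special-character set are my own choices.

```python
import math
import secrets
import string

# Character classes recommended in the article; the special set is an assumption.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}
DEFAULT_CLASSES = ("upper", "lower", "digit", "special")


def generate_password(length=20, classes=DEFAULT_CLASSES, rng=secrets.SystemRandom()):
    """Return a random password of `length` characters drawn from the requested
    classes, with at least one character from each class guaranteed.
    SystemRandom reads the OS CSPRNG; random.random() would be predictable."""
    if length < len(classes):
        raise ValueError("length too short to include every requested class")
    pools = [CLASSES[c] for c in classes]
    # One guaranteed character per class, then fill the rest from the union.
    chars = [rng.choice(pool) for pool in pools]
    alphabet = "".join(pools)
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)  # so the guaranteed characters are not always first
    return "".join(chars)


def meets_policy(password, length=20, classes=DEFAULT_CLASSES):
    """Check a password against the same criteria, e.g. a site's sign-up rules."""
    return len(password) >= length and all(
        any(ch in CLASSES[c] for ch in password) for c in classes
    )


def entropy_bits(length=20, classes=DEFAULT_CLASSES):
    """Upper bound on strength for a uniformly random password of this shape.
    The one-per-class guarantee shaves off a negligible fraction of a bit."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password())                              # default policy
    print(generate_password(16, ("upper", "lower", "digit")))  # site forbids specials
    print(round(entropy_bits(), 1), "bits for the default policy")
```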
While we keep calling them password managers, you can store a lot more information than just login credentials. It’s a digital vault, really… credit card information for easy access while shopping online, medical records for quick access on a doctor visit, loyalty membership information, and more. Password managers also allow adding PDF or image files as attachments (you can use it to store your vaccination certificate, for example) as well as creating secure notes.
Password managers let you securely share passwords and other sensitive information with family and friends when needed. Better still, I’d recommend you set up a shared family vault for common credentials for things like your child’s school portal, Netflix, utilities, et al. You can also create separate vaults for personal and work credentials to better organize your information.
A side benefit of password managers is their ability to guard against phishing attempts. Password managers fill account information into websites based on their URL, so a look-alike domain does not match the entry saved in your vault. When a password manager declines to fill login credentials on a webpage automatically, it may be because the page’s domain is not the one you saved, which is a sign that you have landed on a phishing website via a malicious link.
A password manager works best in conjunction with its browser extensions. Instead of opening the password manager app when you’re trying to create an account on a website or sign in to an existing account, the browser extension offers you password suggestions and login credentials then and there for a seamless experience. If your password management experience is not seamless, you might end up going back to your old, insecure password habits. That’s not ideal. Make the password manager work effortlessly in your workflow, or else look for another one.
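To show why URL-based autofill resists phishing, here is an added example of the matching decision, not code from the article or from any real password manager. The vault contents are constructed, and the two-label domain rule is a simplification; real managers consult the Public Suffix List so that names like example.co.uk are handled correctly.

```python
from urllib.parse import urlsplit

# Constructed sample vault keyed by the registrable domain each login was saved on.
VAULT = {
    "bank.example": {"username": "jen", "password": "<stored secret>"},
    "shop.example": {"username": "jen@mail.example", "password": "<stored secret>"},
}


def site_key(url):
    """Reduce a URL to the domain the autofill decision is made on.
    Returns None when the page must not be filled at all (non-HTTPS, no host)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None  # refuse to hand credentials to an unencrypted page
    host = parts.hostname or ""  # lower-cased; userinfo and port already stripped
    labels = host.split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])  # assumption: two-label registrable domain


def credentials_for(url, vault=VAULT):
    """Return the saved credential for the page at `url`, or None.
    There is deliberately no fuzzy matching: a look-alike host gets nothing,
    which is exactly the silence the article tells you to treat as a warning."""
    key = site_key(url)
    return vault.get(key) if key else None


if __name__ == "__main__":
    for url in (
        "https://login.bank.example/signin",            # real subdomain: filled
        "https://bank.example.secure-login.example/",  # look-alike: not filled
        "https://bank.example@secure-login.example/",  # userinfo trick: not filled
        "http://bank.example/",                         # plain HTTP: not filled
    ):
        print(url, "->", "fill" if credentials_for(url) else "no match")
```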
When you’re getting started, it does take a while to set up your password manager and log all your credentials. But once done, it’s worth the effort. A password manager will help you in managing your passwords and other important information as well as maintaining password hygiene as you go along. Stay safe!
Abhishek Baxi is a technology journalist and digital consultant.