Choosing your password manager

I have advocated password managers in a few previous posts. Here are a few considerations when you go about picking one for your own use:

How are your passwords stored?
The technical implementation may be hard for most users to judge, so you may need to rely on reviews by others. Passwords must be stored encrypted, in such a way that they can only be recovered with your master password (the password to the password manager itself). Read the vendor's documentation on how they store passwords. The company or people who run the password manager (if such a group exists) should not be able to retrieve your passwords even if they wanted to. This is Security 101. Convince yourself that this is how it is done before you go any further with a password manager. Also: do not store passwords in your browser unless you secure them with a master password.
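
To make the storage property concrete, here is an added illustration (not code from this post) of a vault that only the master password can open. It derives the keys from the master password with scrypt and uses only the Python standard library; in place of a real authenticated cipher such as AES-GCM, which actual password managers use, it builds a counter-mode keystream from HMAC-SHA256 and adds an HMAC tag. The work factors, field names and the sample entry are assumptions made for the example.

```python
"""Added example: a vault readable only with the master password (not the post's code)."""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import struct

# scrypt work factors: assumed values for the example; tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive an encryption key and a MAC key from the master password.

    Only the salt is written to the vault; the master password itself never leaves
    the client, so whoever holds the vault file cannot reverse this without it."""
    km = hashlib.scrypt(master_password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                        dklen=2 * KEY_LEN, maxmem=64 * 1024 * 1024)
    return km[:KEY_LEN], km[KEY_LEN:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter), one 32-byte block per counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password: str, entries: dict) -> dict:
    """Encrypt the entries. The returned record is everything a sync server would ever hold."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password: str, record: dict) -> dict | None:
    """Return the entries, or None if the password is wrong or the record was tampered with."""
    salt, nonce = bytes.fromhex(record["salt"]), bytes.fromhex(record["nonce"])
    ciphertext, tag = bytes.fromhex(record["ct"]), bytes.fromhex(record["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # check integrity before decrypting anything
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def record_exposes(record: dict, secret: str) -> bool:
    """What the provider sees: does the stored record contain this secret in the clear?"""
    return secret in json.dumps(record)


if __name__ == "__main__":
    # Constructed sample entry, not real credentials.
    entries = {"example.com": {"user": "alice", "password": "correct horse battery staple"}}
    record = seal_vault("my master password", entries)
    print(json.dumps(record, indent=2))
    print("opens with the right password:", open_vault("my master password", record) == entries)
    print("opens with a wrong password:", open_vault("wrong password", record) is not None)
```

The point to check in any real product is the same as in this toy: the stored record (salt, nonce, ciphertext, tag) must be useless without the master password, and a wrong password or a modified record must fail cleanly rather than leak anything.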

Cloud-based or local software
Are your passwords going to be stored in the cloud (on the internet), or only on your own computer? Each has advantages and disadvantages. A cloud-based password manager lets you use it on multiple devices: your personal laptop, perhaps your work computer, maybe even your mobile. A password manager installed locally on one computer gives you access to your passwords only on that computer.

Conversely, a cloud-based password manager is a target for attack from the internet: criminals will go after it given how valuable the contents are. That risk is smaller if your passwords are stored only on your own computer.

2-factor authentication
Pick software that supports 2-factor authentication. Enable it. Use it. Know what to do if something makes it difficult for you to access your second factor (e.g. loss of a security token, or of the mobile phone that receives 2FA messages). Each password manager handles this differently.

Open-source or proprietary
Open-source software is software whose code is publicly available; the code of proprietary software is not. Prevailing security wisdom recommends open-source software. Proprietary software has fewer eyes looking at it, and the odds are higher that someone who does find a vulnerability does not reveal it for fear of backlash from the company. Keeping code hidden is not great security practice, but it may be justifiable as a business practice. Some people will sacrifice some features if that is what it takes to use open-source software; others will find the features worth the risk of ‘trusting’ a business. All other things being equal, choose an open-source password manager.

Which password manager does the author use?
I will keep that out of this essay in order to keep this article unbiased. Spend some time doing your own research before you ask.
