A few weeks ago, one of the long-time administrators of an organization I volunteer for was showing me around some spreadsheets. He needed to find an old email, but when he access his inbox, he couldn’t remember his password. He searched through the many papers scattered around his desk, then gave up looking, and tried a few passwords from memory until he hit on the right one. Then the website required him to change his password because he had been using it for so long. Maybe, he thought, he could add a dollar sign ($) or an exclamation mark (!) to the end of his previous password?
I bet this is a familiar situation, for you or for someone you know. If you don’t have a system set up to manage your passwords, odds are you forgot one sometimes. You can’t use the same password everywhere, because passwords requirements differ from one site to another. And you probably have hundreds of accounts for services ranging from your energy provider’s online billing system to Facebook.
Some people use different passwords for different types of services: one password for banking websites, one password for social accounts, one for their work logins, and so on. That’s better, but inevitably your work computer requires you to change your password, or you run into a banking website that doesn’t accept your default banking password and you’re forced to keep track of all the small variations in your passwords.
And while it’s better to use a few different passwords than (a variation of) just one password, it’s safer to use a different password for every single account.
That’s because each year, attackers steal hundreds of millions or even billions of online records. In the first half of 2016 alone, there were 974 publicly disclosed data breaches accounting for 554 million data records. On average, that comes down to three million stolen records per day. Given how frequent and how large data breaches are, odds are good that some information about you might have been stolen too.
When hackers steal data, they might have stolen your username and password combination. If they did, they can then try to access your other online accounts, assuming you use the same password in multiple places. This isn’t such a big deal if they log on to your YouTube account and post comments posing as you, or if they use your account to play Minecraft. But it is a big deal if the attackers access your bank account and transfer money out of it.
So good security practice requires you to use a different password for each service. Unless you have an exceptionally good memory, you won’t be able to remember that many passwords. And I haven’t even mentioned the fact that good passwords must be difficult to guess, which means they’re usually even more difficult to remember.
Enter the password manager. It’s usually an app for your phone and a plug-in for your browser that stores your username and password combinations for all web services you use. It then encrypts your passwords and allows access to them only if you enter a “master password”. The master password becomes the only password you have to remember, because if you know it, you can view all your other usernames and passwords.
Password managers usually install a browser extension. When you encounter a registration form that asks you to pick a password, the password manager can generate a complex, difficult-to-guess, and therefore secure password for you—and will automatically save the username and password to its database so you can look them up later. When you want to log in to a website, the password manager will automatically fill in username and password fields after you enter your master password.
I’ve tried three password managers: 1Password, Dashlane, and LastPass. They’re all good. I prefer 1Password, but you would do yourself a favor by trying out any of the three. It will take some time to set up and it might cost some money, but it’s worth it.