The Problem
We are all guilty of it. The website entices you, showing you why you need to sign up for their service right now! You look for alternatives, your heart pounding in your ears as you believe there's no other option; you feel you simply must sign up. You click the "Register" button and it quickly prompts you for your name and email, which you happily and readily give. Then it hits you like a bus; you weren't ready.
It's asking for you to set a password.
At least eight characters, one special character, one number, one gold bar and a sacrifice to the Dark Lord Cthulhu! As daunting as it is demanding, your account creation cannot continue until you complete this task. You mull it over for a minute, wondering, "Do I really want to set another password I'm going to have to remember?" "No," you decide, "I'll just use one I already know." The heavy weight that burdened you suddenly lifts off your chest as you put in the password you've used time and time again, relieved you didn't have to think of anything original. You had done it. "The hard part is over," you think, as you confirm that all-too-well-known password that has never failed you.
Except it has, and you simply don't know that this very same password was compromised in a data breach at some big company (like the Equifax breach in 2017, for example). Now all twenty-something accounts you use this same password with are simply unlocked doors waiting to be explored by whomever wishes.
The general understanding of passwords is basically "more complexity = better security". Unfortunately, this couldn't be further from the truth. Yet service after service requires us to create these awful passwords that are long and difficult to remember, causing us either to reset our passwords constantly or to reuse passwords we've already memorized.
How do we fix this issue?
Enter the password manager.
A password manager is an application that stores passwords in a database file and encrypts it using a single, strong password. Password managers store your login information and some allow you to store other things you'd like to keep under lock and key, such as emails, notes, etc. Instead of remembering a dozen different passwords, you only have to remember one and allow the password manager to do the work for you!
Which password manager should I use, then?
Personally, my password manager of choice is KeePassXC; it's a free, open-source application that installs on your desktop and can fill in your login credentials through its browser extension.
You create a database, go into settings, and allow the browser extension to access your password manager on your desktop for as long as it is open. KeePassXC automatically locks itself after five minutes of inactivity, a timeout the user can change at their discretion.
There are too many features in this password manager to cover in this article, but I will highlight two of my favorites. The first is a built-in random password generator you can access without having to log in.
This allows you to generate random passwords based on how strong you'd like them to be and what characters you'd like them to include, or even as a completely random string of words. It tells you how strong each password is and how high its entropy is. If you don't know what entropy is, it'll be covered in another article. For now, all you need to know is that the higher the entropy, the better.
With a random password generator, you can forget about coming up with passwords as long as you have access to your password manager. It will do it for you, and probably better than whatever you could come up with!
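As an added example (my own illustration, not KeePassXC's code), here is how a generator arrives at the entropy figure shown next to each password, for both styles described above: a random character string and a random string of words. The word list is a constructed eight-word stand-in; a real generator ships thousands of words.

```python
import math
import secrets
import string

# Character classes a generator lets you toggle on and off.
LOWER, UPPER, DIGITS, SPECIAL = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)

# Constructed toy word list for the demo; a real passphrase generator ships
# a list of thousands of words (7776 for a classic diceware list).
WORDS = ["apple", "brick", "cloud", "delta", "ember", "frost", "grape", "hazel"]


def entropy_bits(length, pool_size):
    """Entropy of a uniformly random string: length * log2(pool size).
    Only valid when every symbol is chosen independently and uniformly."""
    if length <= 0 or pool_size <= 1:
        return 0.0
    return length * math.log2(pool_size)


def length_for_bits(target_bits, pool_size):
    """Smallest length whose entropy meets target_bits for a given pool."""
    return math.ceil(target_bits / math.log2(pool_size))


def random_password(length=16, classes=(LOWER, UPPER, DIGITS, SPECIAL)):
    """Random character password plus its entropy in bits."""
    pool = "".join(classes)
    # secrets draws from the OS CSPRNG; random.choice() is not suitable here.
    password = "".join(secrets.choice(pool) for _ in range(length))
    return password, entropy_bits(length, len(pool))


def random_passphrase(n_words=6, words=WORDS, sep="-"):
    """Random word-based passphrase plus its entropy in bits."""
    phrase = sep.join(secrets.choice(words) for _ in range(n_words))
    return phrase, entropy_bits(n_words, len(words))


if __name__ == "__main__":
    pw, pw_bits = random_password(16)
    print(f"{pw}  ({pw_bits:.1f} bits from 94 symbols)")
    phrase, ph_bits = random_passphrase(6)
    print(f"{phrase}  ({ph_bits:.1f} bits from the 8-word toy list)")
    # The same 6 words drawn from a 7776-word list give about 77.5 bits.
    print(f"6 words from 7776: {entropy_bits(6, 7776):.1f} bits")
    print(f"chars needed for 80 bits from 94 symbols: {length_for_bits(80, 94)}")
```

Note that the estimate only holds for passwords the generator produced; a password you typed yourself is not uniformly random, so the same formula overstates its strength.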
Another important feature of KeePassXC, one that most competitors charge for, is YubiKey 2FA (two-factor authentication). I'll be covering the importance of this in another article, but just know that you can use it for free with KeePassXC.
KeePassXC can be downloaded on Windows, macOS, and Linux, and used on iOS and Android devices through third-party apps.
To use it on Android, KeePass recommends using KeePass2Android.
To use it on iOS, KeePass recommends using Strongbox.
To see the full list of features KeePassXC offers, visit their website.
What about alternatives, like Bitwarden and LastPass?
One thing you may notice when you're looking up alternatives for password managers is that some sites never list KeePassXC. Why? Most likely because big magazines like PCMag are paid to market the others. There's nothing wrong with that, but pushing only paid or freemium applications can leave the average user feeling as though they have no choice but to reach into their wallet for better security practices. As long as this site stands, we will always look for the most affordable path without compromising security; in this case, free seems pretty affordable.
However, there are some honorable mentions: Bitwarden and LastPass.
Bitwarden is another free, open-source password manager that does what it claims well. It offers the ability to sync across multiple devices regardless of platform using their secure cloud servers. If you're like me and don't trust their servers to be secure, you can host your own Bitwarden server to do the exact same thing. Of course, this will take extra time and money to get your own Bitwarden server spun up, whether you host it on a desktop (possible extra cost in electricity) or a virtual private server (DigitalOcean, for example, at $5 a month).
Unless you host your own Bitwarden server, you won't get access to the full set of features Bitwarden has to offer, including YubiKey 2FA (two-factor authentication). Personally, this is an issue, since 2FA is strongest when a separate device you own is authenticating your identity. I'll do an article all about 2FA in the future, but for now it's important to note that these features are not available without paying. To Bitwarden's credit, the price is only $10/year for the full set of features using their servers.
No article about password managers would be complete without at least mentioning the famous LastPass. Unlike the other two, LastPass is not open source; instead, they offer the password manager based on a freemium model allowing you to use the core features of LastPass without paying. Once you start getting into the premium features, however, it becomes more expensive than the previously mentioned password managers.
Like Bitwarden, your passwords are stored on their secure cloud servers, giving you constant access to your passwords as long as their service is up and running. They, too, do not offer YubiKey support without paying for premium. They do allow you to conveniently fill in login forms using a right click, something the previous two do not offer.
No matter which you choose, a password manager is a must. The ability to store all of your login information securely in one place will allow you to avoid reusing passwords and risking multiple accounts being compromised. Plus, who wants to remember a dozen different passwords or constantly have to reset their password?