February 27, 2021 / paulio10

Password Managers

What You Want in a Password Manager

Managing your passwords is somewhat complex. After using LastPass for years, and having over 700 accounts all over the Internet, here are the qualities I believe you want in any password manager system you choose to use.

A good password manager has the following things I look for: Security, cell phone and laptop support, Weak Password detection, Duplicate Password detection, and Darkweb Monitoring / company breach search.

#1 – Security

The management system must encrypt your entire set of passwords using industry-strength strong encryption. The management system must not have any “back doors”, and must not store the master password in cleartext (or in easily-reversible two-way encryption) on their own servers. You must be protected if there is ever a break-in at their end. No web site is 100% secure, even after the best security people have hardened it – for maximum safety, just assume this will happen someday.

You want to choose a secure, long master password that nobody else can guess even if they’re your family or best friends – but at the same time, it must be easy for you to remember, so you NEVER forget it. Because of the strong security, there should not be any way to “recover” your password if you forget it – because that “recovery” method is like a back door: it reduces security. Your passwords could be stolen if somebody guesses your master password OR finds a way through that “recovery” system.
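To make the “no cleartext, nothing reversible, no back door” requirement concrete, here is an added illustration (not LastPass’s or any product’s actual scheme) of how a manager can verify your login without the server ever holding your master password: the vault key is derived on your device from the master password with PBKDF2, and the server is handed only a further one-way hash of that key to compare against. The iteration count and the `b"login-verifier"` label are constructed placeholders for this example.

```python
import hashlib
import hmac
import os

# Constructed parameters for illustration; a real product tunes the
# iteration count much higher and uses an audited KDF configuration.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Derive the vault encryption key from the master password.

    This runs on the user's own device. Only the salt is stored server-side;
    the master password itself never leaves the device.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=KEY_LEN
    )


def make_login_verifier(vault_key: bytes) -> bytes:
    """One more one-way step, so the value the server stores is not the key.

    Even a complete copy of the server database yields neither the vault key
    nor the master password: there is nothing here to reverse.
    """
    return hashlib.sha256(b"login-verifier" + vault_key).digest()  # constructed label


def enroll(master_password: str) -> dict:
    """What the server keeps for an account: a random salt and the verifier."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    return {"salt": salt, "verifier": make_login_verifier(key)}


def check_login(record: dict, attempt: str) -> bool:
    """Server-side check: recompute the verifier from the attempt and compare.

    compare_digest avoids leaking how many leading bytes matched via timing.
    """
    key = derive_vault_key(attempt, record["salt"])
    return hmac.compare_digest(make_login_verifier(key), record["verifier"])


if __name__ == "__main__":
    record = enroll("correct horse battery staple")
    print("right password accepted:", check_login(record, "correct horse battery staple"))
    print("wrong password rejected:", not check_login(record, "correct horse battery stapl"))
```

Notice what is absent: there is no `recover_master_password` function, because with this design one cannot exist. That is exactly the trade the post describes – a forgotten master password is unrecoverable, and that is the price of the server having nothing worth stealing.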

Many sites, even many banks, do not get the password-recovery part right, by making you use easy-to-guess security questions. Some of them ask you a set of security questions in case you forget your password, questions like “what is the name of your pet?” and “what city were you born in?” – questions which other people could easily answer if they spent a few hours studying your life on the Internet! I always answer these questions with extra characters so nobody can guess my answer. For example, if you have a dog named “charlie”, you could enter “charlie5551212”, or “charlie!!!” or “5charlie20”. If you pick a pattern you feel is secure, you can use it to answer every question the same way, so you only have to remember one pattern. Your birthplace might be “5scottsdale20”, your first car’s color might be “5white20”. That sort of thing. But pick your own pattern, don’t use one I listed here.

The other highly insecure mechanism to avoid is, “enter your cell phone number so we can verify you if you forget your password.” This means that if a hacker CLONES your phone (which is very easy to do), they can use that to “verify” they are you, by saying they forgot your password, and get access to your stuff. You don’t want that.

Buy a Yubikey and set it up in your password manager, and in your email system too if yours supports it (Gmail does). A Yubikey is a USB dongle device that you can use to prove you are really you. There is no other identical one out there, just yours. So if a hacker tries to pretend they’re you, the service will ask them to insert your Yubikey into the USB port and touch the button – which they cannot do! You have the only one. Yes, it’s a little annoying that when you’re logging in, you have to use your Yubikey to get in – but there are ways to make this easier for yourself.

When using your Yubikey, you can check the checkbox that says “accept for 30 days”. This tells your local computer to NOT bug you for the Yubikey for 30 days, as long as you stay logged in, using this computer to access your email account. Only do this if the computer and account you’re using are dedicated to you – nobody else uses them. If you log in from anywhere else, you’ll need your Yubikey to get in. And, after 30 days, you have to find your Yubikey and plug it in, to reverify yourself for another 30 days.

Yubikeys also work with smartphones – they have NFC support, so if you hold them right up against the back of your smartphone, you can authenticate that way. There are different models of Yubikeys – choose the one that best matches the equipment you have. For example, if your smartphone doesn’t have NFC, then the NFC feature is unnecessary for you, and you’ll want a different model.

But what if you lose your Yubikey? Or break it by stepping on it or rolling over it with your office chair? A good strategy is to get 2 Yubikeys, not just 1, enable both of them for each service you’re using them with (password manager and email system, minimally), and keep one safely tucked away in a secure location – another site or home, a safe, a safe-deposit box at the bank, etc. Someplace that you can get to if you ever need to, but where it can’t easily be stolen, lost or broken if your main one is ever stolen, lost or broken.

I bought 2 of them for myself, and 2 for my wife. That may have been unnecessary though, I think you can use the same Yubikey for 2 different people, which may have been wiser. Or, at least, use the “backup” one for both accounts, in case she loses hers or I lose mine.

Services that can use Yubikey: Gmail, LastPass, Dropbox, Twitter, Facebook, Docusign, some banks, and many other services (more and more every day). This is a very popular and powerful way of keeping your stuff secure.

You just don’t ever want to get to the point where you have “1 last working Yubikey”, and that one dies suddenly. Recovery when you have no Yubikeys will probably be extremely difficult.

#2 – Cell phone and laptop support

Any password manager you choose should be able to work with all the devices you use to access computer accounts of various sorts. This matters because the strongest passwords are randomly generated strings of characters – which the password manager will generate for you, and which are basically impossible to remember. It’s important these days to use such strong passwords, and yes, it makes you completely dependent on the password manager to “remember” these for you and let you use them automatically to access your various web sites.

What kind of laptop do you use? What kind of cell phone do you have? Do you have a tablet, or other computers? Which password manager can work with all of these? Do people generally speak highly of that password manager when using those devices?

#3 – Weak Password detection

One great thing LastPass does is to analyze your passwords to see how “strong” they are. Once you get all your passwords into LastPass, this is a great way to harden your Internet presence – by changing passwords on all services that you signed up for a long time ago with a lame password. I don’t recommend using LastPass’ automated service for changing passwords – it doesn’t work for me, and doesn’t make sense to me. Don’t trust them to change it – go to the specific website yourself, and use whatever “change password” feature that company provides. LastPass should detect that you changed the password on that site, and let you click a button to replace the old password with the new one, in LastPass. On rare occasions it doesn’t notice you did that, and you have to go in and manually change your password in LastPass, after changing it on the destination web site.

I love LastPass’ scoring system, where your “security score” improves as you fix issues with your passwords.

Changing passwords can be an irritating experience, though, so only do a few of them in one sitting. Change maybe 4-5 different sites’ passwords, then take a break. Stop for the day, and do more tomorrow or the next day. Don’t feel too much urgency, you went this long with “weak” passwords, you can go a few more days, just keep making progress towards fully changing the weakest passwords, and boosting that security score a lot higher.
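The “strength” analysis described in this section is, at heart, an estimate of how large a search space an attacker would have to cover. The following is an added example of such an estimator, written for this post and not LastPass’s actual algorithm: it gives zero credit to anything in a (constructed, tiny) common-password list, collapses runs of a repeated character so “aaaaaaaa” is not credited with eight characters, and otherwise multiplies length by the log of the alphabet actually used. The 40- and 80-bit band boundaries are assumptions chosen for this example.

```python
import math
import string
from itertools import groupby

# Constructed list of very common passwords. A real checker consults a large
# breached-password corpus instead of a handful of words.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "admin", "welcome", "monkey",
}

# Each character class and how many symbols it adds to the attacker's alphabet.
CHAR_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)


def estimate_bits(password: str) -> float:
    """Rough brute-force search-space estimate in bits.

    - A password in the common list scores 0: it is found on the first tries.
    - Runs of the same character count once ("aaaa" -> "a").
    - Otherwise: collapsed length * log2(size of the union of classes used).
    """
    if not password or password.lower() in COMMON_PASSWORDS:
        return 0.0
    collapsed = "".join(ch for ch, _ in groupby(password))
    alphabet = sum(size for chars, size in CHAR_CLASSES if any(c in chars for c in collapsed))
    # Characters outside the four ASCII classes (e.g. accented letters) still
    # widen the alphabet; 50 is an assumed, deliberately modest allowance.
    if any(all(c not in chars for chars, _ in CHAR_CLASSES) for c in collapsed):
        alphabet += 50
    return len(collapsed) * math.log2(alphabet)


def rate_password(password: str) -> str:
    """Bucket the estimate into the verdict a manager's audit screen would show."""
    bits = estimate_bits(password)
    if bits < 40:   # assumed threshold: trivially brute-forced offline
        return "weak"
    if bits < 80:   # assumed threshold: worth replacing when you get to it
        return "fair"
    return "strong"


def audit(vault: dict) -> dict:
    """vault: {site: password}. Returns {site: rating} for entries not rated strong,
    i.e. the to-do list the post suggests working through a few sites at a time."""
    return {site: rate_password(pw) for site, pw in vault.items() if rate_password(pw) != "strong"}


if __name__ == "__main__":
    # Constructed sample vault.
    sample = {
        "old-forum.example": "password",
        "shop.example": "Tr0ub4dor&3",
        "bank.example": "xK9#pL2$vQ7!mN4@",
    }
    for site, verdict in audit(sample).items():
        print(f"{site}: {verdict}")
```

The estimator deliberately errs toward flagging: a human-chosen password with obvious substitutions (“Tr0ub4dor&3”) lands in “fair” rather than “strong”, which is the right nudge even though a dictionary-aware checker would rate it lower still. The randomly generated 16-character string is the only one that clears the strong band, which is the point the section makes about letting the manager generate passwords.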

#4 – Duplicate Password detection

LastPass also helps you discover whether you’re using the same password across different web sites. This is important to fix, because if any 1 of those sites is compromised and hackers steal the list of passwords, and are able to decipher your password (which they have a high likelihood of doing, even if it was encrypted by the host site originally) – they can now “try” your password on every other web site out there, to see if they can get in to ALL your other accounts that use the same password!

Don’t give them this chance. Use a different password on every different web site. Let your password manager remember them all for you. It’s better that way.

Here’s the problem – what about companies that use a third-party password verification system? Your password manager will see that you use the password on site abcd.com, and also on cool-password-verifier.com – however, those are the SAME SITE effectively, because abcd.com uses the other company to verify the password for them! This is especially true with the difference between smartphone apps and web sites – very often two different services are used, for the same company or bank.

You need a password manager that lets you say “abcd.com and cool-password-verifier.com are the same company.” That way, when you use the “same password” on both sites, your password manager will stop bugging you that it’s two different sites. It’s actually just 1 password, despite it appearing under 2 different ways to log in.

I had to do this with one bank, their mobile app uses a different service than their main web site. And I’ve had to set up a number of other sites that are like this. Sometimes clubs and groups use external services like this. It makes sense for them to do that, and your password manager MUST give you a way to correlate 2 or 3 sites together as one, if it’s going to tell you about duplicate passwords across sites.

This way, by fixing all truly duplicate passwords across sites, your password manager will stop bugging you about it – and start bugging you again if a new one crops up for you to deal with. A poorly written password manager will continue to bug you about the ones you cannot do anything about – the “duplicates” that aren’t really duplicate. You don’t want that.
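Here is the distinction this section asks for, as an added example written for this post (not LastPass’s implementation): duplicate detection that first maps every site to a representative of its equivalence group, so that abcd.com and cool-password-verifier.com, or a bank and its app’s separate login service, count as one site. The vault entries, domain names and groups below are constructed; the `.example` names stand in for real ones.

```python
from collections import defaultdict

# Constructed vault contents: (site, password). In a real manager this runs
# over the decrypted vault on the user's device, never server-side.
VAULT = [
    ("abcd.com", "s3cret-one"),
    ("cool-password-verifier.com", "s3cret-one"),  # abcd.com's third-party login
    ("shop.example", "s3cret-one"),                # genuine reuse: must be flagged
    ("mail.example", "unique-pw-1"),
    ("bank.example", "bank-pw"),
    ("bank-mobile-auth.example", "bank-pw"),       # the bank's app logs in elsewhere
]

# Constructed equivalence groups: the user's "these are the same company" settings.
EQUIVALENT_SITES = [
    {"abcd.com", "cool-password-verifier.com"},
    {"bank.example", "bank-mobile-auth.example"},
]


def canonical_site(site: str, groups) -> str:
    """Map a site to one stable representative of its equivalence group.

    Sites in no group represent themselves.
    """
    for group in groups:
        if site in group:
            return min(group)
    return site


def find_true_duplicates(vault, groups) -> dict:
    """Return {password: sorted distinct canonical sites} for every password
    shared across more than one genuinely different site.

    A password used on abcd.com and cool-password-verifier.com alone does not
    appear here, because both collapse to the same canonical site.
    """
    sites_by_password = defaultdict(set)
    for site, password in vault:
        sites_by_password[password].add(canonical_site(site, groups))
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    print("naive (no groups):", find_true_duplicates(VAULT, []))
    print("with groups:      ", find_true_duplicates(VAULT, EQUIVALENT_SITES))
```

Run naively, the checker nags about both the bank pair and the abcd.com pair; with the groups applied, only the real reuse on shop.example remains, and a brand-new reuse would show up the next time the audit runs. That is exactly the “stop bugging me, but start again if a new one appears” behaviour described above.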

#5 – Darkweb Monitoring / company breach search

There are known lists of hacked accounts and sites, out there floating around the Internet. Many of those lists are publicly available now, anybody can get their hands on them. This means that if your email is “you@yourco.com”, other people can see the encrypted password for “you@yourco.com” on site abcd.com, as it was when the site was compromised – let’s say 6 months ago. They may even be able to see the cleartext password, if that site did a shitty enough job of protecting your password! You can’t control how bad/good sites are at storing your password (the real reason to keep COMPLETELY SEPARATE passwords between sites).

So now the question is – have you changed your password at site abcd.com since 6 months ago?

If not, your password manager should bug you about it – go change your password right now! But, if you already changed it since then, the password manager MUST NOT bug you to change it. So a good password manager does two things here: it knows about compromises of various sites and what time they happened, and it bugs you to change your password on those sites ONLY IF YOU HAVEN’T CHANGED IT SINCE THE BREAK-IN OCCURRED. That’s a fine distinction that’s very important to look for.
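The “only if you haven’t changed it since the break-in” rule is a date comparison, but with two edge cases worth getting right: a change recorded on the same day as the breach (the feed is usually only day-granular, so the order is unknowable), and an entry with no recorded change date at all. The following added example, written for this post rather than taken from any product, treats both conservatively. The breach feed, dates and sites are constructed; the abcd.com date is simply six months before this post.

```python
from datetime import date
from typing import Optional

# Constructed breach feed: site -> date the compromise occurred, as a
# monitoring service would report it.
BREACHES = {
    "abcd.com": date(2020, 8, 27),
    "shop.example": date(2019, 1, 3),
    "forum.example": date(2020, 11, 5),
}

# Constructed vault metadata: site -> date the password was last changed.
# None means the manager never recorded a change for this entry.
VAULT_LAST_CHANGED = {
    "abcd.com": date(2020, 5, 1),      # changed before the breach: flag it
    "shop.example": date(2020, 6, 1),  # changed after the breach: leave the user alone
    "forum.example": None,             # unknown history: assume the worst, flag it
    "mail.example": date(2018, 1, 1),  # no known breach: nothing to say
}


def password_exposed(last_changed: Optional[date], breached_on: date) -> bool:
    """True when the password now in the vault may be the one that leaked.

    Unknown history counts as exposed. A change on the breach day itself also
    counts as exposed: with day-granular dates we cannot tell whether the
    change came before or after the attackers took their copy.
    """
    return last_changed is None or last_changed <= breached_on


def sites_to_nag(vault: dict, breaches: dict) -> list:
    """Sites whose password should be changed right now, in stable order.

    Sites with no breach on record are never reported, and sites already
    changed after their breach are deliberately left out, so the list only
    ever contains actions the user can still take.
    """
    return sorted(
        site for site, changed in vault.items()
        if site in breaches and password_exposed(changed, breaches[site])
    )


if __name__ == "__main__":
    for site in sites_to_nag(VAULT_LAST_CHANGED, BREACHES):
        print(f"change your password at {site} (breached {BREACHES[site]})")
```

Note the direction of the asymmetry: the rule errs toward an unnecessary nag (same-day change, unknown history) and never toward silence about a possibly exposed password. A manager that got this backwards, nagging about shop.example forever or staying quiet about forum.example, would fail the test this section describes.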

Conclusion

I use LastPass. I know the company is getting a lot of shit these days for creating artificial restrictions with the free version of their app. It’s very ham-handed of them, and it sucks. But I don’t recommend leaving LastPass. Instead, how about just paying for it? Paying for the right to use it across all your devices, and maintain your security in a very good way? I still believe the security of LastPass is very good; I don’t think they have changed any of their algorithms or weakened their software (I hope!). I will continue using it until I hear otherwise.

I believe in paying for services that are vital to my safe operation of things on the Internet. You want to reward the companies that are doing right by you. If you don’t, they have to monetize some other way – that may be LESS desirable to you, when you find out what they are, like selling your personal information and behaviors to every other company they can. Pay for more storage, when the free-tier of storage you use is all used up. Pay for the office applications that you vitally need for your business. It’s the right thing to do, it’s worth it.

I am currently using the LastPass “Family Plan,” but I don’t see much value in spending the extra money for that service, honestly. You only really need the professional version, feature-wise. The “family” features of sharing specific passwords really sucks, the way they implemented it, in my opinion. I have tried using it, but it’s confusing and not very beneficial, so I gave up. All the other features are pretty good though.
