Password Managers

Password managers. You want one. Let’s do this in Q&A format, shall we?

Q: WTF is a password manager and why do I want one?
A: Have you ever forgotten a password? Do you use the same password on every site? Is your password “Ihave2manypasswordsOMGWTF!” or something like that? 😉 If so, you want a password manager. A password manager is a secure place to store all your passwords.

Let’s break that down, shall we? (A: Yes!)

Q: How does this help me if I’ve forgotten a password?
A: If you’ve ever forgotten a password, you know how OMGANNOYING that is. It happens. A lot. And most sites have “password recovery” options, but if you’ve forgotten the password to your recovery email, that doesn’t help. If you have a password manager, it remembers your passwords for you and you can just fish it out and paste it in, or, in some cases, get it to autofill. (Of course, you need to put the password in the password manager before it can remember it for you.)

Q: Yes, I use the same password on every site. What’s wrong with that?
A: Sites get breached, and the leaked username/password lists get passed around. Attackers take your email address and password from one breach and automatically try that same pair on every other popular site (banks, email, shopping, social media). That's called credential stuffing, and it works precisely because people reuse passwords. (Go here and enter your email address. They'll tell you if your email address has turned up in any known breaches. Then change the password on the pwned site and on every other site where you used the same password. UGH!)

Q: Okay, okay. I see what you’re talking about. Is this hard or annoying?
A: Not really. How you get started depends on what password manager you’re using.

Q: Uh. I have a choice? How do I pick?
A: It depends on several factors, including what operating system you use (Windows, Mac, Linux, and on mobile iOS or Android) and how you use your computer.

Q: How I use my computer? What?
A: Yep. If you mostly use a web browser, you might want a password manager with browser plugins. If you use the computer lab at college a lot, you might want something portable. If you're like me and hiding SQL account re-creation scripts and crap in your password manager, you probably want something that does attachments. If you want it to sync to your phone, or across devices, that's something to consider. If you're super-paranoid like me, that might be a factor in what you choose. But seriously, most well-known, reputable password managers are good (you probably don't want to download Bill and Ted's EXCELLENT Password Manager from some random site). LastPass, KeePass, 1Password, and Dashlane are probably the best known. I've also used SplashID because a former employer bought me a copy. They're all fine.

Q: Whatever. Pick something for me?
A: Okay, the two I’m most familiar with are KeePass and LastPass. If you use other people’s computers a lot, or the college computer lab, or don’t have admin rights on your computer and/or aren’t allowed to install things on it, or are just a paranoid weirdo like me and/or enjoy tinkering, you want KeePass. Otherwise, you probably want LastPass. LastPass is a browser plugin that automatically syncs across your devices, including your phone. (You can sync KeePass manually using Dropbox, a thumb drive, or a cable to your phone, or even install third party browser plugins and the like, but it requires more human intervention. LastPass is dead simple.)

Q: How do I get started with LastPass?
A: Download and install the browser plugins. Come up with an amazing master password. I recommend going here for something easy to remember, and then writing it down on a piece of paper (I know) and hiding it somewhere secure after you've memorized it. Then go to a bunch of sites and log in. If you're using the same password everywhere, take this opportunity to change those passwords to long random character strings that LastPass will generate and remember for you. Install the browser plugins/software on all your devices. LastPass will sync all your passwords and back them up for you. Don't forget your LastPass master password! LastPass never sees it: your vault is encrypted with a key derived from that password before it leaves your computer, so nobody at LastPass can look it up or reset it for you. (That's why I said write it down on a piece of paper and hide it somewhere secure.) There's a recovery procedure, but it relies on data stored locally, so you need access to a computer that was already running LastPass.

There are other security features, like two-factor authentication and country restrictions (only allowing logins from countries you choose), which I highly recommend enabling. (By the way, for two-factor authentication I like Authy, which is available for Android and iPhone and more and backs up your secrets for you. Give Authy's backup a good password that your password manager generated for you.) But if you were using the same password for every site, you're already a million times more secure than you were. Security is a continuum, not either/or.

Q: How do I get started with KeePass?
A: Download and install the software. The main program is for Windows, but there are ports for Mac and Linux, as well as Android and iPhone/iPad. (If you use school computers a lot, or other computers you don't own, or if you're not allowed to install software, or if you share your computer, use the portable version on a thumb drive. Otherwise, the full install is fine. They're pretty much identical. If you have a Mac at home and use Windows at school/work, the various ports can all read the same database file, so that's fine.) Come up with an amazing master password. I recommend going here for something easy to remember, and then writing it down on a piece of paper (I know) and hiding it somewhere secure after you've memorized it. Launch the software and create a new database using that amazing password you just came up with. Then start entering passwords (boring, I know!), taking this opportunity to change them to long random strings from KeePass's password generator if you're using the same password everywhere. My KeePass is super-organized in subgroups (because I imported entries from four different password databases, yikes, and also because I'm just like that) but you can just throw them all in there willy-nilly if you prefer. It's up to you.
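Both of the "get started" answers above lean on two kinds of password: one memorable master passphrase that you pick, and a pile of random per-site strings that the manager generates. The script below is an added illustration (not part of the original post, and not code from LastPass or KeePass) of how a manager's generator does it and why the result is stronger than anything you'd invent yourself. It uses Python's `secrets` module (the operating system's cryptographic random source) rather than `random`, and scores each password by entropy in bits. The word list is a short constructed stand-in; the numbers quoted for a real Diceware-style list (7776 words, as in the EFF long list) are an assumption stated in the code, not something the post specifies.

```python
"""Generate passwords the way a password manager does, and measure them.

Added example: the word list below is a constructed stand-in, not a real
Diceware list. Real lists (e.g. the EFF long list) have 7776 words.
"""
import math
import secrets
import string

# Printable ASCII minus space: 26 + 26 + 10 + 32 = 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in word list (16 words = 4 bits per word). Assumption:
# a production list would be much larger, e.g. 7776 words.
SAMPLE_WORDS = [
    "anchor", "bishop", "candle", "dragon", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
]
EFF_LONG_LIST_SIZE = 7776


def random_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Uniform random string, as a manager's generator produces per site."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and at least two symbols")
    # secrets.choice draws from os.urandom, so every symbol is equally likely
    # and the sequence is not predictable from earlier output.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words: int = 6, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Memorable master passphrase: several words picked uniformly at random."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(pool_size: int, n_symbols: int) -> float:
    """Bits of entropy for n_symbols drawn uniformly from pool_size choices.

    Only valid for *generated* secrets; a human-chosen password like
    "Ihave2manypasswordsOMGWTF!" is not uniform, so this formula overstates it.
    """
    return n_symbols * math.log2(pool_size)


def expected_guess_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Average time to brute-force: half the keyspace at a given guess rate.

    1e10 guesses/second is an assumed figure for an offline attack on a fast
    hash; slow password hashing or online rate limits make it far smaller.
    """
    return 2 ** (bits - 1) / guesses_per_second


def report(label: str, secret: str, pool_size: int, n_symbols: int) -> dict:
    """Summarise one generated secret (returned so callers can check it)."""
    bits = entropy_bits(pool_size, n_symbols)
    years = expected_guess_seconds(bits) / (365.25 * 24 * 3600)
    return {"label": label, "secret": secret, "bits": bits, "years": years}


if __name__ == "__main__":
    rows = [
        report("per-site password (20 x 94)", random_password(20), len(FULL_ALPHABET), 20),
        report("passphrase, stand-in list (6 x 16)", passphrase(6), len(SAMPLE_WORDS), 6),
        report("passphrase, EFF-size list (6 x 7776)", "<six dice words>", EFF_LONG_LIST_SIZE, 6),
    ]
    for r in rows:
        print(f"{r['label']:40} {r['secret']:32} {r['bits']:7.1f} bits  ~{r['years']:.3g} years")
```

The point the table makes when you run it: a generated 20-character password from the 94-symbol alphabet carries about 131 bits, a six-word passphrase from a 7776-word list about 77.5 bits (plenty for a master password you have to memorize), and the same six words from a 16-word toy list only 24 bits, which is why real passphrase generators use big lists. Entropy comes from the size of the pool and the number of draws, not from how weird the result looks.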

DO NOT FORGET YOUR KEEPASS PASSWORD. There is no higher power that can recover it for you. (Like I said, write it down, memorize it, hide the written down password somewhere secure.)

Now you need to worry about backing it up. (Because you don’t remember any of those random strings, yes.)

If you're already backing up your computer, make sure your password database is in a location that's being backed up and you're done. If you're not, consider backing up your computer. In the meantime, you might want to set up a thumb drive with the portable version, copy the database over, and use the synchronize feature to keep them the same. Keep more than one copy, too: a single corrupted database file with no backup means every one of those random strings is gone. (Tip: You probably want one database, not a work database and a home database, because then you need to remember what's stored where, and if you end up working from home or taking a break at work you might end up with the wrong database. KeePass's "synchronize" feature merges changes from two copies of the same database, which helps.)

There's more here. This is an excellent guide. I personally don't use Dropbox or other cloud providers to sync files, because I'm a paranoid freakazoid and I have super-secure scary-ass shit in mine. (The database file itself is encrypted with a key derived from your master password, so a copy sitting in the cloud is only as safe as that password and the file's key-derivation settings; anyone who gets the file can guess at it offline, as long as they like.) But if the livelihoods of everyone employed at an entire company and the financial lives of many customers don't depend on the security of your passwords, and/or something happening to your passwords wouldn't be, as they say, a Resume-Generating Event, it's probably not as big a deal. Security and convenience are enemies, and you need to find a balance that works for you so you'll stick with it.

Q: What if I try one of the password managers and don’t like it?
A: Try a different one! (Import from LastPass to KeePass/Import from KeePass to LastPass, although if you have a very small number of passwords it might be easier to just install the plugins and log in.) Think about what, specifically, you don’t like and go from there. (If it’s ALL TOO HARD OMG try LastPass.)

Q: Security and convenience are enemies?
A: Yes. Enemies. They really hate each other. They're not, like, frenemies that have the occasional hatesex or anything; they want each other to die. (You probably don't want either of them to die, alas.)

Filed under written for nontechnical friends
