I do not mean a notebook with handwritten passwords or even a spreadsheet. I mean software designed specifically to generate and safely store your passwords. We have all heard about sticky notes under the keyboard or, even worse, on the monitor. Current browsers can store your passwords for you and, assuming you have an account with the provider (Google, Microsoft, Firefox, etc.), they will sync your passwords across multiple computers. They can also help you generate a stronger password. These are all good things, and if you do nothing else, please do this. However, keep in mind that anyone who has access to your computer can display all of your browser’s stored passwords. The same holds if someone phishes your Google account: not only would they have access to your emails, contacts, docs and calendar, but they could also sync your passwords to a machine they own.
For these reasons, I recommend a third-party password manager: as mentioned, one designed specifically to manage passwords. There is a wide variety of programs available, some free, some commercial. I am not going to recommend a specific manager, but I will provide the following recommendations for things to look for:
- The availability of the source code would be a positive. Even though most of us will not be able to understand it, the community will, and it will be able to catch any shenanigans. Mind you, posting the source code on GitHub does not guarantee that the executable you download was built from that exact source code (again, the community would catch on sooner rather than later).
- In the absence of being able to compile it yourself, there must be an attestation from a third party that they have reviewed the manager’s source code and found no back doors or other ways the developer could know your password.
- It must be easy for you to generate a strong password, as strong as the site in question will allow.
Those are my must-haves. Here are a few more that I personally like:
- Storing the passwords in the cloud. Yes, I said passwords in the cloud. Obviously, you need to understand:
  - how they are stored
  - more importantly, how and where they are encrypted/decrypted
  - how they are transmitted/received
The one I use encrypts all passwords with a passphrase that only I know. Once encrypted on the local device, they are securely transmitted to the cloud, and the provider cannot view my passwords even though they know how they were encrypted, because they do not have my passphrase. This allows you to retrieve all of your passwords on any supported device with just one passphrase.
- Some method of allowing emergency access should the account owner be incapacitated. None of us wants to think about this, but if something does happen, we sure do not want our loved ones to suffer even more because they cannot access the credit card statements.
- A browser add-on/extension that will fill in your passwords when you ask it to.
- The ability to share passwords. We have all given our Netflix account and password to someone, and we often do it via an email or a text message. Please stop. I would not even do it over the phone.
- The ability to store other important things like WiFi passwords and software licenses.
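
To make the cloud-storage item above concrete, here is an added sketch (not code from any particular password manager, and not the one I use) of encrypting a vault on the local device so that only an opaque blob is uploaded. The function names `sealVault` and `openVault`, the scrypt parameters and the choice of scrypt with AES-256-GCM are assumptions made for illustration.

```javascript
// Added example: passphrase-based, client-side vault encryption using Node's built-in crypto.
const crypto = require("node:crypto");

// Assumed scrypt cost settings for illustration; a real manager tunes and versions these.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Stretch the passphrase into a 256-bit key. The salt is random but not secret.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase.normalize("NFKC"), salt, 32, KDF);
}

// Runs on the local device. The returned object is all the provider ever receives.
function sealVault(passphrase, entries) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // must be fresh for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), nonce);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), "utf8"), cipher.final()]);
  return {
    v: 1,
    salt: salt.toString("base64"),
    nonce: nonce.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ct: ct.toString("base64"),
  };
}

// Runs on any device that knows the passphrase.
// Throws if the passphrase is wrong or the blob was modified in storage or transit.
function openVault(passphrase, blob) {
  const key = deriveKey(passphrase, Buffer.from(blob.salt, "base64"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(blob.nonce, "base64"));
  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
  const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, "base64")), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// Constructed sample data, not real credentials.
const sample = [{ site: "example.com", user: "alice", password: "constructed-sample-value" }];
const uploaded = sealVault("correct horse battery staple", sample);
console.log("fields the provider stores:", Object.keys(uploaded).join(", "));
console.log("opened on a second device:", openVault("correct horse battery staple", uploaded)[0].site);
```

The passphrase and the derived key never leave the device, so the questions to ask of a real product are the three listed above: what is stored, where encryption and decryption happen, and what goes over the wire.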
In conclusion, please use a third-party password manager. Any of them will provide more security without giving up convenience. Feel free to post your favorite password manager in the comments.