Password Managers: What they are, how they are used and what is the best?
Lately the security of our passwords has returned to the forefront of Celebgate and the leak of five million Gmail passwords. And as much as we try to go to other authentication models or look for additional security measures, the contrast is almost inevitability.
That’s why in we wanted to review the topic, explaining what is really a secure password and how we can create them ourselves. We will also review password managers, seeing which ones are most advisable and how they can help us.
Creating Secure Passwords
Starting with the first thing: What is a secure password? The answer is easy: a password that cannot guess neither computers nor humans. For example, 28712 is a password that will cost you guessing a person, although a computer would not take long making random attempts (brute force). On the other hand, it would cost a program to guess, but someone who knows me just takes two tries to find it.
The basic tips are often that we use passwords long enough (12 characters is enough for a brute force attack is practically impossible, now or in a few years), and above all that are not common. Here is a more or less complete list:
- The fewer dictionary words you use, the better. Yes, is a long password but three common words, simple to guess.
- Do not use personal data, or at least not directly. A computer will not guess that your password is “alamedilla85”, but just like someone who knows where and when you were born even if you get that password.
- Of course, do not use your username or real name as your password.
- Use symbols, numbers, and capital letters.
- Do not use common passwords, such as “1234”, “password” or “asdfg”.
- Use different passwords for each service. The most important advice, I would say.
- It changes from time to time the passwords.
At this point these tips are known by all, and surely anyone can pound the keyboard and get a password impossible to guess, as jhg7896 /% asd7asdgFA & 1.
The point is that it does not do us any good to have a secure password if we do not remember it. Searching on this topic, in fact, I came across a phrase that should be recorded …
Security at the cost of usability, is at the expense of security
Translation: For a password to be truly secure, it has to be easy to remember. There are two options for this. The first is to have an algorithm to create your passwords, so you only have to remember a series of steps and not forty passwords. One example …
- We take a phrase easy to remember: I play basketball with the number 15.
- We are left with the initial letter of each word: yjabcen15 . With this we already have a base.
- To make the password different for each site, we add a script and the name of the service in capital letters.
- To finish, we add later the number of vowels that have the service, but replacing it with a symbol.
In the end, we end up with a password of 17 characters, safe enough for both computers and humans. The only bad thing is that we expose ourselves to someone guessing our algorithm, so we can always add some “secret sauce”: for example, instead of using the number of service vowels, we add a secret number that only we know we are left with the last digit of the result. The point is to use a method that is easy to remember and not too easy for someone to guess.
Nor do you need to break your head with passwords. The types of attacks we are going to be exposed to as common users are two: brute-force attacks to the hash of our password (when an attacker enters a web and gets the list of user’s hasheads) and personal attacks of someone That you want to specifically enter into our account. For the first thing is enough not to have a common password: from a minimum of security the attackers are not going to invest so much time to find a few more passwords.
And for the second, it is usually enough that the password does not have personal data or is simple to guess for someone who knows us, so as soon as we complicate ourselves a bit we remove this possible scenario.
In summary, although it is obvious that the more security is better, as soon as we follow a few security tips (long and non-repeated passwords in different services) we will have the confidence that we will not be at the forefront of the most common attacks.
You may also like to read: Efficient System Clone and Backup Freeware – EasUS Todo Backup Free
Another possibility is to let password managers do the work for us: they generate random passwords and remember them for us. We simply have to limit ourselves to knowing the master password that gives access to our accounts. At we made several comparatives of style services.
In addition to generating the passwords, these managers are integrated in our browser to fill out the login forms of the websites, so that with the press of a button the user and password are copied. They are also able to automatically fill profiles when we log in, or to save passwords when we enter a site that we did not have saved. In many cases, we can also save other credentials, even if they are not linked to web pages.
Passwords are stored encrypted using our password (and in some cases additional data), so that no one but us can read them. Thus, we can create very secure passwords without having to remember them: the manager does it for us.
Right now, I would give three options: Lastpass, 1Password and KeePass
KeePass is an open source utility that keeps our passwords encrypted in a database. The advantage is that absolutely everything is under our control. The disadvantage is that we have to worry about installing plugins for browsers and finding a way to synchronize passwords between devices. Between official and unofficial applications, it is available for virtually any system.
1Password has the same idea as KeePass, but it is easier to use, to integrate and is also ready to synchronize through Dropbox. It has applications for Windows, Mac, iOS and Android.
The latter is my favorite and the one I would recommend: Lastpass. The main disadvantage is that your passwords are stored in the cloud, although Lastpass promises that they are encrypted with a password derived from your master password and mail, and that even if a hacker entered your servers could not see any password. In return, LastPass can offer more security controls : allow logins only from certain countries, prevent them from entering Tor, enable two-step authentication, or even close sessions on certain computers.
Why would I recommend Lastpass? Apart from the fact that I have already become accustomed to it, I think that if we are going to synchronize our passwords between devices it is better to do it with a dedicated service than to save our database in other clouds or to hang around with a USB. Anyway, in practice, any of the three services is equally safe if we use them well.
Can we trust a password manager?
As for the possible security problems, it is true that it is a single point of failure: an access there and they have all our passwords. But on the other hand, what is easier? Secure an account or secure fifty? We can increase the security measures in a single point and give more security to all our passwords. In addition, these products, as I said before, are dedicated to keeping your passwords secure and will probably do a better job than you would do alone.
A password manager can give us more security than most of us could achieve on our own.
It really is very difficult for someone to access your password manager’s data if you have a good master password. The data is stored encrypted and in the case of 1Password and Lastpass are transmitted over HTTPS. Even if someone were reading everything, you sent over the Internet, they could not see a password. Neither would an attacker who logged into Lastpass servers or access your database in Dropbox (or any other synchronization service) succeed: you would only see a lot of useless data, impossible to decrypt.
And we can always combine password managers with other methods. For example, leaving important accounts (mail, banks) with secure passwords that are not saved in the manager, for example, and giving those accounts an additional layer of protection with two-step authentication.
To conclude, in these things we must use common sense, minimize risks without forgetting comfort (it is no use having a super-safe method to manage passwords if we do not use it), and try not to rely on a single tool or method – much better to use a manager and your memory than just a manager: What happens if it stops working?