Over the weekend, Wired editor and former Gizmodo writer Mat Honan faced a problem every Internet user dreads: He got hacked. Big-time hacked. Thanks to a flaw in Apple’s and Amazon’s security systems, the hacker (or hackers) was able to gain access to his iCloud account. From there, the dominoes began to fall: His iPhone, iPad, and MacBook Air were all wiped. And the intruder was even able to gain access to his Twitter account, and Gizmodo’s Twitter account.
While Honan did not do much “wrong” security-wise — frighteningly, the criminal tricked an AppleCare employee into believing he/she was Honan through information obtained from Amazon technical support, allowing the as-yet-unknown person to change his Apple password — his nightmare perfectly exemplifies the dangers of the digital era: We are all vulnerable to attack.
A few good ways to minimize your vulnerability to attack are to use a unique password for each and every service you log into, change your passwords often, and make each of those passwords as secure as possible. (DT’s Geoff Duncan provides a solid overview of how to create a strong password yourself.) But that can become a burdensome task. Luckily, software exists to help carry some of the weight. Here, a quick overview of password manager apps.
What does a password manager do?
Basic password managers have just one function: they save your login information for different sites so you don’t have to. This is a feature available in any modern Web browser. While such a feature may be handy, this type of password management isn’t going to do you any good — in fact, it could even make you more vulnerable, since browsers are often anything but secure. (Note: Firefox’s password manager is known as a quality, free option.)
The type of password managers you should look into have a few far more helpful features. First, they encrypt all your login information and other types of data that you might often hand over to a website, like your address, bank or credit card information. This allows you to not only keep your personal data secure, but to also organize the dizzying array of passwords that many of us have to manage. Second, many password managers generate unique, complicated passwords that are extremely difficult to crack. Through these two functions, password managers ensure that you have the strongest possible password, and do the hard task of “remembering” your passwords for you. Any password manager you use ideally performs both of these security functions.
Many quality password managers also include password ranking, which will tell you which of your passwords are weak and which are strong, and give you the ability to easily change the puny ones out for something more robust.
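The two features just described, generating a random password and ranking an existing one, are simple enough to show in code. The following Go program is an added example written for this article; it is not code from any of the managers discussed. It draws characters with the operating system’s cryptographic random source (so the result is not predictable the way a plain `rand() % n` would be) and reports how many bits of entropy the result has. The strength labels and the character sets are this example’s own assumptions, and the `EstimateEntropyBits` heuristic is deliberately crude: it credits a password only for the character classes it visibly uses, which is one reason real managers add dictionary and pattern checks on top.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"unicode"
)

// Character classes the generator can draw from (assumed alphabet; a real
// manager lets the user choose which classes to include).
const (
	lowerChars   = "abcdefghijklmnopqrstuvwxyz"
	upperChars   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digitChars   = "0123456789"
	symbolChars  = "!@#$%^&*()-_=+[]{};:,.<>?"
	fullAlphabet = lowerChars + upperChars + digitChars + symbolChars
)

// GeneratePassword draws n characters independently and uniformly from
// alphabet using the OS CSPRNG. rand.Int uses rejection sampling, so each
// symbol is equally likely (no modulo bias).
func GeneratePassword(n int, alphabet string) (string, error) {
	if n <= 0 || len(alphabet) < 2 {
		return "", fmt.Errorf("need n > 0 and an alphabet of at least 2 symbols")
	}
	out := make([]byte, n)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// GeneratedEntropyBits is the exact entropy of a password produced by
// GeneratePassword: n independent choices among len(alphabet) symbols.
func GeneratedEntropyBits(n int, alphabet string) float64 {
	return float64(n) * math.Log2(float64(len(alphabet)))
}

// EstimateEntropyBits is a simple "ranking" heuristic for a password the
// user typed: it assumes the password was drawn uniformly from the union of
// the character classes it visibly uses. It overestimates dictionary words
// and predictable patterns such as "Summer2012!".
func EstimateEntropyBits(pw string) float64 {
	var hasLower, hasUpper, hasDigit, hasOther bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsDigit(r):
			hasDigit = true
		default:
			hasOther = true
		}
	}
	pool := 0
	if hasLower {
		pool += len(lowerChars)
	}
	if hasUpper {
		pool += len(upperChars)
	}
	if hasDigit {
		pool += len(digitChars)
	}
	if hasOther {
		pool += len(symbolChars)
	}
	if pool == 0 {
		return 0
	}
	return float64(len([]rune(pw))) * math.Log2(float64(pool))
}

// Rank maps an entropy figure to the kind of label a manager's password
// audit shows. The thresholds are this example's assumption, not a product's.
func Rank(bits float64) string {
	switch {
	case bits < 40:
		return "weak"
	case bits < 64:
		return "moderate"
	default:
		return "strong"
	}
}

func main() {
	pw, err := GeneratePassword(16, fullAlphabet)
	if err != nil {
		panic(err)
	}
	bits := GeneratedEntropyBits(16, fullAlphabet)
	fmt.Printf("generated: %s (%.1f bits, %s)\n", pw, bits, Rank(bits))
	// Constructed sample passwords to run the ranking heuristic over.
	for _, p := range []string{"password", "Summer2012!", pw} {
		e := EstimateEntropyBits(p)
		fmt.Printf("%-20s %.1f bits -> %s\n", p, e, Rank(e))
	}
}
```

Note the contrast the program prints: a 16-character generated password has a little over 100 bits of entropy by construction, while "password" scores under 40 bits, and the heuristic wrongly flatters "Summer2012!", which is exactly the gap a dictionary check closes.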
How do password managers work?
Without getting into technical jargon, password managers save your information in an encrypted file, which is only accessible through the use of a “master password.” By doing this, all of your various online services are secured, but you only have to remember one password. In turn, it is extremely important for you to make sure your master password is extremely high quality. (See here for how to create a great password.)
Are there different types of password managers?
Yes — quite a few, actually. A few of the most popular include desktop applications, which often store your personal information on an encrypted local file (as opposed to on an external server); Web- and cloud-based apps, which store your information on their servers; and “token” managers, which require the use of a secure USB flashdrive or other physical, external device, which must be used in conjunction with an app. Many password managers are a combination of these categories. There are also quite a few password managers for smartphones, many of which come with paid password manager apps for your computer.
Which password managers do you recommend?
LastPass: LastPass 2.0 is one of the best password managers available. And to sweeten the deal, it’s free! (A pay version also exists, which gives you more features for $12 per year.) LastPass is available for Windows, Mac, and Linux (and iOS and Android — more on that later). Once you’ve set up your master password, LastPass will import all of your saved login credentials (usernames and passwords) from Firefox, Chrome, Internet Explorer, Opera, and Safari. It then allows you to delete all of this information from your computer to keep it secure. After that, all you need to remember is your super-secure LastPass password.
Other free LastPass features include form autofill (for things like shopping online); multiple identities for work, school, and personal use; secure password generation; and even free credit monitoring to keep track of any suspicious activity on your financial accounts. And because LastPass stores your information (in an encrypted form) on its cloud servers, you can use LastPass on computers other than your personal PC.
LastPass also allows for two-factor authentication for added security, such as the use of a YubiKey. LastPass Premium gives users the ability to further enhance their security with a fingerprint reader. Its iOS and Android apps are also available to paying customers.
1Password: Another extremely popular and reliable password manager is 1Password. In fact, many people now prefer 1Password (“1Pass,” for short) over LastPass due to a rumored security breach of LastPass in 2011. (Many still swear by LastPass, however.) The only downside here is that 1Password will cost you $50 for one license, $70 for both a Mac and a Windows version, and $70 for a “family license” for up to five people. It’s not a lot of money if it saves you from being hacked or having your identity stolen — but it is more than the $0 you’ll spend on LastPass.
That said, 1Password does come with some added perks. In addition to all of the features available through LastPass — Mac/Windows compatibility, iOS/Android apps, password generation, etc. — 1Password also has an extremely easy-to-use UI. More importantly, however, is the fact that, unlike LastPass, 1Password does not store any of your information in the cloud, which may be less secure and is completely out of your control.
KeePass: If you’re looking for a good middle-of-the-road solution, you might try KeePass, which is free, open-source, and stores your encrypted data locally. It also uses the highly secure AES and Twofish encryption algorithms. The downside here — there’s always a downside — is that KeePass’s UI is far more basic than 1Password’s, it doesn’t always integrate well with all browsers, and there is no mobile solution available. (Update: A reader points out that mobile options do exist for KeePass; see the comments below.) But if none of those things matter, then KeePass is your password manager.
Update 2: Per a reader’s suggestion, RoboForm Everywhere is another fantastic password manager, and is often preferred over any of the previously mentioned options. RoboForm is available for PC, Mac, iOS, and Android. And, like KeePass and 1Password, RoboForm stores your information locally, rather than in the cloud. If you’re on a PC, I recommend the RoboForm2Go version, which installs on a USB drive rather than your computer’s hard drive. This will allow you to easily take RoboForm with you, and provides an extra level of security, as the USB drive must be plugged in for the encrypted information to be accessible to anyone.
Are password managers still vulnerable?
Absolutely. Any computer or system is vulnerable to attack, just by its nature. And because you must use a master password for most password managers, an obvious entry point remains for all these types of services. If someone gains access to your password manager, well, then you’re wide open for attack. Also, as mentioned, password manager systems that store your information in the cloud (like LastPass) are potentially more vulnerable than those that store the data locally — but even that is not a guarantee.
That said, if you create a high-quality password as your master password, don’t keep that information stored anywhere but your brain, and make use of multi-factor authentication, then the chances of someone being able to hack you are far less than they would be without the use of a password manager, cloud-based or otherwise. Unless, of course, someone just calls up Apple and pretends to be you. If that happens, well, good luck…