2016-12-16

Password Manager Versus the Alternatives

Scope of this Post

This post will show how using a password manager compares in security and convenience to the other major ways of managing account credentials: the password manager is the winner in both categories.  This post will also cover some common objections to using password managers.

For some background, there is my previous post on account security risks.

The bottom line is:
  • The case for password managers is strong.  Security experts use and recommend them.  The biggest choices are which password manager to use, whether to use browser integration, and whether you want to use a physically secure notebook for some of your accounts.

Note: by "password manager", I mean a standalone program dedicated to managing account credentials (username, password) and storing them in encrypted form, protected by a master password.  Web browser password managers will be addressed in their own section.

Also, I'd like to recommend 2FA for all accounts you have that are of even mild value. The security benefits are large and the inconvenience is small, regardless of whether you choose to use a password manager.

Author's Note: TODO, weave in https://medium.com/@stuartschechter/before-you-use-a-password-manager-9f5949ccf168

2016-12-07

Account Security Risks and Reasons to Use a Password Manager and 2FA

Scope Of This Post and Some Basic Recommendations

I consider switching to using a password manager to be one of my best life decisions in terms of costs and benefits.  The security and convenience benefits are immense, and the costs (setup effort) are small.  Yes, using a password manager made managing and logging in to my accounts much easier, faster, and less stressful, but this post will focus on security issues.  My thanks to Troy Hunt for influencing me to make the plunge.

Without a password manager, it borders on impossible for a human to do passwords correctly.  By "do passwords correctly", I mean having strong, unique passwords for all of your accounts.  To illustrate why it is good to have strong, unique passwords, I will go over several of the account security risks most humans face, with special emphasis on passwords.  Maybe this will directly persuade some people to start using a password manager, but it will also establish some background for another post that will discuss why password managers are a big security improvement over the alternatives and are overall the best choice.

For generating strong passwords (with the goal of surviving offline attacks), I recommend:
  • For passwords you want to remember, such as your Google password and master password: choose 6 random words from the Diceware word list (pdf).
  • For passwords managed by your password manager (you don't have to remember them and it's very rare to actually type them): have your password manager randomly generate at least 16 random lower case letters, upper case letters, and digits.
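As an added illustration of the two recommendations above (not code from the original post), the script below generates a six-word Diceware-style passphrase by simulating five dice rolls per word with the operating system's CSPRNG, generates a 16-character password from the 62-symbol lower/upper/digit alphabet the way a password manager would, and reports the entropy of each. The word list is a constructed stand-in: it assumes, like the real Diceware list, one word for each of the 7776 five-dice outcomes, but fills them with synthetic words so the example runs offline; substitute the real list to get usable passphrases.

```python
import math
import secrets
import string
from itertools import product

DICE_FACES = "123456"
ROLLS_PER_WORD = 5
DICEWARE_LIST_SIZE = len(DICE_FACES) ** ROLLS_PER_WORD  # 7776 words

# 62 symbols: the lower case letters, upper case letters and digits the post recommends.
PASSWORD_ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits


def build_constructed_wordlist():
    """Constructed stand-in for the Diceware list (assumption: the real list maps
    each five-dice roll '11111'..'66666' to one English word). Every key gets a
    synthetic word so lookups and the entropy arithmetic match the real list
    without embedding 7776 words here."""
    keys = ("".join(faces) for faces in product(DICE_FACES, repeat=ROLLS_PER_WORD))
    return {key: f"word{key}" for key in keys}


def roll_word_key():
    """Simulate five fair dice. secrets.randbelow draws from the OS CSPRNG and is
    uniform, so no face (and therefore no word) is favoured."""
    return "".join(DICE_FACES[secrets.randbelow(len(DICE_FACES))] for _ in range(ROLLS_PER_WORD))


def diceware_passphrase(wordlist, n_words=6):
    """Pick n_words by independent rolls and join them with spaces."""
    if len(wordlist) != DICEWARE_LIST_SIZE:
        raise ValueError("wordlist must contain exactly one word per five-dice outcome")
    return " ".join(wordlist[roll_word_key()] for _ in range(n_words))


def generate_password(length=16):
    """Random password over PASSWORD_ALPHABET; each position is drawn independently
    with secrets.choice, the same primitive a password manager should be using."""
    if length < 16:
        raise ValueError("the post recommends at least 16 characters")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` independent uniform picks from `alphabet_size`
    choices; this is what an offline guessing attack has to work through."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    wordlist = build_constructed_wordlist()
    print("passphrase:", diceware_passphrase(wordlist),
          f"({entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits)")
    print("password:  ", generate_password(),
          f"({entropy_bits(len(PASSWORD_ALPHABET), 16):.1f} bits)")
```

Six Diceware words give about 77.5 bits and 16 alphanumeric characters about 95.3 bits, which is why the post is comfortable with the shorter-looking passphrase for the few secrets you must memorize and the longer random string for everything the manager types on your behalf.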

Also, I highly recommend enabling 2FA on all of your accounts of even mild worth.  A very common form of 2FA is that when logging in from an unrecognized device, the login attempt will also require a verification code sent to the account's associated email or phone.  This additional layer of defense may protect you even when bad people know your password, and 2FA is only a minor and rare inconvenience.

2016-12-04

Steps to Set Up KeePass

Scope of this Post

The following instructions are for how to set up the KeePass password manager on your Windows PCs, iPhones, and Android devices.  This post also covers the one-time process of creating a password database and putting it in Google Drive.

If you are hoping to use KeePass on Linux or MacOS, I haven't done it myself, but you might have success using KeePassXC or one of the KeePass packages that has made it into Mac OS X and several Linux distribution software repositories.  See this page for download options.  Also, there's the option of running KeePass under Mono on your MacOSX/Linux system.

If you use the following steps, you'll be able to access your always-up-to-date password database from all of your devices that you've installed KeePass on.

This post assumes you are comfortable using KeePass plugins and also browser plugins, which make using KeePass extremely convenient.  Future posts will cover the case where you want to be paranoid and trust only KeePass itself and Google.

The most notable links, folder locations, and component names are bolded.

Note that the version of KeePass we'll be using is KeePass2, so don't be afraid when folders or apps talk about KeePass2.