Trouble Keeping Up with Your Passwords? Here's What You Should Know about Password Managers

February 8, 2017

As more and more aspects of our lives become digital, we start racking up different passwords for different accounts. What's the best way to keep up with all of them?

Security experts recommend using a password manager as one of the top safety steps consumers can take. If you aren't using one yet, though, you aren't alone: Lorrie Cranor, former chief technologist for the Federal Trade Commission (FTC), did not begin using one until late 2016.

"I've been advocating password managers for years but I'd never actually tried one," Cranor said.

Password managers defend your information from criminals by creating and storing a different password—a long, complicated password—for each online account. But they can be confusing for people who have never used one, who may wonder how to set up the manager, where the passwords will be stored, how to share passwords with a spouse, how the manager works with smartphone apps, and more.

If you have questions like these, don't worry! Everything you need to know about password managers is below.

What Exactly Is a Password Manager?

Most people either use weak passwords or reuse one or two passwords with many accounts. These practices leave us more vulnerable to crimes like identity theft. Password managers generate, retrieve, and collect long, random passwords across countless accounts while at the same time protecting all of your online personal information—not just passwords, but PINs, credit card numbers and their three-digit CVV codes, answers to security questions, and more—using such strong encryption that hackers may never be able to crack them.

To get this security, you need to remember only one password—the one to the manager itself.

Although these are excellent benefits, you should still take other security measures too. For example, set lock screens on each of your devices, set up two-factor authentication for important accounts, and use only computers that you trust.

"Password managers are not a magic pill," said Lujo Bauer, who works as a security researcher and associate professor at Carnegie Mellon University, "but for most users they'll offer a much better combination of security and convenience than they have without them. Everyone should be using one."

What Will It Cost?

Some password managers cost money, and others are free.

If you choose Dashlane, you'll pay $40 per year to sync one Dashlane account across all of your devices. 1Password charges $2.99 per month to do the same after a 30-day trial period.

Cloud-based manager LastPass recently waived its $1 monthly fee and offers many of the same features as Dashlane and 1Password, including syncing across all devices. However, if you want features like priority technical support, one gigabyte of encrypted file storage, and up to five users on one LastPass account, you'll have to pay $12 every year.

Finally, KeePass (or KeePassX, for Mac users) is a free, open-source manager. It uses the same strong encryption as the other managers to protect your passwords. However, it's geared toward tech enthusiasts, so if you aren't a fan of do-it-yourself projects, you might want to choose another manager.

How to Set Everything Up

With the exception of KeePass, the process for setting up password managers is generally the same. Some will require you to download and install software and a browser extension, though others require only the browser extension. Apps for tablets and mobile phones are also available.

You'll use an email address to set up your account, and you'll also need to create a long, random, complicated password.

Then you need to tell the manager about all of your online accounts. You can either import passwords you've previously stored in your browsers or store your username and password when you next log in to a given site. Alternatively, you can enter the information manually.

Can Password Managers Change Old Passwords for Me?

Unfortunately, you'll have to change most of your passwords manually. To do this, log in to the site in question, go to your settings/account information, and allow your chosen password manager to create a new password. It is also a good idea to change the answers to your security questions to nonsense character strings (which your password manager can also store).

It will take time to replace all of your old weak or recycled passwords, especially if you've got numerous accounts. However, remember that you don't have to change the passwords for all of them at one time. In fact, security experts say that it's better to change the passwords for your most important accounts first, then get around to the other accounts whenever you can.

"Even if you've changed your password to only a few sites—like your email, your bank, cloud storage—you've significantly increased your security," Bauer said.

As you start to add accounts to your manager, you'll notice a very useful security feature: password managers also store the URLs for sign-ins. This is useful because many phishing attacks attempt to trick users into providing account information by sending them to fraudulent websites that have slightly different web addresses. Always either use the link stored in your manager or type the URL yourself.
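
The URL check described above, as an added example that is not part of the original article or any password manager's own code: a saved login is offered only when the page's origin exactly matches the stored sign-in URL. The vault entries, page URLs and function names are constructed, and exact-origin matching is an assumption of this example.

```javascript
// Constructed vault entries: the sign-in URL is stored next to the credential.
const vault = [
  { title: "Example Bank", signInUrl: "https://login.bank.example/signin", username: "alice" },
  { title: "Example Mail", signInUrl: "https://mail.example.org/", username: "alice@example.org" },
];

// Reduce a URL to its origin (scheme + host + port).
// Returns null for unparsable input or anything that is not HTTPS.
function originOf(rawUrl) {
  try {
    const u = new URL(rawUrl);
    if (u.protocol !== "https:") return null; // never offer credentials over plain HTTP
    return u.origin;
  } catch {
    return null;
  }
}

// Return the entries whose stored origin exactly equals the page's origin.
function entriesFor(pageUrl, entries = vault) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === null) return [];
  return entries.filter((e) => originOf(e.signInUrl) === pageOrigin);
}

// Constructed pages: the first is genuine, the rest have "slightly different"
// addresses (extra suffix, misspelling, plain HTTP, real name used as userinfo).
const pages = [
  "https://login.bank.example/signin?next=/accounts",
  "https://login.bank.example.verify-account.test/signin",
  "https://login.bannk.example/signin",
  "http://login.bank.example/signin",
  "https://login.bank.example@other.test/signin",
];

for (const page of pages) {
  const hits = entriesFor(page);
  console.log(hits.length ? `offer "${hits[0].title}"` : "no match", "<-", page);
}
```

Only the first page produces a match; a person glancing at the address bar can miss each of the other differences, but the string comparison cannot.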

In addition, browser extensions for password managers can fill in forms with your user information. They can also log you into accounts automatically, though security experts warn users to be cautious with this feature. It is generally safer to disable auto-logins in the manager's settings.

"Web browsers are huge pieces of software with complex functionality," Bauer said. "With automatic logging-in, you're effectively forced to trust web browsers not to trick the password manager into divulging your password. It is much safer to have a prompt so that you have to actively agree before your password manager sends a password to a website."

Where Are the Passwords Stored?

Different managers take different approaches when it comes to storing passwords. It's a question of storing them locally or in the cloud—you can choose to either keep all of your passwords on a computer or storage drive at home or keep them elsewhere on a company's servers.

Some managers store your passwords remotely on their servers by default. There are two benefits to this approach: it allows users to easily sync data across all of their devices, and they will not lose all of their passwords if their computer crashes.

However, some people are uneasy about storing all of their passwords remotely on one site. Though the companies behind them claim to have excellent security, password manager servers are targets for hackers. If this makes you worry, you can store your passwords locally.

How to Sign In to Apps

Managers work well on laptop web browsers. Chances are, however, that you will also want to log in to your accounts from apps. The way in which you'll do this will depend on the kind of phone you have.

You will encounter few problems with Android phones, but iPhones are a different matter. It is likely that many of the apps for your accounts are not supported for autofill on iOS.

However, that doesn't mean that you won't be able to log in to those apps. The worst-case scenario is that you'll have to copy and paste your username and password from your password manager's app into the app you want to access, such as your banking app. This will log you in after only a few taps, and you will never again have to type in your long, complicated password.

What Happens If I Forget the Manager Password?

If you use LastPass, you'll get a password hint or, if you're using a device that you've used in the past, a way to reset the password.

Unfortunately, if you're using one of the other password managers, you're locked out of the manager forever. But take heart! Locking yourself out is inconvenient, but not the end of the world: you'll simply have to go to all of your accounts and reset all of your passwords.

Just in case, make sure to write down the password to your manager and store it in a safe spot.