Tue May 17 2022
Let’s start from the beginning. Why is reusing the same password harmful? Reusing one password on multiple websites is dangerous because if any of these websites gets hacked, all your accounts are at risk. Criminals will try to log in with the stolen credentials not only on the hacked website, but on thousands of sites all over the internet on which you may have an account. Using automated programs, they can do so in seconds.
But wait, doesn’t European GDPR law require passwords to be securely stored in a database? Yes, but even if we make the unrealistic and dangerous assumption that every website handles your personal data with care and hashes the password, there is a problem. If a password is hashed, it is transformed into a seemingly random string of characters, which cannot be converted back to the original password.
That is, until advances in quantum computing make it possible to decipher all passwords protected with today’s standards. But even without quantum computing, password hashes can easily be cracked. Two of the most popular methods are brute-forcing and dictionary attacks. A brute-force attack tries every possible combination of characters, while a dictionary attack loops over all the words in a dictionary and tries combinations of those as passwords, beginning with a list of the most common passwords (such as, indeed, password). Hybrid methods exist as well. That explains why most websites nowadays require you to have a strong password: the longer and less common it is, and the more random characters it has, the harder it is for criminals to recover it from the hash. Of course, this also makes it harder for us to remember. And, this might shock you, those requirements are not that useful at all. As the XKCD cartoon below explains, a longer password is usually stronger, so a sequence of uncommon real words performs better than a short string of special characters.
A password manager addresses the aforementioned issues by centralizing unique, complex passwords in one secure place. It helps you by automatically generating secure passwords when you sign up on a website, and might even help your beneficiaries when you pass away. Most importantly, although setting everything up might take a while, a password manager saves you time.
How do password managers work? Web-based password managers store your passwords on a server (“in the cloud”). This lets you access your passwords from anywhere at any time, without installing complicated offline software: a simple browser extension and/or a mobile app suffices. The provider cannot view your passwords either: all reputable online password managers encrypt your data on your device before sending it to the server. This is called zero-knowledge technology. Built-in browser password managers are not safe, since they store the passwords unencrypted on your device. Multiple providers exist; the most well-known password managers are LastPass, Dashlane, LogMeOnce, Bitwarden, RememBear, 1Password and Keeper. As opposed to web-based services, there are offline password managers as well.
In the following steps, I will show you how to start using a password manager. For this tutorial, we will be using LastPass. Note that you can choose any other password manager if you like, as the process will be quite similar.
Setting up LastPass is very straightforward: simply create an account on https://lastpass.com/create-account.php. Choose a master password that is hard to guess but easy to remember. Avoid short passwords and try to include some special characters. For example: mY favOr!tE mOv!E !$ thE rOOM .
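To make the brute-force versus dictionary argument above concrete, and to show why a long passphrase like the master-password example holds up better than a short symbol-heavy string, here is an added sign-up-time password check (my own illustration, not code from the original post or from LastPass). It rejects passwords that are dressed-up versions of very common ones and estimates brute-force work from length and character classes; the common-password list and the candidate strings are constructed samples.

```python
import math
import string

# Constructed sample of the kind of "most common passwords" list a dictionary
# attack tries first; a real deployment would load a large breach-derived list.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
    "admin", "abc123", "monkey", "dragon", "football", "sunshine",
}

# Substitutions that hybrid dictionary rules undo routinely, so the check must too.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s"})


def normalize(password: str) -> str:
    """Undo the usual dressing-up of a common word ('P@ssw0rd!' -> 'password')
    so that trailing digits, punctuation and leetspeak do not defeat the check."""
    return password.lower().strip(string.punctuation + string.digits).translate(LEET)


def brute_force_bits(password: str) -> float:
    """Work for an attacker who knows only the length and character classes:
    log2(pool_size ** length). This is an upper bound; a password built from
    dictionary words falls to a dictionary attack in far fewer guesses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " "]
    pool = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, min_bits: float = 60.0) -> tuple[bool, str]:
    """Sign-up policy: reject common passwords outright (a dictionary attack
    finds them in seconds), then require enough length to resist brute force."""
    if normalize(password) in COMMON_PASSWORDS:
        return False, "rejected: a dressed-up version of a very common password"
    bits = brute_force_bits(password)
    if bits < min_bits:
        return False, f"rejected: only about {bits:.0f} bits against brute force"
    return True, f"accepted: about {bits:.0f} bits against brute force"


if __name__ == "__main__":
    # Nine characters from all four classes still fall short of 60 bits,
    # while the 29-character passphrase from the text reaches roughly 186.
    for candidate in ["P@ssw0rd!", "Tr0ub4d&3", "mY favOr!tE mOv!E !$ thE rOOM"]:
        ok, reason = check_password(candidate)
        print(f"{candidate!r}: {reason}")
```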
Once you have created an account, install the application or browser add-on. Then import your passwords from Chrome, Firefox or another browser by following the steps described in Account options > Advanced > Import. To illustrate, this is how you would import saved passwords from Firefox.
Password managers are considered safe by cybersecurity specialists. However, all security measures mean nothing if there is malware on your device (such as a keylogger) and you are not using two-factor authentication. I highly recommend setting up Multi-Factor Authentication (also known as MFA, or Two-Factor Authentication, 2FA). In LastPass you can do this by going to your vault, clicking the gear icon and selecting the Multifactor Options tab. Moreover, you should enable 2FA on all websites that support it. In this article, I explain how to do so.
Switching to a combination of password manager and multifactor authentication increases your safety online. Setting it up is easy and will eventually save you time.