Do I need a Password Manager?
Yes and maybe.
Do you visit several websites that require you to log in with a password? Then yes, absolutely, I would tell you to use a Password Manager. But maybe you are someone who visits a couple of websites, maybe a banking site, and those are the only ones you need a login for? If so, your answer is: Maybe. CAN you use a Password Manager? Oh, absolutely! DO YOU need to use one? That’s your preference.
And here’s why I say that… do you need a sledge hammer to kill a fly? Do you need a password manager to manage a couple of passwords? Sure, you can kill a fly with a sledge hammer, but is it necessary? Sure, you can use a Password Manager, but do you need to over-complicate things?
Password Managers have several purposes, one of which: They keep you safe.
But how? If a website or business you use suffers a security/data breach, the bad guys may get your password. If they have that password, and likely your email address since that’s often used when logging into a website, they can now (potentially) gain access to other sites where you use the same password.
A Password Manager helps you remember different passwords. Here’s how it works… you have two websites and one password. BOOM – I have access to both websites if I know your password! A Password Manager will record the password for each site you have to log into, and the advantage of that is that you can use a different password for each website.
This way, if the bad guys get your password for one website, they can’t use that site’s password to gain access to any other website.
Ever sign up for a website and they tell you that your password must have blah-blah number of UPPER case letters, so many LOWER case letters, a number, a special symbol, Egyptian Hieroglyphics, etc.? Your clever password of your pet’s name and your birthday, replacing the letter “o” with a zero, and an “e” with the number 3, can only go so far. I once had – what I thought at the time – a good password. A system cracked it in 14 seconds. Fourteen seconds. Needless to say, I changed my password. Those short passwords, or the ones you think may be “secure”, may not really be “secure”.
A Password Manager will generate a random set of letters, numbers, and whatever requirements the website needs, with an especially long password. Minimum is 8 characters? Not good enough. Personally, if a website allows me to have an extra-long password, I’ll take advantage of it. If it has a maximum of 20 characters, then my password will be 20 characters. The Password Manager will store the password for that website, and you won’t have to remember it (or write it down in a notebook).
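A sketch of that generation step, as an added example (not from the original post and not any particular Password Manager's code). The site names and their rules are constructed for illustration; each site gets its own password at the maximum length it allows.

```python
import secrets
import string

# Constructed per-site rules (hypothetical sites, not real services).
SITE_POLICIES = {
    "bank.example": {"min": 8, "max": 20, "symbols": "!@#$%"},
    "shop.example": {"min": 12, "max": 64, "symbols": "!@#$%^&*-_=+"},
}


def _classes(policy):
    # Character classes the site requires at least one of.
    return [string.ascii_uppercase, string.ascii_lowercase,
            string.digits, policy["symbols"]]


def meets_policy(password, policy):
    """True if length, allowed characters and every required class are satisfied."""
    classes = _classes(policy)
    allowed = set("".join(classes))
    return (policy["min"] <= len(password) <= policy["max"]
            and set(password) <= allowed
            and all(any(ch in c for ch in password) for c in classes))


def generate_password(policy):
    """Random password at the site's maximum length, drawn from the OS CSPRNG."""
    classes = _classes(policy)
    length = policy["max"]
    if length < max(policy["min"], len(classes)):
        raise ValueError("policy cannot be satisfied")
    alphabet = "".join(classes)
    # Draw uniformly and retry until every required class is present, so no
    # character position is predictable (unlike "symbol always goes last").
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, policy):
            return candidate


def build_vault(policies):
    """One independent password per site: a leak at one site reveals nothing about another."""
    return {site: generate_password(p) for site, p in policies.items()}


if __name__ == "__main__":
    for site, pw in build_vault(SITE_POLICIES).items():
        print(site, len(pw), "characters")
```
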
And once it’s stored, next time you visit the site, the Password Manager – which is integrated into your web browser – will log in for you, supplying your username/email and password. Ta da!
Now, do you need a Password Manager? In my opinion: Yes. Do you need two locks on your front door instead of one?
So, which to choose? There are many Password Managers, each with their own set of features. There are some that are free (no strings attached), and some charge monthly or yearly. Is one better than the other? That’s like asking which is better: Chevy or Ford. Yes, both will get you from point “A” to point “B”, but get a Chevy fan and a Ford fan in the same room, ask that question, and watch the sparks fly. 😉
The ones that often charge a fee offer the ability to sync to multiple devices. The one I use syncs to their cloud service, and keeps my laptop, desktop and phone in sync. WHY is that important? If you change a password or add a login on one computer, you don’t want to go through hoops to get the other computer (or phone) updated with the new info. That can be annoying if I change the password for Amazon and later my wife tries to log on the other computer and can’t get in (yes, that really happened once).
Now putting it in the cloud brings its own risks, and that’s where 2FA/MFA comes into play.
2FA stands for Two-Factor Authentication, and MFA stands for Multi-Factor Authentication. I can write up another blog post on the differences between the two, but for the purpose of this topic: it’s an additional form of security.
Many Password Managers, and some websites, offer 2FA/MFA security, but what does that mean? It’s something else, in addition to a password, that will grant you access. In the picture above, a USB key is inserted into the computer and then the person touches the circle “Y” in the middle. This is a Yubikey. It’s a hardware device that can fit on your keychain. You keep it with you and when you want to log into a website, or open your Password Manager, you would enter your username/email and password as you normally would, but then it would require you to supply this additional form of authentication. So even if an attacker/hacker/bad guy/kid-who-stole-your-postit-note-with-your-password had your password, they still couldn’t get in without that hardware key.
Can you use a Password Manager without one? Of course. As for which Password Manager you use, look at the options they offer you and see if it’ll work on your computer – some work for Windows but not for Linux, one will work on Windows and a Mac but not on an Android Phone, etc.
Read up on them. There are (obnoxiously) many articles about them (um, including this one?), so I would suggest you read up on a few to see which offers the best set of features you would use. Many of the free ones will do everything you want.
Getting back to the hardware key… if you have one computer that never leaves the house (i.e., a desktop), and you aren’t planning on syncing with another computer or phone, then no, you probably don’t need a hardware key like a Yubikey. I use one and most sites, and definitely my password manager, won’t let me in without it. Can it be frustrating if I don’t have it with me and need to log in? Yes, very. But, if a breach occurred and someone else has your password, they’ll be just as frustrated as you, except you’ll be the one that’s safe.