Quick tips on using password managers well
One of the first things we tell our customers is to use a password manager to store and manage passwords online. Though nothing will make any person hacker-proof, it’s one of the best ways to add an extra layer of security to protect your digital identity.
Benefits of password managers
Password managers do the following really well:
- Facilitate the use of strong passwords (as well as generating them).
- Prevent re-use of passwords across applications.
- Eliminate the need to memorize many long or complex passwords or phrases.
- Provide a more secure storage solution than using a browser’s built-in feature to save passwords.
There are some risks to which we expose ourselves when using a password manager. Most password managers rely on a single master password, which (if compromised) would give an attacker access to all of your other passwords. Despite that, most security experts agree the benefits of centralizing logins through a password manager outweigh the risks.
Tips for using password managers
Here is some advice to get the maximum protection from a password manager:
- Use a long master password/passphrase – the more characters you can remember, the better.
- Don’t rely on a master password alone; set up MFA for all applications that support it. Multi-factor authentication will ensure that even if your password vault were compromised, the attacker would still need that second factor to gain access to your accounts. Using a device like a YubiKey will add another layer of protection, too.
- Ensure that your password manager is disabled when not in use. This makes your credentials more difficult to get ahold of, adding another layer of digital identity protection.
- Ensure a zero-knowledge implementation. This means that the password manager solution should never store the master password in the cloud and that the encryption keys used to protect the password vault are only stored on your device.
- Disable your browser’s autofill and remember password functions. If your browser gets compromised, then your attacker can’t auto-populate logins to access sites stored there.
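To make the zero-knowledge tip above concrete, here is an added sketch (not taken from any password manager's code) of one way a client can derive its keys on the device so the service never receives the master password or the vault key. The function names, labels, and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this sketch


def derive_keys(master_password, salt, iterations=ITERATIONS):
    """Device side: stretch the master password, then split it into two keys."""
    root = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations
    )
    # Separate labels give two independent values from one root secret.
    vault_key = hmac.new(root, b"vault-encryption", hashlib.sha256).digest()
    login_token = hmac.new(root, b"server-login", hashlib.sha256).digest()
    return vault_key, login_token


def enroll(login_token, salt):
    """Server side: the only things the service keeps for this account."""
    return {"salt": salt, "login_hash": hashlib.sha256(login_token).digest()}


def check_login(record, login_token):
    """Server side: constant-time comparison against the stored hash."""
    candidate = hashlib.sha256(login_token).digest()
    return hmac.compare_digest(record["login_hash"], candidate)


def client_login(record, typed_password, iterations=ITERATIONS):
    """Device side: re-derive from what the user typed, send only the token."""
    vault_key, login_token = derive_keys(typed_password, record["salt"], iterations)
    return vault_key if check_login(record, login_token) else None


if __name__ == "__main__":
    salt = os.urandom(16)  # random per-account salt, not secret
    passphrase = "correct horse battery staple"  # constructed sample passphrase
    vault_key, token = derive_keys(passphrase, salt)
    record = enroll(token, salt)
    # vault_key stays on the device and would key an AEAD cipher such as
    # AES-GCM to encrypt the vault before upload (cipher not shown here).
    print("server stores:", sorted(record))
    print("right passphrase unlocks:", client_login(record, passphrase) == vault_key)
    print("wrong passphrase unlocks:", client_login(record, "guess") is not None)
```

A stolen server record still lets someone test passphrase guesses offline against the salt and login hash, which is why the long-passphrase tip at the top of the list matters even with this design.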