Preparedness and Survival in times of Fascism
J20 minus 61 — install a password manager

There are four pieces of advice I give to anyone looking to begin improving their digital safety:

  • use a strong phone password and disable biometrics;
  • keep your operating systems up to date;
  • use a password manager;
  • use Signal.

Today, I'm going to talk about the third bullet point. Over the years, best practices for passwords have evolved, but in the last few years the recommendations have started to converge. Recent research analyzing data breaches has found that weak or stolen credentials are frequently to blame.[1] And earlier this year, NIST published its latest draft recommendations on password policies (a public draft of Special Publication 800-63B, revision 4).

NIST's guidance confirms that much of the "conventional" wisdom regarding passwords is obsolete. The new recommendations favor length over complexity and recommend against requiring regular password rotation. The most common threat to passwords doesn't come from a password being cracked; it comes from passwords being reused. In other words, if you use the same password on two different sites and one of them has a data breach, attackers who obtain your password from that site can simply try it on the other (an attack known as credential stuffing). This is more common than you think. Go ahead and enter your email in the data breach site Have I Been Pwned and look at how many data breaches you have been affected by. Though some of these breaches have only managed to exfiltrate[2] hashed passwords[3], many sites still use obsolete hashing schemes (fast, unsalted hashes such as MD5 or SHA-1 rather than a slow, salted password hash such as bcrypt or Argon2), and it is only a matter of time before those passwords are broken.[4] You should assume that any data breach which leaked even a hashed version of a password has tainted that password for you forever.
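To make the reuse and hashing points above (and footnotes 3 and 4) concrete, here is an added Python example, not code from the post or from any product it mentions. It builds a constructed mini breach dump of four users, stores their passwords once with obsolete unsalted MD5 and once with a salted, iterated hash, and runs a dictionary attack with a tiny constructed wordlist against both. The user names, passwords and wordlist are made up; the PBKDF2 iteration count is deliberately low so the script runs in seconds.

```python
import hashlib
import os

# Constructed sample data, not a real breach. Four users of a hypothetical site:
# one reuses a common password, one picked a "clever" phrase that is in every
# wordlist, one has a password-manager-generated random string.
PLAINTEXTS = {
    "alice@example.org": "summer2019",
    "bob@example.org": "Password1!",
    "carol@example.org": "correct horse battery staple",
    "dave@example.org": "Vq7#kLp2zR9mTw4Xb",   # manager-generated, 17 chars
}

# Constructed stand-in for the multi-gigabyte lists attackers really use
# (rockyou.txt, earlier breach dumps, and so on).
WORDLIST = [
    "123456", "password", "qwerty", "summer2019", "letmein", "Password1!",
    "dragon", "correct horse battery staple", "iloveyou", "monkey",
]

# Obsolete scheme: unsalted MD5, still found in old web applications.
UNSALTED_DUMP = {u: hashlib.md5(p.encode()).hexdigest() for u, p in PLAINTEXTS.items()}

# Better scheme: a per-user random salt and a slow, iterated hash (PBKDF2 here;
# bcrypt, scrypt or Argon2 are the usual choices). The iteration count is kept
# low so the demo is quick; real deployments use hundreds of thousands or more.
ITERATIONS = 20_000

def salted_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

SALTED_DUMP = {}
for user, pw in PLAINTEXTS.items():
    salt = os.urandom(16)
    SALTED_DUMP[user] = (salt, salted_hash(pw, salt))

def crack_unsalted(dump, wordlist):
    """Dictionary attack on unsalted hashes.

    With no salt, hashing each candidate word once covers every user at
    once, so the work is len(wordlist), not len(wordlist) * len(dump). The
    same property is what makes precomputed rainbow tables possible.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}

def crack_salted(dump, wordlist):
    """The same attack on salted, iterated hashes.

    The salt defeats any shared lookup table: every user costs a full pass
    over the wordlist, and every guess costs ITERATIONS hash invocations.
    Weak and reused passwords still fall; the random one never does.
    """
    found = {}
    for user, (salt, digest) in dump.items():
        for candidate in wordlist:
            if salted_hash(candidate, salt) == digest:
                found[user] = candidate
                break
    return found

def guesses_needed(alphabet_size, length):
    """Guesses required to exhaust a uniformly random password of this shape."""
    return alphabet_size ** length

if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted(UNSALTED_DUMP, WORDLIST))
    print("salted PBKDF2 cracked:", crack_salted(SALTED_DUMP, WORDLIST))
    # dave's 17 characters drawn from ~94 printable ASCII characters:
    # no dictionary contains it, and 94**17 guesses is out of reach.
    print("guesses to exhaust dave's password:", guesses_needed(94, 17))
```

The salted run still recovers the three weak passwords, which is the point of the paragraph: hashing only buys time, and for a reused or common password that time is seconds. Only the manager-generated password survives either scheme.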

However, most of us today use dozens if not hundreds of services. Memorizing a new password for each service is infeasible. Enter the password manager.

Password managers are applications that run on your phone or computer and generate and store credentials for you. When you use a password manager, all you need to remember is the password for the password manager itself. The manager generates a unique, random password that meets a website's requirements and stores it, so you can paste or autofill it whenever you want to log in. Password managers are great because they let you use a new, random password for every site. This eliminates the biggest security threat the average user faces.
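As an added example, not code from the post or from any product mentioned in it, here is the core of what a password manager's generator does, written in Python: it draws from the operating system's cryptographic random source, honors a site's character-class rules, and, to make NIST's "length over complexity" point concrete, compares the entropy of a few password shapes. The character classes, the symbol set and the small word list are assumptions made for the demo.

```python
import math
import secrets
import string

# Character classes a typical site rule refers to. The symbol set is an
# assumption; many sites reject some punctuation, so a real manager lets
# the user trim it.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",
}

def meets_requirements(password, min_length, required_classes):
    """True if the password is long enough and contains every required class."""
    if len(password) < min_length:
        return False
    return all(any(ch in CLASSES[c] for ch in password) for c in required_classes)

def generate_password(length=20, required_classes=("lower", "upper", "digit", "symbol")):
    """Random password from the OS CSPRNG that satisfies a site's class rules.

    Uses rejection sampling: draw every character uniformly from the whole
    alphabet and retry until each required class appears. Forcing one
    character per class and shuffling is the common shortcut, but it skews
    the distribution; rejection keeps it uniform over qualifying passwords.
    """
    if length < len(required_classes):
        raise ValueError("length too short to contain every required class")
    alphabet = "".join(CLASSES[c] for c in required_classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_requirements(candidate, length, required_classes):
            return candidate

def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly from `alphabet_size`
    choices: the number that decides how long cracking takes."""
    return length * math.log2(alphabet_size)

# Constructed mini word list for the passphrase demo. A real list such as the
# EFF long list has 7776 words, about 12.9 bits per word.
WORDS = ["anchor", "basil", "copper", "delta", "ember", "falcon", "granite",
         "harbor", "iris", "juniper", "kestrel", "lantern", "meadow", "nectar",
         "orchid", "pepper"]

def generate_passphrase(n_words=6, wordlist=WORDS, sep="-"):
    """Diceware-style passphrase: bearable to type on a TV remote, and with a
    full-size word list stronger than most "complex" 10-character passwords."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    print(generate_password(20))
    print(generate_passphrase())
    # Length beats complexity: 16 lowercase letters carry more entropy than
    # 8 characters drawn from all four classes (26+26+10+13 = 75 symbols).
    print(f"8 chars, 4 classes:           {entropy_bits(75, 8):.1f} bits")
    print(f"16 lowercase letters:         {entropy_bits(26, 16):.1f} bits")
    print(f"6 words, 7776-word list:      {entropy_bits(7776, 6):.1f} bits")
```

Two details matter here: `secrets` rather than `random` (the latter is a deterministic generator, fine for games and useless for secrets), and the fact that a 16-letter lowercase password already beats an 8-character "complex" one by about 25 bits, which is why the newer guidance stops fussing over character classes and asks for length instead.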

Password managers are not without downsides. They create a single point of failure: anyone who has your password manager's password can get to all of your passwords.[5] And not every website implements modern password policies: some block pasting into password fields, a foolish choice that detracts from, rather than adds to, user security. Most password managers also charge a small fee, which puts a price on basic security. I'm not a fan of that unless the fee buys convenience functionality that isn't strictly necessary (and some applications do offer that). One such feature that is really nice is a family plan: you subscribe for a slightly higher monthly premium and get multiple licenses for the software. And they're a real pain in the ass when you have to enter a password on a TV or gaming console with a remote control.

However, right now there are a lot of Black Friday and Cyber Monday sales going on. That means the best time to get a password manager subscription is now. On average, I see between $35-50 yearly for decent apps from reputable companies. That might be a lot to swing for some people, and I'd love to see more community mutual aid efforts helping to buy password manager subscriptions for vulnerable community members.

It's important when choosing a password manager that you get one from a company with a good reputation in security. Unfortunately, not every company has a good record here. In 2022, LastPass had a security incident[6] in which copies of customers' encrypted password vaults were stolen. Because a stolen vault can be attacked offline at leisure, anyone who protected it with a weak master password should assume its contents are exposed. This was the third breach the company had suffered since 2015, and there was ample criticism of the transparency and engineering prowess the company displayed in handling it.[7] I cannot recommend using LastPass at the moment.

However, there are plenty of other options:[8] I personally use 1Password with a family plan that has served me well for a number of years. I'm able to create different vaults for work and personal accounts, and I can create a shared vault to share passwords with my wife. 1Password also has functionality for more than passwords. For instance, you can store secure notes for things like safe combinations, generate and store SSH keys, and so forth. 1Password has a browser extension to make it trivial to use in practice, as well as apps for the iPhone, Android, Windows and Mac. This allows me to sync my passwords between my devices. On the negative side, the app is sometimes pretty clunky. It doesn't always detect when I'm generating a new password, and really struggles when I have a single service with multiple accounts.

Another option is ProtonPass, from the same security-focused company that makes ProtonMail (I am a user of ProtonMail, but not of ProtonPass). Proton has a good reputation for security, and because it is based in Switzerland, Swiss law also offers its users some protection from foreign law enforcement snooping. Since I haven't used ProtonPass, I can't speak to the quality of its features. Leave a comment if you use it and let me know what you think!

Finally, if you don't want to go third-party with a password manager, then it's possible to use a device's or a browser's keychain for storing passwords. Apple ships options with both iOS and macOS for generating and storing secure passwords, and I've used them with regularity. They lack the simple portability that 1Password gives me out of the box, so I only use them for accounts I know I'll only access from one device.[9]

But enough. The latest professional best practices are to use and support password managers because they allow users to easily generate strong, unique passwords for every site and every account they use, thereby cutting off the most common cause of data breaches happening today. It's one of the simplest things you can do to improve your digital safety. So my call to action is to take advantage of a Black Friday deal today and set up a password manager. If you already use one, buy a license as a gift for someone who can't afford one, if you can swing it.

Once you have the password manager set up, start going through your accounts, changing any passwords that aren't unique and replacing them with new, stronger passwords generated by the password manager. You don't have to do everything right away; just start moving things over naturally. Just make sure you remember your password manager's main password! It might help to practice logging in for a few days to build the muscle memory. If the manager gives you a recovery code or secret key when you sign up, write it down and keep it somewhere safe: without it, forgetting the main password can lock you out of everything for good. Securing your accounts is one of the most important things you can do to defend against twenty-first century authoritarianism. There's no better day than today to get started.


  1. Alan Longstreet, "How Compromised Passwords Lead to Data Breaches & How to Prevent Them", Beyond Trust, December 14, 2023. Accessed November 20, 2024. ↩︎

  2. That is, steal. ↩︎

  3. Hashing is a mathematical operation that takes a string, like a password, and scrambles it irreversibly. In other words, hashing is a one-way operation, whereas encryption is reversible. Hashing passwords is a best practice because, done properly, the only way to recover the password is to guess candidates and hash each one until something matches; with a strong password and a slow, salted password hash such as bcrypt or Argon2, that takes far longer than any attacker can afford. ↩︎

  4. Hashed passwords can nevertheless still be cracked. Unsalted hashes are vulnerable to precomputed lookup tables known as "rainbow tables", and fast hashes such as MD5 or SHA-1 can be guessed at billions of attempts per second on commodity GPUs, so any common or reused password falls quickly regardless of salt. ↩︎

  5. Good password managers also require a second secret credential when setting them up on a new device, reducing this risk (1Password, for example, combines your account password with a locally generated Secret Key). ↩︎

  6. Karim Toubba, "12-22-2022: Notice of Security Incident", LastPass blog, December 22, 2022. ↩︎

  7. Davey Winder, "Why You Should Stop Using LastPass After New Hack Method Update", Forbes, March 3, 2023. ↩︎

  8. None of this is an endorsement, and I am not getting paid for this. ↩︎

  9. I'm sure there are some options I can turn on for better portability. But I've never cared to explore this. ↩︎