Why you should use a password manager
I have been resistant for a long time when it comes to password managers. Like many people, it feels like putting all of one's eggs in a single basket. For various reasons, I finally signed up to one.
When I signed up, it imported my details and then offered me the chance to get a grading for my security status. It reviewed my passwords, my login password and various other elements and gave me three scores: Security Rating, Ranking and Master Password Rating. I scored 22%, bottom 50% and 50% for my security. I was shocked. After much work I now score 99%, Top 1% and 100%.
Like many people, especially those working in the industry, I assumed I had a solid approach to security on-line. I had reasonable passwords, used about six or eight of them, and had a few password templates. The security score showed me that, across the 200 or so sites I used, this was a very vulnerable situation. What made it worse is that I regularly did not save the passwords for the more important sites, but still reused one of my core passwords or password templates.
After seeing that, I spent the evening reviewing my sites' passwords. Once I started moving a few to 45-character randomized passwords, I realized the value. Each site was unique and so complex as to be meaningless to a brute force or rainbow table attack. Additionally, should a site be hacked and be poor enough in its security to leak data, it would not compromise me, as I had a clear list of if and when passwords were reused, and the manager encourages us not to reuse them.
After a very short time, I moved all of my passwords into the password manager. All bar a very few were given randomized unique passwords. One complaint is that you cannot mark a site as being IP restricted. Some of our simple internal systems have shared passwords. Whilst saved, they are also secure, as they can only be accessed in the office.
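The review the manager performed above, reused passwords, template variants and short passwords across a vault, can be reproduced on an exported vault with a few lines of Python. This is an added example, not the author's code and not any password manager's grading logic; the vault entries are constructed sample data, and the thresholds (a 16-character minimum, an 8-character shared prefix as the sign of a "template") are assumptions chosen for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample of a vault export (site, user, password). Not real accounts.
SAMPLE_VAULT = [
    {"site": "mail.example",  "user": "fred", "password": "Summer2014!"},
    {"site": "shop.example",  "user": "fred", "password": "Summer2014!"},       # exact reuse
    {"site": "bank.example",  "user": "fred", "password": "Summer2014!bank"},   # template variant
    {"site": "forum.example", "user": "fred", "password": "hunter2"},
    {"site": "cloud.example", "user": "fred", "password": "wHYNWW3qfeMSgtPUk6QbyYMmbBSEFp6mRvxuK9CTvt3y"},
]

MIN_LENGTH = 16      # assumed threshold for "long enough"
TEMPLATE_PREFIX = 8  # assumed: two passwords sharing this many leading characters came from a template


def fingerprint(password):
    """Short hash so a report can be kept or shared without listing cleartext passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(vault):
    """Map fingerprint -> sites for every password that appears on more than one site."""
    groups = defaultdict(list)
    for entry in vault:
        groups[fingerprint(entry["password"])].append(entry["site"])
    return {fp: sorted(sites) for fp, sites in groups.items() if len(sites) > 1}


def find_template_variants(vault, prefix_len=TEMPLATE_PREFIX):
    """Flag sites whose password shares a long leading prefix with a *different* password elsewhere."""
    flagged = set()
    entries = [(e["site"], e["password"]) for e in vault]
    for i in range(len(entries)):
        for j in range(i + 1, len(entries)):
            (site_a, pw_a), (site_b, pw_b) = entries[i], entries[j]
            if pw_a == pw_b:
                continue  # exact reuse is reported separately
            if len(pw_a) >= prefix_len and len(pw_b) >= prefix_len and pw_a[:prefix_len] == pw_b[:prefix_len]:
                flagged.update((site_a, site_b))
    return sorted(flagged)


def find_short(vault, min_length=MIN_LENGTH):
    return sorted(e["site"] for e in vault if len(e["password"]) < min_length)


def audit(vault):
    """Return the findings plus the list of sites that pass every check."""
    reused = find_reuse(vault)
    reused_sites = {s for sites in reused.values() for s in sites}
    variants = find_template_variants(vault)
    short = find_short(vault)
    bad = reused_sites | set(variants) | set(short)
    return {
        "total": len(vault),
        "unique_passwords": len({fingerprint(e["password"]) for e in vault}),
        "reused": reused,
        "template_variants": variants,
        "short": short,
        "clean_sites": sorted(e["site"] for e in vault if e["site"] not in bad),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    print(f"{report['unique_passwords']} distinct passwords across {report['total']} sites")
    for fp, sites in report["reused"].items():
        print(f"  password {fp} reused on: {', '.join(sites)}")
    print("  template variants:", ", ".join(report["template_variants"]) or "none")
    print("  shorter than minimum:", ", ".join(report["short"]) or "none")
    print("  clean:", ", ".join(report["clean_sites"]) or "none")
```

On the constructed vault only the one site with a long random password passes; the two exact copies, the "template" variant and the short legacy passwords are each called out. Hashing the passwords before reporting means the output can be kept as a to-do list without becoming a second cleartext copy of the vault.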
Why people avoid password managers
I don't trust a single point of entry: This is the best argument against password managers. If you break the primary login, you have access to everything. The counter is threefold. 1) Use two-factor authentication. If you do this then even guessing the password isn't enough, as the USB key, thumbprint or authentication token acts as protection. 2) Keep the particular manager you use secret, as that adds to the break-in complexity. 3) Be aware of the danger of repeated passwords: when you have one password to remember you can make it strong with multiple character combinations. When you have two hundred you take shortcuts, and one weak password opens the door to your identity, because it gives access to other accounts.
I can't remember my passwords: This is the easiest to answer. Everyone needs to remember a number of passwords: email, Facebook, whatever. Reducing these down to a single password means you can make it more complex and yet you can increase the security on everything else. If it supports it, have a 100-character randomized password that will take 5.61 hundred billion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries with a massive cracking array to break.
I can remember my passwords: Tell me. Can you remember “9sIsU3Dum1”? That is just a ten-character password. Can you remember discrete versions of this 200 times? Congratulations if you can, but you are still less secure than someone using a password manager who could use up to 100 characters per password. Can you remember “wHYNWW3qfeMSgtPUk6QbyYMmbBSEFp6mRvxuK9CTvt3yz9bGq368mKSGEb288JYmmFuzuRCRVwdMw23JyWqRD6DqcmDNeM2nszZ5” 200 times? Augmented, I can.
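The two objections above both come down to arithmetic: how big the keyspace of a 10-, 45- or 100-character random password is, and how long a guessing attack needs on average. The following added example (not the author's code, and not the calculator that produced the "centuries" figure above) generates passwords with the OS CSPRNG via Python's `secrets` module and works the estimate through with exact integers so 100-character keyspaces do not overflow floats. The guess rate of 10^12 per second is a constructed assumption standing in for "a massive cracking array"; change it to match whatever threat model you care about.

```python
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits           # 62 symbols, as in the examples above
FULL = ALPHANUMERIC + string.punctuation                      # 94 symbols
ASSUMED_GUESS_RATE = 10**12       # assumption: guesses per second for a large offline cracking rig
SECONDS_PER_YEAR = 365 * 24 * 3600


def generate_password(length, alphabet=FULL):
    """Draw every character independently from the OS CSPRNG. Never use random.random() for this."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(length, alphabet_size, rate=ASSUMED_GUESS_RATE):
    """Average-case years to guess the password: half the keyspace at `rate` guesses/second.
    Integer arithmetic throughout, so 62**100 is handled exactly."""
    keyspace = alphabet_size ** length
    expected_guesses = keyspace // 2
    return expected_guesses // (rate * SECONDS_PER_YEAR)


def compare(lengths=(10, 45, 100), alphabet=ALPHANUMERIC, rate=ASSUMED_GUESS_RATE):
    """Table rows (length, bits, years) for the lengths discussed on the page."""
    size = len(alphabet)
    return [(n, round(entropy_bits(n, size), 1), expected_crack_years(n, size, rate)) for n in lengths]


if __name__ == "__main__":
    for n, bits, years in compare():
        print(f"{n:>3} chars from {len(ALPHANUMERIC)} symbols: {bits:6.1f} bits, ~{years:.3e} years at 1e12 guesses/s")
    print("sample 45-char password:", generate_password(45))
```

At the assumed rate a 10-character alphanumeric password falls in days; the jump to 45 characters adds roughly 200 bits of entropy and takes the estimate far beyond any physically meaningful horizon, which is the whole point of letting the manager pick and remember them.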
What if the password manager is hacked? This is a concern. But it is a single entry point, defined by its security, required by its nature to be secure and encrypted in its data (unless you are doing something bonkers like using Cloud Office Word to store passwords as your password manager). Always upgrade your primary entry point with two-factor authentication and you make hacking your data a very low likelihood. Consider using an alternate as your own backup route.
I don't have time: Make time. It is much easier to do it on a dull Sunday evening with a glass of wine than to deal with the time you might spend in court over fraud, bankruptcy or a much more sordid issue.
I write my passwords down: Good job, Fred Flintstone! Aside from the legal issues in various nations mandating access to a written key as against one only stored in your head, are you somehow claiming that an easily stealable and identifiable list you keep by your computer is more secure than an industry best practice encrypted data store on-line? Just no.