Digital Security 101: Time to start using a password manager

I’ve written this post as a result of my frustrations with people from all walks of life using terrible password practices. If this post ends up changing one person’s way of managing their passwords then it has served its purpose.

It’s time to take back control of your internet security. Breaches are becoming more common and one day you will get caught. You may see a breach as insignificant, such as an old email address you used at secondary school or an old social media account that you’ve not logged on to for about 10 years, but I will go on to explain that it is much more significant than you might think, hopefully before it becomes an invasion of your privacy.

These breaches are currently worth the hackers’ time, and this is largely down to people’s poor password practices. Whilst you may think your password is a good password, all it takes is one breach to make that password a bad password. You probably use that password everywhere from your online banking to your social media accounts. You may think having two or three passwords will outsmart them, but I can assure you it will not. There is a practice called credential stuffing where hackers take your username and password from a breach and test it against multiple websites to gain unauthorized access to your accounts. You can check if you’ve been part of any breach using HaveIBeenPwned. Don’t be alarmed if you find you’re part of a breach; just ensure you take the necessary action to protect yourself now that you know your password could be exposed.
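As an added illustration of the two problems this paragraph describes (password reuse, and passwords that have already appeared in a breach), the following Python audit is not part of the original post. It takes a constructed list of saved logins, flags any password used for more than one account, and checks each password against a constructed stand-in for the HaveIBeenPwned "Pwned Passwords" data set the way that service's range API works: only the first five hex characters of the SHA-1 hash leave the client, and the match is made locally. The accounts, passwords and breach list are all made up for the demo; `range_lookup` stands in for the network call.

```python
# Added example, not code from the blog post. Audits a vault export for password reuse and
# for passwords present in a breached-password set, using the HIBP-style range lookup
# (send a 5-character SHA-1 prefix, match the suffix locally) so the password itself is never sent.
from __future__ import annotations

import hashlib
from collections import defaultdict

# Constructed sample vault export: (site, username, password). Two accounts share one password.
SAMPLE_VAULT = [
    ("bank.example", "alice", "Winter2021!"),
    ("mail.example", "alice", "Winter2021!"),
    ("social.example", "alice", "fYo7$vb2R!qL9@pz"),
]

# Constructed stand-in for the Pwned Passwords data set: upper-case SHA-1 hex digests of
# passwords that "appeared in breaches". The real set is hundreds of millions of entries.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Winter2021!", "password", "123456")
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> list[str]:
    """Simulates the HIBP range endpoint: given the first 5 hex characters, return every
    matching hash suffix. Only this prefix would ever be sent over the network; the client
    compares the suffixes itself (k-anonymity), so the service never learns the password."""
    if len(prefix) != 5:
        raise ValueError("range lookup takes exactly 5 hex characters")
    return [h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)]


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 appears in the (simulated) breach set."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    return suffix in range_lookup(prefix)


def find_reused(vault: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Map each password used for more than one account to the accounts sharing it."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for site, user, password in vault:
        by_password[password].append(f"{user}@{site}")
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


def audit(vault: list[tuple[str, str, str]]) -> dict:
    """Return the reuse groups and the accounts whose password is already in a breach."""
    exposed = sorted({f"{user}@{site}" for site, user, pw in vault if is_breached(pw)})
    return {"reused": find_reused(vault), "exposed": exposed}


if __name__ == "__main__":
    result = audit(SAMPLE_VAULT)
    for pw, accounts in result["reused"].items():
        print(f"password reused across {len(accounts)} accounts: {', '.join(accounts)}")
    for account in result["exposed"]:
        print(f"password for {account} has appeared in a breach; change it first")
```

Every account that reuses the breached password shows up in both lists, which is exactly the credential-stuffing exposure the paragraph warns about: one leaked password, several accounts at risk. Accounts with a unique, generated password pass clean.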

The best practice is to use one password per account, built up of letters, numbers and symbols. The longer the password the better. Now, this is absolutely impossible to remember for every single account you own, and this is where a tool like a password manager proves very useful. You use a password manager to generate strong passwords for your many accounts and store them in an encrypted password database. Think of it as a vault for all your passwords. This vault is protected by a strong master password which you can remember. Make sure this password is strong and is only used for your password vault. This interview with Edward Snowden on Last Week Tonight with John Oliver will show you how to think of a strong master password.

Now to the choice of password management software. There are plenty of choices here. Some popular commercial offerings are 1Password and Bitwarden, with their cloud-based solutions meaning you can access your passwords from anywhere on any device so long as you have internet connectivity. These are certainly viable solutions and are worth considering if you’re looking for convenience.

I personally use KeepassXC on my laptop and KeepassDX on my Android mobile phone. These are both compatible with accessing my Keepass password vault. I find Keepass a very good solution due to its optional two-step verification, meaning you can protect your vault not only with a strong password but also with a key file. The key file is a separate file which you would need to provide to access your password vault. This would mean if your strong password ever got breached they should not be able to access your password vault without the key file, and vice versa. Keepass is also an offline password manager, so should you find yourself without any internet connectivity, or a service is down, you can still access your passwords. Also, with a password manager being offline, the likelihood of you losing your password vault as part of a breach online is incredibly low. KeepassXC is also open source, meaning that you can verify yourself that there is no malicious code going into your password management solution by reading the software’s source code should you wish. Also, should the project get abandoned or development halt, someone can fork the software and continue to contribute to the application as part of a separate project; after all, KeepassXC is a fork of KeepassX, created when development stalled in 2016. KeepassXC is also excellent value for money as there is no charge for usage. It’s also worth noting that if you are an iOS user there are plenty of Keepass-compatible password managers in the App Store; however, as I do not use this on any iOS device I cannot comment on the usability of the applications.
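The two building blocks described in the last two paragraphs, a generator that produces a unique strong password per account and a vault key that requires both the master password and the key file, can be shown in a few lines of Python. This is an added example and is not code from the post or from the KeePass projects; the combination scheme (hash the password, hash it together with the key file's hash, then stretch the result with a memory-hard KDF) is a simplified illustration and is not the KDBX file format or its KDF parameters. The symbol set, the salt and the "vault check" label are choices made for the demo. `hashlib.scrypt` needs a Python build linked against OpenSSL with scrypt support, which is the normal case.

```python
# Added example, not code from the blog post or from KeePass. Shows (1) a CSPRNG-backed
# password generator that guarantees letters, digits and symbols, and (2) a composite vault
# key derived from the master password AND a key file, so that either secret alone is useless.
from __future__ import annotations

import hashlib
import hmac
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"          # symbol set chosen for this demo
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Memory-hard stretching parameters for scrypt (demo values; real vaults tune these higher).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def generate_password(length: int = 20) -> str:
    """Draw every character from the OS CSPRNG; reject any draw missing a character class."""
    if length < 4:
        raise ValueError("need room for a lower, an upper, a digit and a symbol")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, key_file: bytes | None, salt: bytes) -> bytes:
    """Composite key: H(H(password) || H(key file)), then stretched with scrypt.
    With no key file, only H(password) goes in. Simplified; not the KDBX scheme."""
    material = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    composite = hashlib.sha256(material).digest()
    return hashlib.scrypt(composite, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def make_unlock_check(master_password: str, key_file: bytes | None, salt: bytes) -> bytes:
    """Value a vault stores so it can tell a correct key from a wrong one before decrypting.
    Stands in for the header-authentication step of a real vault file."""
    key = derive_vault_key(master_password, key_file, salt)
    return hmac.new(key, b"vault-check", "sha256").digest()


def unlock(stored_check: bytes, master_password: str, key_file: bytes | None, salt: bytes) -> bool:
    """True only when both the master password and the key file match what created the vault."""
    candidate = make_unlock_check(master_password, key_file, salt)
    return hmac.compare_digest(candidate, stored_check)


if __name__ == "__main__":
    # Constructed demo values: a salt, a key file's contents and a master passphrase.
    salt = secrets.token_bytes(16)
    key_file = secrets.token_bytes(64)
    master = "correct horse battery staple"
    check = make_unlock_check(master, key_file, salt)
    print("generated:", generate_password(20), f"(~{entropy_bits(20):.0f} bits)")
    print("password + key file:", unlock(check, master, key_file, salt))
    print("password only:      ", unlock(check, master, None, salt))
    print("key file only:      ", unlock(check, "wrong password", key_file, salt))
```

The last two `print` lines are the "and vice versa" from the paragraph: a leaked master password without the file, or a copied file without the password, both fail to open the vault. The generator's rejection loop is why a manager never hands you a 20-character password that happens to contain no symbol.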

Whilst the idea of keeping your passwords offline is great from a security standpoint, there are some inconveniences, such as accessing your most up-to-date password vault on the go. You can achieve similar results to the cloud-based password managers with Keepass by storing your vault in a cloud storage solution such as Dropbox, Google Drive, Microsoft OneDrive etc. Now, doing this does increase the risk of unauthorized access to your vault, but the risk is reduced by using a strong password and a key file for your vault. Under no circumstances should you store the key file in the cloud; only store your vault there. Keep the key file local on your laptop and devices and transfer it locally using a USB cable or another solution that does not involve the internet. It’s also strongly encouraged that you keep the key file backed up somewhere safe. Data corruption can happen and it can be hard work regaining access to all your accounts.

Now to begin changing all your passwords. I would start off with all the accounts that could impact your life should unauthorized access happen, such as internet banking, email, social media etc. There is no question that this is a tedious task and, whilst it’s strongly encouraged to change all of your passwords right away, it may also not be feasible. Get the critical ones done first and then just change the rest when you can. I also strongly advise, whilst changing your passwords, that you enable two factor authentication where you can for that extra bit of security. I hope to write a post on this subject in the near future.

Now when the next breach occurs, no matter how big or small, you’re prepared. You will just need to change that one exposed password instead of every password you have. This one initial effort of changing all your passwords has now paid off, saving you time, effort and stress.


Update on 9th August 2025: A small update to this blog post was made to refresh the commercial offerings and correct some spelling mistakes. The majority of the content has not changed since the original blog post on 28th March 2021.