How to choose a password manager

Passwords are like taxes: you simply cannot avoid them. They are the small mental tax you pay when you create a new account or log in to an existing one. To avoid remembering and retyping them, you should choose a password manager. Websites and systems need a simple way for you to prove your identity, and a combination of a username and a hard-to-guess sequence of characters is that way. While there are other, better ways of doing this, at the moment passwords are the lesser evil. Love them or hate them, they have become ubiquitous on the modern internet.

I will repeat what most of the web repeats: use complex passwords. And never, EVER, reuse your passwords or create patterns of similar passwords. There are literally lists of known bad passwords; it's a good idea to never use one of those either. Losing accounts costs time and money, or in the worst cases can hurt you, your family, and your company. Not to mention the risk of authorities knocking on your door because some hacker used your account for shady business.

[Cartoon: How to choose a password manager]
While quite on point, this cartoon is slightly outdated and incorrect. You need at least 6 random words to be safe (more info).

Another thing is that you shouldn't try to remember all your passwords. Human memory is notoriously bad, and keep in mind that sometimes you'll need to log in to websites you haven't touched for years. It's usually quite annoying to go through the reset process (if one even exists). Using a password manager lets you remember one strong password and offload all the others to the manager.

Now, I won't try to sell you a particular password manager. This post only presents a few things to look for when choosing one.

Questions to ask yourself before you choose a password manager

Recently I changed my password manager, but before doing that I did a bit of research and came up with a few criteria to help me choose. If you're a security specialist they might seem a bit bog-standard, but this article should also be useful for people who are not IT specialists. Let's go over a list of questions to ask yourself before picking a password manager.

How are your passwords stored?

All data has to rest somewhere. It can be your brain, a notepad, a text file, or some more complex storage system. Here you want to protect yourself from two things: data loss and stolen data.

Data loss

Data loss is the risk of losing data and not being able to recover it. If all your passwords are in a single file on a single hard drive, there is a good chance you will lose them within the next 10 years. You are much safer if the same data is distributed among many systems or stored in a professional, redundant data center. You never want critical data to exist in only one location.

Stolen data

What happens when a bad actor gets hold of your password data? If it's properly stored, they still shouldn't be able to read your passwords. This is usually done by encrypting the file with one or more passwords and a strong encryption algorithm. Modern cryptographic algorithms such as AES-256 would take billions of years to crack even with all the computing power in the world, which makes them sufficient for encrypting mission-critical secrets such as passwords and access keys.

Of course, with the caveat that your data is only as protected as its weakest link. Meaning you! You can choose a bad password (check the comic above) or blurt out your secrets. Just the other day I heard a nice old lady recite her credit card PIN to the cashier in front of a packed line of customers!
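Added example, not code from the original post: a small Python script that puts numbers on the "at least 6 random words" caption above and on the "weakest link" point in this section. The encryption algorithm is not what an attacker who steals the vault file attacks; they guess the master password the vault key is derived from, so the passphrase's entropy and the cost of each guess are what bound them. The script assumes a Diceware-style list of 7776 words (the 16-word list in the code is a constructed stand-in so it runs offline), an attacker budget of 10^12 guesses per second against a fast unsalted hash, and a vault key derived with PBKDF2-HMAC-SHA256; all three are assumptions of this example, not facts from the post.

```python
import hashlib
import math
import secrets
import time

# Size of the classic Diceware / EFF long word list (7776 = 6^5). Assumption of
# this example; the entropy maths uses the list size, not the words below.
DICEWARE_LIST_SIZE = 7776

# Constructed stand-in word list so the script runs without downloading anything.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "lantern", "pebble", "orbit",
    "velvet", "cactus", "meadow", "quartz", "tundra", "falcon", "ripple",
    "anchor", "glacier",
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_entropy_bits(num_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of num_words words, each chosen uniformly from list_size words."""
    return num_words * math.log2(list_size)


def generate_passphrase(words, num_words: int = 6) -> str:
    """Draw words with the OS CSPRNG (secrets), never random.choice. Repeats are
    allowed so every word is an independent uniform draw and the formula above holds."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case years for an attacker to try every candidate at a fixed guess rate."""
    return 2 ** entropy_bits / guesses_per_second / SECONDS_PER_YEAR


def measure_pbkdf2_guess_rate(iterations: int = 100_000, samples: int = 3) -> float:
    """Rough single-core guesses per second against a PBKDF2-HMAC-SHA256 vault key.
    Managers derive the vault key with a deliberately slow KDF so each guess costs this much."""
    salt = b"constructed-salt-not-secret"  # salt is public; it only stops precomputation
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"candidate master password", salt, iterations, dklen=32)
    return samples / (time.perf_counter() - start)


def brute_force_table(guesses_per_second: float, max_words: int = 8) -> dict:
    """Years to exhaust 1..max_words-word Diceware passphrases at the given guess rate."""
    return {n: years_to_exhaust(passphrase_entropy_bits(n), guesses_per_second)
            for n in range(1, max_words + 1)}


if __name__ == "__main__":
    print("Example passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
    # Assumed attacker: 1e12 guesses/s against an unsalted fast hash (GPU cluster).
    fast = brute_force_table(1e12)
    # Same attacker against the vault KDF: this machine's single-core rate scaled by
    # a constructed budget of 10,000 cores.
    slow = brute_force_table(measure_pbkdf2_guess_rate() * 10_000)
    for n in range(1, 9):
        print(f"{n} words: {passphrase_entropy_bits(n):5.1f} bits  "
              f"fast hash: {fast[n]:.3g} yr  PBKDF2 vault: {slow[n]:.3g} yr")
```

Six Diceware words give about 77.5 bits, which at 10^12 guesses per second already takes thousands of years to exhaust; four words (the comic's count) fall to that attacker in well under a year, which is the caption's point. The measured PBKDF2 rate shows the other half of the story: the slow KDF in a vault buys you orders of magnitude, but it cannot rescue a one- or two-word master password.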

Where are your passwords stored and how can you access them?

The related question is where the passwords are stored and how you can access them. Is it a cloud-based service that handles syncing, or do you have to manually keep every system running the password manager in sync? Look at how well the system works for other users. A related question is what happens if you lose internet access or the provider has server issues. Ideally, you should still be able to access a slightly stale copy of your passwords.

How and where do you plan to use your passwords?

Where and how easily can you access your passwords? Which devices, platforms, and systems do you plan to use them with?

This one is quite simple: how do you want to use the password manager? Autofill in the browser? A desktop app? A command-line interface? A mobile app with autofill? When you find one you like, go the extra mile and ensure it works with all the devices, operating systems, and browsers you intend to use it with.

What happens when the product owner goes bust?

What happens when the company or organization supporting your password manager goes under or discontinues the software? This is a fairly important question: you need to avoid vendor lock-in and, at the very least, ensure that there is a viable, working way of exporting your passwords. That way, if they go down, or if you want to change password manager, you will at least have a way of migrating the data.

What if they get hacked?

Password managers are very interesting to hackers because they... contain passwords! Your provider should have a clear policy on what happens when they get hacked. Check past breaches and what information was leaked through them. Ideally, they should publicly disclose any known security breaches and inform their users if they got compromised.

How much are you willing to pay or endure to avoid paying?

Last but not least is how much the password manager will cost you. Keep in mind that you're not buying a house; you might want to accept some tradeoffs and start with a cheaper or free password manager. Family plans and the number of devices also come into consideration here.

Last notes

I will leave you with a little note on the common reason people give for not using a password manager. It goes like this: "I like the idea, but I don't want to bother writing all my passwords down somewhere; it's too much work."

The trick is that you don't have to. Most of them have browser extensions that detect the passwords you type in. So you just go about your day, and whenever you log in to a new service they will prompt you to save the password. Some even have a way to automate changing passwords, which will help all of you who reuse passwords or use bad ones (go back to the image at the beginning of the article).

More reading:

A comparison of password managers

Example security breach policy

AES 256 cryptography standard

GitOps – password automation can help here too
