If you work in any part of information security, at least once a week someone asks you, “What is the most important thing I can do to protect myself?” There are lots of things to consider, especially if you are running a small business (here are 5 important ones), but if I had to pick just one thing it is effective passwords. That means passwords that are complex (special symbols, numbers), are long enough (think 8-16 characters minimum), and critically, only used for one website, service or app—no duplication. If you are like me though, that means dozens (I’m probably over 100) of impossible-to-remember complex passwords to keep up with. For most people, already busy actually getting stuff done, the whole idea of trying to keep this organized is bandwidth they don’t have to spare.
This means people—smart, well-intentioned, computer-savvy people—end up using things like ‘password123’ or their dog’s name, which anyone serious about stealing your identity will start with. Pro-tip: anything you have ever put on social media, like where you graduated, names of family members or sports teams, is among the first things a bad actor tries. If your bank password is ‘GoTitans’ you might as well leave a copy of your statement on the table at Starbucks. Especially if you also use that password other places, like sites that require you to create a password to complete a sale, even though you only went there that one time and then forgot all about it. Later, when they get breached, the same password you use for your credit card is out in the wild, and you have no warning.
In my opinion, the only practical solution is a password manager. This is software (some combination of an application, browser extension and mobile apps) which provides a tightly-secured, encrypted list of all your passwords. You only remember one ‘Master’ password, which allows you to unlock the list.
When I first conceived of writing this article, I intended to do something of a review of password managers, discuss the pros and cons, etc. But honestly, do you want to read that? I suspect that you are busy planning, starting or growing a business, and finding time to think about this stuff is hard enough. I want to make your time here as productive as possible, and I want to give you the opportunity to leverage my expertise, such as it is, so I’ve picked for you, and explained why.
If you are concerned that I might not be giving you the full story, here and here are some in-depth comparisons of a number of managers, with a lot of information to digest. But if you want the work done for you, here are my favorites:
For Almost Everyone: LastPass
If you are struggling to stay interested, or already skipped down to this part, I hear you—this is all you need to know. LastPass is the largest password manager, and while it has very good competition (notably 1Password and Dashlane), it offers the best combination of features, cross-platform functionality (it works with almost all mobile devices and all browsers too), and a generous feature set at the free level. When you decide to step up to the (paid) premium service, it’s only $12 for an entire year. Some of the most notable features include:
- Highly secure: Like most password managers, LastPass stores your data with strong encryption, and only you have the master password, which is needed to decrypt it. So even if someone steals data from them (which happened), they will have useless encrypted strings that would take centuries to brute-force decrypt without the key.
- Even at the free level, you can sync and auto-fill passwords on all your computers (via browser extension) and your mobile devices (via app). You can also store important documents or ‘secure notes’ (things like that PIN you can never remember, or a scan of your car insurance policy), and access those safely across devices.
- For a number of common sites (about 75 at last count), including things like banks and credit cards, you can change your password with one click from the LastPass dashboard, and their software will automatically execute the change. You don’t have to go to the site, log in, search for the account page and so on.
- With paid service ($1 a month!) you can share passwords with other users, instead of sending them the new password in an insecure email, which happens all too often. Of course, if you make changes, those automatically propagate to everyone, too.
As I mentioned earlier, I suspect that if you are coming here for InfoSec advice, you aren’t that interested in a prolonged comparison, but here are two alternatives that I want to mention for specific use cases:
For the Apple Superfan: 1Password
If you live and breathe Apple, then 1Password is probably the sharpest and most feature-rich password manager out there. However, a lot of features are not available on Android or Windows machines right now. Additionally, at $36 per year, it is three times more expensive than LastPass. Of course, if all you use is Apple, the idea of paying more for everything is something you have already gotten used to, right? (BURN!)
For the open source enthusiast: KeePass
If making the choice to use open source software is deeply important to you, KeePass is definitely an option. The software is totally open source, and the code can be reviewed in full. A lot of the standard features, like auto-fill for instance, are also available here through add-ons, but not all of them are supported for all operating systems and browsers. Compared to other options, this will definitely require more tinkering to get it set up. However, it is totally free, and so lightweight it can be run from a USB stick, leaving zero footprint on a public or school/work-assigned computer. Plus, unlike the commercial options, your passwords are stored locally, which some people may feel safer about.
I still think LastPass is the best option for the most features—for the record, I use it, and I have no relationship with them, so I get nothing for this endorsement. I just think it is the right combination of working everywhere, being cheap, and being easy to get used to. But bottom line, pick one, right now, and go get started. This is the one best thing you can do to make your data safer, so go do it.