I frequently have the password manager discussion with friends and family—so frequently, that I think it is about time that I write a blog post about it so I can just throw this link at people instead of having to reiterate all of the reasoning over and over again.
The truth is, everyone should be using a password manager for every online account they have, no exceptions. There are two primary reasons for that:
I'm actually going to address these in the reverse order because a shocking number of people actually don't care about security much at all; opting almost always for what is more convenient instead. Luckily, password managers are both more convenient and more secure, so even if you do care about security—and you should—it is a win-win situation.
I'm not going to recommend a specific password manager; there are plenty of resources online for choosing a password manager. I personally use Nextcloud Passwords, which seems to work quite well, because it is self-hosted and it has a reputable browser extension that pairs well with it. The point of this post is simply to convince you that using a password manager is better than not using a password manager. If you don't use a password manager, this post is for you. If you do, then let me know if you have any recommendations for how I can improve this post and make it more convincing.
Once you have all of your passwords in a password manager[1], it is extremely convenient to log in to your online accounts. You no longer have to try to remember which passwords and usernames go with which online account. Instead, everything is stored for you so that you can easily and quickly log in without even thinking about usernames and passwords at all. This saves valuable time.
You might remind me that your browser's built-in features can already do this for you, but that is only short-term convenience. At some point, you are bound to use a different computer or operating system than the one all of your passwords are stored on. Or, you may wish to switch browsers or re-install your browser. In any of these cases, the convenience goes away, because unless you backed up your passwords in a well-recognized, standard format, then you lose all of them, and have to deal with the inconvenience and sometimes impossibility of resetting all of your passwords.
A password manager, on the other hand, is by nature cross-platform. You can use it on all of your devices and browsers, and you aren't locked down to any one browser or service provider. What if you use Google to sync your passwords between devices, you ask? Quite simply, don't. Given the history and nature of the company behind Google, I would not trust a Google product with all of my online accounts, because Google can close your account for any reason, and if it does, you lose all of your online accounts.
You might also tell me that you have all of your passwords written down on an (un)organized piece of paper, and that is also cross-platform because you're not entirely sure what a "platform" even means in this sense. Maybe that is true, but I doubt you really believe that having to hand-copy your passwords from paper into your computer each time you wish to log in is more convenient than having your computer automatically fill them in for you, so that point is moot. Manually copying passwords is error-prone, and also just plain annoying.
Most password managers are implemented as browser extensions or websites that allow you to either copy and paste your password into the website, or will insert the password for you automatically. It really doesn't get much more convenient than that, so if you're sick of having to recall your passwords to memory and type them out, then you should be using a password manager.
Some members of my family don't even bother with remembering their passwords at all; they simply go through the password reset process each time they want to log in to an online account. I guess, provided that your passwords are sufficiently long and unique, this isn't the worst practice ever, but it is certainly very time-consuming and annoying. It's a sure way to ruin your day, or at least all of the time you're spending on your computer. It makes you hate computers because they're just so difficult to use; you have to go through all of these annoying steps before you can do anything. If that resonates with you, you should be using a password manager.
That also doesn't help you much if you forget the password to your email account. Then you're quite possibly in real trouble.
I personally really don't care much about the convenience of password managers. Sure, it is nice and it is hard to turn down convenience, but the real reason you should use a password manager is because it is much more secure than the alternatives, plain and simple.
Your alternatives are to write your passwords down, either in a text document on your computer or on a piece of paper. You can also just let your browser save your passwords. We established that paper is not even that convenient, but all of these methods are also insecure.
First, your text document on your computer is probably unencrypted. This means that any software on your computer can read this file with or without your permission, which is bad for security, because the goal of passwords is to ensure that only you can get into your online accounts, and for that to work, only you should be able to access your passwords, not the random programs you have installed on your computer. A simple text document also increases the risk of losing all your passwords, either because you accidentally delete or misplace the file, or some digital disaster strikes you—be it a hard drive failure or ransomware attack. You may have a backup of your passwords file for emergencies like this, but let's be honest, if you aren't even using a password manager and are instead opting to store your passwords in a regular file, then the chances of you actually backing your stuff up are also pretty slim because storing passwords in a file indicates poor digital hygiene. And even if you do have a backup, it's probably outdated.
You may be thinking that it doesn't get much more secure than paper because paper can't get corrupted and is harder to misplace. If you really think that, you are wrong. It's easy to lose or misplace paper, and someone could easily swipe it off your desk or peek over your shoulder or look when you're not around. Your paper could also be eaten by a pet or ruined by a cup of coffee. It could get lost in a flood or fire. So paper is not really that secure, both because it is easy to ruin, and because people can read your paper and swipe your passwords that way.
You're also unlikely to use secure passwords if you aren't using a password manager. Whether you write your passwords down or bravely try to keep them in your brain, you're likely to do one or both of the following:
Both of these are very bad. If you use the same password everywhere, then if one website gets compromised, all of your online accounts are potentially compromised because attackers can now try your password for the breached website on other websites. You may say that it is unlikely that a website would be compromised, but that is simply untrue. Websites are under constant attack, and as a computing professional myself, I can tell you that you should not trust that the company or organization behind the website has properly secured their digital infrastructure. It is likely they have misconfigured something or are running outdated software simply due to the sheer complexity of the hardware and software required to run a website.
Using short passwords is also a bad move because they can be easily guessed, either by a human or a computer. This allows malicious actors to take over your online accounts, which would be very dangerous. You obviously don't want that. I don't really need to say more on that. You have to use long and complex passwords, or you put your identity at risk.
A password manager allows you to use strong and unique passwords for all your online accounts because you don't have to try to remember them and type them by hand. You only have to remember a master password for your password manager, and that's it! This password can be strong because it is the only one you have to remember. All of your other passwords can be randomly generated, which is far more secure than any password you would come up with yourself. This ensures that all of your online accounts stay safe, and even if one of them is compromised, none of the others will be affected.
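To put numbers on the short-versus-random comparison above, here is an added example (not part of the original post, and not code from any particular password manager) that generates one independent random password per site and estimates how long exhaustive guessing would take. The guess rate of 10^10 per second, the 20-character length and the site names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# 52 letters + 10 digits + 32 punctuation characters = 94 symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character independently from the operating system's CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string. A human-chosen password of the
    same length has far less, because people do not pick characters uniformly."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def build_vault(sites, length=20):
    """One unrelated password per site, so a breach of one site
    reveals nothing about the credentials used on the others."""
    return {site: generate_password(length) for site in sites}

if __name__ == "__main__":
    short = entropy_bits(8, 26)               # 8 random lowercase letters
    strong = entropy_bits(20, len(ALPHABET))  # 20 random printable characters
    print(f"8 lowercase letters: {short:.1f} bits, "
          f"{years_to_exhaust(short) * 365 * 24 * 3600:.0f} seconds to exhaust")
    print(f"20 random characters: {strong:.1f} bits, "
          f"{years_to_exhaust(strong):.1e} years to exhaust")
    # Constructed site names, for illustration only.
    for site, password in build_vault(["mail.example", "bank.example"]).items():
        print(site, password)
```

The 8-letter figure is a best case for the short password: it assumes the letters were chosen at random, which memorized passwords rarely are.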
For these two main reasons, there really is no reason not to use a password manager. First and foremost, they are more secure than their alternatives. But they're also more convenient. If you care about convenience and don't want to deal with passwords at all, if the very thought of having to dig up an old password annoys you, then you need to be using a password manager. There aren't any excuses. It is extremely frustrating to me when people express their anger surrounding passwords to me when the solution is so easy.
[1] I do concede that this is no small feat for some people, but that is no excuse given the significant advantages password managers offer.
© 2019-2023 Jordan Bancino.