Why Use a Password Manager When the Browser Saves Passwords?

Last month, a hacker breached an online police forum to sell over 700,000 pieces of data from US security enforcement agencies on the dark web, including the FBI. If these security professionals can fall victim to hacking, it’s a warning sign for all of us to boost our own password security.

The password management problem is simple: as you browse the web and open accounts on websites, you are asked to create password after password. The average person has 100 passwords, though most probably have between 100 and 500. How could anyone remember that many username and password pairs?


Most people don’t. They either use the same password for every site, maybe with slight variations, or they just keep using the “Forgot Password” link that most sites provide. Usually it’s a combination of both tactics. Then, when a security breach happens and their username and password are leaked, they blame the company that was breached, even though they failed to create and manage a safe password.

Unfortunately, once your password is breached (stolen by a hacker), and you’ve used that same password on any other site, your accounts at all of those sites are also at risk. The hacker can log into those other accounts without having to do any more hacking.

The chances that this will happen are low, but if you are somehow targeted for an attack and the attacker already has some of your passwords, they may now be able to get into your most sensitive accounts, such as email, financial sites and health sites, where they could carry out malicious actions.

At NewPath Consulting, our customers typically take on anywhere from 1-20 new passwords for cloud-based services (e.g., PayPal, Mad Mimi, Wild Apricot, website hosting), and most of these are critical to their operations and keeping their financial data and customer information secure. Sites like these require the most complex passwords that will be difficult to hack.

What is a safe password?

The safest passwords are ones that:

  1. Are only used on one site
  2. Contain at least 8 characters
  3. Contain a combination of letters (upper case and lower case), numbers, and special characters (!%@#)
  4. Contain no dictionary words or proper names
  5. Change every six months or a year
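The rules above, turned into a checker and a generator as an added example (not code from the post or from any password manager product): `check_password` reports which of rules 1 to 4 a password fails, `used_elsewhere` stands in for the other sites' passwords a manager would know about, and the tiny word list is constructed for illustration. Rule 5 (rotation) is a calendar matter and is not checked here.

```python
import secrets
import string

SPECIALS = "!%@#"   # the special characters the post lists
MIN_LEN = 8         # the post's minimum length

# Constructed mini word list; a real checker would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "toronto", "alex"}


def check_password(pw, used_elsewhere=()):
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    # Rule 1: only used on one site (used_elsewhere = passwords already in the vault).
    if pw in used_elsewhere:
        failures.append("reused on another site")
    # Rule 2: at least 8 characters.
    if len(pw) < MIN_LEN:
        failures.append("shorter than 8 characters")
    # Rule 3: upper case, lower case, digits and special characters all present.
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw)):
        failures.append("missing a letter case, digit or special character")
    # Rule 4: no dictionary words or proper names (case-insensitive substring check).
    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY):
        failures.append("contains a dictionary word or name")
    return failures


def generate_password(length=16):
    """Generate a random password that satisfies rules 2-4, using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):   # retry until every rule passes
            return pw


if __name__ == "__main__":
    for candidate in ("Summer2016!", "abc123", generate_password()):
        print(candidate, "->", check_password(candidate) or "OK")
```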

Now we come back to the central question of how to remember all of these safe passwords, which are purposefully hard to remember or guess. Some people try writing them down, maybe on sticky notes attached to the computer (very risky if your computer is lost or stolen), or on scraps of paper around the office or house (difficult to keep track of, or to find when you need them).

Enter the password manager, a software application designed to help you accomplish three key goals:

  1. Create a new password for every site
  2. Generate and manage safe passwords
  3. Fill in your passwords for you without you needing to know or remember them

Why not just save passwords in your web browser?

Web browsers like Chrome, Safari and Opera all offer the option to save your passwords for you. They say they are encrypted, but many security experts have questioned whether storing your passwords in a web browser is truly safe. If your computer is stolen, your passwords can likely be easily extracted from your web browser.

Another big drawback of using the browser to manage your passwords is there is no requirement to choose a safe password. Password manager programs, on the other hand, automatically generate safe passwords, and if you create or enter your own they give instant feedback on whether it is strong enough.

Remember that a browser’s goal is to help you browse the web, while a password manager’s only job is to keep your passwords safe. In fact, when you install a password manager, it will usually disable the built-in password manager in your browser.

Which is the best password manager?

At NewPath Consulting we use and recommend LastPass. It creates a vault with one master password – this becomes the last password you’ll ever have to remember again.

LastPass boasts strong encryption algorithms and no one at LastPass ever has access to your data. You have the option of two-factor authentication for extra security. With two-factor authentication, even if someone breached your master password, they still can’t get into your account without entering a second piece of information, such as a code that LastPass sends by text message to your mobile phone.

LastPass helps you easily accomplish all three password management goals:

  1. Create a new password for every site
  2. Generate and manage safe passwords
  3. Fill in your passwords for you without you needing to know or remember them

LastPass encourages good password management by actively monitoring to make sure you’re not using the same password on all sites, and by giving you a score for how safe your passwords are.

Like any software tool, using LastPass does have a bit of a learning curve, which is why we help our clients set up and learn to use it. Once you get used to it, however, it is truly quick and easy and gives you much more security.

How much does LastPass cost?

LastPass is free, with the option to upgrade for $12 a year for premium features such as family password sharing, 1 GB encrypted file storage for notes you want to save, priority customer support, an ad-free vault, and more.

What are some concerns people have about password managers?

Some people aren’t comfortable turning password management over to an outside organization. Others worry that if their master password is compromised a hacker will have access to all of their sensitive information at once (two-factor authentication is the solution for this).

Other people just don’t believe that password security is important or worth the time or money. Yet this infographic of data breaches over the last few years shows just how widespread data breaches are, how frequently they occur, and that we can expect this to continue.

Password security is one of those things that’s never a problem until it’s a problem. But as we learned from the Police.com breach this month, if security professionals can be hacked, why can’t you?

Want to secure your data and start surfing more safely online? Contact NewPath Consulting today for a complimentary demonstration of how we use LastPass, and how it could work for you.

[Update – March 20, 2017: Listen to The Russian Passenger, Reply All podcast episode #19, for a frightening story of how easy it is to be hacked, and charged for services you never used.]

About the author

Alex is a pioneer in using the cloud to meet the needs of small and medium-sized businesses (SMBs) and membership-based organizations. He has a BSc in computer science from the University of Michigan and has worked as a product manager at two Internet startups. Alex is a father of 2 and plays the trumpet for fun. He is the founder and the president of the University of Michigan Alumni Club of Toronto.