Simple instructions on how to use Password Manager - and why

Generating weak passwords or reusing the same password across different services is a real problem. If there is a leak on any service where you reuse a password, it is compromising the security of every other service where you use the same password.

Weak passwords can be for example short and/or easy to guess. It could have characteristics like a word found from a dictionary (or a word spelled backwards), less than 8 characters, a name of a pet or a family member, a meaningful date or include patterns such as numbers 1234 or alphabet abcd.

Probably everyone has heard these warnings, and know that strong passwords are long, contain upper- and lowercase characters and have digits and/or symbols, but still people go against the advice, because these are difficult to remember. I was like that too!

I had heard about password managers back then, but it felt too intimidating to start using one. And that's why I want to go through some of the worries I had before I started to use a password manager and hopefully I can convince even one person to give it a try!

What is a Password Manager?

As the name suggests, a password manager helps you to store passwords securely. The idea is that the user sets one master password, which is then used to log in to the service, and can use the service for storing and using all the other passwords.

Available features depend on the service, but there are for example browser plug-ins that allow automatically filling the usernames and passwords to the login pages, a possibility to copy the password to a clipboard (and automatically deleting clipboard history after ~minute) and automatic updates when changing a password on a site.

Why does it feel intimidating to use a password manager?

Here I go through some of the questions I had before I started using a password manager.

Question 1: How Password Managers make sure the data is safe?

As long as you don't use your master password anywhere else, and you create a strong master password, it's unlikely for someone to get access to the service. The master password is not sent to the service, so only you know it.

It's also recommended to set up a multi factor authentication, so even if someone would get your password, they would still need to confirm the log in before actually getting in the service.

There are different ways password managers secure their service but usually they encrypt the passwords on the device, before sending it to the server. Encryption means the data (in this case password) is converted to an unrecognizable (encrypted) form, which cannot be read without knowing the decryption algorithm and your master password is needed for this.

Question 2: Isn't it easier to get hacked if you have everything stored in one service?

It's unlikely anyone gets access to your password manager, because of the points mentioned above. It's more likely a hacker will either guess your weak password or they get it using other methods like phishing (tricking you to give the password to them by using for example an email scam).

And because using a password manager removes the need to remember passwords, you can use strong passwords and you also don't need to use the same password across different services. So all the other services are safe even if one of your passwords would get compromised.

Question 3: What if I lose access to the password manager?

This is something that I was really worried about. The service doesn't know your master password so if you lose it, you will lose access to the service. So make sure you remember the password.

However, many of the services will anyway give you an option to change the password by sending you an email, so as long as you have access to your email, you will still be able to restore the different accounts. So what I did was that I decided to keep two passwords saved in my head: the master password and my main email address password. Both are secure passwords paired with multi factor authentication so if I would lose the access to the password manager, I can still restore at least some of the services using my email.

I also first decided to only add accounts to the password manager that are not that important to me. Like an online store where the worst thing that would happen if I lost access to it would be that I would have to create a new account and add my contact details again. After I got used to using a password manager and understood how it works, I added the rest of my accounts there.

You can also write your master password to a paper and keep it in a safe location (don't write what service it is for) if you are worried, and this could be a good idea at first when you are not sure you will remember it.

Popular password managers

There are many different services available that provide safe storing of passwords, so it can be difficult to choose which one to start using. Some reliable and well reviewed services are:

1Password
Bitwarden
Keeper

I haven't used all of these, so make your own research before choosing a service!

Summary and general tips

• If you feel insecure to start using a password manager, start by adding only a couple passwords and test how the service works!
• You can write the master password to a paper at first before you are certain you will remember it. Just store it in a safe location and don't write which service the password is for.
• Setup a multi factor authenticator to make using the system even more secure.
• The service might ask if you want to use a fingerprint sensor for logging in on mobile. I don't recommend this, because that would make you probably forget the master password eventually. It's better that you have to repeat it often!

I hope this blog post helped you to understand how password managers work! Feel free to add more tips or suggestions in the comments.

You can also follow my Instagram whatminjahacks if you are interested to see more about my days as a Cyber Security trainee and learn more about cyber security with me!