Introduction to Password Managers

Given the ridiculous number of high-profile breaches, password security is more important than ever. Proper password etiquette can be summarized in two rules:

  • Use strong passwords (long, randomly generated from letters, digits and symbols, with no dictionary words)
  • Do not reuse passwords in more than one place

The problem is that passwords are difficult to remember because of the first rule, and you need a large number of them because of the second. Thus, password security is completely counterintuitive: the rules work against the way people actually remember things. Luckily, password managers exist to make our lives easier.

The idea is simple: a password manager provides a safe place to store passwords by protecting them behind a single unlocking master password or PIN. Thus, users only need to remember one secret. Password managers facilitate the use of difficult passwords by eliminating the need to remember them, which in turn reduces the likelihood of an online account being compromised. A different password can also be assigned to each online account, so that one compromised account does not expose the others. The flip side is that the master password becomes the single point of failure: whoever learns it gets everything, so it must be strong and must never be reused anywhere else.

In practice, password managers are an inconvenience, as every login requires an additional step to retrieve the password from the manager. Recording a new password is even more time-consuming. This makes integration into a user's workflow critical: an inconvenient password manager will be a source of friction and will quickly be abandoned.

Several password manager solutions are available. They can be broken down into three categories: built-in, online and file-based.

Built-in password managers are integrated into the computer's operating system. A good example is Mac OS X's Keychain. These solutions offer the best user experience because of their tight integration with the system itself, but they are also restricted to their platform. For example, Keychain is only available on Mac and iOS devices (iPhone, iPad, etc.), which is rather limiting if you also have a Windows computer or an Android mobile device.

Online solutions store passwords on the provider's servers on the Internet. They offer the greatest availability, as passwords are synchronized between computers and mobile devices. Browser plugins are used to integrate into the user's workflow, with some limitations. Unfortunately, a solution that depends on the server is useless when offline. In addition, online services are attractive targets for attackers, as they represent a treasure trove of credentials; how much a breach of the service exposes depends on whether the vault is encrypted on the client with a key derived from the master password, or whether the server itself can read it.

File-based solutions store passwords in an encrypted file protected by a master password. Although the file itself can be stolen, it is useless without the password, with one caveat: an attacker holding the file can try guesses offline with no rate limit, so the master password must be strong enough, and the key derivation slow enough, to make that attack impractical. Integration into a user's workflow varies greatly by solution. Unfortunately, access from different computers is left to the user, either by copying the file around or by sharing it on some kind of network drive.
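To make the stolen-file scenario concrete, here is an added example (written for this page, not code from any password manager mentioned here) modelling the part of a file-based vault that decides whether a stolen file helps an attacker: a random salt, a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from the standard library) and a key-check value that lets the manager tell a right master password from a wrong one. The on-disk layout, the `KEY_CHECK_LABEL` constant and the wordlist are constructed for the example and do not correspond to any real vault format; the actual encryption of the entries, which a real manager would do with an AEAD such as AES-GCM from a vetted library, is left out.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

# Assumed constant for the key-check value; not taken from any real vault format.
KEY_CHECK_LABEL = b"vault-key-check-v1"


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte vault key from the master password with PBKDF2-HMAC-SHA256.

    The salt defeats precomputed tables; the iteration count sets the cost of
    every guess, for the legitimate user and for the attacker alike.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def key_check(key: bytes) -> str:
    """Value stored in the file so a wrong master password can be recognised."""
    return hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).hexdigest()


def create_vault(master_password: str, iterations: int = 600_000) -> dict:
    """Build the header of a new vault file (constructed layout, JSON-friendly)."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {
        "kdf": "pbkdf2-hmac-sha256",
        "salt": salt.hex(),
        "iterations": iterations,
        "check": key_check(key),
    }


def unlock(vault: dict, master_password: str) -> Optional[bytes]:
    """Return the vault key if the master password is right, otherwise None."""
    key = derive_key(master_password, bytes.fromhex(vault["salt"]), vault["iterations"])
    # Constant-time comparison so the check itself leaks nothing about the key.
    if hmac.compare_digest(key_check(key), vault["check"]):
        return key
    return None


def offline_attack(vault: dict, wordlist: List[str]) -> Tuple[Optional[str], int, float]:
    """What an attacker can do with only the stolen file: guess without any rate limit.

    Returns (recovered password or None, number of guesses made, seconds spent).
    """
    start = time.perf_counter()
    for n, guess in enumerate(wordlist, 1):
        if unlock(vault, guess) is not None:
            return guess, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


# Constructed stand-in for a leaked-password list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2015!", "correct horse"]

if __name__ == "__main__":
    # A weak master password falls to the wordlist; a random one does not,
    # and every guess against either file costs a full PBKDF2 run.
    weak = create_vault("letmein", iterations=100_000)
    strong = create_vault("tZ4#v9kLq!mB2xW0r7", iterations=100_000)
    print("weak vault:  ", offline_attack(weak, WORDLIST))
    print("strong vault:", offline_attack(strong, WORDLIST))
```

The point to take from running it is that the file gives the attacker everything needed to verify a guess, so the only two things standing between a stolen file and its contents are the size of the guess space (the master password) and the cost per guess (the iteration count, which a real manager would tune to take a noticeable fraction of a second on the user's own hardware).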

Some solutions fit in more than one category. For example, Keychain combined with iCloud is both a built-in and an online solution. Storing a password file on a shared file service (Dropbox, etc.) adds online convenience to a file-based solution. Ultimately, the selection of a password manager is a combination of convenience and trustworthiness: a user should choose what works for them among a set of reliable solutions. For me, that solution is 1Password.