I have many digital accounts, but I don’t know any of my passwords. I use a password manager to keep track of my digital secrets: website logins, PINs, bank account details, and so on. Here’s how I do it.
Why do you need a password manager?
Most online services (email, shops, banks, etc.) are accessed with login credentials. This is required to make sure only the authorized person can access and modify their personal data and use the service. Weak passwords, such as apple, YourName or mama1965, are easy targets for attackers: using brute-force techniques, an attacker can easily script a program that tries dictionary words one after another until it gets into your account. Strong passwords, like UXSsITKeIGDa9xp1 or -WL?~NdicFQ0, take far longer for computers to guess, but at the same time they are difficult for humans to remember. Even if you tend to use relatively strong passwords, the more digital services you use, the more likely you are to reuse passwords just to be able to remember them.
The good news is that you can store all your secrets in password manager software. You only need to remember one strong, so-called master password to access your digital wallet. Now that you don’t need to remember your passwords any more, this setup will encourage you to generate random, strong passwords. A good password manager integrates with different software platforms, so you can easily access login details for websites, get the credentials for your online bank on your mobile device, and so on.
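To make the strength argument above concrete, here is an added example (not code from the original post) that generates random passwords the way a password manager does and estimates how long an exhaustive search of each password’s character space would take. The attacker speed and the dictionary size are assumptions chosen for illustration; the weak and strong sample passwords are the ones quoted in the post.

```python
import math
import secrets
import string

# Sample passwords quoted in the post, used here for comparison.
WEAK_SAMPLES = ["apple", "YourName", "mama1965"]
STRONG_SAMPLES = ["UXSsITKeIGDa9xp1", "-WL?~NdicFQ0"]

# Assumed attacker capability (illustrative, not measured): an offline
# guessing rig trying 10 billion candidates per second against a fast hash.
GUESSES_PER_SECOND = 1e10
# Assumed size of an attacker's dictionary wordlist (illustrative).
DICTIONARY_WORDS = 200_000

# Alphabet a password manager would typically draw from.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool that covers every
    character in the password (lower, upper, digits, punctuation)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)  # 26
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)  # 26
    if any(c in string.digits for c in password):
        size += len(string.digits)           # 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)      # 32
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on entropy if every character were chosen uniformly
    from its pool. A dictionary word scores far lower in practice, since
    the attacker only has to try the wordlist."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password: str,
                       guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Time to try every string of this length over this character pool."""
    return charset_size(password) ** len(password) / guesses_per_second


def is_dictionary_word(password: str) -> bool:
    """Constructed stand-in for a wordlist lookup: a lowercase alphabetic
    password is assumed to be a plain dictionary word."""
    return password.isalpha() and password.islower()


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Random password from a CSPRNG; this is what the manager's
    generator does so that you never have to invent a password yourself."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def strength_report(password: str) -> dict:
    """Summarise how an attacker would approach this password."""
    if is_dictionary_word(password):
        # A wordlist attack finishes after at most DICTIONARY_WORDS guesses.
        worst_case_seconds = DICTIONARY_WORDS / GUESSES_PER_SECOND
    else:
        worst_case_seconds = seconds_to_exhaust(password)
    return {
        "password": password,
        "charset": charset_size(password),
        "entropy_bits": round(entropy_bits(password), 1),
        "worst_case_seconds": worst_case_seconds,
    }


if __name__ == "__main__":
    for pw in WEAK_SAMPLES + STRONG_SAMPLES + [generate_password()]:
        print(strength_report(pw))
```

The important lesson is the exponent: each extra character multiplies the search space by the pool size, so a 16-character random password from 62 symbols sits beyond 10^18 seconds at the assumed rate, while apple falls within a second even without a wordlist.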
It’s worth mentioning at this point that—from a security perspective—for most people the weakest point in their setup will be the password they choose for their mailbox. Most online services are tied to your email address. In case you forget your login secret for one of those services, you can typically reset the password via a link sent to your mailbox. If an attacker can access your mailbox, they can hijack your accounts. Therefore, besides setting a strong password for your mailbox, it’s highly recommended to choose an email service provider that supports two-factor authentication (2FA) and to enable it. This requires you to verify your identity not only with a single password but also with an independent method, such as typing in an additional code received on your mobile device.
Install a password manager
I recommend KeePass, an open-source, free-to-use password manager that is available for Windows, Linux and Mac. There are Firefox and Chrome extensions that can read your KeePass wallet, so you can access your website secrets directly in your browser. To manage your passwords on a mobile device too, you need to set up a shared space where you save your wallet. This has to be storage that you can access from both your desktop and mobile devices. It can be as simple as a Dropbox folder, but you need to decide whether you trust Dropbox with your secrets.
For users who prefer command-line tools, pass is a great choice. It stores each secret in a GPG-encrypted file inside a version-controlled repository. In this case, the shared storage can be a private Git hosting service. You need to copy your GPG private key to each device where you wish to manage your passwords. The pass store can be read by many other tools: there are browser extensions for Chrome and Firefox, and there are Android and iOS clients too.
Choose a strong master password
Following this approach means you need to create a master password. 1Password has an informative guide explaining how to create a strong yet memorable password; it includes a password generator too.