Update 2/16/2021: We’ve updated our guide with details about the changes coming to the free version of LastPass in March 2021.
The last thing anyone needs right now is to have their Zoom, Twitter, Skype, Nest, or any vital account hijacked and stolen. Not only do you lose your connections and access to communication and community, but recovering anything with most companies is a nightmare.
The most common way account takeovers happen isn’t some kind of hacker-magic mystery. It’s almost always the result of reusing a password that was then exposed in a breach or hack attack on a different company. Of course, we seldom find out about these breaches until it’s too late, which is why we security nerds are always annoying you by saying “don’t reuse passwords” until you mute or report us for pestering you.
Password management is basically a nightmare: making passwords, remembering them, and having to create a new one when they expire, all when you just want to log in. Then there’s always some security disaster making us reset our passwords again. On top of all that, it seems like every time we buy a lightbulb we have to make a new account of some kind. Nowadays, remembering every single password is impossible.
This all feels overwhelming, which is why so many people give up on password security before they even start. And old (bad) habits die hard, like using the same password for everything (or never changing them). Worse, many people will make the simplest, most hacker-friendly passwords around, like "123456." This house of cards is destined to come down in the worst ways, like through hacked video call accounts, identity theft, drained bank accounts, or hijacked email and social media profiles.
It doesn't have to be this way. Turns out, you can now be lazy, cranky and stay ahead of account hijackers, thieves, and creeps just by using a solid, reputable password manager.
You have two choices when it comes to securing your accounts and apps: Use a reputable password manager app, or manage your passwords yourself. This guide will tell you how to do both safely and securely.
What password managers do
A password manager is an app for all your devices: phone, laptop, tablet and any browser you use. At the click of a button, the app securely autofills login information for all of your online accounts. It saves your username and password combinations in an encrypted vault and creates an easy, secure way to access all of your accounts on any device. Your 50 million passwords are all searchable and you can add notes for each account, like answers to your security questions. All you have to do is remember one master password that acts as the key to your password manager application.
Before we talk about choosing a good password manager and getting it set up, let’s look at what you’ll need to know if you decide to keep doing it yourself. Not everyone will feel comfortable using just one app for all their passwords, and that’s understandable. Many people worry that, while incredibly secure, having a password manager as a single point of failure in their defenses means putting more trust in the manager than they’re comfortable with.
DIY password security
Doing password management yourself isn’t an unusual choice. But it will take extra work to keep your accounts protected and up to date with security changes (like sudden prompts to change your password).
Make sure all of your accounts have the highest level of log-in security that’s available. If you can, add security questions, activate two-factor authentication (2FA; also called multi-factor authentication or MFA), and take the time to drill down into each account’s security settings to make it as protected as possible.
Next, get your password hygiene in order. Do you use the same password on a bunch of accounts? Stop doing that. Go to each of those accounts and make a new password that is strong and hard to crack.
If you look around online, the long lists of “rules” to make passwords stronger and attack-proof can be confusing and overwhelming. It doesn't help that each dumb, little "enter your new password" box seems like it has a bizarre and sometimes contradictory set of rules. If you get stuck trying to make the “new password” box happy with a new combination or passphrase, try using a free password generator from a trusted security company, like LastPass or Norton.
How to make (and keep) strong passwords
Make passwords that are at least 12 to 16 characters long.
Don't use pet or family names, your address, Social Security number, birth date or other personal information.
It's annoying but you must never recycle or reuse a password.
Use password phrases (usually six or more words long) for the best security.
Include capital letters, numbers and symbols if the app or site allows it.
Change your passwords every three months or if there's a security incident.
Don't let Chrome, Firefox, Safari or any other browser save your passwords for you.
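To make the rules above concrete, here is an added example (not from the original article and not the code of any password manager vendor) that generates a password and a six-word passphrase with Python's secrets module and checks a candidate against the rules in the list. The word list and the personal-information list are constructed stand-ins; a real generator uses a word list of several thousand entries and the user's own names, dates and addresses.

```python
import re
import secrets
import string

# Thresholds taken from the rules above: 12+ characters, six-word phrases.
MIN_LENGTH = 12
MIN_PHRASE_WORDS = 6
SYMBOLS = "!@#$%^&*()+=[]{};:,.?"
# Constructed stand-in for the personal details a checker would hold;
# in practice this is the user's own names, dates and addresses.
PERSONAL_INFO = ["rover", "smith", "1985", "mainstreet"]
# Short constructed word list standing in for a real diceware-style list.
WORDLIST = ["copper", "lantern", "meadow", "quartz", "violet", "harbor",
            "saddle", "thimble", "glacier", "pumpkin", "walnut", "cobalt"]


def generate_password(length=16):
    """Random password containing at least one lower, upper, digit and symbol."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # secrets.choice is uniform, so rejecting candidates that miss a
        # character class keeps every accepted password equally likely.
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


def generate_passphrase(words=MIN_PHRASE_WORDS, separator="-"):
    """Six or more words picked by a CSPRNG, not by a person's memory."""
    if words < MIN_PHRASE_WORDS:
        raise ValueError("use %d or more words" % MIN_PHRASE_WORDS)
    return separator.join(secrets.choice(WORDLIST) for _ in range(words))


def check_password(password, personal_info=PERSONAL_INFO):
    """Return the list of rules a candidate breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    lowered = password.lower()
    for item in personal_info:
        if item.lower() in lowered:
            problems.append("contains personal info: %s" % item)
    # A phrase of six or more words is judged on length and personal info
    # alone: the list above makes capitals, numbers and symbols conditional
    # on the site allowing them, so they are only required of shorter passwords.
    words = [w for w in re.split(r"[\s-]+", password) if w]
    if len(words) >= MIN_PHRASE_WORDS:
        return problems
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    return problems


if __name__ == "__main__":
    pw = generate_password()
    print(pw, check_password(pw))
    phrase = generate_passphrase()
    print(phrase, check_password(phrase))
    print("123456", check_password("123456"))
```

The checker is deliberately strict about personal information and length and lenient about character classes for long phrases, which matches the list: the "capital letters, numbers and symbols" rule only applies where the site allows them, while the length and "no personal information" rules always apply.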
Once you've got your passwords set, you'll need to protect them by having good password hygiene. If you must copy them down anywhere, make sure they are difficult to access. Don't tell anyone your passwords, and block "shoulder surfing" by covering your screen as you enter a password to make sure no one's watching you.
Doing it yourself safely is possible if you don’t mind the extra work and can stay vigilant. But you can avoid doing all of that password legwork by letting a secure password manager do it for you.
How password managers work
It's important to understand that password managers are a line of much-needed self-defense for our own security. I probably don't need to remind you that most companies can't be trusted with your security or privacy. Companies get hacked all the time, and they don’t like to fess up about it. Many prominent sites that routinely collect consumer data have inappropriate or dangerously lax password practices. A manager helps you stay ahead of other people's mistakes.
As I mentioned in an earlier section, password managers protect your accounts by storing your login information in an encrypted vault, in addition to a secure backup location of your choosing, like Dropbox or an external hard drive.
No one can open your password vault or backup unless they both have access to it (meaning the encrypted vault and the app's encryption keys) and know your master password. This makes it next to impossible for anyone to accidentally discover your passwords, as they could if you saved them in a text file. These managers also let you create complex passwords automatically, and the manager will remember them for you.
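As an added illustration of the master-password idea (example code written for this page, not the code of 1Password, LastPass or any other manager): the app never stores the master password. It stretches it into the vault key with a slow key-derivation function and a random salt, and keeps only the salt, the cost setting and a verifier next to the vault. Without the right master password the key cannot be recovered, and every wrong guess costs the full derivation time. The encryption of the vault contents with the derived key is left out (Python's standard library has no AES), and the header layout and function names are my own assumptions.

```python
import hashlib
import hmac
import os

KEY_LEN = 32                      # 256-bit vault key
ITERATIONS = 600_000              # deliberately slow: each guess costs this much work
CHECK_LABEL = b"vault-key-check"  # fixed label used only to compute the verifier


def derive_vault_key(master_password, salt, iterations=ITERATIONS):
    """Stretch the master password into the vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def create_vault_header(master_password, iterations=ITERATIONS):
    """Build what is stored beside the encrypted vault: salt, cost and a verifier.

    Neither the master password nor the derived key is written anywhere; the
    verifier only lets the app tell a right password from a wrong one.
    """
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    verifier = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(master_password, header):
    """Re-derive the key from the typed password; return it only if it checks out."""
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    candidate = hmac.new(key, CHECK_LABEL, "sha256").digest()
    # Constant-time comparison so timing does not leak how close a guess was.
    if hmac.compare_digest(candidate, header["verifier"]):
        return key
    return None


if __name__ == "__main__":
    header = create_vault_header("Elephant$Paints-3-Canvases")
    print("stored header:", {k: (v.hex() if isinstance(v, bytes) else v)
                             for k, v in header.items()})
    print("right password unlocks:", unlock("Elephant$Paints-3-Canvases", header) is not None)
    print("wrong password unlocks:", unlock("elephant$paints-3-canvases", header) is not None)
```

Two points this makes visible: the same master password gives a different key under a different salt, so a leaked vault from one person is no help against another, and a lowercase slip in the master password produces an entirely different key rather than a "close" one. A production app would additionally derive separate sub-keys for the verifier and for the cipher that protects the vault contents.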
Password managers also have a handy feature: with one click they create a randomly generated, robust password for you, following current guidelines and conventional wisdom to make it secure.
They can also perform password-cleanup chores, such as eliminating reused passwords. These handy apps help you find weak, old, or duplicated passwords and change them. Some, like 1Password and LastPass, will even tell you when a site you use has been breached or hacked, so you can change your password before anything terrible happens.
Password manager key features:
Securely remembers all your passwords
Only you can access them
Creates strong new passwords
Helps you clean up bad passwords
Notifies you of compromised passwords
Browser plug-ins for easy log-ins online
Save notes, like answers to security questions
The best password manager apps
So you’ve decided to use a password manager, but where do you start? Well, first, decide which one you want to use. Make sure it's reputable and that it's one you pay for. Free password managers are shady; if it's free, there's going to be a catch like bugs, dirty data practices or a lack of support should anything go wrong. Think of it like insurance: a necessary evil, though at least it's only a few bucks a month, and password managers are certainly more reliable and directly beneficial than making a claim after a car wreck.
The only exceptions to the “beware free password apps” rule are password managers that come with companies you use and trust (such as Dropbox’s new manager) and Bitwarden, a free, open-source manager. When you pick one, do a little Googling for reviews and articles just to be sure it's right for you in terms of the features you want and need.
Both LastPass and Dashlane have free versions if you're broke, though those plans are less flexible. In fact, LastPass just updated its free plan with a new restriction: as of March 16, 2021, the free version will only include access on unlimited devices of one type — desktop or mobile. That means you’ll have to choose on which devices you primarily want to use your LastPass account, laptops and desktops or smartphones and tablets. Only if you upgrade and pay for LastPass Premium can you use the service on unlimited devices of any type.
Another free option is Bitwarden, and some like it more than the most popular paid apps. Make sure you avoid scams and only download the apps directly from the company's official website.
Full disclosure: I use 1Password, I have no affiliation with the company, and I am a paying customer. For me, 1Password offers a clean UI and a very streamlined user experience, and I’ve never had to go on an information scavenger hunt online to figure out how a feature works. Whichever device I am using, the app looks and behaves consistently. But it has one feature I prize highly among any and all tools I use: its reputation. 1Password has never been hacked. In addition, it’s a standalone company and not tied or beholden to a Big Tech corporation.
Password manager setup is a snap. Sign up for your account and do all the billing hoo-ha. If you're creating a family account, you'll invite everyone else after signing up, though if someone in your family has an account, ask them to invite you. Then download the manager's apps to your devices and make sure you get its browser extension too. When you want to fill in a password, simply click the extension's symbol next to your address bar and sign in.
Since you'll really only need to remember your master password after this, make that one a long phrase — a short sentence, with a number and symbol thrown in for good measure. For example, you can use a dollar sign ($) in place of an "S" or a "3" in place of an "E".
Then, start using and visiting apps and websites where you have accounts. The password manager will ask you to save your login, and from that point forward it will know when you're about to log in somewhere and prompt you for permission to fill in your credentials. That's one of the cool things: Password managers don't do things without your permission.
Most managers have "quick fill" shortcuts that do the work to log in for you after you enter your master password. If for some reason you need to enter a password by hand, instead of retrieving it from your memory, you can just open the manager and view it.
Some will also offer to store your credit cards and addresses. That, by the way, is something you should trust only a password manager to do. I'm not saying this to insult Apple's keychain or Chrome's autofill — those companies have incredible security teams. I just know how criminals can exploit and extract your credentials from browsers, phones and operating systems, and your trust is far better placed in a password manager. And they're way, way safer than letting any retail site save that information.
While only a total monster makes fun of someone who ended up in some company's breach for having "123456" as their password, you must make sure you're not "the one." Password managers help us with that, though we're not trying to tell you password management is fun. A different kind of monster believes that.
Try to think of it as a necessary chore, like laundry or dishes: best practice is to use your password manager to create and store a unique passcode for each site you care about. Some managers, like LastPass, know what a pain this all is and have a security-challenge feature. It identifies old, weak or compromised passwords, and it prompts you to run the challenge every few months. Take the time to redo passwords that could be easy for hackers and attackers to crack — with password-cracking programs, it's easy to break into accounts that have short and simple ("bad") passwords.
Change passwords that are reused on different accounts. The great thing about password managers is that they'll tell you when passwords reoccur, and they make it easy to find and change your duplicates.
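Here is an added example, not code from LastPass, 1Password or any other manager, of the kind of audit the cleanup and security-challenge features described above perform: it walks a constructed sample vault and flags passwords that are reused across sites, weak (shorter than the 12 characters the earlier list asks for), old (unchanged for more than the 90 days behind "every three months") or on a known-breached list. The vault entries, site names and the tiny breach set are constructed for the example; a real manager checks breach status against a service rather than a hard-coded set.

```python
from collections import defaultdict
from datetime import date

MAX_AGE_DAYS = 90   # the article's "every three months"
MIN_LENGTH = 12     # the article's "at least 12 to 16 characters"
AUDIT_DATE = date(2021, 2, 16)  # the date of this guide's update note

# Constructed sample vault; sites are placeholders and the passwords are
# deliberately poor so the audit has something to flag.
SAMPLE_VAULT = [
    {"site": "mail.example", "password": "Summer2019!Summer", "changed": date(2019, 6, 1)},
    {"site": "shop.example", "password": "Summer2019!Summer", "changed": date(2020, 11, 3)},
    {"site": "bank.example", "password": "123456", "changed": date(2021, 1, 15)},
    {"site": "video.example", "password": "qL7$vN2#wR9pXc4z", "changed": date(2021, 2, 1)},
]
# Constructed stand-in for breach data; a real manager asks a breach
# service (usually by hashed prefix) instead of shipping a list.
KNOWN_BREACHED = {"123456", "password", "qwerty"}


def audit_vault(vault, today, breached=KNOWN_BREACHED):
    """Group findings by category; each value is the list of affected sites."""
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])
    findings = {"reused": [], "weak": [], "old": [], "breached": []}
    for entry in vault:
        site, pw = entry["site"], entry["password"]
        if len(sites_by_password[pw]) > 1:       # same password on 2+ sites
            findings["reused"].append(site)
        if len(pw) < MIN_LENGTH:                 # too short to resist cracking
            findings["weak"].append(site)
        if (today - entry["changed"]).days > MAX_AGE_DAYS:
            findings["old"].append(site)
        if pw in breached:                        # already in a public dump
            findings["breached"].append(site)
    return findings


def sites_to_fix(findings):
    """Sorted list of every site with at least one finding, for a to-do list."""
    return sorted({site for sites in findings.values() for site in sites})


if __name__ == "__main__":
    result = audit_vault(SAMPLE_VAULT, AUDIT_DATE)
    for category, sites in result.items():
        print("%-9s %s" % (category + ":", ", ".join(sites) or "none"))
    print("fix first:", sites_to_fix(result))
```

Run against the sample vault, the audit reports the mail and shop accounts as both reused and old, the bank account as weak and breached, and leaves the video account alone; the to-do list is the union of those, which is exactly what the challenge feature prompts you to work through.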
Right now it feels like there are precious few things we can actually say are good, helpful and positive about our internet experience. Password managers are one of them. They really do provide a simple solution to a glaring and ubiquitous problem. And when it comes to ourselves, our friends, families and the communities we care about, something as simple as a smart password-security tool can save us a whole lot of unnecessary stress and heartbreak.