Why you need a password manager
I'm the tech guy. I'm supposed to be on top of things. But frankly, I've been taking great risks online. Some crucial passwords leave me vulnerable to hacking. I'm resolved to have this fixed by the time this column appears in print.
I remember my original internet password. It was in 1993, and I was the first person on campus to be connected by the IT department to a jury-rigged AppleTalk network. I could see the internet was going to be important and wanted to teach it to my students.
The IT person set me up and gave me a password to my account on the mail server (thanks, Ron). It was a 6-character password that consisted of a four-letter word along with two numerals.
As new online services came along, such as Amazon, I did a no-no: I used the same password. Everybody did. There wasn't much hacking back then.
But I began to hear about hacking and realized I should be more careful. So on new signups, I would make simple changes to my basic password.
This got complicated. I have a file on my computer that lists hundreds of passwords going back years. And that's only a portion of them.
My original password was eventually exposed in one of the notorious hacks. By then I wasn't using it on any important sites. But had still occasionally been using it on less important sites.
You can find out if your personal data has been exposed by going to Have I Been Pwned? (haveibeenpwned.com).
Thankfully, the Mac OS has had a built-in password manager in recent years. If I set up a new login on a website, my Mac will ask if I want it to enter a secure password. If I click yes, it will enter one that's nearly impossible to crack. And then it asks if I want to save that login information.
The next time I go to that site, my Mac or iPad or iPhone can automatically enter my login info.
In addition, if I go to a website for which I set up a username and password in the distant past, my Mac will ask if I want it to save that login information. That's why my Mac's password manager, called Keychain, has a mix of secure and weak passwords.
Recently when I went to a site where I had used my original password, my Mac alerted me, telling me that the password had been compromised and suggesting I change it. Which I did.
Subsequently, my Mac alerted me that I still had a bunch of sites in Keychain that had this original password. I clicked on the links in Keychain and changed those passwords.
Then it alerted me to the weak and easily guessed passwords that I still have in Keychain. Thus, I have work to do.
But one reason I still have weak passwords is that I have a couple logins I use on my Chromebook and Android tablet. Neither of these has access to my Mac's keychain, so it's easier to have a password that I can remember.
But the real solution would be to use a cross-platform password manager such as 1Password, which gets top billing by Wirecutter, a service of the New York Times that spends months researching their comparative reviews.
People, this is important. I occasionally see Facebook posts in which friends say their account has been hacked. I've had acquaintances who've had their email hacked. And in today's news as I write this, there was a report that Russian hackers are using a database of compromised passwords to try to access thousands of government, corporate, and think-tank computer networks. And they've been successful in a number of instances.
Yep, some employees had still been using the same old same old to log in to their networks.
With a password manager, you create a single, secure password that you can remember, and then use that to allow your password manager log in to each site you visit.
Security experts say everyone should be using a password manager, and that it's much more important than using virus protection software.
Wirecutter evaluated dozens of paid and free password managers and extensively tested four. They determined that 1Password (1password.com) offers "the best combination of features, compatibility, security, and ease of use." There are good password managers that are free, but they feel 1Password is worth the $36 per year.
The free version of Bitwarden (bitwarden.com) was their pick for the best free password manager. They write that it gets the basics right but lacks features such as password checkups and breach reports.
Thank you. Writing this column was just the motivation I needed to finally make all my passwords secure.
© 2021 by Jim Karpen, Ph.D.