There’s no shortage of password management sites and applications. Chances are you’ve got one built into your web browser right now, and there is also a plethora of standalone options. However, there are pros and cons to each type. Below is a breakdown of each, as well as a long-standing alternative I recommend.
While we often hear about the need to use a password manager, it’s not necessarily clear why. It’s important to note that regardless of the strength of a password, using the same one on multiple sites means that when even one of those sites is compromised your stolen credentials can now be used by attackers to log onto the other sites that use the same password. This process is called credential stuffing. Troy Hunt’s HaveIBeenPwned service demonstrates this problem clearly as it can tell you whether your email address [or your password] has been encountered before in a breach.
Option A) In-Browser Password Management
This type of password manager is built right into Chrome, Firefox, and Safari. Hell, it might even be in IE/Edge for all I know. This style of password manager displays an in-browser prompt asking you to save or update your credentials when you enter them.
Pros:
- Built into your browser and offers a reasonable level of security. There’s nothing to install – it just works!
- Integration level is excellent – username and password fields are automatically filled in without intervention, and you are automatically prompted to save or update credentials as you use them.
- Password syncing via Firefox Sync or Google Chrome browser profiles. For example, if you use Chrome on your phone and on your PC you can have your passwords, bookmarks, and even browsing history synced between all of your devices.
Cons:
- By default, built-in browser password managers auto-fill stored usernames and passwords, which makes them vulnerable to third-party tracking.
- They don’t offer a password generation feature that can choose random and unique passwords for every site.
Option B) Typical Standalone Password Manager
This style of password manager is either a standalone application or a browser extension. LastPass, 1Password: the list goes on and on.
Pros:
- Strong, unique password generation features discourage password reuse.
- Syncing features to keep your credentials stored beyond just having them on a single device.
- [Generally] some level of browser and app integration for inserting saved credentials more easily.
Cons:
- Costs [potentially]. This may be a one-time fee or a recurring cost à la LastPass.
- Third-party dependency. How long will a given password management service be around, and once it is defunct, what happens to the passwords you’ve stored with it?
Option C) My Recommendation
This system is technically a standalone password manager from Option B [though it is free and open source] and is paired with the cloud storage/syncing platform of your choice [Dropbox, in this example]. With a small amount of setup you can have a robust password management system that works everywhere.
Pros:
- Strong, unique password generation – just as with Option B, the Typical Standalone Password Manager.
- Password syncing is available through any file sharing service. In this example I’ll use Dropbox.
- Works on every platform.
Cons:
- Lack of browser and app integration for inserting credentials.
- Minor limitations in the syncing of the password database.
KeePass is used as the password manager guts of this system. It has variants that work on Windows, macOS, iOS, Android, and Linux.
KeePass lets you securely store passwords as well as any secret info [perhaps the gibberish you entered as the answers to some sites’ mandatory security questions?] in a single encrypted database file. It can [and should] be secured with a password and offers password generation features that will work for obscure password requirements, e.g. “8-16 characters with exactly one number and no more than two special characters”.
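To make concrete what a generator has to do for a rule like that, here is an added example (not KeePass’s own generator) that builds a password satisfying the quoted rule from a CSPRNG, validates it, and computes how many bits of entropy the rule leaves; the three character sets are assumptions chosen for the illustration.

```python
import math
import secrets
import string

# Character classes assumed for this example (constructed, not KeePass's sets).
LETTERS = string.ascii_letters
DIGITS = string.digits
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"

def satisfies_rule(pw: str) -> bool:
    """The rule from the text: 8-16 characters, exactly one number,
    no more than two special characters, nothing outside the three classes."""
    if not 8 <= len(pw) <= 16:
        return False
    if sum(c in DIGITS for c in pw) != 1:
        return False
    if sum(c in SPECIALS for c in pw) > 2:
        return False
    return all(c in LETTERS or c in DIGITS or c in SPECIALS for c in pw)

def generate(length: int = 16, specials: int = 2) -> str:
    """Constructive generation: draw exactly the counts the rule allows from
    each class with a CSPRNG, fill the rest with letters, then shuffle so a
    character's position says nothing about its class."""
    if not 8 <= length <= 16 or not 0 <= specials <= 2:
        raise ValueError("requested shape violates the rule")
    chars = [secrets.choice(DIGITS)]
    chars += [secrets.choice(SPECIALS) for _ in range(specials)]
    chars += [secrets.choice(LETTERS) for _ in range(length - 1 - specials)]
    # Fisher-Yates shuffle driven by secrets (random.shuffle is not CSPRNG-backed).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

def entropy_bits(length: int = 16, specials: int = 2) -> float:
    """log2 of the number of distinct passwords generate() can emit for this
    shape: choose the digit position, the special positions, then the chars."""
    letters = length - 1 - specials
    patterns = math.comb(length, 1) * math.comb(length - 1, specials)
    choices = len(DIGITS) * len(SPECIALS) ** specials * len(LETTERS) ** letters
    return math.log2(patterns * choices)

if __name__ == "__main__":
    pw = generate()
    print(pw, satisfies_rule(pw), f"{entropy_bits():.1f} bits")
```

Note that the rule caps the entropy at roughly 97 bits even at the maximum length, because the digit and special-character quotas remove most of the keyspace a free 16-character password would have.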
Dropbox provides the file syncing capability for the KeePass password file in this example, but any private file syncing site like it will work. Go ahead and sign up for a free account – the limited storage is more than enough for storing the tiny KeePass database.
- Sign up for Dropbox [or the file syncing site of your choice] – this should be self explanatory, but choose an excellent and unique password for this account since it will contain a file with all of the credentials for your digital life in it. Install it on all of the devices you need to sync passwords to and log in with the account you created.
- Download and install KeePass on all the devices you’ll be using it on. Choose the same version across the board to eliminate any compatibility issues. In this example I’ll use KeePass 2.x.
- Create a new password database and store it on your PC in the Dropbox shared folder. Password protect it by choosing a secure and unique password, since the difficulty in brute-forcing the database file is the only security this password manager has if it falls into the wrong hands. Don’t use the same password you just used for Dropbox.
- Create your first stored password entry. Save it and then save the database file. Watch as it magically syncs to the great cloud.
- From Dropbox on another device, open the password database file. How to do this on mobile can be unclear, so review the Examples section, which shows how opening the file in MiniKeePass from Dropbox on iOS works.
Examples:
- Using KeePass on macOS and syncing with Dropbox
- Using Dropbox on iOS to sync the KeePass database file and open it in MiniKeePass
This is not a foolproof password syncing system. If you add an entry on your PC and then add one on your phone while it’s offline, there will be conflicts syncing the database file with Dropbox when it’s back online. Since the whole vault is a single encrypted file rather than individually stored credentials, the syncing service cannot merge changes like this. Avoid these scenarios by ensuring the password file is synced before making changes in it.
Password management need not be complex nor expensive. The days of ‘choose a memorable password’ are, unfortunately, long behind us now. Choosing unique, unmemorable passwords and storing them conveniently and securely is the best protection for limiting credential stuffing attacks when your personal information is made available from a breach. Choose the password manager built into your browser, or succumb to the advertising of LastPass, or use my recommended setup for the perfect free password management system – just choose and use something!