Many people still have weak security practices, especially when it comes to passwords. They’re reusing them, relying on easily cracked ones, or aren’t aware that recommended guidelines have changed. And the reasons they have for not using a password manager aren’t crazy or stupid—their feelings are entirely understandable. But they’re still wrong.
Passwords are similar to the locks on the front door of a house. And when you live in a city (the internet is definitely that crowded), everyone throws on at least one lock. But choose the doorknob’s lock, and it takes but a minute for an experienced burglar to get past it. You want a deadbolt at a minimum, and in higher traffic or rougher neighborhoods, you might have a thicker door (or even an iron gate before your door), sturdier hinges, and longer screws for your deadbolt strike plate, too.
And yet, you don’t have to rely solely on keys to deal with your door locks. These days you can tailor your safety setup to make life easier and still more secure—e.g., using PIN pads, Bluetooth readers, and other methods to gain entry.
Password managers are the same. You can choose one that works for you, whatever your needs or concerns—you don’t need to rearrange your life for it. Don’t believe me? Watch as I dismantle the top six reasons people don’t use a password manager lickety-split.
A lot of folks still believe using numbers and symbols in place of letters or riffing off of a base password is sufficient protection. The sad news is that those strategies aren’t strong enough anymore and haven’t been for a while. My colleague Mark Hachman explains how easy it can be to crack a password—and extrapolate patterns and habits to make cracking future passwords even easier. In other words, it’s becoming easier and easier to pick the lock on a digital door.
You can gamble on never getting hit with an account takeover attempt, but you’re going to lose that bet sooner rather than later. Data breaches are only increasing in frequency (and scope), with potential fallout also increasing as vital services move further online. And even if you are generating your own long passphrases or even randomized passwords, keeping track of them will either be less protected than in a password manager (a spreadsheet with an innocuous name isn’t secure, alas) or slip your memory at some point.
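To put numbers on why letter-for-symbol swaps and a numeric suffix add so little, here is an added Python example (not from the article or its author) that counts the variants such a "mangled" password can take and compares that to a password a manager draws at random; the swap table and the 00-99 suffix are assumptions about typical habits, not an exhaustive model.

```python
import math
import secrets
import string

# Constructed table of common letter-for-symbol swaps (an assumption for this
# illustration, not a complete list of what people actually do).
LEET_SWAPS = {
    "a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7", "l": "1",
}

# Printable ASCII minus space: what a typical manager's generator draws from.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def mangled_variant_bits(base: str, suffix_choices: int = 100) -> float:
    """Bits of uncertainty a guesser faces if the base word and the habit are
    known: one optional swap per swappable letter, optional capitalisation of
    the first letter, and a numeric suffix (default: two digits, 00-99)."""
    variants = 1
    for ch in base.lower():
        variants *= 1 + len(LEET_SWAPS.get(ch, ""))  # keep letter, or swap it
    variants *= 2              # first letter upper- or lower-case
    variants *= suffix_choices  # appended digits such as a year or "01"
    return math.log2(variants)


def random_password_bits(length: int, alphabet: str = FULL_ALPHABET) -> float:
    """Entropy of a password drawn uniformly at random from `alphabet`."""
    return length * math.log2(len(alphabet))


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Generate a password the way a manager does: CSPRNG, uniform choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # "password" -> P@$$w0rd99 and friends: 54 swap patterns x 2 x 100 suffixes.
    print(f"mangled 'password' family: {mangled_variant_bits('password'):.1f} bits")
    print(f"16 random printable chars: {random_password_bits(16):.1f} bits")
    print("sample from a manager-style generator:", generate_password())
```

Roughly 13 bits for the whole P@$$w0rd99 family against about 105 bits for 16 random characters; the mangled set is small enough to enumerate, which is the point the article makes.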
Reason 2: It takes too much time
Not true! Typing out your login info takes longer than having your password manager pop up and autofill the credentials for you. So while it may seem like it’s slowing down your process to use one, it’s not.
As for setting up the password manager—some require no work to make them part of your routine. The ones built into Google, Apple, and Microsoft’s ecosystems (heck, even into browsers like Firefox) tie in with your existing account and offer automated password management across devices.
Even third-party password managers are pretty seamless if you can spare a few minutes to sign up and then install a browser extension and mobile app. You might also have to tweak a system setting or two to ensure full integration into your flow, but that’s quick to do. Once that’s complete, the experience is nearly as effortless as with first-party password managers—and you get more robust features.
Oh, and entering all your passwords into the manager doesn’t have to happen all at once, either. It’s ideal, of course, but if you take care of the sensitive accounts first (and upgrade the quality of your passwords for them too!), you can then gradually add more credentials as you log into those accounts.
Reason 3: It costs too much
You don’t have to spend a single cent for a good password manager.
Yes, paid password managers do often get recommended, but that’s because of their extra useful features—not their level of protection. A paid service will offer a wider range of two-factor authentication options (such as hardware security keys, or the ability to generate software-based tokens inside the password manager itself), easier password sharing, family plans with group access to passwords, special travel-oriented features, and more. For not much cash, you get a tangible quality-of-life improvement.
But a good free password manager will store all of your login info securely and also easily generate long, random passwords for every website and app. And just like paid password managers, it will also recognize sites you visit and offer to automatically fill in your credentials, as well as support basic two-factor authentication.
The better free services also provide a way to share passwords securely, set up emergency access for trusted contacts, and generate unique usernames (not just passwords), email masks, and more.
Reason 4: Having all my passwords in one place is dangerous
I hear you on this one. The idea that you would put all of your passwords in one place can seem like a direct contradiction with security. If someone breaks in, you could be in for a world of pain.
But you can mitigate this concern with little difficulty. Your first line of defense: Choose a good master password and enable two-factor authentication. This is arguably the most important thing you can do to safeguard yourself. You can (and should) also protect your accounts by requiring a PIN, biometric authentication, or your master password for all installed browser extensions and apps.
How you choose to store your passwords can minimize or eliminate this issue, too. For example, you can lean on KeePass as your manager, which gives you complete control over the file holding all your login info. Save it on a trusted PC or external drive (don’t forget to back it up!) and access to your passwords will remain limited.
Or you can spread your passwords between different services and apps. Maybe you sign up for both LastPass and Bitwarden, storing a mix of accounts in each. Alternatively, you could put your info for less valuable accounts in a cloud-based manager, while your high-value account info stays locked up tight in a KeePass file. Another riff on this idea: Split the passwords themselves into fragments and store them across different accounts. For all of these scenarios, you can have both services’ browser extensions or apps installed on your devices for simultaneous use.
These options are a little more complicated, but you’ll still be remembering no more than a couple of mega-strong passwords. And you’ll have a faster and stronger system than typing out passwords kept in your brain.
Reason 5: Storing my passwords in the cloud seems risky
This is a fair concern. Even the most diligent company could have a vulnerability in their system. Bugs are an unfortunate but regular part of software development.
But you still have options. As mentioned earlier, KeePass saves passwords to a local file, which lets you keep that data out of cloud-based storage. Or you can DIY your own cloud solution by uploading a KeePass vault file to a cloud storage provider you trust (one that has enough engineers to properly ward off hackers or proper safeguards against rogue employees)—e.g., Dropbox, OneDrive, iCloud Drive, or Google Drive.
You can also go with a hybrid system. Use an online password manager for medium- and lower-value accounts (places that have your address and billing info, but not more), while financial and other highly personal accounts are stored in a more tightly controlled environment. If you’ve been OK with using Ilovetarget.com as your password for shopping online at Target, this solution surely can’t be that objectionable.
Reason 6: I’ll get stuck with a password manager I hate
(This one’s easy to lay to rest!)
Nope, you can move at will. A standard practice for all reputable password managers is the ability to export your passwords. The better services allow you to export as an encrypted file, which minimizes the risk of sensitive data falling into the wrong hands. By the way, always choose the encrypted option, because a plain-text file of all your passwords is no bueno.
Any (reputable) password manager is better than none
This won’t be the last time I write about password managers, much less try to convince people to use them.
But let me say, whenever you hear different arguments from tech journalists (even right here among the PCWorld staff!) about why paid password managers are better, or that browser-based password managers should be passed over—don’t let that confuse you. Or turn that into a reason to write off online security as too complicated.
The reputable password manager that you use is the best one. Simple as that. I just want you all to be safe. Having to frantically recover an account or deal with identity theft is no one’s idea of a good time.