Top 5 reasons why you need a password manager
Let’s face it, human beings are not very good at coming up with passwords that are unique or random, which is one of the main reasons you need a password manager. Combine that with the fact that most people have anywhere between 50 and 150 passwords to keep track of, and it’s not surprising that people re-use their passwords when they don’t have a suitable solution in place. The benefits of a password manager might not always be evident, so to begin with, educating yourself about what makes a good password is probably one of the most important things you can do for your digital security this year! The best bit is that it’s not difficult. Let’s cover off our top 5 reasons why you need a password manager.
- #1 Prevent duplicate passwords
- #2 Exceed minimum password requirements
- #3 Ease of access across multiple devices
- #4 Storing of additional information
- #5 Emergency access and accountability
#1 Prevent duplicate passwords
According to a leading password management company, 81% of data breaches are caused by reused or weak passwords, so random, unique passwords are your best defence against online threats. If you use the same password for both your social media and bank accounts, an attacker need only steal one password to gain access to both, doubling your exposure. The same scaling applies if you have used that password 5, 10 or 25+ times across various sites, making the attacker’s job very easy indeed!
Can I EVER re-use passwords?
With our techy hat on we would say no. With our “we know what people are like” hat on, we’d say that in some circumstances it could be viable, BUT please proceed with caution. IF you are determined NOT to use a password manager, then you should adhere to some best practices:
- NEVER opt to remember your password inside a browser: these are often not encrypted and can be viewed by anyone after spending 5 minutes on YouTube. If you want a “remember” facility, do it properly and use a dedicated password manager.
- NEVER use passwords that are numbers ONLY
- NEVER use ANY passwords shorter than 12 characters
- ALWAYS keep financial logins UNIQUE
#2 Exceed minimum password requirements
What is the minimum recommended password length?
We wrote an article back in 2016 (How secure is your password; a little cringe, reading back my early attempts at writing articles) which touched on the point that people at that time were using fewer than 8 characters in a password. Back then we focused on increasing complexity; what we failed to say was that length is important, arguably more important than complexity. This is why we would recommend that the absolute minimum length for a password in 2023 be no less than 12 characters, with AT LEAST upper and lowercase letters. If you’re able to bump that up to 14 characters whilst dropping a few numbers and special characters into the mix, you can more than 2,500x the difficulty!
Password length vs complexity
PBKDF2 key strengthening is explained in the conclusion
You will see from the table above that the following two password examples would BOTH take ~3,000 years to crack (with current technology). So by adding only 4 additional characters to your password you can drop the complexity requirements for those passwords that you want to keep in your head:
- 16 character password containing lowercase letters ONLY
- 12 character password containing lowercase letters, uppercase letters, numbers and symbols
What makes a strong password?
Unless you have a photographic memory, one of the primary reasons why you need a password manager is that without one you can almost forget about securely randomising every password you have. Random passwords would look something like the below:
Random Password Examples
Memorable passwords, on the other hand, may be a little more viable. Remembering 4-5 words isn’t really that hard, and if it makes it easier you can always create a format in case you need a prompt or password reminder in the future.
Memorable Password Examples
- nostril-hose-duff-lukewarm (26 characters)
- lola-tympanum-killdeer-proof (28 characters)
- pretext-unarm-anew-bureau (25 characters)
- Using a format such as:
  - Recommended: [country]-[numbers]-[ocean] (~18 characters)
  - Hero: [animal]-[city]-[numbers]-[planet]-[book] (24+ characters)
Note: aim for ~4-5 characters in each section and use whatever categories you wish, BUT keep the words random. DON’T use things meaningful to you (such as your date of birth, home town, place of birth, your pet’s breed etc.), as this can and will reduce your password’s overall strength if the hackers have additional information on you. You can check below whether you have ever been subject to a data breach, or you can read the full article covering the top data breaches of the last few years.
#3 Ease of access across multiple devices
Most of us have a plethora of devices: personal computers, laptops, tablets and mobiles. Being able to seamlessly switch between devices is a must in today’s world. Personally, if I’m called out of the office I grab my laptop and can continue exactly where I left off on my desktop, with access to all my files and login credentials. The best aspect is that I don’t have to type passwords for any of my online tools or mobile apps. I log in with my master password combined with a secondary form of authentication (like a fingerprint or 2FA), and then I’m good to go.
2 Factor Authentication: This is another essential feature in the world we live in, but one that can become particularly cumbersome for businesses. As more and more websites require 2FA for access, it can lead to bottlenecks in workflows, with employees having to wait for access until their line manager, director or company owner authenticates their request. Using a password manager and delegating access can help alleviate these bottlenecks by ensuring that everyone who has access to a site can also authenticate its 2FA requests (note: this feature is not available in all password managers).
Revoking Access: Another overlooked aspect of password managers is the mitigation of risk when a theft or loss occurs. If I lost my phone or my laptop was stolen, the first thing I would do is revoke that device’s access to my password manager, followed by revoking its access to my cloud file storage. Within minutes I can rest assured that, even though a device is no longer in my possession, I have considerably reduced the risk of any of my data being compromised.
#4 Storing of Additional Information
An overlooked aspect of password managers is the ability to store additional information. These can take many forms but can make aspects of your life that little bit easier. So what additional information am I talking about?
- Identity Information – Store your name, address, phone numbers etc., and when you’re filling in an online form this data is auto-populated for you
- WiFi Access – Maybe a little overkill for some, but as we’ve demonstrated here, you’re only as secure as your password, and a WiFi network can be hacked as well. Make sure you have a good password and an isolated guest network where possible.
- Software Licenses – Got a license key for some software, extension or browser plugin? Keep track of them all in one location.
- Database / API Credentials – OK, this one is for the techy people out there, but storing API and database access securely (especially if you’re a business) is essential, as with this data an attacker can do an awful lot of damage!
- Files – If you have any sensitive files you would like to store in an encrypted format, you can do that with some providers as well.
#5 Emergency access and accountability
If you’re still unsure of why you need a password manager, I’ll attempt to wrap things up with a few points from both a business and personal perspective.
I can’t think of any valid argument against using a reputable password management company when you’re running a business; it’s just one less thing to worry about. Some basic accounts are free and most premium services start from only a few pounds/dollars/euros per month. These services allow you not only to store your passwords but to delegate access to relevant departments and staff. As an example, this means the marketing director could share access to all social media passwords with the marketing team without them EVER knowing what the passwords are.
Company accountability: Business accounts offer auditing and event logs alongside the basic password management features, providing even more visibility and security for those responsible for key areas of the business. On-boarding and off-boarding digital access for staff becomes a few-minute task, without needing to reset a single password out of fear that an ex-employee might do something malicious. Another (slightly more morbid) point is that company directors should always act in the best interests of the company, so having a single point of failure (themselves) should always be avoided. In 2019 Gerald Cotten (CEO of Quadriga CX) died unexpectedly; his death left $145 million in Bitcoin and other digital assets protected by his passwords and unretrievable. Without the digital keys, their clients lost access to digital coins and other funds. If this CEO had prepared for this by storing the additional information in a retrievable vault, then this situation might have been avoided.
Password Sharing is a feature offered only by some providers, which is hugely beneficial for digital agencies or those who are a little more cautious with password sharing (or with long, unmemorable Wi-Fi passwords). These passwords can be for household wifi, website admin, online tools, CRMs, cloud accounting, servers, mailbox admin, etc. Being able to send a password securely is a huge benefit to us here at Spotlight Studios. We can share sensitive information by generating a unique URL for a limited time period. Additional features include the ability to make the URL expire after one click OR to restrict access to certain email addresses, so you can share a link within a group chat that only provides access to the specified recipient.
Note: we’re yet to find an optimal solution for requesting passwords from clients. Whilst some might say “you should never do this”, in our profession it’s not always avoidable. If one of our clients does not use a password manager and we need access to their existing website / server, then we need a way of obtaining those credentials. We would never request these over email, so our current solution is to get the client to submit them to us using this secure form, which temporarily stores them within our CMS and sends our senior team a notification that we have received some credentials. We then copy this data to our password manager and delete it from our CMS immediately.
Bonus: How can I trust a provider with all this sensitive data?
The short answer is that you don’t have to. The reasons above detail why you need a password manager, but you’re right to be cautious. When it comes time to make a decision you should spend some time researching: look into how the data is stored, search Google for “[provider name] breaches”, ask a friend/family member who is in the IT industry or, failing that, visit some community forums. If you’re a client of Spotlight Studios then you are always free to raise a support ticket or give us a call on 0800 689 3652 and we’ll happily provide assistance.
How did we decide on what provider to use?
We could easily write another entire article on the “best password manager for 2023” (maybe we will), but to keep things short and sweet: for years we were advocates of LastPass, but now we use 1Password. Why? Well, a couple of the reasons we moved were to do with the information we shared in point #5, and the rest was due to the fact that we feel LastPass simply isn’t keeping up with the demands of the industry, nor adopting best practices for encryption, and they have a growing history of ignoring security researchers and vulnerability reports. Their “zero knowledge” is not what it appeared to be, their browser extension is open to exploitation, and their API is in serious need of improvement. If that wasn’t enough, their most recent breach (noted in point #4) has left backups of people’s vaults in the hands of attackers, with some data not encrypted WHATSOEVER. So if an individual didn’t adopt best practices for their master password (i.e. they used a password that could be cracked in a short period of time), then their data is at risk and will continue to be at risk, as the attackers have a local copy. So we set out to find a provider that solved these problems, and we settled on 1Password.
256-bit AES encryption: Our 1Password data is kept safe by AES-GCM-256 authenticated encryption and uses Password-Based Key Derivation Function 2 (PBKDF2) key strengthening. PBKDF2 prevents password-cracking tools from making the best use of graphics processing units (GPUs), which reduces guess rates from hundreds of thousands of guesses per second to less than a few tens of thousands of guesses per second. The table below demonstrates how this works for a range of password generation schemes, along with the associated GPU cost an attacker would incur to crack each one.
| Generation scheme | Bits | Cost (USD) | Example |
| --- | --- | --- | --- |
| 8 char, with lowercase, digits | 40.00 | 770 | |
| 7 char, with uppercase, lowercase, digits | 40.47 | 1,100 | |
| 3 syl, constant separator, capitalize one | 41.50 | 2,200 | |
| 3 word, constant separator | 42.48 | 4,300 | |
| 3 word, constant separator, capitalize one | 44.07 | 13,000 | |
| 9 char, with lowercase, digits | 45.00 | 25,000 | |
| 8 char, with uppercase, lowercase, digits | 46.25 | 58,000 | |
| 3 syl, digit separator, capitalize one | 48.15 | 220,000 | |
| 3 word, digit separator | 49.13 | 430,000 | |
| 10 char, with lowercase, digits | 50.00 | 790,000 | |
| 3 word, digit separator, capitalize one | 50.71 | 1,300,000 | |
| 9 char, with uppercase, lowercase, digits | 52.03 | 3,200,000 | |
| 11 char, with lowercase, digits | 55.00 | 25,000,000 | |
| 4 syl, constant separator, capitalize one | 55.22 | 29,000,000 | |
| 4 word, constant separator | 56.65 | 79,000,000 | |
| 10 char, with uppercase, lowercase, digits | 57.81 | 180,000,000 | |
| 4 word, constant separator, capitalize one | 58.65 | 320,000,000 | |
| 12 char, with lowercase, digits | 60.00 | 810,000,000 | |
| 4 syl, digit separator, capitalize one | 65.19 | 29,000,000,000 | |
| 4 word, digit separator | 66.61 | 79,000,000,000 | |
| 4 word, digit separator, capitalize one | 68.61 | 310,000,000,000 | |
| 5 word, constant separator | 70.81 | 1,400,000,000,000 | |
| 5 word, digit separator | 84.10 | 14,000,000,000,000,000 | |
Table provided by 1Password
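To make the numbers behind #2 (16 lowercase characters vs 12 characters from the full set) and the table above concrete, here is an added Python example, not code from the page or from 1Password, that computes the entropy of the character-class and word-based schemes the table lists and the cost model its rows imply, where the cost doubles with every extra bit. The alphabet sizes and the 7,776-word EFF list are assumptions, since the page does not say what symbol set or word list the table used, so absolute bit values differ slightly from the table; the increments for digit separators and capitalisation and the per-bit doubling of cost do line up with it.

```python
import math

# Assumed alphabet sizes (the page does not say which symbol set its table
# used, so these are plain ASCII sizes and give slightly different bit values).
ALPHABETS = {"lower": 26, "lower_digits": 36,
             "upper_lower_digits": 62, "all_printable": 95}
EFF_WORDLIST = 7776  # assumed word list: EFF long list, ~12.9 bits per word


def charset_bits(length: int, alphabet: str) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(ALPHABETS[alphabet])


def passphrase_bits(words: int, wordlist_size: int = EFF_WORDLIST,
                    digit_separator: bool = False,
                    capitalize_one: bool = False) -> float:
    """Entropy of a word-based scheme as labelled in the table: a constant
    separator adds nothing, a random digit in each of the words-1 gaps adds
    log2(10), capitalising one randomly chosen word adds log2(words)."""
    bits = words * math.log2(wordlist_size)
    if digit_separator:
        bits += (words - 1) * math.log2(10)
    if capitalize_one:
        bits += math.log2(words)
    return bits


def crack_cost_usd(bits: float) -> float:
    """Cost model read off the table: 40 bits ~ 770 USD, doubling per bit."""
    return 770 * 2 ** (bits - 40)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a random password: half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    # The two passwords compared under #2: four extra lowercase characters
    # buy nearly as much as switching all 12 characters to the full set.
    print(f"16 lowercase:     {charset_bits(16, 'lower'):.1f} bits")
    print(f"12 all printable: {charset_bits(12, 'all_printable'):.1f} bits")
    for bits in (40, 45, 50, 55, 60):  # the lowercase+digit rows above
        print(f"{bits} bits -> ~{crack_cost_usd(bits):,.0f} USD")
    # Guess rate from the text once PBKDF2 is in the way: ~20,000 per second.
    years = expected_crack_seconds(charset_bits(12, "upper_lower_digits"),
                                   20_000) / 3.156e7
    print(f"12 mixed-case+digits at 20k guesses/s: ~{years:,.0f} years")
```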
Secret Keys: One of their most desirable features from our perspective is their use of Secret Keys. In our opinion this is a fantastic feature. A Secret Key is 34 letters and numbers, separated by dashes. It’s stored ONLY on devices you’ve used to sign in to your account, and in an Emergency Kit, so only you have access to it. Your Secret Key works together with your 1Password account password – which only you know – to encrypt your data and keep it safe. Simply put, even IF anyone does obtain a copy of your vault (e.g. through a data breach), they cannot access it, even IF they were in possession of your master password, making it essentially uncrackable (in today’s terms).
Watchtower: As you can probably imagine, we manage a considerable number of passwords both internally and for our clients. Staying on top of security is essential for us, and native integration with tools that monitor this on our behalf allows us to stay a step ahead and take a proactive (rather than reactive) approach to our password security.
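To show why a second, device-held secret changes the picture for a stolen vault, here is a constructed Python example (not 1Password’s code and not its actual key-derivation protocol, only the idea described above): the vault key is the XOR of a PBKDF2-stretched password and an HKDF-stretched Secret Key, so an attacker holding the vault and even the correct password is still missing roughly 176 bits of key material. The dash grouping, iteration count and use of HKDF are assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string

# Constructed two-secret derivation for illustration only; NOT 1Password's
# real protocol. The vault key needs BOTH the account password and a
# device-held Secret Key, so vault + guessed password is still not enough.
SECRET_KEY_ALPHABET = string.ascii_uppercase + string.digits
PBKDF2_ROUNDS = 100_000  # assumed iteration count for the slow password hash


def generate_secret_key(length: int = 34) -> str:
    """Random Secret Key: 34 letters and digits, grouped with dashes."""
    chars = "".join(secrets.choice(SECRET_KEY_ALPHABET) for _ in range(length))
    return "-".join(chars[i:i + 6] for i in range(0, length, 6))


def secret_key_bits(secret_key: str) -> float:
    """Entropy of the key material (the fixed dashes carry none)."""
    return len(secret_key.replace("-", "")) * math.log2(len(SECRET_KEY_ALPHABET))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """Single-block HKDF (RFC 5869): extract, then expand to 32 bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def derive_vault_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """Slow-hash the password, stretch the Secret Key, XOR the two halves.

    Brute-forcing the password alone only ever yields pw_key; without the
    Secret Key the attacker cannot produce the vault key from it."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ROUNDS, dklen=32)
    sk_key = hkdf_sha256(secret_key.replace("-", "").encode("ascii"), salt,
                         b"vault-key")
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # stored alongside the vault, not secret
    sk = generate_secret_key()
    key = derive_vault_key("correct horse battery staple", sk, salt)
    print(f"Secret Key {sk} ({secret_key_bits(sk):.0f} bits)")
    print("vault key:", key.hex())
    # Same password and salt but a different Secret Key: unrelated vault key.
    other = derive_vault_key("correct horse battery staple",
                             generate_secret_key(), salt)
    print("same key without the right Secret Key?", key == other)
```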
If you’re still contemplating “Should I use a password manager?” then we’ll conclude by saying that password managers are certainly not a one-size-fits-all solution. But for those of you who are business owners or more security-conscious individuals, there are considerable upsides to be had. Either way, we hope this article has helped to shed some light on this topic, and if you don’t decide to delve into the world of password managers then we hope you take at least ONE thing from this article, and that’s to implement longer, unique passwords!
Something in the article piqued your interest? We’re never more than a contact form or a quick call away, so please don’t hesitate to get in touch!