Use a Password Manager

If you want to be secure online, the biggest, and one of the easiest, steps is using a password manager.

I don’t care which one you use. One probably comes with your browser and bugs you to use it. That one is probably great; start using it.

Screenshot of Firefox's password generation prompt.
Firefox begs you to use the password manager whenever you focus a password field. Give in to it.

Why?

I offer three main reasons to use a password manager.

Phishing Protection

Phishing is one of the most common ways people get scammed online. It is a very simple attack: someone convinces you to give them your password, most often by sending you a link to a page that looks like the login page of a site you use, like Google or Facebook. It is very easy to perfectly replicate the look of any login page. Seeing a login page is not surprising: many sites use Google or Facebook login, and you want to see Joe’s cat pictures. So you log in to FakeGoogle and now the attacker has your password (and your 2FA code).

Password managers make this much less likely because manually entering your password becomes a rare activity that raises alarms in your head. Every time you log into Google your email and password are pre-filled, so why not this time? Because while you didn’t notice that you were actually on goog1e.com, your password manager did: it can’t be fooled by a lookalike domain and won’t fill in your password.

This means that password managers make phishing much more difficult. Not only will the lack of autofill make you suspicious, but you don’t even know your password, so you can’t simply type it in. You would need to look it up in your password manager and paste it, which gives you time to think and be careful.

This is by far the best reason to use a password manager.
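The origin check that makes this work, as an added example that is not code from the original post or from any browser: a deliberately strict model in which a saved login is offered only when the page is served over HTTPS and its hostname exactly matches the one the credential was saved for. Real password managers have more nuanced matching rules (for example around subdomains); the vault contents and the lookalike URLs below are constructed for the demo.

```javascript
// Added example (not from the original post): a simplified model of the
// origin check a browser password manager performs before autofilling.
// Assumption: exact hostname match over https only. Real managers differ
// in the details, but the principle is the same: the lookalike never gets filled.

// Constructed sample vault: hostname -> saved credential
const vault = new Map([
  ["accounts.google.com", { username: "alice@example.com", password: "constructed-secret-1" }],
  ["www.facebook.com",    { username: "alice@example.com", password: "constructed-secret-2" }],
]);

function autofillFor(vault, pageUrl) {
  let url;
  try {
    // WHATWG URL parsing normalises case and turns Unicode hostnames into punycode,
    // so a homograph like "gооgle" (Cyrillic о) can never equal "google".
    url = new URL(pageUrl);
  } catch {
    return null;                                 // unparseable URL: never fill
  }
  if (url.protocol !== "https:") return null;    // refuse plain-http pages
  return vault.get(url.hostname) ?? null;        // exact hostname match only
}

// Constructed lookalike pages; every one of these must come back null.
const lookalikes = [
  "https://accounts.goog1e.com/signin",          // digit 1 instead of the letter l
  "https://accounts.google.com.evil.example/",   // real name used as a subdomain
  "https://accounts.gооgle.com/",                // Cyrillic о characters (homograph)
  "http://accounts.google.com/",                 // right host, wrong scheme
];

function demo() {
  const real = autofillFor(vault, "https://accounts.google.com/signin?hl=en");
  const spoofed = lookalikes.map((u) => autofillFor(vault, u));
  return { filledReal: real !== null, filledAnyLookalike: spoofed.some((c) => c !== null) };
}

console.log(demo()); // { filledReal: true, filledAnyLookalike: false }
```

The user-visible effect is exactly what the post describes: the login box on the real site is pre-filled, and on the lookalike nothing happens, which is the cue to stop and look at the address bar.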

Unique Passwords

Another risk is using the same password on multiple sites. Even if you trust both sites, one can have a security breach, and now your username and password combination is public. Attackers will try this combination on every site they can think of, and now all of your accounts are compromised. With only two sites it isn’t a major issue, but if you use the same password at dozens or even hundreds of sites it quickly becomes inevitable that it will be leaked.

Want to see if a site you use has leaked your password? Try putting your email address in here: https://haveibeenpwned.com. It will check all public breaches and tell you what information was lost.

Strong Passwords

Another attack is brute-forcing, where an attacker simply guesses passwords. This can be done against the regular login form; it can work for simple passwords but is often too slow or rate-limited, which prevents guessing even moderately complex passwords. It can also be done offline against leaked password hashes, which is much faster, and that is where an extra-strong password is very valuable: even if a website’s database is leaked, the attacker may still not be able to log into your account.

Human memory sucks. Most people can remember at most a dozen strong passwords. A password manager removes this limitation and lets you use a super-strong, unique password for every site.

Other

There are other reasons to use a password manager as well, such as plain convenience: you will never have to struggle to remember a password again. But the above three reasons (especially the first one) are in my opinion the most important.

How?

As I said, I don’t care what password manager you use. But if you really want a recommendation I can share some thoughts. Please note that I haven’t researched all the available password managers, so if you really want to make sure you are picking the best option you should do your own investigation… or just use the one that comes with your browser; it is good enough and easy to use, don’t overthink it.

Seriously, stop reading here and just use your browser’s password manager. Close this tab, we’re done.

General

Browser-integrated

First and foremost, use a password manager that is integrated into your browser. Most password managers have browser extensions, so this isn’t difficult, but it is critical for the Phishing Protection described above to work.

Easy-to-use

If you aren’t going to use it, it won’t help you. So try to find a password manager that works the way you do.

Specific

A non-exhaustive list, just the ones I have experience with or thoughts on.

Firefox

This is my main password manager. It is built into Firefox and end-to-end encrypted (so even Mozilla can’t access my passwords). If you are really paranoid you can even self-host Firefox Sync.

The downside of Firefox’s password manager is that it is quite basic: it only stores the domain, username and password for each entry. But it fulfils my needs on desktop and on Android (where it can act as the system autofill service).

Chromium

Chromium-based browsers including Google Chrome, Microsoft Edge, Brave and others generally share the same password manager. It is also built-in and ready to go just like the Firefox one.

The main downside is that it isn’t end-to-end encrypted, but for almost all users this is a good tradeoff if it gets you using a password manager. It is similarly basic to Firefox’s, but good enough for most users.

Bitwarden

Bitwarden is a popular open-source password manager. It has very strong security properties (like Firefox) but is more full-featured. The main downside is that it isn’t built in and will require some extra setup.

LastPass

I would avoid them. They don’t have good security practices and appear to be on a death spiral where they are just attempting to extract as much money from users as they can before the company goes bust.

Conclusion

Use a password manager. It is an important link in your online security, is very easy to use and is probably already built into the browser that you use. Just start using it. It is by far one of the best bang-for-buck security improvements that you can make. (In my opinion it is far better value than any form of 2FA. But do that too.)