How a Password Manager Can Keep You Safe
It's Cybersecurity Awareness Month, so here's a way to protect yourself online
As pastoral counselor Jane Myers’ husband, Steve, lay dying in a Louisville hospital in late 2016, his boss at the University of Louisville pulled her aside. “I’m so sorry to have to ask you this, but it’s exam time and we don’t know where the exams are,” he said. “Is there any way you can check his computer?”
Myers didn’t know her husband’s password, but fortunately he was still coherent enough to give it to her. What he didn’t give her, because she didn’t think to ask, were any other passwords, including the one for his Apple account to unlock his computer. Months later, when she tried to guess that password too many times, she got locked out and eventually had to seek a court order to gain control of his devices.
“The rest of Steve’s passwords I figured out eventually, but most gave a little more grace than three tries,” she says.
Welcome to the brave new world of online security. As hackers become more adept at stealing personal information, we end up locking our loved ones (and even ourselves) out of our online accounts and digital devices.
The Whys and Hows of Password Managers
Fortunately, it’s relatively simple to keep yourself safe, and your loved ones in the loop, by using a password manager. This is a program that stores all your computer passwords in an encrypted vault, either on your computer or in the cloud, that only you can open with a master password you create.
“The use of password managers is really becoming a best practice,” says James Goepel, CEO of cybersecurity firm Fathom Cyber in North Wales, Pa.
Goepel uses Dashlane, which lets him access his passwords at any time from any of the six or so devices he uses. If he changes a password on his iPhone, for example, the new password will be available next time he logs into the same site from his laptop. Moreover, he says, “It gives me redundancy so that if I lose a device, I still have access to my passwords from another device.”
That combination of convenience and security isn’t available when you keep your passwords in a notebook or save them in a document on your computer (that a loved one might not be able to unlock). And trying to remember dozens of passwords? Fuhgeddaboudit!
"A lot of people worry that security comes at the expense of convenience,” Goepel says. “Password managers are one of those things where it’s actually the opposite.”
Although Goepel uses Dashlane, he says other top programs like 1Password and LastPass are equally effective. Some programs are free if you have a small number of accounts or only use one device. Others, like the open-source KeePass, are totally free. And some cost $20 to $60 a year. (You can find password manager reviews on Cnet.com and PCMag. Additionally, general information on cybersecurity is available on Fathom Cyber.)
Climbing the Password Manager Learning Curve
Goepel acknowledges that there’s a learning curve when you start using a password manager, but mostly because you’re changing your processes.
When he needs a password, he opens the Dashlane application, copies the particular password and then pastes it in where the website is requesting it. Dashlane and most other programs also have browser plug-ins that make the process even easier. When you get to a login page, you simply click a button on the toolbar and then choose the account to fill in the user ID and password fields.
If you’re logging into a site for which you haven’t saved your password, the password manager will prompt you to save it. Similarly, if you change a password, the password manager will offer to replace the old one in the vault. Password managers will even generate a random password for you that conforms to any website’s requirements.
Besides encouraging his clients to install password managers, Goepel has gotten his mother and stepfather set up on Dashlane. “They had so many passwords that my stepfather was carrying them around on a piece of paper in a notebook,” he says. “He would complain to me that he had so many electronic accounts now and so much stuff to keep track of.”
Goepel says the process went smoothly, in part because he focused on his parents’ most important and frequently used accounts. “I think it was about fifteen or twenty accounts initially, and it’s steadily grown over time,” he says.
One Site, One Password
Password managers also let you do something you know you should do but probably don’t, and that’s use a different password for every account. Since you only have to remember your master password, you can create a different — and difficult-to-crack — password for every account.
That way, if you have to change your bank password because it’s been compromised, you won’t also have to change your brokerage password and your Amazon password and your Netflix password.
“Even if you have a super-strong, twenty-character-plus password, every time you re-use it you put yourself at risk,” says software consultant Matt Ferderer of Bismarck, N.D., who recommends 1Password. “All it takes is one poorly secured website to get hacked with your password on it; the bad guys can sell it all around the world where people will try your password on every important website out there.”
A few years ago, hackers stole login credentials for 117 million accounts on the business networking site LinkedIn. Among those accounts, more than 2.2 million had one of just 50 easily guessed passwords, including 123456, abc123 and (believe it or not) password. Chances are those victims were using the same passwords across the internet, meaning they needed to spend countless hours updating their passwords on multiple sites.
Creating a Strong Password
So what makes for a strong password? Experts say it should be at least eight characters long (preferably longer) and contain at least three of these four character types: lowercase letters, uppercase letters, numbers and special characters like exclamation points or question marks. It should not contain a common word or phrase or any personal information like your date of birth.
Also, if a phrase pops up when you enter its first few characters in Google, you should probably rethink it.
For your master password, which you shouldn’t have to type often, Ferderer recommends using a complete sentence. “If you write a thirty-character-long sentence that isn’t a popular phrase, you have an easy-to-remember secure password with little work,” he says. “Here’s an example with a few symbols for extra credit: My mom’s cookies were ranked #1 in last year’s state fair!”
If you aren’t sure whether your password is strong enough, a host of online password checkers will analyze it and tell you how strong it is.
For example, if you test 4score&7yearsago at howsecureismypassword.net (which is sponsored by Dashlane), you’ll learn that that password would take 2 billion years to crack. However, RoboForm’s checker, which uses a more robust open-source checker called zxcvbn, only rates its strength as medium.
This variance demonstrates that you can’t necessarily trust such checkers, the simplest of which don’t compare your password against databases of commonly used passwords. In fact, the results can be downright misleading, according to a blog post by Mark Stockley with security firm Sophos.
He entered five truly awful passwords into five password checkers and got deceptive results. Although he could instantly crack all five on his two-year-old laptop using free software, one of the checkers said all five were good, while the others said at least one of the passwords was either good or of medium strength.
Those checkers would all have probably approved Ferderer’s state fair example. According to howsecureismypassword.net, it would take 7 untrigintillion years to crack. (An untrigintillion is 1 followed by 96 zeroes.)
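To show why the checkers disagree, here is an added example (not from the article, Dashlane, RoboForm or zxcvbn) that scores the article's own passwords two ways: the brute-force model behind the simplest checkers, and a pattern-aware model that charges dictionary words by their list rank, in the spirit of zxcvbn; it also applies the eight-characters, three-of-four-classes guideline from the section above. The common-password list, the word ranks and the guessing rate of 10 billion per second are constructed assumptions.

```python
import re

GUESSES_PER_SEC = 1e10  # assumed offline guessing rate for a fast GPU rig

# Constructed stand-ins for the breach-derived lists real pattern-aware checkers
# (e.g. zxcvbn) ship with. Rank = how many guesses a list-walking attacker needs.
COMMON_RANK = {"123456": 1, "password": 2, "abc123": 3, "qwerty": 4}
WORD_RANK = {"the": 1, "and": 2, "four": 90, "years": 150, "ago": 320,
             "seven": 400, "score": 1800, "cookies": 5000}

def char_classes(pw: str) -> int:
    """How many of the four classes (lower, upper, digit, symbol) appear."""
    return sum(bool(re.search(p, pw))
               for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))

def meets_rule_of_thumb(pw: str) -> bool:
    """The 'at least eight characters, three of four classes' guideline."""
    return len(pw) >= 8 and char_classes(pw) >= 3

def naive_guesses(pw: str) -> float:
    """Brute-force model used by the simplest checkers: charset ** length."""
    sizes = {r"[a-z]": 26, r"[A-Z]": 26, r"[0-9]": 10, r"[^A-Za-z0-9]": 33}
    charset = sum(n for p, n in sizes.items() if re.search(p, pw))
    return float(charset) ** len(pw)

def pattern_guesses(pw: str) -> float:
    """Pattern-aware model: a whole-password list hit costs its rank; otherwise
    multiply per-token costs (word rank for dictionary words, alphabet size
    for loose characters). Words are matched case-insensitively."""
    low = pw.lower()
    if low in COMMON_RANK:
        return float(COMMON_RANK[low])
    total, i = 1.0, 0
    while i < len(pw):
        word = max((w for w in WORD_RANK if low.startswith(w, i)),
                   key=len, default=None)   # longest dictionary word here
        if word:
            total *= WORD_RANK[word]
            i += len(word)
        else:
            total *= 10 if pw[i].isdigit() else 26 if pw[i].isalpha() else 33
            i += 1
    return total

def crack_seconds(pw: str) -> tuple:
    """(naive-model seconds, pattern-aware seconds) at GUESSES_PER_SEC."""
    return naive_guesses(pw) / GUESSES_PER_SEC, pattern_guesses(pw) / GUESSES_PER_SEC

if __name__ == "__main__":
    for pw in ("123456", "password", "4score&7yearsago"):
        naive, aware = crack_seconds(pw)
        print(f"{pw:18} rule-of-thumb={meets_rule_of_thumb(pw)!s:5} "
              f"naive={naive:.3g}s pattern-aware={aware:.3g}s")
```

With these toy lists, 4score&7yearsago passes the rule of thumb and the naive model puts it at billions of years, while the pattern-aware model prices it as six cheap tokens and lands at under a minute, which is the gap between the two checkers the article describes.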
Of course, it doesn’t matter how strong your password is if a hacker steals it, as happened to those millions of LinkedIn users. That’s why security experts recommend also using two-factor authentication, where you must identify yourself a second way in order to gain access to an online account. (The factors can include something you know, like a password, something you have, like a physical device, and something you are, like your fingerprint.)
In most cases, two-factor authentication involves entering a special code that’s sent via text to your mobile phone. However, authenticator apps like Google Authenticator are growing in popularity; these display a site-specific list of codes that is constantly updated. Depending on the site, you might have to enter a code each time you log in — the most secure option — or only when you log in from a new device. Despite the importance of two-factor authentication, barely a quarter of U.S. adults understand the concept, according to a recent study from the Pew Research Center.
Sharing Your Credentials
When you store your passwords in a password manager like Dashlane, no one can access them without your master password — including the software company. That can be a problem for your loved ones, however, if you die unexpectedly (or if you simply forget it).
One option is to share your password or record it in a place your loved ones will know to look for it, such as in a safe-deposit box or in the file with your will. Another: Some programs let you grant access to a loved one in case of death or incapacitation or share access to one or more entries in your password vault at any time.
A third option is to share the recovery keys you can generate from within the software. (These are long strings of characters you can use in lieu of your master password.) “The recovery key is the easiest way to have a good comfort level that they're not going to be accessing your stuff normally while at the same time giving them the access that they need should something happen to you,” Goepel says.
“Having a password manager and giving access to a few select loved ones in case you die is one of the best types of estate planning you can do,” Ferderer says. “A password manager that is actively used quickly becomes great documentation about all the important things in your life, especially finances, insurances, your social circles of friends and more.”
That’s a lesson Jane Myers learned the hard way — and one she shares each time she does premarital counseling at Christ Church United Methodist in Louisville. When she hears that someone wants to keep passwords secret, she has a simple message: “If you can’t trust that person to access your stuff, that’s a problem.”