Yes, You Do Need A Password Manager, Brett. Yes You Do!

A Password Manager is an essential security feature for individual users and enterprises alike. The average internet denizen has to remember 70-80 passwords and accounts, and using the same few passwords over and over is very insecure. Now add in enterprises, who need to secure more than just passwords alone.

Passwords and Secrets Management

Seems to me that password (and secrets) managers are like banks. Most people: 1) reluctantly agree that they are necessary, 2) have a vague idea what they do and why they are important, and 3) never really change the one that they use for any reason. The trouble is, most people still do not use a password manager at all, especially personally. A 2021 Bitwarden survey of IT business leaders puts password management software at 86% utilization in the enterprise, while best estimates float (or sink, depending on how you look at it) around 25% for the overall population.

This is unfortunate, as using a password manager immediately makes you more secure than just reusing a single password on websites. (And no, using an Excel spreadsheet doesn’t count as secure password management.)

The trouble is that websites get hacked... a lot. Or, they leave an S3 bucket completely open to the internet, allowing your PII to be stolen. And there are tables upon tables out there of usernames that have been compromised; if you are using only one password for all of your 70-80 sites, that means that they are all in danger of being broken into by bad actors. You can check for yourself if any of your usernames have shown up on these lists at https://haveibeenpwned.com/. It is safe to use this site: it has been around for a while and asks you for no identifying information whatsoever. All it does is look up whatever email address you feed to it.

NOTE: For the purposes of this article I tested my own email and apparently it was a part of 24 known breaches.

What's nice about this website is that it shows the details of when (and in some cases how) the data loss occurred. If you've ever wondered exactly how easily hacked (or how careless) the companies you trust your information to can be, reading through these case studies really lays it bare.

(What's a secret, you might be asking? Don't worry... we'll get to that soon enough.)

Defining Terms: So what's a secret?

Using the term ‘secret’ can be confusing when used in context, primarily because what a ‘secret’ is has evolved over time to satisfy enterprise use cases and needs. Personally I wish they had decided on a different term.

At first glance, a secret is just what it sounds like: any piece of information that you want to carefully control. For example, a password is a secret. It's the most common kind of secret, as a matter of fact. So a password manager is just a secrets manager that focuses on a single kind of secret (a password).

That covers general users. You use a password manager to securely keep track of the combination of username and password that allows you access to a specific website. The password manager helps you keep all of those passwords unique as well as private, and can even help you rotate them (and, as we’ll see below, can alert you if a password is exposed due to a website’s data breach.)

Now for some business use cases.

NOTE: This section will be irrelevant to casual desktop password management use, but I include it for completeness for the curious. I have indented it slightly (and used a different font) for maximum skippability.

Not all secrets are created equal. For example, consider the way the government classifies sensitive documents: Confidential, Secret, Top Secret, etc. Some documents just have to be kept ‘more secret’ than others. In technology, this can mean hostnames, IP addresses, or resource pointers such as database names, that are handled differently (and don’t have to be as ‘secret’) compared to passwords.

Here is an example of how one program connects to another (in this case a connection string to a database). All of the fields in the example below can be considered secrets:

Server=tcp:<serverName>,3342;
Database=<databaseName>;UserID=<userName>@<serverName>;
Password=<password>;
Encrypt=True

So while userName and password are probably considered very sensitive (Top Secret?) data, databaseName and serverName are probably not (Confidential, maybe). An organization will still want control over who uses these 'confidential' pieces of data (a user or program will still need access that only the secrets manager can provide), but they don’t have to be as tightly controlled as the top secret ones. Also, if the database name changes, you don’t have to rewrite your code. Instead, you can modify the secret that maps to databaseName. An enterprise-focused secrets manager can handle the management of all of these kinds of secrets.
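As an added example (not from the article), here is a small Python script that works with the connection string format above: it fills the placeholders from a named secrets store (so a renamed database means changing one stored secret, not the code), parses the string, and redacts fields by the sensitivity tiers the article describes so the string can be logged without exposing the credentials. The tier assignments and the sample store values are assumptions.

```python
import re

# Sensitivity tiers from the article's analogy: every field is a secret, but the
# credentials are far more sensitive than the resource pointers.
TIERS = {"UserID": "top-secret", "Password": "top-secret",
         "Server": "confidential", "Database": "confidential",
         "Encrypt": "confidential"}  # a flag, but kept in the lowest tier here
RANK = {"confidential": 1, "top-secret": 2}

TEMPLATE = ("Server=tcp:<serverName>,3342;Database=<databaseName>;"
            "UserID=<userName>@<serverName>;Password=<password>;Encrypt=True")
# Constructed sample store (placeholder values, not real credentials).
SAMPLE_STORE = {"serverName": "db01", "databaseName": "orders",
                "userName": "app", "password": "example-only"}

def resolve(template: str, store: dict) -> str:
    """Fill '<name>' placeholders from the secrets store, so renaming the
    database means updating one stored secret rather than the code."""
    def lookup(match):
        name = match.group(1)
        if name not in store:
            raise KeyError(f"secret {name!r} not in store")
        return store[name]
    return re.sub(r"<([A-Za-z]+)>", lookup, template)

def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict of fields (order preserved)."""
    fields = {}
    for part in conn.strip().split(";"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = value.strip()
    return fields

def build_connection_string(fields: dict) -> str:
    return ";".join(f"{k}={v}" for k, v in fields.items())

def redact(conn: str, clearance: str = "confidential") -> str:
    """Mask every field above `clearance`, so the result is safe to log or to
    show to someone who may see hostnames but never credentials."""
    allowed = RANK[clearance]
    out = {}
    for key, value in parse_connection_string(conn).items():
        tier = TIERS.get(key, "top-secret")  # unknown keys: assume the worst
        out[key] = value if RANK[tier] <= allowed else "***"
    return build_connection_string(out)
```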

Whew. Glad we got all that out of the way.

Finally, the “vault” is simply the digital folder that stores all of these secrets.

How Does A Password Manager Work?

To use a password manager, you will first create an account. This account will be secured by what's called a master password, which should be super secure and never, ever, reused or shared with anyone. (Best practice would be to also protect this account with MFA.)

Once you are logged in, you will be able to create an entry for each website you use. This will include a username and a password, which will be encrypted based on your master password. Now the encrypted data can be shared amongst your devices in a way that the password manager company will not be able to read. When you go to log into the website, you will be able to use the password manager to auto-fill the username and password data. So, outside of your master password, using a password manager means you will never have to memorize another password ever again.
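As an added example (not the article's code, and not any vendor's), here is a minimal vault in Python that shows the separation described above: the master password is stretched into a key that stays on the device, the server only ever receives a further one-way hash for login, and the synced entries are ciphertext plus an integrity tag that the vendor cannot read. It uses only the standard library, so an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the AES-GCM a real product would use; the iteration count and derivation labels are assumptions.

```python
import hashlib, hmac, json, os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; assumed, tune to current guidance

def derive_keys(master_password: str, email: str, iterations: int = ITERATIONS):
    """master_key never leaves the device. enc_key/mac_key protect entries;
    auth_hash is a further one-way derivation and is all the server sees at login."""
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                     email.lower().encode(), iterations)
    enc_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"vault-authentication", hashlib.sha256).digest()
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1)
    return enc_key, mac_key, auth_hash

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real cipher's keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_entry(enc_key: bytes, mac_key: bytes, entry: dict) -> bytes:
    """Returns nonce || ciphertext || tag, the only form that is ever synced."""
    plaintext = json.dumps(entry).encode()
    nonce = os.urandom(16)  # fresh per entry; reuse would leak plaintext XORs
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt_entry(enc_key: bytes, mac_key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("tag mismatch: tampered blob or wrong master password")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)
```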

The password manager will also help you keep track of how old a password is, as well as generate new complex passwords to replace old ones. Some password managers (advanced features vary by vendor and may have a separate fee) can even check public lists of compromised passwords (kind of like haveibeenpwned.com does) and alert you if you need to change a password immediately.
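As an added example (not from the article), here is how a password manager can check a password against a public breach list without ever sending the password anywhere, following the k-anonymity range-query model used by the Pwned Passwords service at haveibeenpwned.com: only the first five hex characters of the password's SHA-1 hash leave the device, the service answers with every matching hash suffix and its count, and the final match is made locally. The breach corpus here is a constructed offline stand-in for the real endpoint, with made-up counts.

```python
import hashlib

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()

def split_hash(password: str):
    """5-character prefix goes to the service; the 35-character suffix stays local."""
    h = sha1_hex(password)
    return h[:5], h[5:]

def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.strip().partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) returns the response body for that prefix.
    Returns how many times the password appears in the corpus (0 = not seen),
    which is the signal a manager uses to flag an entry for immediate change."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed offline stand-in for the range endpoint: a tiny corpus of
# weak passwords with made-up counts, served by hash prefix.
_CORPUS = {"password": 123456, "letmein": 4321, "qwerty": 9999}

def fake_fetch_range(prefix: str) -> str:
    lines = []
    for pw, n in _CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\n".join(lines)
```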

Which Password Manager Should I Choose?

This is a very tough question. There are a variety of password managers on the market with various features and availability. They are also not all free. The one you decide on will be based on your own use case.

Some things to think about when you are evaluating a password manager:

Cost: What am I willing to spend? What do I get for free vs. the paid plans?
Device Coverage: Do I need multiple device password sync?
OS: Is it compatible with the operating systems of the devices I use? (e.g., Windows, Linux, OSX, iOS, Android)
Cloud Usage: Does the company use the cloud as a storage repository? If yes, are you comfortable with that?
Breach reports: Have there been any reports in the news about this company being hacked or otherwise losing personally identifiable information?
Encryption Model: Does the company publish their encryption model? Does it make me feel like my data is in good hands?

There are a lot of options when it comes to selecting a password manager. The one you decide to use is your decision, based on the list of criteria that matter most to you. What is important is that you use one, any one.

One thing that often comes up is the value of the built-in options that are provided by the web browser companies. Firefox, Chrome, etc., have built-in password manager options. They are not ever going to be high on my list of recommendations, if for no other reason than they are very lacking in features. You would be limiting yourself to only that browser (Chrome's password manager can only be used to manage passwords in Chrome, for example), but using the Firefox password manager is still better than using no password manager at all. What's important is that you use a password manager. Which one you use, however, is entirely up to you.