Just make sure it’s not LastPass. They have once again suffered a breach in their security today (December 2022), with their last breaches occurring just a few months ago in August 2022, and another one a few years earlier. For a security based company, they sure seem to have a problem with it. Besides that, they’re owned by GoTo, who is the parent company behind GoToMeeting, LogMeIn, and other trash pieces of software that I wouldn’t trust. Oh, and LastPass’ free tier is complete garbage.
But, you should absolutely be using a password manager. I’m going to explain why, along with how to use one properly, and my suggestions for which one you should be considering. They not only make your digital life considerably more secure, but they can prevent you from extreme frustration every time you need to login to some service that you haven’t used in the last few years.
Simply put, it’s a program you install on your various devices, and it stores the passwords to all of your online accounts in an encrypted format. You have a “master” password to unlock it, and from there it’s a breeze. They’re typically used as a browser extension for all the popular browsers, and there’s an app for wireless devices like phones or tablets. Some of you may already be using the Firefox or Chrome password manager, but those are trash and have way too many limitations. I wouldn’t want to lock myself into a single browser, and further, there are a ton of other uses besides just websites.
When you’re browsing the web and login to a website, the program will prompt if you want to save the login and password. You can save those passwords into folders (which I suggest), as a way to better organize them. For me, I have some 40+ folders for things such as personal passwords, work passwords, client passwords, then even break them down further into different types of devices, or client name. I don’t just store website passwords, but also passwords to things like network devices, terminal devices, and a bunch of other nerdy things a lot of people would never log into.
All that information has to be stored somewhere, and overwhelmingly that is going to be in “the cloud” somewhere, likely with the company that you choose. There are usually free tiers available that most users will be OK with, and paid versions typically cost about $5/month.
Let me guess: your “usual” password is something like “winston93”, with Winston being your old dog or whatever, and 93 being some random or possibly lucky number. Maybe you use versions of it like “Winston1993” or “w1nst0N9393” in different places. This sucks, and sooner or later, it’s going to bite you in the butt. I’ll also bet that your password is generally legible and isn’t truly random, if it’s even over 8 characters long. So, when just one of your passwords is exposed, there’s a high probability they’ll be able to get into a lot of different things with that info. Your password on pets.com gets cracked? Maybe that’ll also work on your Gmail account, Facebook, online banking, or your work logins – which is very serious – and could get you fired.
Chances are your password, no matter how secure it may be, has already been exposed on the open Internet multiple times through one of the thousands of data breaches that have occurred over the years. Essentially the way it works is that when a company gets “hacked”, things like your login and password are exposed, although your password is (ideally) stored as a hash rather than in plain text. However, it’s not all that hard to crack that hash, especially if the password is 8 characters long or less. Most powerful computers can break an 8 character password in under a few hours with relative ease. I can tell you I’ve done it in anywhere from a few minutes to half a day – on a laptop. There are literally lists of hundreds of millions of cracked passwords with their hashes exposed for easy lookups, or just websites like hashes.com where you can do it online easily.
The thing is, if you have a password like “2gGKNnv@*6d4Lkyw” it’s very likely not going to be cracked easily. It absolutely can be, but it’d take weeks if not years to get that one busted, even with a super powerful machine. As such, those types of passwords are almost ignored in a data breach and they’re rarely if ever exposed. So, even if your login and password are part of a company being breached, chances are they’ll never actually get your login information – and that’s a massive first step.
But how the heck are you supposed to remember that password? The thing is, you don’t. You just remember ONE password, and the rest is easy. You’ll want to make that password as secure as possible, without it being impossible. Choosing a password that’s a phrase such as “Couch84sPrinkler$$” would be perfect. Not only is it easy to remember, but it’s 18 characters, with upper & lowercase, numbers, and special characters. That will be near impossible to crack. And, if you can remember that – you’ll have access to all of your other randomized passwords.
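As an added example that is not part of the original post, here is a small Python script that puts numbers on the argument above: it measures the brute-force search space of the three passwords quoted in this post, estimates the worst-case time to exhaust it at an assumed guess rate (the 1e10 guesses per second figure is a constructed assumption), and shows how a manager generates a random per-site password.

```python
import math
import secrets
import string

# Character classes an exhaustive search must cover once any member of the class appears.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Size of the smallest union of classes that contains every character of the password."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    # Characters outside the four classes (e.g. a space) each widen the alphabet by one.
    size += len({c for c in password if not any(c in cls for cls in CLASSES)})
    return size


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates an exhaustive search must try.

    This is an upper bound on attacker effort: "winston93" is a dictionary word plus a
    number, so wordlist and rule based guessing finds it far sooner than this bound suggests.
    A random password like "2gGKNnv@*6d4Lkyw" has no such shortcut, so the bound is realistic.
    """
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed guess rate (constructed figure)."""
    candidates = 2 ** search_space_bits(password)
    return candidates / guesses_per_second / (365 * 24 * 3600)


def generate_password(length: int = 16) -> str:
    """What a password manager does for each site: a CSPRNG draw over the full alphabet."""
    alphabet = "".join(CLASSES)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("winston93", "2gGKNnv@*6d4Lkyw", "Couch84sPrinkler$$"):
        print(f"{pw!r:22} {search_space_bits(pw):6.1f} bits  {years_to_exhaust(pw):.3g} years")
    print("generated:", generate_password())
```

Running it shows the 9-character lowercase-plus-digits password falling in hours at that rate, while the two longer mixed-class passwords sit many orders of magnitude beyond any practical brute force.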
From there, you should have the app running in your browser – and also your phone. If you _really_ want to make it more secure (which, I highly suggest), you can use 2FA (or two-factor authentication) where once you login to the password manager, it’ll send you a text message – or you need to use an app such as Google Authenticator.
My choice with no hesitation would be Bitwarden, and there’s a very simple reason for that. It’s open source, it’s not run by some horrible tech conglomerate, and their prices are incredibly reasonable. With a free account (which is all most of you will need), you can store unlimited passwords, and also access it on unlimited devices. This is really the biggest thing, as many other companies charge you if you want to access your passwords on both your phone and your computer. Further, if you want to secure yourself further with 2FA and get some added features, it’s literally $10/year – which is dirt cheap. If you’re a family, it’s $40/year for up to 6 users, and you can share passwords with one another – which is another huge feature at a steep discount over many of the big names.
If you’re a tech nerd like I am, you can even look at running your own Bitwarden server. They offer you the ability to host it yourself on your own server – so you’re entirely in control of everything. However, you will need a bit of horsepower to host an actual Bitwarden server, as it won’t play nicely on a low end device such as a Raspberry Pi. The good news is, there’s another open source clone of it called Vaultwarden – which is a carbon copy, and you can still use the Bitwarden browser extensions and smartphone/tablet apps to connect to it. If you don’t know how to use a Docker container, then chances are this is going to be a pretty steep learning curve if you wanted to host it yourself – and likely one I wouldn’t suggest embarking on for a production environment when it comes to your password manager. However, it’s always good to learn, and everyone needs to start somewhere – just don’t host your passwords until you understand and are confident in what you’re doing.
At the end of the day, regardless of which password manager you may choose, you really should be using one. Do your research, consider the options, and choose the one that’s right for you. But, as you do, consider where you want your most sensitive information stored, and who you trust with it. Whether it’s a big corporate-backed solution that’s expensive, a self-hosted thing in your basement, or something open source & cheap like Bitwarden, it’s just best practice to be using one – and you’re going to considerably help yourself remain more secure by doing it.
If you’re looking to set up your own Vaultwarden server, need help migrating your current solution to a new one, or want to set up a family or business account – I’d be happy to provide you some sound consulting advice. Please reach out via our contact us page if that sounds like something you’d like to explore.
© Open Source IT Solutions. All rights reserved.
All opinions, posts, comments, & content are solely those of OSIT Solutions. They in no way, implied or otherwise, represent the views or opinions of any business, corporation, or entity that OSIT Solutions or its affiliates may be associated with.