Welcome to “Ask a security trainer,” the column where the digital security training team at Freedom of the Press Foundation (FPF) answers your burning questions at the intersection of journalism and security. Let’s jump right into this week’s question.
Dear DST,
I’m not sure about a password manager. I’m concerned about putting all of my passwords in one place. Isn’t putting all of my account information in one place unsafe? Don’t password managers get hacked too?
Yours truly,
Gotta Keep ’Em Separated
Dear GKES,
My colleague David Huerta answered a similar question very well in a recent training session when he said, “Using a password manager to store all your passwords is like putting them in a heavily fortified, encrypted basket.” In other words, the information you store in your password manager will be rendered illegible to anyone but you, the password manager account holder, even in the event of a data breach.
You are not alone in voicing this concern, though. These days, we hear news about data breaches on a near-constant basis. On top of that, we are living in the shadow of the 2022 security incident involving LastPass, a popular password manager, in which bad actors obtained sensitive account data including website usernames, passwords, and secure notes.
But all of the data I just listed was encrypted (you can learn more about the encryption model used by LastPass here). Even the old encryption standards LastPass implemented would take a long time to crack, and this correspondent earnestly hopes that these past two years have afforded LastPass account holders plenty of time to change their passwords and shore up their two-factor authentication methods.
Even in light of these incidents, using a password manager reduces risk to account security, while relying on your memory guarantees risk to account security. As I’m writing, my password manager holds login information for 326 accounts. Strong passwords are random, long, and unique to each account. By contrast, I am well aware of the limits of my human mind to remember all of this information.
By the way, I’ve ruled out browsers as a safe place to store my login details in case I need to share my computer with someone or turn it in for a repair. (Remembering to log out of accounts in time seems to stymie a lot of people, as I’ve witnessed from the many signed-in streaming accounts I’ve encountered during recent homestays.)
In case it seems like I’ve merely determined that password managers are the least-worst option, here’s why I am actually quite bullish on these services. At home and here at FPF, we are particularly fond of 1Password for several reasons:
- 1Password writes long, randomized passwords for me, if I want, and I can create parameters for how a password should be written.
- Its browser extension saves the URL where I’ve created an account, so 1Password will only offer those login details on that site and won’t enter them into a fraudulent look-alike site whose address doesn’t match.
- The Watchtower feature alerts me if and when any of my passwords may have been compromised. It also lets me know when my passwords could use a little more strengthening, or if the password has been reused.
- I deeply appreciate the ability to add categories and tags to each item. This has been very useful for taking notes on which type of two-factor authentication I’ve applied to each account, which has saved me time more than once.
- Being able to share passwords between colleagues and family members means I don’t need to bother anyone when I need access to a shared account (streaming services in particular).
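The URL-binding point above, as an added Python example (this is not 1Password’s own code; the vault entries and the matching rule are constructed assumptions): a saved login is offered only when the page’s scheme and host line up with the site where the account was created, so look-alike addresses and downgraded connections get nothing.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample vault: each saved login is bound to the origin
# (scheme + host) of the site where the account was created.
SAVED_LOGINS = [
    {"title": "Example Bank", "origin": "https://examplebank.com", "username": "reporter"},
    {"title": "Newsroom CMS", "origin": "https://cms.example.org", "username": "d.anderson"},
]


def origin_of(url: str) -> Optional[Tuple[str, str]]:
    """Return (scheme, host) for a web URL, or None if it is not http(s).
    urlsplit() takes the host from the authority, so a userinfo trick
    such as https://examplebank.com@evil.net/ yields host 'evil.net'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.scheme, parts.hostname.lower()


def host_matches(saved_host: str, page_host: str) -> bool:
    """True only for the saved host itself or one of its subdomains.
    Comparing whole labels, not substrings, rejects look-alikes such as
    'examplebank.com.evil.net' or 'notexamplebank.com'."""
    return page_host == saved_host or page_host.endswith("." + saved_host)


def logins_for_page(page_url: str, vault=SAVED_LOGINS) -> List[str]:
    """Titles of the saved logins a manager may offer to fill on page_url.
    An entry saved over https is never offered to a plain-http page,
    so credentials are not typed into a downgraded connection."""
    page = origin_of(page_url)
    if page is None:
        return []
    page_scheme, page_host = page
    offered = []
    for entry in vault:
        saved = origin_of(entry["origin"])
        if saved is None:
            continue
        saved_scheme, saved_host = saved
        if saved_scheme == "https" and page_scheme != "https":
            continue
        if host_matches(saved_host, page_host):
            offered.append(entry["title"])
    return offered
```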
Most importantly, I like knowing that if, unfortunately, one of my accounts is breached, my whole world won’t come crashing down with it. While I don’t love to hear that my information made it into the wrong hands, I also know I won’t need to spend a whole lot of time addressing the fallout by setting new passwords on multiple accounts.
I hope this puts your mind at ease, and I encourage you to check out our recommendations for selecting a password manager. For more information on how you can best protect the information behind your passwords, see all of our guides to account security.
Thanks again for writing,
Davis Erin Anderson