Russ Harvey Consulting - Computer and Internet Services

Password Managers

Essential for Managing Your Passwords

LastPass No Longer Recommended

Following the 2022 LastPass breach I no longer recommend LastPass.
See your options if you are using LastPass; Bitwarden is recommended instead.

You Need a Password Manager

We simply have far too many passwords to manage them without a password manager. No one can remember all their passwords.

Humans simply have too much difficulty creating and remembering long, strong and unique passwords.

Password managers associate usernames and passwords with specific web pages.

This makes it hard for password managers to betray you to bogus websites by mistake, because they can't put in anything for you automatically if they're faced with a website they've never seen before.
Naked Security
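The site-matching behaviour the quotation describes, written out as an added example (hypothetical code, not Bitwarden's or any vendor's algorithm): a saved entry is only offered when the current page is an https page on the saved host or one of its subdomains, so a lookalike address that merely contains the real name gets nothing. The vault contents are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample vault keyed by the URL each login was saved on
# (hypothetical layout, not a real password manager's storage format).
VAULT = {
    "https://accounts.example.com/login": ("alice", "correct horse battery staple"),
    "https://bank.example.net/": ("alice", "tr0ub4dor&3"),
}

def _scheme_and_host(url: str) -> tuple[str, str]:
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()

def matches_saved_site(saved_url: str, current_url: str) -> bool:
    """Decide whether a saved entry may be offered on the page being visited.

    Deliberately strict policy (an assumption for this example):
      * only https pages receive credentials, never a plain http downgrade;
      * the current host must equal the saved host or be a subdomain of it
        ("login.bank.example.net" matches "bank.example.net");
      * "accounts.example.com.evil.test" or "accounts-example.com" do not
        match, because the saved host is not their suffix;
      * a punycode (IDN) host is refused when the saved host is plain ASCII,
        which blocks homograph lookalikes.
    """
    saved_scheme, saved_host = _scheme_and_host(saved_url)
    cur_scheme, cur_host = _scheme_and_host(current_url)
    if cur_scheme != "https" or not saved_host or not cur_host:
        return False
    if "xn--" in cur_host and "xn--" not in saved_host:
        return False
    return cur_host == saved_host or cur_host.endswith("." + saved_host)

def credentials_for(current_url: str, vault=VAULT):
    """Return the (username, password) that would be autofilled, or None
    when the page is one the vault has never seen."""
    for saved_url, creds in vault.items():
        if matches_saved_site(saved_url, current_url):
            return creds
    return None
```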

Don't Let Your Browser Store Passwords

While all modern web browsers have built-in password managers, all are vulnerable to being hacked.

Experts tell us that relying on Google Chrome (or any browser) to manage your online passwords is a seriously bad idea.
PCMag
If you currently use or have used browsers to save your passwords, you may have noticed that you don't frequently need to log back into your browser. Although this can seem convenient, it also poses a major security concern.
Keeper

Chrome Especially Vulnerable

There are serious security deficiencies in browser password managers — any browser, but particularly Google Chrome.

Zero-knowledge encryption is the reason dedicated password managers can keep your data safe without ever having access to your master password. "Google's password manager doesn't use zero-knowledge encryption," stated Lurey. "In essence, Google can see everything you save. They have an 'optional' feature to enable on-device encryption of passwords, but even when enabled, the key to decrypt the information is stored on the device."
PCMag

Computer or Mobile?

Most current password managers recognize that people want to access their passwords on multiple devices, which usually include both computers and mobile devices.

Some password managers require you to purchase their premium plan to obtain access on both. Others work on only one device.

Providing cross-platform and multi-device access means that your data is going to be stored in the cloud, which complicates security.

Configure It Carefully

Whichever password manager you choose, take care in setting it up and choosing the master password.

  • You can only set up one account using any particular email address.
  • Recovery is difficult (if you could easily recover it, so could anyone else).
  • Ensure your master password is very long and strong.
  • You only need to remember this one password, so make it a good one.

Choosing a Master Password

Provided that your password is decent (at least 15 characters) and the number of PBKDF2 iterations (how many times the master password is run through the hash function before it becomes the key to your vault, which makes every guess slower) is very high, then the likelihood of your data being decrypted by brute-force is relatively small.
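To show why both halves of that sentence matter, here is an added example (not code from this page or from any password manager) that stretches a master password with PBKDF2-HMAC-SHA256 and estimates how long an exhaustive search would take; the salt, the 600,000 iteration count and the attacker's speed are constructed assumptions.

```python
import hashlib
import math
import time

# Constructed values for the demonstration; the iteration count is an
# assumption for this example, not any product's documented default.
SALT = b"user@example.test"   # constructed; real managers derive/store their own salt
ITERATIONS = 600_000

def derive_vault_key(master_password: str, salt: bytes = SALT,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.
    Every iteration is an extra HMAC round that each attacker guess must also pay for."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def time_one_guess(iterations: int, salt: bytes = SALT) -> float:
    """Seconds for one derivation on this machine, i.e. the cost of one guess."""
    start = time.perf_counter()
    derive_vault_key("constructed-password", salt, iterations)
    return time.perf_counter() - start

def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords an exhaustive search must cover."""
    return alphabet_size ** length

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength of a random password of this shape, in bits."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(length: int, alphabet_size: int, iterations: int,
                     hmac_per_second: float) -> float:
    """Worst-case time to try every password for an attacker able to compute
    `hmac_per_second` single PBKDF2 rounds per second; each guess costs
    `iterations` rounds, so the guess rate shrinks linearly with iterations."""
    guesses_per_second = hmac_per_second / iterations
    seconds = keyspace(length, alphabet_size) / guesses_per_second
    return seconds / (365 * 24 * 3600)

if __name__ == "__main__":
    # An 8-character lowercase password versus the page's 15-character minimum
    # drawn from letters and digits, against a constructed 10^10 rounds/second attacker.
    for length, alpha in ((8, 26), (15, 62)):
        print(f"{length} chars from {alpha} symbols: {entropy_bits(length, alpha):.0f} bits, "
              f"{years_to_exhaust(length, alpha, ITERATIONS, 1e10):.3g} years")
    print(f"one guess costs {time_one_guess(ITERATIONS):.3f} s on this machine")
```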

You should NEVER reuse any password but especially not your password manager's master password.

See Passwords: Your Electronic Signature for more information about creating and remembering strong passwords.

Moving to a New Password Manager

There can be many reasons that you wish to move to another password manager.

Password Breaches

If you're using LastPass, I recommend moving to another password manager, especially if your master password was weak.

Norton LifeLock also suffered a recent breach of up to 925,000 accounts.

Cybercriminals are increasingly targeting password manager companies because they hold the sensitive data that can be used to access millions of accounts, including cloud accounts where business-critical systems and digital assets are hosted.

In this highly competitive landscape, cybersecurity practices, transparency, breaches and data exfiltration can influence the future of these password manager companies.
Tech Republic

Exporting & Importing Passwords

All password managers have some method of exporting and importing passwords.

CRA and Password Managers

While password managers work for most sites, one of the most glaring exceptions is the Canada Revenue Agency (CRA) site. Their people will tell you NOT to use a password manager (i.e., you must manually enter your username and password).

Investigating this issue, I discovered that the data in the location bar (or address bar) on my browser was 2005 characters. Unbelievable.

Not only is the CRA one of the most sensitive sites you can visit (it contains access to all your tax files including some of your most sensitive personal information) but the agency should have the expertise to manage decent security.

Browser Password Managers Vulnerable

While web browsers have built-in password managers, all are vulnerable to being hacked.

Unscrupulous websites can use malicious scripts and hidden login fields to track and gather information from your browser's password manager.

Bitwarden

I strongly recommend Bitwarden for your password manager. Not only does it provide a great free version, but the cost of upgrading to premium is relatively inexpensive compared to other commercial password managers.

Bitwarden has and always will be a free and open source product. One of our goals since the beginning has been to create a free password manager that is not crippled by "free trials" and truly offer a quality product at no cost. This goal remains at the top of our priorities.

Note: Bitwarden is my recommended replacement for LastPass.

Free

You get a Bitwarden vault with:

  • Unlimited passwords.
  • Unlimited devices.
  • All the core functions.
  • Share vault items with one other user.
  • Always free.

Premium

Add premium features for only US$10/year:

  • Advanced 2FA.
  • Emergency access.
  • Bitwarden Authenticator.
  • Security reports and more.
  • Share vault items with one other user.

Families

Up to 6 users for only US$40/year:

  • 6 premium accounts.
  • Unlimited family sharing.
  • Unlimited collections.
  • Organizational storage.
  • Share premium features and vault items with six people.

Bitwarden also offers business plans.

Bitwarden Emergency Access

Bitwarden Premium emergency access allows users to designate and manage trusted emergency contacts, who can request access to their vault in cases of emergency.

Only premium users, including members of paid organizations (Families, Teams, or Enterprise) can designate trusted emergency contacts, however anyone with a Bitwarden account can be designated as a trusted emergency contact.

Setting up emergency access is a 3-step process in which you must Invite a user to become a trusted emergency contact, they must Accept the invitation, and finally you must Confirm their acceptance.
Bitwarden

See Bitwarden's “Emergency Access” page for the details.

Downloads & Learning More

Download options include:

  • Windows, macOS or Linux;
  • browser extensions for most browsers;
  • iOS and Android; and
  • online.

Getting Started

There is documentation on the Bitwarden Help pages. Look for the menu on the left and click on the help item you want.

I strongly recommend that you disable the login website icons because of the privacy risk.

Password Safe: Offline Alternative

Realize that ANY cloud-based password manager (or service) is subject to the same vulnerabilities: world-wide access to online servers.

The alternative is a secure password manager which resides only on ONE computer.

If that is your choice, I recommend Password Safe.

Password Safe is open source and free (no license requirements or shareware fees).

Password Safe protects passwords with the Twofish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Twofish algorithm.

Reviews

I've provided my recommendation of Bitwarden, but you might like to do more research.

That is a good idea if you aren't completely convinced that Bitwarden is for you.

About Reviews

Realize that, as with all software reviews, products change over time. Depending upon when the review takes place, you may find one product favoured over another.

Are You Using LastPass?

Steve Gibson's initial support of LastPass was one of the main reasons I felt I could recommend LastPass.

He's now moving to Bitwarden as are most of the security folks I follow.

Learn more about the LastPass security breach.

Updated: September 11, 2023