Password Managers
Essential for Managing Your Passwords
You Need a Password Manager | Browsers Vulnerable
Bitwarden recommended | Password Safe | Reviews
LastPass No Longer Recommended
Following the 2022 LastPass breach I no longer recommend LastPass.
See your options if you are using LastPass. Bitwarden recommended
You Need a Password Manager
We simply have far too many passwords to manage them without a password manager. No one can remember all their passwords.
Humans simply have too much difficulty creating and remembering long, strong and unique passwords.
Password managers associate usernames and passwords with specific web pages.This makes it hard for password managers to betray you to bogus websites by mistake, because they can't put in anything for you automatically if they're faced with a website they've never seen before.
— Naked Security
Don't Let Your Browser Store Passwords
While all modern web browsers have built-in password managers, all are vulnerable to being hacked.
Experts tell us that relying on Google Chrome (or any browser) to manage your online passwords is a seriously bad idea.
— PCMag
If you currently use or have used browsers to save your passwords, you may have noticed that you don't frequently need to log back into your browser. Although this can seem as being convenient, it also poses a major security concern.
— Keeper
Chrome Especially Vulnerable
There are serious security deficiences in browser password managers — any browser, but particularly Google Chrome.
Zero-knowledge encryption is the reason dedicated password managers can keep your data safe without ever having access to your master password. "Google's password manager doesn't use zero-knowledge encryption," stated Lurey. "In essence, Google can see everything you save. They have an 'optional' feature to enable on-device encryption of passwords, but even when enabled, the key to decrypt the information is stored on the device."
— PCMag
- Don't let Google manage your passwords.
- Are Browser Password Managers Safe?
- Why you shouldn't store passwords in a browser.
- Why you shouldn't use your web browser's password manager.
Computer or Mobile?
Most current password managers recognize that people want to access their passwords on multiple devices which usually includes both computers and mobile devices.
Some password managers require you to purchase their premium plan to obtain access on both. Others work on only one device.
Providing cross-platform and multi-device access means that your data is going to be stored in the cloud which complicates security.
Configure It Carefully
Whichever password manager you choose, take care in setting it up and choosing the master password.
- You can only set up one account using any particular email address.
- Recovery is difficult (if you could easily recover it, so could anyone else).
- Ensure your master password is very long and strong.
- You only need to remember this one password, so make it a good one.
Choosing a Master Password
Provided that your password is decent (at least 15 characters) and the number of PBKDF2 iterations (a salting of the hashed password) is very high, then the likelihood of your data being decrypted by brute-force is relatively small.
You should NEVER reuse any password but especially not your password manager's master password.
See Passwords: Your Electronic Signature for more information about creating and remembering strong passwords.
Moving to a New Password Manager
There can be many reasons that you wish to move to another password manager.
Password Breaches
If you're using LastPass, I recommend moving to another password manager, especially if your master password was weak.
Norton LifeLock also suffered a recent breach of up to 925,000 accounts.
Cybercriminals are increasingly targeting password manager companies because they hold the sensitive data that can be used to access millions of accounts, including cloud accounts where business-critical systems and digital assets are hosted.In this highly competitive landscape, cybersecurity practices, transparency, breaches and data exfiltration can influence the future of these password manager companies.
— Tech Republic
Exporting & Importing Passwords
All password managers have some method of exporting and importing passwords.
- How to switch to a new password manager.
- Moving your passwords from LastPass.
- How to move between password managers.
CRA and Password Managers
While password managers work for most sites, one of the most glaring exceptions is the Canada Revenue Agency (CRA) site. Their people will tell you NOT to use a password manager (i.e., you must manually enter your username and password).
Investigating this issue, I discovered that the data in the location bar (or address bar) on my browser was 2005 characters. Unbelievable.
Not only is the CRA one of the most sensitive sites you can visit (it contains access to all your tax files including some of your most sensitive personal information) but the agency should have the expertise to manage decent security.
Browser Password Managers Vulnerable
While web browsers have built-in password managers, all are vulnerable to being hacked.
Unscrupulous websites can use malicious scripts and hidden login fields to track and gather information from your browser's password manager.
- Don't let Google manage your passwords.
- Why you shouldn't store passwords in a browser
- Why you shouldn't use your web browser's password manager.
Bitwarden
I strongly recommend Bitwarden for your password manager. Not only does it provide a great free version, but the cost of upgrading to premium is relatively inexpensive compared to other commercial password managers.
Bitwarden has and always will be a free and open source product. One of our goals since the beginning has been to create a free password manager that is not crippled by "free trials" and truly offer a quality product at no cost. This goal remains at the top of our priorities.
Note: Bitwarden is my recommended replacement for LastPass.
Free
You get a Bitwarden vault with:
- Unlimited passwords.
- Unlimited devices.
- All the core functions.
- Share vault items with one other user.
- Always free.
Premium
Add premium features for only US$10/year:
- Advanced 2FA.
- Emergency access.
- Bitwarden Authenticator.
- Security reports and more.
- Share vault items with one other user.
Families
Up to 6 users for only US$40/year:
- 6 premium accounts.
- Unlimited family sharing.
- Unlimited collections.
- Organizational storage.
- Share premium features and vault items with six people.
Bitwarden also offers business plans.
Bitwarden Emergency Access
Bitwarden Premium emergency access allows users to designate and manage trusted emergency contacts, who can request access to their vault in cases of emergency.
Only premium users, including members of paid organizations (Families, Teams, or Enterprise) can designate trusted emergency contacts, however anyone with a Bitwarden account can be designated as a trusted emergency contact.Setting up emergency access is a 3-step process in which you must Invite a user to become a trusted emergency contact, they must Accept the invitation, and finally you must Confirm their acceptance.
— Bitwarden
See Bitwarden's “Emergency Access” page for the details.
Downloads & Learning More
Download options include
- Windows, macOS or Linux;
- browser extensions for most browsers;
- iOS and Android; and
- online.
Getting Started
There is documentation on the Bitwarden Help pages. Look for the menu on the left and click on the help item you want.
- Create your Bitwarden account.
- Get started with the web vault.
- Get started with browser extensions.
- Get started with desktop apps.
- Import data to your vault.
I strongly recommend that you disable the login website icons because of the privacy risk.
Getting Help
- Getting started as a user video series.
- Help
- Bitwarden Learning
Resources
Tools
Other Tools & Help
Password Safe: Offline Alternative
Realize that ANY cloud-based password manager (or service) is subject to the same vulnerabilities: world-wide access to online servers.
The alternative is a secure password manager which resides only on ONE computer.
If that is your choice, I recommend Password Safe.
Password Safe is open source and free (no license requirements, shareware fees).
Password Safe protects passwords with the Twofish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Twofish algorithm.
