Password managers are stupid
Yeah, all password managers are stupid, and yet lots of unwise people use them! So, if you are one of those people, read this article to the end and I guarantee that you'll change your mind.

1. Online password managers

We live in an era in which we've got lots of web accounts. Think Facebook, Twitter, web-based email, and the like. So, it makes sense to store the user/password pairs somewhere safe and have them filled into the appropriate fields whenever we need them, right? Because, let's face it, using the same password for all your accounts is plain STUPID.

But let's try to put a cybercriminal's hat on for a few moments. If you adopt his mindset, would you try to attack and steal data from online giants like Facebook, Twitter or Gmail, which have impressive security teams, or would you attack an online password manager service instead, and thus get access to millions of passwords for lots of different accounts, including banking accounts, without having to go through a lot of trouble?

Whenever you entrust your private, precious information to a third party, you risk losing your reputation, your data and your money. So, be smart and avoid using online password managers like the plague. On a side note, don't ever entrust your precious data to a cloud-based service – it's not safe to do so.

2. Offline password managers

These password managers are slightly better. I would never use them to store user/password information for important accounts, though. Here's why.

First of all, they don't work properly across all browsers. And even when they do, they don't work for all websites, failing to detect the proper username/password fields, especially if a site gets updated AFTER you've saved the account data for it.

The biggest drawback by far, though, is the fact that you're relying on a single "master" password. So, if you lose access to it, or if a hacker discovers it, all your account data is either lost or compromised. The same thing will happen if the hacker manages to download the password database and then uses a brute-force attack to break into it, or if he manages to plant a keylogger on your system, which will record the master password and then email it to him.

So, what should you do to keep your accounts safe? Use a different password for each account and store them offline, in a plain paper notebook. Yeah, type in each password manually if you want security. I understand that you don't want to do that for an obscure social media site, but you should definitely do it for your banking accounts, PayPal accounts, Bitcoin accounts, and so on.

Let me show you how to create and store a "master" password which allows anyone to remember complex passwords for dozens of different accounts. Begin by thinking of a complex phrase, and then turn it into a password. Be sure to pick a phrase that includes names, numbers and special characters.

Here's an example: "Did you like the 47 roses that I have sent Jenny for her birthday?" can be turned into this password: "Dylt47rtIhsJfhb?". This 16-character password looks good enough as it is, but we will make it even better by appending the first few letters of the name of the site that we're accessing. So, you should use "Dylt47rtIhsJfhb?Fa" when you log into Facebook, "Dylt47rtIhsJfhb?Tw" when you log into Twitter, and so on.
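The following script is an added example, not part of the original article, that implements the phrase-to-password rule exactly as the example above uses it and checks the result against the author's own stated requirements (names, numbers and special characters). The two rules it assumes from the worked example are that whole numbers are kept as-is and that punctuation attached to a word ("birthday?") survives; the two-letter site suffix is taken from the first two letters of the site name, capitalised as in "Fa" and "Tw".

```python
import re
import string


def phrase_to_password(phrase: str) -> str:
    """Collapse a memorable phrase into a password the way the article does:
    first letter of each word, numbers kept whole, attached punctuation kept.
    (Assumed rules, inferred from the article's single worked example.)"""
    parts = []
    for token in phrase.split():
        # Split "birthday?" into core "birthday" and trailing punctuation "?"
        match = re.fullmatch(r"(.*?)([^A-Za-z0-9]*)", token)
        core, punct = match.group(1), match.group(2)
        if core.isdigit():
            parts.append(core)      # "47" stays "47"
        elif core:
            parts.append(core[0])   # "Did" -> "D", "Jenny" -> "J"
        parts.append(punct)
    return "".join(parts)


def site_password(phrase: str, site: str) -> str:
    """Append the site-specific suffix: first two letters of the site name."""
    return phrase_to_password(phrase) + site[:2].capitalize()


def meets_article_rules(password: str) -> bool:
    """True if the password mixes upper case, lower case, digits and
    special characters, which is what the article asks the phrase to supply."""
    return (
        any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


if __name__ == "__main__":
    # The article's own phrase, used here as the sample input
    phrase = "Did you like the 47 roses that I have sent Jenny for her birthday?"
    base = phrase_to_password(phrase)
    print(base, len(base), meets_article_rules(base))
    for site in ("Facebook", "Twitter"):
        print(site, "->", site_password(phrase, site))
```

One thing the script makes visible is that every derived password shares the same 16-character root and differs only in a two-letter, predictable suffix, so the per-site variants are not independent of one another in the way that unrelated passwords written in a notebook are.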

To increase password security even further, be sure to use MFA (multi-factor authentication). Don't choose SMS-based 2FA (two-factor authentication), though, because hackers may be able to intercept the SMS codes if your phone is infected with their malware.