Start With a Password Manager

From Security for Everyone, edition 1.0.0. Updated October 9, 2023.

As a business owner, you will have more than a few critical passwords—and even with the best memory in the world, you will struggle to maintain them. That’s where password managers come in.

A password manager is a tool that provides one central place to safely store and manage your passwords so they can all be unique and strong—that is, long and complex enough they are very difficult or impossible for attackers to guess.

Confusion: “But wait, how is storing all your passwords in one place safe?” I hear you say. Yes, it seems counterintuitive, but it is safer. Consider the alternatives: a password-generating formula you thought up (service name + year + a $, & or number), or reusing the same two or three passwords across all your systems. These methods have proven unsafe, and you need a method that works for how you operate and the important accounts you need to protect. Given that attacks against accounts can be automated and run against many accounts at once, a password manager is your best defense against them.

Important: It is important to pick the right password manager and set it up right, because that one tool will hold your whole digital world in one database, including the password to your email.

Password Manager Options

Password managers can operate a few different ways:

  • Cloud-based managers. Managers such as 1Password or Bitwarden store passwords in the cloud, so you can use them from any device.

  • Browser-based password storage systems. Like those provided by Chrome or Firefox, these systems are conveniently integrated within your browser, and may also store the passwords in the cloud so they are synced between devices.

  • Self-hosted password managers. These managers store passwords on your own devices, which involves syncing your devices yourself. Bitwarden also provides this capability.

Each of these has its pros and cons. Whichever one you pick, it should be the one you are most comfortable using and that works for you (not just the one your security expert pals say you have to use). The tools I use as a security professional differ from what I expect a business owner to use, and differ again from what I get my parents to use. Brand names I mention here may come and go, but I’ll list the features you need so you can make your own decisions based on what’s available.

Picking a Password Manager

As an individual or a business owner, let’s assume that you need to be able to:

  • access passwords on the go (mobile) and while working remotely

  • share passwords from time to time when a service doesn’t allow unique usernames and passwords for each person

  • set and update passwords seamlessly

With that in mind, you’ll want a password manager that has the following security features:

  • locked by default when starting up

  • require a master password or other form of authentication (like your device password) to unlock it

  • lock again after a reasonable period of time

  • the ability to set up two-factor authentication for unlocking your manager, and also for the accounts stored inside (more on this topic in Protecting Your Email Account)

  • up-to-date encryption to keep the contents safe

The science of encryption is complex, but when looking for features in password managers it boils down to two things: an encryption algorithm that experts say is strong, and salted hashes.

At the time of writing, an accepted standard for encryption is the 256-bit Advanced Encryption Standard (AES-256); however, this can change. It doesn’t hurt to do a quick internet search for “what is the current strongest encryption to use,” and then compare that with what your tool of choice says it uses. If you want a trusted source of information, you can check the website of your country’s computer emergency response team (CERT), such as US-CERT for the US or CERT NZ for New Zealand.

Using salted hashes, also called salting, means adding a random string (the salt) to each password before it is hashed and stored. Salting provides an extra layer of protection: because every stored password gets its own random salt, an attacker cannot reverse stored hashes with a precomputed list of common passwords, and two people who chose the same password do not end up with the same stored value.
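To make the salting idea concrete, here is an added example (written for this page, not code from the book or from any password manager) showing the difference between an unsalted hash, which a precomputed table reverses instantly, and a salted, iterated hash, which the same table cannot match. It uses Python's standard library only; the four-entry word list, the iteration count and the stored-record layout are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed, deliberately tiny "common password" list standing in for the
# word lists that precomputed tables are built from; real lists are enormous.
COMMON_PASSWORDS = ["password", "letmein", "Summer2023!", "qwerty123"]

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def unsalted_hash(password: str) -> str:
    """Plain SHA-256, the scheme salting replaces: same input gives the same output, always."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256).

    The salt is random per stored password, so two users with the same
    password get different hashes, and the iterations slow down guessing.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_password(password: str) -> dict:
    """What a well-designed store keeps: the random salt and the salted hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = salted_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def reverse_unsalted_with_table(stored_hash: str) -> Optional[str]:
    """Why unsalted hashes are weak: a table built once from the common list
    reverses any unsalted hash of a password in that list."""
    table = {unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return table.get(stored_hash)


def salted_lookup_fails(password: str) -> bool:
    """With a salt, the table built without the salt matches nothing, and two
    stores of the very same password do not even look alike."""
    rec1 = store_password(password)
    rec2 = store_password(password)
    table = {unsalted_hash(p) for p in COMMON_PASSWORDS}
    return rec1["hash"] != rec2["hash"] and rec1["hash"].hex() not in table


if __name__ == "__main__":
    print("unsalted 'letmein' reversed:", reverse_unsalted_with_table(unsalted_hash("letmein")))
    print("salted 'letmein' reversed by the same table:", not salted_lookup_fails("letmein"))
```

The point to take from the demonstration is that the salt is not secret; it is stored beside the hash. Its job is only to make every stored value unique, which is enough to defeat tables built in advance. Password managers apply the same idea when they turn your master password into the key that encrypts the vault.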

Setting a Master Password

Lastly, you need to set a master password—a password used to unlock your password manager. This will either be one you set yourself, or it might rely on your computer login password if you are using a browser-based manager.

Your master password should at minimum:

  • be over 16 characters long

  • be unique and only used as your master password

  • not use any personal or easy-to-guess information.

Confusion: Don’t pick a complex, randomly generated passphrase, because you will have to type it every day. A line from a book, a string of four to five random words, or a phrase that strikes a balance between silly and memorable are all good options. (You will also need to set up two-factor authentication to access your password manager, which we will cover in the next section.)
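As an added example (not from the book), the following Python generates the kind of four-to-five-random-word master passphrase recommended above, estimates how much guessing work it represents, and checks a candidate against the three minimum rules listed. The sixteen-word list is constructed for readability; a real generator would draw from a published list of thousands of words, and the entropy figure scales with that list size.

```python
import math
import secrets

# Constructed word list. A real generator would use a published list such as a
# diceware-style list of several thousand words; sixteen keeps the example short.
WORDS = ["anchor", "biscuit", "cactus", "dolphin", "ember", "falcon", "glacier",
         "harbor", "iguana", "jigsaw", "kettle", "lantern", "meadow", "nutmeg",
         "orchid", "pumpkin"]


def generate_passphrase(word_count: int = 5, words: list = WORDS) -> str:
    """Pick words with secrets.choice (a cryptographic RNG), never random.choice."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Guessing difficulty if every word is chosen uniformly: log2(list_size ** word_count)."""
    return word_count * math.log2(list_size)


def check_master_password(candidate: str, other_passwords: set, personal_terms: set) -> list:
    """Return the rules from this section that the candidate fails (empty list means it passes).

    other_passwords: passwords already used elsewhere (uniqueness rule).
    personal_terms:  names, dates, pets and similar easy-to-guess details.
    """
    problems = []
    if len(candidate) <= 16:
        problems.append("must be over 16 characters long")
    if candidate in other_passwords:
        problems.append("must be unique, not reused from another account")
    lowered = candidate.lower()
    if any(term.lower() in lowered for term in personal_terms if term):
        problems.append("must not contain personal or easy-to-guess information")
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase(5)
    print(phrase)
    print("entropy from this tiny list:", passphrase_entropy_bits(5, len(WORDS)), "bits")
    print("entropy from a 7,776-word list:", round(passphrase_entropy_bits(5, 7776), 1), "bits")
    print("problems:", check_master_password(phrase, set(), {"Fluffy", "1987"}))
```

Note that the generator is only as random as its source: `secrets` is the right module for this job, while `random` is designed for simulations and must not be used to create secrets. The checker encodes the section's minimum rules only; a passphrase that passes them still needs two-factor authentication in front of it, as covered in the next section.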

What Password Managers I Use

The context of how I work is slightly more advanced, since I have access to a lot of sensitive client data, in addition to the sensitive data for my business. I have a complex system with three password managers:

  1. I use 1Password for all my work accounts. It is cloud-based, so I can access it from my phone, laptop, and anywhere I need to be. It also lets me set up my team so they can keep their accounts safe and we can share the passwords we need to share (like social media).

  2. I use Bitwarden for all my personal accounts. It is also cloud-based, but a different brand tool than my work one. I have changed jobs a few times, so going through and removing old work accounts got tedious. It also allows me to spread the risk out so if one password manager was accessed (due to some very, very unlikely incident), my work passwords would be safe. There are now a few good cloud options to pick from.

  3. I use KeePass for my high-value accounts I don’t access often, like my cryptocurrency wallets. I never have to access these on the go, so I keep this on a local password manager on a device I have stored away at home. There are of course risks in this choice too, if the device is lost or damaged, but like all security strategies, the aim is to understand and plan for those risks rather than avoid them.

Here are pro and con lists from my own password manager research:

Figure: A comparison of two popular password managers, one cloud-based and one local. There are plenty of other password managers besides these two, but this gives an example of pros and cons to consider.

While I have a complex system, you might find a simplified version of this would work for you.

Protecting Your Email Account

Now that you have a safe place to store your new secrets, we can work on protecting your email. As mentioned before, your email acts like a skeleton key for a large part of your online identity—people you communicate with associate your email with trust, and your email is also a key factor involved in logging into other accounts and receiving password resets. With access to just your email, an attacker can unlock access to more information and accounts.

To protect your email you will have to take these steps:

  1. Reset your password and store it in your password manager.
