Password Managers

What is a password manager, and why should I use one?

Best practices state that you should use a strong, unique password for each of your online accounts, but as more of daily life moves online, it can be hard to manage all of those accounts. Password managers can help you generate, store, audit and manage long, complex passwords for each of your accounts. The only way to access your password vault is by using one strong master password, which greatly reduces the amount of information you need to remember and protect.

Most password managers can encrypt the stored information in a “Vault”, which makes them a much safer alternative to writing down passwords on Post-It notes or typing them up in a Microsoft Excel spreadsheet.

What benefits can password managers provide?

  • Password managers can sync your vault to various devices, making it convenient to log in from a mobile device or workstation.
  • Zero-knowledge architecture: vaults are decrypted on the client rather than in the provider's cloud infrastructure, and your password is never sent to their infrastructure.
  • Password generators to help you create strong, secure passwords or passphrases.
  • Password checkers within the manager can determine if your password has been exposed.
  • Built-in CAPTCHA features on web service portals to prevent brute-force attempts.
  • Multi-factor Authentication to prevent unauthorized login attempts.

Bitwarden price tiers

The recommendations below should not be seen as an endorsement by the University of Hawaiʻi:

Password Manager Security

When considering a password manager, you should evaluate several factors, including whether the service is free or a paid subscription, the level of encryption offered, cross-platform support (for mobile and desktop), and the availability of Multi-factor Authentication. Price versus capabilities is an important consideration.

Keep in mind that not all password managers are equally secure. Avoid using password managers from unverified publishers and untrustworthy sources. Also, be cautious about the browser extensions you install, as compromised extensions can leak your passwords. How you use your password manager determines its safety.

Tips for Keeping Your Password Manager Secure:

Is your master password in the green?

  • Strong Master Password: Your master password should be difficult to guess, with over 12 characters, a combination of letters, numbers, and symbols, and no common words or phrases. Refer to the chart above for an idea of the required complexity. A strong master password in the green zone will be hard to “brute force” if your password manager vault is stolen.
  • Enroll in MFA: Multi-factor authentication on your password manager will prevent unauthorized logins from accessing your vault. Change your password immediately if you receive an MFA prompt that you did not initiate.
  • Caution when installing Third-Party Browser Extensions and Applications: Unverified or compromised applications and extensions can leak your passwords. Use caution when reviewing emails with attachments or untrusted links as they can install malware or capture your credentials.
  • Use haveibeenpwned.com: This website lists compromised passwords, allowing you to monitor the security of your accounts.
  • Regularly Update OS, Apps, and Extensions: Keeping your password manager updated ensures you have the latest security patches and bug fixes.
  • Install Anti-Virus or anti-malware software: Regularly scan for malware and new threats as they can steal passwords by installing keyloggers or remote access tools.
  • Trustworthy Vendor Reviews: Not all password manager vendors offer the same level of protection and service. Choose a vendor that provides the necessary security features and has a good track record of keeping users safe.
  • Your Security Practices: Unwanted intruders gaining physical or digital access to your devices can compromise the safety of your password manager and associated accounts. Don’t leave devices unlocked or unattended in public places!
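How a password checker inside a manager, or a lookup against the haveibeenpwned.com Pwned Passwords service, can test a password for exposure without sending the password itself, shown as an added example that is not part of the original page: only the first five characters of the password's SHA-1 hash go to the service, and the match is done locally. The sample passwords and the response body are constructed for the demonstration.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the service, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def exposure_count(password: str, range_body: str) -> int:
    """Search a range response ('SUFFIX:COUNT' per line) for our own suffix."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0  # suffix not listed: not found in the breach corpus


def fetch_range(prefix: str) -> str:
    """Live lookup (not called in the offline demo): only the prefix leaves the device."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_response(exposed: str, count: int) -> str:
    """Build a constructed range body: two filler suffixes plus the exposed one."""
    _, suffix = split_hash(exposed)
    filler = [hashlib.sha1(s.encode()).hexdigest().upper()[5:] for s in ("a", "b")]
    return "\r\n".join([f"{filler[0]}:3", f"{suffix}:{count}", f"{filler[1]}:12"])


if __name__ == "__main__":
    body = constructed_response("Password123!", 4521)  # constructed sample data
    for pw in ("Password123!", "correct horse battery staple 7#"):
        prefix, _ = split_hash(pw)
        print(f"prefix sent: {prefix}  times seen: {exposure_count(pw, body)}")
```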

What do Password Managers NOT Protect You From?

  • Malware: Password managers can be compromised by existing malware on your device or malware acquired while using the password manager. That’s why it’s important to use a firewall and keep your device’s security settings up to date.
  • Compromised Master Passwords: A password manager is only as strong as the master password used to access it. If you use a weak master password, all your securely generated, complex account passwords are at risk. Choose a master password that is both memorable and sufficiently complex.
  • A Breach at the Password Manager Provider: The recent data breach at LastPass illustrates the importance of choosing a trusted vendor. If the provider experiences a data breach, your stored passwords may be exposed.
  • Phishing and Social Engineering Attacks: Entering your login credentials on a fake website or revealing your login information to hackers and scammers can still compromise your accounts. Hackers are using Google Ads and Punycode to push malware. Be cautious about the sites you visit and the links you click, and go to the vendor's website instead of the sponsored ad.
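A way to check a link's hostname for the Punycode lookalikes mentioned above before trusting it, shown as an added example that is not part of the original page. The brand name "vault.example" and the sample URLs are constructed, and the script check is a rough heuristic based on Unicode character names.

```python
import unicodedata
from urllib.parse import urlsplit


def decode_label(label: str) -> str:
    """Decode one 'xn--' (Punycode) hostname label; return it unchanged otherwise."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed label: leave as-is


def letter_scripts(text: str) -> set:
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def review_url(url: str) -> dict:
    """Report internationalized labels and mixed-script labels in a URL's hostname."""
    host = urlsplit(url).hostname or ""
    shown, findings = [], []
    for label in host.split("."):
        decoded = decode_label(label)
        shown.append(decoded)
        if label.startswith("xn--") or not decoded.isascii():
            findings.append(("idn-label", label))
        if len(letter_scripts(decoded)) > 1:
            findings.append(("mixed-script", label))
    return {"host": host, "displayed_as": ".".join(shown), "findings": findings}


# Constructed sample: hypothetical brand "vault.example" with a Cyrillic "a" (U+0430).
LOOKALIKE = "xn--" + "v\u0430ult".encode("punycode").decode("ascii")
SAMPLES = [f"https://{LOOKALIKE}.example/login", "https://vault.example/login"]

if __name__ == "__main__":
    for url in SAMPLES:
        print(review_url(url))
```

A label flagged only as `idn-label` can be a legitimate internationalized domain; the `mixed-script` finding is the stronger sign of a lookalike.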

What should you do if your password manager is compromised?

If your password manager is compromised, take immediate action to ensure the security of your personal information and online accounts. Some password management providers keep your vault encrypted, giving you time to secure your accounts based on the strength of your master password. However, it’s advisable to change your master password and update all passwords in your vault, as any access to your vault should be considered a compromise. Additionally, any notes or credit card information stored within your password manager should also be considered compromised. It’s best practice to avoid storing such sensitive data in the manager.