Is it Safe? Keeping Your Passwords Secure
We often write about investing accounts and what’s inside them. But what about the personal information all of us use to get into those accounts—our digital passwords? Are they as safe and secure as they should be? Shouldn’t we give an hour’s attention to the keys that unlock a lifetime of saving?
I thought I had a good password system figured out. But it was something I’d created over a decade ago. And in those 10 intervening years, the rapidly-evolving digital theft industry surely has devised craftier ways to hack my passwords. I was vulnerable.
This hit me as Tableaux switched to a new firmwide password manager—something we monitor regularly to protect ourselves and our clients.
Get a Dang Password Manager
The first thing I was doing wrong was not using a password manager. Honestly, I’d known they existed and understood they could be useful. But convenience wasn’t a problem for me, and my cheap nature balked at paying for yet another monthly subscription. I wasn’t thinking of safety.
Because the real value of a password manager is the security it provides. Instead of keeping your passwords in an insecure place (written down on a piece of paper, or sitting in a plain file or note on your computer or phone), a password manager stores them in an encrypted vault that only your master password can open. Even if someone copies the vault file, they get ciphertext, not your passwords.
In its latest digital identity guidelines (NIST Special Publication 800-63B), the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) doesn't explicitly recommend using password managers, but most of NIST's guidance on password best practices is exactly what password managers provide: long, random, unique passwords that you never have to remember or retype.
Actually, a password manager does a lot of things on your behalf:
Encrypts and stores all your credentials (the username and password combination that most protected sites require) in one encrypted “vault” that's protected by a strong master password.
Automatically generates unique, random passwords for you in the long format recommended today, for every site and account that requires a password.
Automatically enters your credentials for you when you’re logging on to a site.
Makes your password vault available across all your devices, so you can log in from any device.
Also securely stores other sensitive data, including credit cards, Wi‑Fi keys, and other secure notes.
Lets you share specific logins with family or teammates without revealing the actual password.
The best password managers also will alert you to weak, reused, or breached passwords. Many can generate the one-time codes used for multi-factor authentication (where you're required to verify your identity with two or more independent forms of proof, for instance your password plus a six-digit code from an authenticator app). That is convenient, but keep one caveat in mind: if the codes live in the same vault as the password, a compromise of your master password exposes both factors at once, so for your most important accounts consider keeping the second factor on a separate device. And they'll continually sync and back up your vault in case you lose a device or need your passwords on a new one.
Passwords your password manager can’t store
You still may face situations where your password manager isn't available and you need to create and remember a password yourself. This includes the passwords or PINs that unlock your devices, and logging in offline to a smart-home hub or your home router.
It also includes your “master password:” the password to your password manager.
According to NIST, the best passwords are long, and the easiest way to make a memorable long password is a phrase of unrelated words. Such phrases are harder to crack by brute force because every added word multiplies the number of possibilities an attacker must try, while remaining far easier to remember than a short string of random characters.
Something like:
Trees ate the sharp Thoreau students
(But don’t use this yourself!)
Mixing in upper and lower-case letters, numbers, and special characters adds a little strength, but NIST's guidance is that length matters far more than character variety, and the predictable swaps in the example below (8 for “ate,” $ for “s”) are among the first things password-cracking tools try. An extra unrelated word does more for you than a symbol:
Trees 8 the sh#rp Thorea0 studen$
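To put numbers on the two claims above (that a password manager's generator picks words at random, and that an extra word beats swapping letters for symbols), here is a small added example in Python. It is not code from the original article or from any password manager. The word list is a constructed sample; the 7,776-word figure is the size of the EFF long word list that many generators use; the assumptions that a leet-style edit gives each word about four variants, and that an attacker can try a trillion guesses per second, are modelling assumptions made for this illustration.

```python
"""Added example, not from the original article: how a passphrase
generator picks words at random, and why one more word adds more
strength than leet-substituting every word in the phrase."""
import math
import secrets

# Constructed sample list. Only the size of the real list matters for
# strength; a handful of words is enough to show the picking mechanism.
SAMPLE_WORDS = [
    "trees", "ate", "the", "sharp", "thoreau", "students", "river",
    "copper", "window", "violin", "marble", "comet", "pencil", "anchor",
    "saddle", "lantern",
]
EFF_LONG_LIST_SIZE = 7776  # 6**5: one word per roll of five dice


def passphrase(n_words, words=SAMPLE_WORDS):
    """Pick n_words uniformly with the OS CSPRNG. Use secrets.choice, not
    random.choice: the random module is predictable if its state leaks."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(n_words, list_size):
    """Strength in bits of an n-word phrase drawn uniformly from a list of
    list_size words. The attacker is assumed to know the list and the
    method; the only secret is which words were chosen."""
    return n_words * math.log2(list_size)


def substitution_bits(n_words, variants_per_word):
    """Modelling assumption: leet-style edits (8 for 'ate', $ for 's') give
    each word only a few variants that cracking rules enumerate, so they add
    log2(variants) bits per word, not a whole character set's worth."""
    return n_words * math.log2(variants_per_word)


def years_to_exhaust(bits, guesses_per_second):
    """Worst case for the attacker: time to try every possibility."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(n_words=6, list_size=EFF_LONG_LIST_SIZE, variants_per_word=4,
            guesses_per_second=1e12):
    """Strength added by one more word versus by substituting characters in
    every existing word. 1e12 guesses/s is an assumed fast offline rig."""
    base = passphrase_bits(n_words, list_size)
    return {
        "base_bits": base,
        "plus_one_word_bits": passphrase_bits(n_words + 1, list_size) - base,
        "plus_substitutions_bits": substitution_bits(n_words, variants_per_word),
        "base_years_at_rate": years_to_exhaust(base, guesses_per_second),
    }


if __name__ == "__main__":
    print("sample phrase:", passphrase(6))
    for name, value in compare().items():
        print(f"{name:>26}: {value:,.1f}")
```

Six words from a 7,776-word list come to about 77.5 bits; a seventh word adds another 12.9 bits, while leet-editing all six words adds only about 12 under the four-variants assumption, and the seventh word is far easier to remember than six edits.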
Storing Your Master Password
You can certainly memorize your master password, and you should, but you may rarely need to type it. Many password managers include a “biometric unlock” (where your device recognizes your fingerprint or face), so day to day you hardly ever enter the master password. Biometric unlock is a convenience layered on top of the master password, not a replacement for it: you will still be asked for the password after a restart, after an update, or when setting up a new device.
Still, your master password should be recorded somewhere in case you forget it, or in case you're not around or able to provide it. Unlike an ordinary account password, most managers cannot reset it for you: the vault is encrypted with a key derived from the master password, so if the password is lost, the vault is lost with it.
The solution is a bit old-fashioned: Write the password down, with nothing on the page identifying it as a password in case it gets into the wrong hands, and keep it in a secure place. That could be a home safe, a safe deposit box, or a similar location. If your manager offers a printable emergency kit, recovery code, or emergency-access contact, set that up too and store the printout the same way. Tell your spouse, partner, trusted friend or family member, or executor where it is, but don't tell them the password.
Which password manager?
We can’t recommend a specific password manager, mainly because their features and costs vary and the best fit for you will depend on your situation.
Instead, here are the latest evaluations and ratings of password managers by a few reputable free resources: