How to manage your passwords securely
- Posted on May 11, 2023, by Sébastien
- Updated on July 3, 2023, to mention Proton Pass
- Updated on December 14, 2023 to mention Bitwarden's European servers
- Use a different password for each website / service
- Use hard-to-guess passwords
- Do not share your passwords with anyone
Use unique passwords
Do not re-use the same password for multiple websites, services, or devices.
If you do, an attacker who manages to steal your password in one place would also gain access to your other accounts.
Of course, memorizing dozens of secure passwords is quite a challenge, and writing them all on paper is a terrible idea:
- What happens if someone finds your password list?
- What happens if you lose it? Do you have backups?
Use a password manager
Instead, I highly recommend using a password manager.
Password managers are specifically designed to store passwords securely.
Use hard-to-guess passwords
Password cracking is heavily automated these days, which means you need to choose passwords which are difficult to guess, not only for a human attacker, but also for a program able to make thousands of attempts per second (or even millions).
Unfortunately, humans are pretty bad at generating randomness.
A character sequence chosen by a person is generally much more predictable than a character sequence generated by a secure randomness source.
Therefore, I strongly advise you to let your password manager generate all of your passwords.
Aim for at least 20 characters, including upper-case letters, lower-case letters, digits and symbols.
You won't need to memorize them anyway 😉
Mathematically speaking, a fully random password consisting of 21 characters including upper-case letters, lower-case letters, digits and symbols, will have an entropy of approximately 128 bits, which is as much as some encryption keys still in use today.
Pros and cons of password managers
- No need to memorize dozens of unique passwords
- Ability to generate strong passwords
- Password managers are high-profile targets for hackers. Make sure you choose a secure one!
- If you lose access to your password manager, you lose access to your passwords.
➡️ Be careful not to forget your master password.
➡️ Ensure you can access your password manager offline. Keep a backup copy.
Overall, the benefits of using a password manager outweigh the risks.
How to create a strong password
Even though the objective is to drastically reduce the number of passwords you need to memorize, you'll still need to remember a few:
- The master password of your password manager,
- Your computer's password (as you cannot use a password manager on the login screen),
- Some people also prefer to know the password of their email account, as you can use it to reset your other passwords (using the "forgot password" feature from most websites).
Here's a technique you can use to create an easy-to-remember, but hard-to-guess password:
- Think of a (fairly long) sentence, and take the first letter of each word,
- Also include digits and symbols,
- Aim for at least 20 characters. 15 should be the very minimum.
Use several sentences if necessary. It's even better if they're unrelated.
I like bananas! Also, the distance between the Sun and the Earth is 150 million kilometers.
Avoid building your password from a single famous quote, as that would increase it's predictability.
Recommended password manager: Bitwarden
My favorite password manager is currently Bitwarden.
It has numerous advantages:
- Open Source
- Very affordable (can be used for free)
All data you submit to Bitwarden is fully encrypted using AES-256 before it leaves your device, ensuring that neither the company, nor any potential attacker, can read it.
Some competing password managers don't go to such lengths, and only encrypt passwords, leaving website URLs unencrypted – which isn't a good thing, privacy-wise.
Because the encryption key is derived from your master password, you must not ever forget it, or you won't be able to recover your data.
Bitwarden has been audited for security multiple times by independent companies.
The code is Open Source, which is a good thing, when it comes to security.
This is an application of Kerckhoffs's principle – which dates back to the 19th century:
A cryptosystem should be secure, even if everything about the system, except the key, is public knowledge.
It's basically the opposite of the "security through obscurity" strategy, which in itself cannot guarantee the security of a system.
Ease of use
Bitwarden is available on all platforms: there are apps for Windows, macOS, Linux, Android, iOS, as well as browser extensions, and a Web vault:
Your passwords automatically get synchronized between all of your devices.
All versions – except the web vault – can be used offline.
You can import your passwords from other password managers.
Even though sharing passwords is generally frowned upon, some of them are inherently shared between a few people, such as Wi-Fi passwords.
It turns out Bitwarden has a secure sharing feature.
You can either send a secure link to anyone (the recipient does not need a Bitwarden account), or share passwords between Bitwarden accounts.
The free version allows sharing items with one other Bitwarden user, while "Families" and "Business" plans offer more advanced sharing features.
Anyone with a paid account can also share files, in addition to passwords or text.
Alternatively, if you ever need to send passwords / text data to someone, you can use the free "kPaste" service from Infomaniak (a Swiss hosting company), without any registration:
It's also end-to-end encrypted, and Open Source.
Bitwarden's free plan is very generous, allowing unlimited passwords, and unlimited devices.
In fact, it should be sufficient for the vast majority of individuals.
The premium version is so cheap ($10 per year), that you can subscribe to it even if you don't need the additional features, just to support Bitwarden.
There are also family plans ($40 per year, up to 6 users), and business plans for companies, ranging from $3 to $5 per month per user.
It's hard to find drawbacks to Bitwarden.
One could argue that the USA is not most privacy-friendly country, and Bitwarden is an American company, with servers in the US.
However, end-to-end encryption guarantees that your privacy is protected.
Update: Since 2023, Bitwarden also provides servers in the European Union, in addition to the United States.
Both regions are separate, so make sure to select "bitwarden.eu" when creating your account.
Alternatively, you could also resort to self-hosting – which would allow you to choose your hosting provider/location, and avoid centralization.
That being said, I don't recommend it, unless you belong to an organization with enough knowledge and resources to set it up properly, maintain your installation, and keep it secure.
Finally, some people might prefer the user interface (UI) of other password managers – although it's entirely subjective – or be interested in some niche features that Bitwarden doesn't offer.
Other secure password managers
The following password managers are also acceptable:
- Proton Pass
The UI and features are good.
It's not Open Source, though, and there's no free plan.
The paid plan starts at $2.99 per month (billed annually) for individuals.
Again, the interface and features are fine.
It's not Open Source either, and the free plan is limited to only 1 device.
In order to be able to use Dashlane on all of your devices, you need to opt for the “advanced” plan, at $2.75 per month (with a one-year subscription).
Proton Pass is the new kid on the block, as it launched on June 28, 2023.
It’s developed by Proton AG, which is the company behind Proton Mail, founded in 2014 by a group of scientists who met at CERN (in Switzerland).
It may be too soon to fully evaluate whether it’s on the same level as Bitwarden, 1Password or Dashlane, but it does seem quite promising:
- Fully encrypted
- Provides browser extensions (Firefox, Chrome, Edge, …) as well as mobile apps (Android and iOS)
- Has a free plan with unlimited passwords, and unlimited devices
- Open Source
- Hosted in Switzerland – a country with very strict privacy laws
On the other hand, because it’s brand new, as of early July 2023, it doesn’t have as many features as other, more established password managers – such as password sharing, for instance – and is only available in English.
Besides, while the free plan is quite generous, the paid plan is relatively pricey (more than 1Password or Dashlane – and much more than Bitwarden).
People who subscribed before the end of July 2023 will get to keep their $1 / month pricing, but the regular price is $3.99 per month with a yearly subscription.
Free and Open Source.
However, it's definitely not as user-friendly as the other options.
By default, the password database is stored 100% locally on your PC, and synchronizing it to other devices involves a bit more setup.
There are also a few variants, such as KeePassXC.
Alternatives to avoid
- The built-in password manager from your browser (especially Chrome)
LastPass is not up to par with the aforementioned password managers, security-wise.
Some data isn't encrypted, notably website URLs.
It also suffers from security issues fairly regularly.
In 2022, a serious breach resulted in attackers obtaining some user data, including billing addresses, emails, IP addresses, and vault data.
While the encrypted data (i.e. passwords) is protected by the user's master password – assuming it isn't too short or predictable – the leak of unencrypted data presents a privacy risk, and can be used to perform social engineering attacks, targeted phishing, etc.
Google Password Manager
Using your browser's built-in password manager locks you into its ecosystem, and is not as convenient as a full-fledged password manager for everything that isn't a website.
By contrast, Bitwarden, 1Password and Dashlane are also able to auto-fill password fields in mobile apps, and provide dedicated apps that do not depend on a browser.
Even more concerning: by default, Chrome encrypts your passwords using a key that is stored in your Google account, effectively giving Google access to all of your passwords…
A more secure mode of operation was introduced recently (on-device encryption), but you need to enable it manually.