How Password Managers Work
Password managers work by storing all your passwords in a database, which is sometimes called a vault. The password manager encrypts the vault’s contents and protects it with a master password that only you know. When you need to retrieve your passwords, such as to log in to your online bank or email, you simply type your master password into your password manager to unlock the vault. In many cases, the password manager will automatically retrieve your password and securely log in for you. This makes it simple to have hundreds of unique, strong passwords, since you do not have to remember them.
Some password managers store your vault on your computer or mobile device, while others store it in the cloud. Most password managers include the ability to automatically synchronize your password vault’s contents across multiple devices that you authorize. This way, when you update a password on your laptop, those changes are synchronized to all your other devices.
When you first set up a password manager, you need to manually enter or import your logins and passwords. Afterwards, the password manager can detect when you’re attempting to register for a new online account or update the password for an existing account, automatically updating the vault accordingly. This is possible because most password managers work hand-in-hand with your web browser. This integration also allows them to automatically log you into websites.
It’s critical that the master password you use to protect the password manager’s contents is strong and very difficult for others to guess. In fact, we recommend you make your master password a passphrase, a sequence of words that is easy for you to remember (such as "walked slowly in November rain") but difficult for someone else to guess.
If your password manager supports two-step verification, we recommend using that as well for an extra layer of protection. Finally, be sure you remember your master password. If you forget it, you will not be able to access any of your other passwords.
Choosing a Password Manager
There are many password managers to choose from. When trying to find the one that’s best for you, keep the following in mind:
- Your password manager should be simple for you to use. If you find the solution too complex to understand, find a different one that better fits your style and expertise.
- The password manager should work on all devices you need to use passwords on. It should also be easy to keep your passwords synchronized across all your devices.
- Use only well-known and trusted password managers. Be wary of products that have not been around for a long time or have little or no community feedback. Cyber criminals can create fake password managers to steal your information. Also, be very suspicious of any vendors that developed their own encryption solution.
- Make sure whatever solution you choose continues to actively receive updates and patches, and be sure you are always using the latest version.
- The password manager should include the ability to automatically generate strong passwords for you and show you the strength of the passwords you’ve chosen.
- The password manager should give you the option of storing other sensitive data, such as the answers to your secret security questions, credit cards, or frequent flier numbers.
- Good password managers support two-step verification/multi-factor authentication along with the master password.
Password managers are a great way to securely store all your passwords and other sensitive data. However, since they safeguard such important information, make sure you use a unique, strong master password that is not only hard for an attacker to guess, but easy for you to remember.
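The passphrase advice and the "generate strong passwords and show their strength" criterion above can be made concrete. The following is an added example, not code from any particular password manager: the 32-word list is constructed for illustration, and the strength thresholds are assumptions of this example.

```python
import math
import secrets
import string

# Constructed 32-word list, for illustration only. Published passphrase word
# lists are far larger (the EFF long list has 7,776 words).
WORDS = ("amber anchor autumn basket candle canyon cedar copper "
         "dragon ember falcon garden harbor island jacket kettle "
         "lantern marble meadow nickel orchid pebble quartz ribbon "
         "saddle timber tunnel velvet walnut willow winter zephyr").split()

# Letters, digits and punctuation: 94 printable symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Random password; secrets draws from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_passphrase(n_words=6, words=WORDS):
    """Random passphrase: each word is picked independently and uniformly."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, picks):
    """Bits of entropy for `picks` uniform random draws from `choices` options.

    Valid only for randomly generated secrets. A phrase a person makes up
    is more predictable than this figure suggests.
    """
    return picks * math.log2(choices)


def strength_label(bits):
    """Map entropy to a coarse label (thresholds are this example's assumption)."""
    if bits < 40:
        return "weak"
    if bits < 70:
        return "fair"
    return "strong"


if __name__ == "__main__":
    for name, secret, bits in [
        ("password, 20 symbols", generate_password(), entropy_bits(len(ALPHABET), 20)),
        ("passphrase, 32-word list", generate_passphrase(), entropy_bits(len(WORDS), 6)),
        ("passphrase, 7,776-word list", "(list not embedded)", entropy_bits(7776, 6)),
    ]:
        print(f"{name}: {bits:.1f} bits ({strength_label(bits)})  {secret}")
```

The same six-word passphrase is weak when drawn from a tiny list and strong when drawn from a large one, so the size of the word list matters as much as the number of words.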
Saving Browser Credentials
It has been a long-standing best practice to avoid saving credentials in web browsers. Web browser security has significantly improved over the last couple of years, and attitudes toward saving credentials are shifting. Most third-party password managers now offer a browser extension to manage and save passwords.
It is now considered reasonably safe to save credentials in the Safari and Google Chrome password managers when you are following security best practices:
1. Securing the Device
Securing your device involves the following steps:
- Install antivirus (AV) software to prevent malware from stealing your credentials
- Keep software up to date to protect against security vulnerabilities
- Require a PIN or password in order to unlock your device
- Only install trusted web browser extensions
- Lock your device when leaving it unattended
2. Securing the Password Manager
You can make sure that your password manager is secure through the following steps:
- Secure your password manager and master key by using two-step verification (multi-factor authentication)
- Avoid saving or syncing passwords on a shared device
- Lock the password manager when leaving it unattended
3. Register for Two-Step Verification
Registering for two-step verification (multi-factor authentication) on websites and saving the credentials in a password manager is recommended. Two-step verification will help prevent compromised passwords from being used successfully.
Recommended Password Managers
Here at Laurier, we do not have a specific password manager that we encourage students, staff and faculty to use. Laurier credentials should only be saved in a password manager when two-step verification has been configured. There are a number of password managers on the market today that we would recommend reviewing: