It's {{current_year}}; Use a Password Manager.


If you have the same password on multiple sites, you need to read this post.

What Problem Are We Solving?

Password reuse is a massive issue when it comes to our online security. We can't trust that websites are storing our passwords properly nowadays; even well-known companies occasionally mishandle passwords (example 1, example 2, wall of shame). If you use the same password for, say, your Neopets account and your bank account, what happens if your Neopets password gets leaked? Or, if you share the same password between that Neopets account and your email account, an attacker can use access to your email to get access to nearly everything else.

The easiest way to minimize those risks at the moment is to eliminate password reuse. If you're like me, though, you can't remember a hundred unique passwords for all of the websites that insist on having you make an account. It feels natural to start reusing passwords, or you come up with some pattern. A couple of examples I've seen are:

Neither of these is a particularly good idea. The first is easily guessable as soon as one password gets leaked. The second is slightly better, but still fairly predictable.

Ever since the “Correct Horse Battery Staple” xkcd comic, this style of password has seen a jump in popularity. Unfortunately, despite its popularity, this isn't a good way to come up with passwords. Not only does it not solve the problem of password reuse particularly well, but it's also incredibly vulnerable to attack (nice write-up here).

A Solution

Password managers make everything simple. Most of them include a random password generator that can be configured based on a website's password requirements/limitations. This feature allows you to get unique passwords per site, with no discernible pattern, with a high level of entropy.

Websites with good password policies have a minimum password length and usually a high maximum password length. The maximum should not be so high that hashing very long passwords becomes a denial-of-service risk for the site itself. Some sites enforce other requirements, like “at least one special character” or “at least one uppercase and one lowercase letter.” Whether this improves security is not for me to say. Technically it decreases the search space of the passwords, and in practice a lot of people will just capitalize the first letter and add an exclamation point. But it can get people to think a little harder about their passwords, so I take a neutral stance on it.

Password managers allow you to take full advantage of the sites with good password policies. You can max out the password length and fit the requirements effortlessly. You won't even have to remember any of it, because it all gets saved to some form of database.

Even on sites with ridiculous password policies, your password manager will help. Take this hypothetical policy: “must have at least six characters but no more than eight, at least one special character from *, &, $, @, and !, at least two non-consecutive non-repeating numbers not located next to each other, at least one uppercase letter and at least one lowercase letter”. If you try to come up with a password that matches this, you're probably going to get frustrated and make something extremely insecure. With many password managers, you can configure them to at least get close to fitting those requirements. Depending on configurability, it might take a couple of tries, but it's less frustrating than doing it manually.
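To make the entropy comparison and the policy-fitting concrete, here is an added Python example (not code from the post or from any password manager). It generates passwords with the OS CSPRNG, scores them in bits, and uses rejection sampling to satisfy the hypothetical policy above. It assumes a 2048-word list for the four-word passphrase comparison and takes one reading of the policy's digit rule (all digits distinct, no two digits adjacent); both are assumptions, not facts from the post.

```python
import math
import secrets
import string

# Character classes for the generator. SYMBOLS is the hypothetical policy's
# allowed set (*, &, $, @, !) from the post; the rest is the usual alphabet.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "*&$@!"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length).
    Works for characters (alphabet = charset) and for passphrases
    (alphabet = word list, length = number of words)."""
    return length * math.log2(alphabet_size)


def meets_hypothetical_policy(pw: str) -> bool:
    """One reading of the post's awkward policy (assumption): 6-8 chars,
    >= 1 symbol from SYMBOLS, >= 1 upper, >= 1 lower, and at least two
    digits that are all distinct and never adjacent to each other."""
    if not 6 <= len(pw) <= 8:
        return False
    if not any(c in SYMBOLS for c in pw):
        return False
    if not any(c in UPPER for c in pw) or not any(c in LOWER for c in pw):
        return False
    digit_positions = [i for i, c in enumerate(pw) if c in DIGITS]
    digits = [pw[i] for i in digit_positions]
    if len(digits) < 2 or len(set(digits)) != len(digits):
        return False  # too few digits, or a repeated digit
    # No two digits may sit next to each other.
    return all(b - a > 1 for a, b in zip(digit_positions, digit_positions[1:]))


def generate_random(length: int, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_for_policy(policy, length: int, alphabet: str = ALPHABET,
                        max_attempts: int = 100_000) -> str:
    """Rejection sampling: draw random candidates until one passes the policy.
    Rejecting (rather than patching a candidate to fit) keeps the output
    uniform over the set of compliant passwords, which is what makes the
    entropy estimate below meaningful. This is the 'couple of tries' a
    password manager makes for you."""
    for _ in range(max_attempts):
        candidate = generate_random(length, alphabet)
        if policy(candidate):
            return candidate
    raise RuntimeError("policy too restrictive for this alphabet and length")


def policy_entropy_estimate(policy, length: int, alphabet: str = ALPHABET,
                            trials: int = 5_000) -> float:
    """Bits of a policy-compliant password: unconstrained entropy minus
    log2(1 / acceptance rate). The acceptance rate is measured empirically,
    showing how composition rules shrink the search space."""
    accepted = sum(policy(generate_random(length, alphabet)) for _ in range(trials))
    if accepted == 0:
        return 0.0
    return entropy_bits(length, len(alphabet)) + math.log2(accepted / trials)


if __name__ == "__main__":
    # Passphrase from a 2048-word list (assumed) vs. random printable ASCII.
    print(f"4 words / 2048-word list: {entropy_bits(4, 2048):.1f} bits")
    print(f"16 random chars / 94 printable: {entropy_bits(16, 94):.1f} bits")
    print(f"8 chars, no policy: {entropy_bits(8, len(ALPHABET)):.1f} bits")
    print(f"8 chars, hypothetical policy: "
          f"{policy_entropy_estimate(meets_hypothetical_policy, 8):.1f} bits (est.)")
    print("policy-compliant sample:", generate_for_policy(meets_hypothetical_policy, 8))
```

Run it and the last line changes every time, while the bit counts stay put: the four-word passphrase lands at 44 bits, a 16-character random password above 100, and the 8-character policy password a few bits below the unconstrained 8-character figure, which is the search-space reduction the composition rules cause.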

What Should I Use?

I'm not going to give you a hard answer here, because that answer is different for everyone. I will talk about two I have personal experience with, with the disclaimer that there are plenty of other options out there. You should do some more research before you take advice on any of this.

The software I currently use is Bitwarden. Bitwarden is an open-source, self-hostable online password manager. You can use it through their desktop applications, mobile apps, browser extensions, and command-line interface. If you're particularly paranoid, you can host a personal instance using either their Docker environment or the unofficial bitwarden_rs project.

Having your password manager sync over the internet is convenient because it means that even if you need to log in to your accounts on a new or different computer, you can go to the web vault. You can find some documentation on a security audit here.

One downside to Bitwarden is that if you want to use U2F, you need to upgrade to a “premium” account. It's only $10/year, sure, but it seems like a kind of scummy thing for a security tool to put behind a paywall. Authenticator apps can be used for free, though. You can also get around the paywall by using the bitwarden_rs project I linked above, though its security should be evaluated separately from the core project.

Another really good option is KeePass. KeePass is another open-source option, but rather than being hosted on a network, it's completely offline. It's a little more effort because you need to keep all of your devices in sync manually, but this comes with the benefit that the attack surface is much smaller. An attacker needs access to the device(s) that store the database if they want to gain access. Because you only ever input your master password into one self-contained application, there's less of a chance of something leaking your master password.

You can find some security audit information here.

It's up to you to decide what password manager to use. My recommendation is almost always to go with an open-source solution like either of the ones I mentioned above, but as long as your passwords are encrypted and you use unique passwords for each site, it's hard to go wrong.