Why I use a password manager

The wind howled on a cold evening . The only thing missing was the crackle of lightening to foreshadow the impending ominous news.

Another website had suffered a breach. Emails, passwords and some other details stolen. It was becoming a regular occurrence, except this time it was different.

My details were amongst the ones breached. The email notification I received read like any other post-breach press release. An apology, a claim they took security seriously; and that I would be wise to change my password on other services.

It got me thinking whether I’d used the same password anywhere else. I spent 2 hours trying to list all the websites I’d ever registered for. I came to the conclusion that I had no idea how many websites or services I’d registered for. Even if I did, I’d not be able to remember if I’d reused my passwords or variations of them.

It wasn’t quite end of days, but I thought it was about time I cleaned up and organised my online presence. So I invested in a password manager. Now I have unique and strong passwords for every website I’ve registered for.

But the story doesn’t end there.

A few months later, I received another breach notification. Except this time it really was different.

In a sequel of epic proportions, the password manager I was using had been breached. Of course I felt guilty for using a ‘cloud-based’ password manager. But the lure of synchronisation between all my devices had been too great to resist. Plus I am too lazy to manually synchronise passwords between devices in a secure manner.

In reality, it’s still harder to break a password manager than having one password to access all the websites you use.

One of the underlying problems lies in how passwords are the cornerstone of authentication.  Two-factor and two-step authentication is becoming more commonplace (including for password managers) so should be availed wherever possible.

Nothing is going to be 100% secure. So it’s often better to ask yourself is a particular security measure ‘good enough’? For the majority of people, I’d suggest a reputable password manager and enabling two factor authentication wherever possible constitutes ‘good enough’.

Yeah, I know – that’s a more disappointing conclusion than the Matrix trilogy.

Edit: I said that some password managers can use 2FA. According to Paul Moore, who is a extremely knowledgeable in these matters, it is not the case in the truest of forms in particular when it relates to using a Yubikey.  From a risk perspective I feel this is an important point to note particularly for enterprise customers. For consumers and the masses even using a password manager alone will likely put you in a better position than most.