How to Choose a Password Manager (No, Browser-Based Solutions Aren’t Good Enough)

Passwords are your first line of defense against cybercrime. Password managers, software that securely stores, manages, and retrieves passwords, are essential tools for maintaining secure password policies and practices. A password manager eliminates the need to remember complex credentials by securely storing usernames and passwords and auto-filling login pages. Such software reduces the risk of “password fatigue” and the resulting poor practices, such as the use of weak passwords and password reuse. Furthermore, many password managers can generate complex, random passwords, making it harder for attackers to breach accounts through brute-force or credential-stuffing attacks. For the average user, a password manager is likely the single most important cybersecurity tool in existence!

Choosing a password manager is an important decision, and it forms the cornerstone of your personal cyber citadel. Vault 7, a collection of classified documents revealed by WikiLeaks in 2017, documented that the CIA routinely uses backdoors to compromise domestic software. While it may seem counterintuitive, it is worth considering using security software developed in an adversarial country. Kaspersky’s Password Manager, having been created in Russia, is one such example. If you subscribe to the plausible notion that all nations backdoor their software, it may be prudent to use software from countries that cannot exert legal jurisdiction over your person or personal information.

Update: In July of last year, the US banned the sale of Kaspersky products and sabotaged updates for existing users in September. If you’re migrating from Kaspersky to KeePassXC, consider using the script I helped create in order to automate the process.

Alternatively, you may want to consider open-source software. Open-source software is often considered more resistant to zero-day exploits and to being backdoored due to its transparency and collaborative nature. With the source code publicly available, a diverse community of developers, security experts, and enthusiasts can review, audit, and improve the software continuously. Such software stands in stark contrast to proprietary software, whose developers often rely on the less secure approach of “security through obscurity.” If you prefer the open-source approach, consider KeePassXC. It has the added benefit of being gratis: beyond the cost savings, there is no subscription that can lapse (and, by extension, no lapse in your security).

The keymaker

In either case, stand-alone password management solutions are recommended. Browser-based password management solutions should be avoided as they are inferior to stand-alone software for several reasons:

  • Limited Features: Browser-based password managers often lack advanced features that stand-alone options provide, such as secure password sharing, advanced password generation, and robust security audits.
  • Less Robust Security: Built-in password managers may not implement the same level of encryption or security protocols as dedicated password management solutions. They are also more susceptible to attacks that target the browser itself, which can compromise stored passwords.
  • Browser Dependency: Browser password managers are tied to a specific browser. In contrast, stand-alone password managers can provide cross-platform support, allowing users to access their passwords from any device and using any browser.

It is important to note that a password manager is not a panacea for password security. Your passwords can still be compromised by keystroke loggers and man-in-the-middle attacks, among others. Keep in mind that a password manager is itself protected by a password, a password that does not benefit from the protections of the password manager it protects! Consider too that most passwords are still illicitly obtained the old-fashioned way, via social engineering, phishing, and spear phishing.
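To make two of the mechanisms above concrete (the random generation mentioned in the opening paragraph and the master password that guards the vault), here is an added Python example; it is not code from this post or from any of the managers it names. It draws a password from a cryptographically secure RNG, estimates its entropy, and shows how a slow, memory-hard key-derivation function raises the per-guess cost for anyone attacking the master password. The scrypt parameters, the guess rate, and the sample master password are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets
import string

# Alphabet a typical generator draws from: 26+26+10+32 = 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Build a password from a CSPRNG (secrets is os.urandom-backed; random is not)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def worst_case_years(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate (2**bits guesses) at a given guess rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password with a memory-hard KDF before it unlocks the vault.

    Every guess an attacker makes must repeat this work, which is what makes a
    memorable master password defensible. Parameters are illustrative (assumed);
    real managers tune their KDF so one guess costs on the order of a second.
    """
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


if __name__ == "__main__":
    site_pw = generate_password(20)
    print(f"generated: {site_pw}  ({entropy_bits(20, len(ALPHABET)):.0f} bits)")
    # A ten-character lowercase master password versus the generated one, assuming
    # an attacker who can test a billion unstretched guesses per second (constructed).
    for label, bits in (("master (10 lowercase)", entropy_bits(10, 26)),
                        ("generated (20 of 94)", entropy_bits(20, len(ALPHABET)))):
        print(f"{label}: {bits:.0f} bits, {worst_case_years(bits, 1e9):.2e} years")
    key = derive_vault_key("correct horse battery staple", secrets.token_bytes(16))
    print(f"vault key: {key.hex()}")
```

The entropy gap between the two lines of output is the point of the preceding paragraph: the vault contents are only as safe as the one password the manager cannot generate for you, so the KDF's work factor is what stands between a leaked vault file and its contents.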

Software is not a substitute for vigilance and users should be mindful of all the possible vectors for password compromise. Regardless of their vulnerabilities (most of which are indirect), password managers are still very much essential for anyone who values cybersecurity and needs the protections proper password practices provide. Give some thought as to which password manager is right for you. If you have not yet implemented a stand-alone password management solution, make it your top priority as you strive to develop robust personal cybersecurity practices.
