- Use a password manager, don’t write down your passwords!
- Avoid cloud-based password managers if you can.
- Go with my recommendation: KeePass.
- Sync your password database across all devices.
Why you should use a password manager
One of the more common problems that internet users find challenging, even pesky and frustrating, to take control of is managing their passwords. A typical person owns so many email, bank, retail, and other accounts that remembering all the credentials eventually becomes difficult. To complicate matters, many services impose differing password requirements, enforcing various combinations of upper case, lower case, numbers, and symbols, and sometimes requiring the user to change passwords periodically.
In the last ice age, people would resort to writing down their credentials on paper, a practice that I also employed until better options became available. Where security is the highest priority, this practice has only been acceptable to those who trust themselves to keep the paper well hidden. However, paper passwords are written without any sort of encryption, so anyone who manages to get a peek at them will be able to read them in plain sight. Thankfully, this needn’t be a problem if you switch to more secure and versatile software that can manage your credentials, generally called a password manager.
Why should you switch? Some of the biggest advantages in my experience have been
- Not having to wrinkle your brain trying to remember passwords.
- Being able to search, organize, group, sort, add, delete, and modify password accounts effortlessly.
- Attaching other details to an account, like PINs, web addresses, notes, and anything else you want.
- The ability to copy and paste passwords without ever seeing them. You never have to reveal them to anyone, not even yourself.
- Generating a random password that meets certain criteria (upper/lower case, numbers, symbols, etc.). This saves you time thinking of a password.
- Auto login: advanced users can enable password managers to automatically log in to a website without having to type the username and password.
- Auto fill: tired of repeatedly entering your address, credit card, and other details? You can set up the password manager to type everything for you.
- Automatic keeping of history: whenever you change something, the password manager will make note of it.
There is a catch
The only catch to using a password manager is that you would have to remember a master password that would be used to unlock all the other passwords in your password manager. If you have a bad headache, got whacked in the head, suffer from amnesia, or somehow just forgot the master password, you’d be in big trouble. However, since you would frequently be typing the master password, chances are that you would know it like the back of your hand. This has not been an issue for me in all my years of using password managers.
Which password manager should I use?
If you are not bothered by that risk and the slimmed-down list of advantages above was enough to convince you to use a password manager, the next question is likely “Which password manager should I use?” My guiding policy here is to use the password manager that allows me, and no one else, to be in control of my data. What this means is that my passwords live on my devices only. There are many password managers available, free and paid, that actually store a copy of your password database on their own servers. This would leave you vulnerable to hackers who target popular password manager services (see “The LastPass security breach: What you need to know, do, and watch out for”). If, like me, you want the peace of mind that your data isn’t stored on a computer under someone else’s control, then you should prefer password managers that store your data only on your local devices. In other words, avoid cloud-based password managers.
At this point, if you are interested in all the options available to you (including cloud-based solutions, if they are not a deal breaker for you), I would recommend reading this article, which gives a comprehensive comparison: “The Best Password Managers”.
The password manager that has done well reducing my headaches, and the one that I recommend, would be KeePass. This is a manager that meets all of my criteria, and it is free to use and supported on many platforms. Whether you use a Windows or a Mac computer, or an Android or iPhone, your bases are covered.
On Windows, I recommend using either the application developed by the KeePass project itself, the Professional Edition available at http://keepass.info/download.html, or the slicker-looking KeeWeb available at https://keeweb.info/.
On Macs, you can also use KeeWeb, but I prefer the more user-friendly MacPass downloadable at http://mstarke.github.io/MacPass/. MacPass looks good, has a configurable toolbar with buttons to copy the username and password, and shows more information at a glance.
On an Android phone, you can install the Keepass2Android app. You can see what it looks like at Keepass2Android Password Safe.
Although I have not tried any KeePass applications on an iPhone, your options are to install “KeePass Touch” or MiniKeePass. The former was updated recently, but MiniKeePass hasn’t been updated since April 2016, so it may be worth trying KeePass Touch first.
Using KeePass on multiple devices
If you are interested in using KeePass on multiple devices, you would have to think about how to sync the password databases on those devices. If you change a username, password, or other information on one device, you would want the change to be reflected on all your devices. All of your data will be stored in a database file with the extension “kdbx”. KeePass, KeeWeb, Keepass2Android, KeePass Touch, and MiniKeePass all work with this database. The key to keeping the databases in sync is to keep the kdbx database file in sync. To do this, you have several options:
- The least complex way is to keep your database in a cloud service like Dropbox or Google Drive. You can then open the database on any device by selecting it from the cloud service, and changes you make will be saved by the cloud service. You may have noticed, though, that this approach fundamentally conflicts with the reason one may have chosen KeePass in the first place: to keep data locally and off the cloud. However, if you trust the cloud service enough, this is a viable solution.
- A bit more tedious is the option to sync the databases yourself. Let’s say that you have the database on your Mac and you made some change to it and want to have this change on your Android phone, then one thing you can do is send the database file to your phone via Bluetooth. If you want to propagate the change to a Windows computer, you can put the database in a USB drive and transfer it. Depending on the capabilities of your devices, there are a good number of other ways to transfer database files between them.
- The more secure solution, and the one that I use, is to run a cloud service yourself and put the database there. All devices will then sync from one centralized place. This, to me, is the best of both worlds: you get the versatility of a cloud service but you also own that cloud. I chose to run a Network Attached Storage (NAS) that stores and backs up my data, and it runs the cloud service I use to manage my KeePass passwords. This option is more complicated and requires monetary investment into a good NAS (several hundred dollars), so I recommend researching into it if you are interested.
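Whichever transfer method you pick from the list above, the risk of moving the database file by hand is overwriting edits that were made on the other device since the last transfer. The following is an added example of my own, not part of the original post and not code from the KeePass project, of a three-way check that decides whether a plain file copy is safe: it compares the local and remote copies against the hash recorded at the last successful sync (kept in an assumed small JSON state file) and refuses to copy when both sides changed. The only real constant is the KDBX 2.x file signature that KeePass writes at the start of every database; the sample database bytes in the demo are constructed and are not an encrypted database.

```python
import hashlib
import json
import shutil
from pathlib import Path
from typing import Optional

# A KDBX 2.x database begins with two little-endian 32-bit signatures
# (0x9AA2D903, 0xB54BFB67). Anything else is not a KeePass 2.x file.
KDBX_SIGNATURE = bytes.fromhex("03d9a29a67fb4bb5")


def is_kdbx(data: bytes) -> bool:
    """Cheap sanity check that the bytes are a KeePass 2.x database, not a stray file."""
    return data[:8] == KDBX_SIGNATURE


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(local: bytes, remote: bytes, last_synced: Optional[str]) -> str:
    """Three-way comparison of two copies against the hash from the last sync.

    Returns:
      'in_sync'  - identical, nothing to do
      'push'     - only the local copy changed: safe to overwrite remote
      'pull'     - only the remote copy changed: safe to overwrite local
      'conflict' - both changed, or no baseline exists: a plain copy would
                   silently discard someone's edits, so refuse"""
    lh, rh = digest(local), digest(remote)
    if lh == rh:
        return "in_sync"
    if last_synced is None:
        return "conflict"
    local_changed = lh != last_synced
    remote_changed = rh != last_synced
    if local_changed and remote_changed:
        return "conflict"
    return "push" if local_changed else "pull"


def sync_files(local: Path, remote: Path, state: Path) -> str:
    """Copy in whichever direction classify() says is safe, keep a .bak of the
    file being overwritten, and record the new baseline hash in `state`."""
    local_data, remote_data = local.read_bytes(), remote.read_bytes()
    for name, data in (("local", local_data), ("remote", remote_data)):
        if not is_kdbx(data):
            raise ValueError(f"{name} copy is not a KDBX 2.x database")
    last = json.loads(state.read_text())["last_synced"] if state.exists() else None
    verdict = classify(local_data, remote_data, last)
    if verdict == "push":
        shutil.copy2(remote, remote.with_suffix(remote.suffix + ".bak"))
        shutil.copy2(local, remote)
    elif verdict == "pull":
        shutil.copy2(local, local.with_suffix(local.suffix + ".bak"))
        shutil.copy2(remote, local)
    if verdict != "conflict":
        # Both copies are now identical; remember that content as the baseline.
        state.write_text(json.dumps({"last_synced": digest(local.read_bytes())}))
    return verdict


if __name__ == "__main__":
    import tempfile

    # Constructed sample "databases": real header signature, fake body.
    version_a = KDBX_SIGNATURE + b"\x00\x00\x04\x00" + b"constructed body A"
    version_b = KDBX_SIGNATURE + b"\x00\x00\x04\x00" + b"constructed body B"
    version_c = KDBX_SIGNATURE + b"\x00\x00\x04\x00" + b"constructed body C"
    with tempfile.TemporaryDirectory() as tmp:
        local, remote = Path(tmp, "laptop.kdbx"), Path(tmp, "nas.kdbx")
        state = Path(tmp, "sync-state.json")
        local.write_bytes(version_a); remote.write_bytes(version_a)
        print(sync_files(local, remote, state))   # in_sync (baseline recorded)
        local.write_bytes(version_b)
        print(sync_files(local, remote, state))   # push
        local.write_bytes(version_c); remote.write_bytes(version_a)
        print(sync_files(local, remote, state))   # conflict: nothing copied
```

On a conflict the right move is to merge rather than pick a side; KeePass 2.x has a File > Synchronize command that merges two databases entry by entry, whereas this script only decides whether a whole-file copy can be done without losing anything.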
Happy remembering things other than passwords!