December is already upon us. WOW. Let’s take a moment and focus on security. After all, passwords are like underwear – they should be changed frequently. Sure, I get that. And I could either:
- set all my passwords to be the same across all sites (definitely not a good idea), or
- ignore this advice and never update my password (also, definitely not a good idea).
OK, what if I want to change my passwords periodically but suffer from any sort of memory issues? How can I:
- use a unique password for each site I use,
- keep my passwords (actually passphrases) long and complex, and
- remember to change them from time to time?
Short answer – use a password wallet.
What is a Password Wallet?
In the same way you probably keep your folding money in an actual wallet and keep it close to you, a password wallet is a secure spot to store your passwords. It is a bit of software. It can be available only to you (perhaps on a USB drive – you recall those, don’t you?) or it can be stored in the cloud (someone else’s computer). Regardless, access to the password wallet is controlled by a password (or preferably, a passphrase). Unless you know the password/passphrase to access the wallet, the contents are not readily accessible. In a similar manner, the folding money in your wallet is not readily available to the world. Generally, contents in a password wallet are encrypted. This means if the data store is ever stolen, it is not of any use unless one knows the access word or phrase.
Yes, many browsers provide the ability to store your passwords these days. Many operating systems also provide this capability. That is always one alternative. Although we are not recommending/endorsing any specific technology, it is important to know what options are available beyond your browser or operating system. Some examples of password wallets include:
- KeePassXC (you can store your access credentials on a thumb drive). This software is open source and OSI certified.
- LastPass (there are free and paid versions).
- NordPass (if you use Nord as your VPN, this paid version may be appropriate).
There are many other choices. Search engines are helpful, aren’t they?
Selection Criteria
Once you decide that it might be useful to store your passwords in a secure wallet, here are some things to consider (this is not a complete list).
- How secure is my data? Does the wallet securely encrypt the contents? If you forget your password/passphrase, you will likely not be able to access the contents. Confirm that no one can decrypt the contents (particularly if the password wallet is online).
- Is there a limit to the number of passwords/passphrases I can store? Some free versions limit you to 50 or 100 passwords. Of course, you get what you pay for.
- How much does it cost? Yes, many of these services cost money. That is how they keep their software up to date (defending against the most current known vulnerabilities). Many services offer a discount if you pay annually.
- Password/passphrase generator? The longer the password/passphrase, typically the better. You should be able to specify the length. Also, you should be able to copy the information for a short period of time. When you use longer passwords, it is helpful to copy, then paste the contents into your browser. But you don’t want that information remaining in your clipboard too long.
- What other services are included? Many paid options offer additional services (such as multi-factor authentication, or being able to selectively share information with family or co-workers). You decide what is necessary for you.
- Reminder to periodically change your password? It is a good idea to periodically change your passwords. Typically, we forget to do this. It is helpful if your software provides you with the ability to set a reminder for a given site.
Should I use one?
Ultimately, that decision is up to you. However, these days, one needs many passwords (and they should be unique for each site). Personally, my memory is simply not capable of remembering passwords for thousands of sites. And you want to make certain you periodically change important passwords. Those items alone likely dictate you should consider such an approach.
All this being said, I strongly recommend using two-factor authentication in addition to a password/passphrase on any given site. This means you must provide both your username and password along with a unique code to access a site. Most sites offer this option. Many allow you to use a technology like Google Authenticator or to receive an SMS text message with a unique code. These codes are typically only good for a minute or so.
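How an authenticator-app code is derived and why it stops working after "a minute or so", as an added example that is not part of the original post and not any vendor's own code. It follows the public TOTP standard (RFC 6238); the 30-second step, 6-digit length and one-step tolerance are assumed defaults, and the secret is the RFC's published test value.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code; RFC 6238 default (assumed)
DIGITS = 6   # code length most authenticator apps display (assumed)

def decode_secret(b32: str) -> bytes:
    """Decode the base32 secret a site shows next to its enrolment QR code."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # displayed secrets often omit padding
    return base64.b32decode(cleaned)

def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """Code for Unix time `at`: HMAC-SHA1 over the number of elapsed steps."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Site-side check: accept the current step and `window` steps either side."""
    accepted = False
    for drift in range(-window, window + 1):
        moment = at + drift * STEP
        if moment < 0:
            continue
        expected = totp(secret, moment)
        # Constant-time comparison, and no early exit on a match.
        accepted |= hmac.compare_digest(expected.encode(), code.encode())
    return accepted

# Constructed sample: the published RFC 6238 test secret, not a real account.
SAMPLE_SECRET = decode_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")

if __name__ == "__main__":
    issued = 59                            # moment the app displayed the code
    code = totp(SAMPLE_SECRET, issued)
    for later in (issued, issued + 30, issued + 60):
        print(later - issued, "s later:", verify(SAMPLE_SECRET, code, later))
```

The code depends only on the shared secret and the clock, so it can be generated offline; the tolerance window is what stretches a 30-second code to roughly a minute of usefulness.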