by Brandon Butler
A Story About Password Managers 11/9/2020

About a decade ago I received an alarming email from Google. A suspicious login attempt from somewhere in Ohio had attempted logging into my Google Account. Being in California, I was certain that wasn’t me trying to login.

Thankfully, Google’s systems realized the same and blocked the login attempt. After they alerted me to the breach I spent the rest of the day changing passwords. Back then I used a password system that was terrible and time consuming to manage. I created the passwords myself and kept nothing written down, either digitally or physically. It was all in my head. And it was a mess.

In those days I spent a good deal of time thinking of, changing, and remembering new passwords that I believed were complex and impossible to guess, yet somehow, someone had guessed or phished it out of me. And to this day I have no idea how they got my password.

This hack attempt was a serious wake up call to my own personal password security. I knew what I was doing wasn’t working, and I hated typing and forgetting password after password. The entire ordeal finally pushed me to what I’d been putting off for years: I installed a password manager.

“Passwords are a terrible system. I mean, passwords are awful,” said 1Password’s Jeffrey Goldberg, in Ars Technica’s The secret to online safety: Lies, random characters, and a password manager. It’s true: I talk to people everyday who are frustrated and annoyed and sometimes downright angry at being forced to remember a variety of (let’s be honest) weak passwords for their computers, websites, and programs. And this is where a password manager can really make a difference.

The most simplistic way a password manager works is by storing your passwords in an encrypted database. But a good password manager can do so much more. The best password managers will generate ridiculously strong passwords, warn you when an account has potentially been compromised, and give you the ability to share passwords with family or co-workers. Some also include 2FA, and the best will give you the option of working from a local database you maintain or storing data in the cloud. The best sign of a good password manager to me, though, is a well-written white paper explaining how your data is stored and secured, and a sustainable business model (yes, that means you pay for the software, but I’ll get to that in a minute).

Throughout my work day, I see many people using a Word document or an Excel spreadsheet to store their passwords. This is a bad system. Encryption on these documents is not strong (and rarely enabled), and many people leave the documents open on their computer screens all day. The documents also display everything in plaintext to anyone watching, either remotely logged in or simply standing behind them. The documents also can’t generate a password, so the user creates a new, weak password to replace a previous weak password. But these people are so close to using a password manager — they just need to take one last step. (And if this is you, keep reading!)

The other option is to use your browser to save and store passwords, although this is also less than ideal. The obvious downside is it locks you to a single browser. Your passwords are usually encrypted and synced across devices, but the browsers often lack the features that make password managers more than just a database, like scanning your accounts for compromised logins and storing additional information like IDs or bank accounts. And if you need to sign-in to an app like the Snapchat or TikTok you have to awkwardly launch the browser, go into the settings, and copy and paste the password out (which exposes the password to clipboard snooping by nosy apps). Plus, anyone who has access to your device or browser now has access to all of your online accounts, including banking, shopping, and social media. A password manager requires you to login (either with a password or biometrics) before being able to access the stored passwords. Saving passwords with a web browser is an all around bad idea.

When I decided to finally install a password manager, I don’t recall spending too much time agonizing over the choices. At the time, AgileBit’s 1Password was one of the few password managers available for Mac, Windows, and iPhone. Today, there are many password managers to choose from, but I’ve stayed with 1Password. I’ve also recommended 1Password to friends, co-workers, and family, and I rarely need to provide any family tech support for 1Password. The service just works.

I remember, back when I first signed up for 1Password, it was scary to trust everything to this one encrypted database. I added passwords slowly over the first year and as time progressed I “forgot” more and more passwords. It was actually very, very freeing to forget so many ridiculous passwords, and before I knew it, I had just one password: the password for 1Password.

The prophecy was fulfilled.

I also became a big user of Command+\ on my Mac, the shortcut key to invoke 1Password’s browser extension and auto-fill a username and password into a website. A few iOS versions ago, auto-fill came to the iOS keyboard, and my days of copying and pasting passwords came to en end. That’s right, you read that correctly: I don’t type passwords, and I don’t copy and paste passwords, either. Everything is auto-filled with a keystroke or a tap. It’s easy, but it’s also the most secure way to login to a website (short of memorizing dozens of 40-character alphanumeric passwords and typing each in by hand). Like most popular password managers, 1Password has support for a number of browsers and operating systems: you’d be hard pressed to find your passwords unavailable on your system of choice.

I use 1Password for much more than passwords, too: I store credit cards, personal history information, software serial numbers (like the Alfred Powerpack license), emergency info like my healthcare card, and secret recipes. Anything that I feel needs an extra layer of protection that the old Notes app can’t provide.

This might feel like a marketing pitch for 1Password, but the truth is 1Password is the best password manager I’ve used. In fact, the original draft of this article started out by not naming any password managers. Draft two included a long section comparing the different services, like LastPass, Dashlane, and Keeper; I even went so far as to install the apps on my iPhone and MacBook and use the trial modes for a few days to better understand how they work. But I honestly didn’t like any of them. Keeper tried suing Ars Technica over a story (https://www.zdnet.com/article/security-firm-keeper-sues-news-reporter-over-vulnerability-story/) and the app’s design looks dated. Dashlane includes an unnecessary VPN service which makes the whole thing way too expensive. And while LastPass is a very popular password manager, as I was writing draft two a co-worker messaged me to say — completely on his own — that he didn’t like LastPass on Android and wanted to know if I had any suggestions for another password manager. I told him to try 1Password, and now he’s a paying user. I still like LastPass’s design and features, and LastPass has something 1Password doesn’t: a free tier. 1Password has a great, full featured 30-day trial, and regardless of which password manager you go with, you should be paying for it.

Paying for your password manager means you are very unlikely to ever lose access to your passwords. Apps and programs, and especially cloud services, can come and go in a blink, but the ones that persist are the ones that make a profit and continue to pay their server bills. If you find the password manager useful and necessary — and I believe you will — pay for it.

We all use passwords. And we all hate passwords. But if you have a password manager like 1Password you won’t need to worry about memorizing passwords, forgetting passwords, or typing passwords ever again. You’ll know if one of your accounts has been compromised, and you’ll have additional features like secure notes and a strong password generator. For as much as I like 1Password, I still want the take-away for this article to be a simple one: use a password manager. Make it a goal to pay for a password manager before the end of the year — you’ll be glad you did! Passwords are a fact of life for anyone with an Internet connection, and a password manager turns a terrible system into something slightly less terrible.