It is difficult to create long, strong, unique passwords, creative responses to security questions, and alternative usernames without the aid of a password management application. For solos with even a few support staff, a password management application will help everyone follow these best practices and add succession planning to the mix.
After the recent breach of LastPass you may have decided that your system of using a few passphrases or writing your passwords in a notebook is a better way to go. However, password managers are still the recommendation from many security professionals. Here are considerations to help you make an informed decision about choosing and using a password management application.
Cloud or No Cloud?
Many of the password management applications store your passwords in an encrypted vault in the cloud. There are levels of encryption, zero-knowledge architecture, and safeguards like authentication to help protect your valuable information. However, if storing your passwords in the cloud makes you wary, you have options to store them on your local computer or server. The downside to this model is that if the server is unavailable, your hard drive crashes, or the application becomes corrupted, you could lose all your passwords along with it.
Some applications are only available for Windows. Some options, like KeePassXC, KeePass, or Enpass, let you store your password vault locally, or on private or public clouds. The open-source options may require a little more end-user sophistication, but the nature of open source means that the code can be reviewed, and vulnerabilities are discussed transparently. Review how often the open-source password managers are updated, and make sure support is available if you are not very tech-savvy.
Pricing
Many free password managers are very good. However, they are “lite” versions, and may limit the number of passwords you can store or not fill your passwords on multiple devices. They often lack some of the extra features seen in the paid versions, like tech support. Compare the paid and free plans to make sure you are getting all that you need. Often providers have personal and family plans and business plan options. Paid family or premium personal plans usually cost around $5 a month, including five family members. Business plans run anywhere from $8 per user per month to bundles for up to 10 users for $20 per month. Many times, the business plans include free family plans for the users.
Additional Options
In addition to storing, generating, saving and filling passwords, password manager applications offer other attractive options in the paid plans.
Dark Web Monitoring
If your password is compromised in a breach and is being sold on the dark web, your password manager will alert you to this. You can use websites like Have I Been Pwned, but it is nice to get proactive monitoring and notifications as part of your service.
Password Health Check
Having all of your passwords in one place means that your password manager can track your password health. You can see which passwords are being reused, which are weak, and which logins have been compromised and why.
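The three checks described above (reuse, weakness, compromise) can be reproduced over a vault export. This is an added example, not code from any password manager: the vault entries, the character-class entropy estimate, the 60-bit threshold and the tiny local set of breached-password hashes are all constructed stand-ins for what a real product would use.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample vault (made-up sites, users and passwords).
VAULT = [
    {"site": "bank.example", "user": "alice", "password": "Tr0ub4dor&3-plus-27-more"},
    {"site": "mail.example", "user": "alice", "password": "summer23"},
    {"site": "shop.example", "user": "alice", "password": "summer23"},
    {"site": "forum.example", "user": "alice", "password": "password"},
]

# Constructed stand-in for a breach corpus: SHA-1 of known-leaked passwords.
# A real manager queries a breach-monitoring service rather than a local set.
BREACHED_SHA1 = {
    hashlib.sha1(b"password").hexdigest().upper(),
    hashlib.sha1(b"123456").hexdigest().upper(),
}


def estimate_bits(pw: str) -> float:
    """Rough strength estimate: length times log2 of the character pool used."""
    pool = 0
    pool += 26 if any(c.islower() for c in pw) else 0
    pool += 26 if any(c.isupper() for c in pw) else 0
    pool += 10 if any(c.isdigit() for c in pw) else 0
    pool += 33 if any(not c.isalnum() for c in pw) else 0
    return len(pw) * math.log2(pool) if pool else 0.0


def health_report(vault, breached=BREACHED_SHA1, min_bits=60):
    """Map each site to its findings: 'reused', 'weak' and/or 'compromised'."""
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])
    findings = {}
    for entry in vault:
        pw = entry["password"]
        issues = []
        if len(sites_by_password[pw]) > 1:      # same secret on several sites
            issues.append("reused")
        if estimate_bits(pw) < min_bits:         # below the strength threshold
            issues.append("weak")
        if hashlib.sha1(pw.encode()).hexdigest().upper() in breached:
            issues.append("compromised")         # appears in the breach corpus
        findings[entry["site"]] = issues
    return findings


if __name__ == "__main__":
    for site, issues in health_report(VAULT).items():
        print(f"{site}: {', '.join(issues) or 'ok'}")
```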
Secure Document Storage
In addition to securely storing login information and form filling information, some password managers let you store confidential documents in the vault. Pictures of your passport, deeds, tax returns, your will, your insurance card and other information can be stored in your password manager.
Secure Notes
Some password managers let you store IDs (social security, tax ID, driver’s license), banking and credit card information in the secure vault.
Shared Passwords
For family plans and business plans, you can share passwords. It is not normally a best practice to share passwords, but for succession planning, short-term sharing, and emergencies, securely sharing a login or secure note can be helpful.
Authenticators
Some password managers come with built-in multifactor authenticators. One such product is Keeper, a business-focused password manager that has a built-in authenticator to generate and fill a unique code when you log in to applications that use two-factor authentication. Since no additional device or authenticator app is required, this is especially useful for business users, who need not use their personal mobile devices.
Backing Up Your Password Manager
Before you choose a password manager, check to see if you can back up and restore your data. The backup file should be encrypted.
Ease of Migration
If you should ever need to move from one password manager to another, be aware that the backup file will likely only work with that specific password manager, unless you export the vault to a CSV file. The CSV file will not be secure, and you will need to make sure that your new password manager can accept the file. Don’t move from one password manager to another without making sure you can transfer the file, and confirm it works before you unsubscribe and delete your old account.
Conclusion
Once you have decided on what to use, consider how you will use your password manager. Knowing you are storing extremely sensitive information in a system that could be breached, consider whether you will store every single password and document in the system. Memorize a few passwords, such as your bank passwords, your primary email accounts, and your document storage account like Dropbox or ShareFile. And don’t forget to memorize your password manager password. It cannot easily be recovered. Add two-factor authentication to any accounts you can and you will be in a good position to be safe and secure.
About the Author
Catherine Sanders Reach is the director for the Center for Practice Management at the North Carolina Bar Association, providing practice technology and management assistance to lawyers and legal professionals.