What’s all the fuss about?

In a typical web browsing session, you might sign into slack, or twitch.tv, or ebay, or yahoo, or tumblr, or some other popular site and go on your way. Thing is, our brains are terrible at remembering things, and through password reuse, one compromised login can lead to a whole network being compromised. This isn’t just a boogeyman meant to scare you; your passwords could very well be out there, especially if you’ve been using them for multiple years.

Why should I stop reusing my passwords?

Here’s a great comic that shows one of the possible attack vectors to exploit password reuse.

If you reuse one password, or even pull from a mental pool of several passwords with slight variations for each site, all it really takes is one data breach, or one illegitimate website that fools you into trusting it, and many more of your accounts become compromised.

But if storing things in your brain isn’t the answer, what is? There is no one definitive answer to this, but here I’ll summarize the security advantage of using a password manager instead of your brain.

What are password managers, and are they safe for me to use?

A password manager is a program you run on your computer to help you organize and secure your accounts.

But the passwords are written down on the computer; that has to be less secure than my brain, right?

Well, not exactly. With the ‘brain method’, the passwords are still present on the computer when you physically type them on your keyboard or use the saved-logins feature of your browser, and could be compromised just as easily by viruses or keyloggers on your machine. The underlying assumption in this article is that your machine is virus-free and doesn’t spy on you. If this assumption doesn’t hold, you have bigger problems than password reuse!

I also don’t want you to get the wrong impression. A password manager isn’t as simple as a word document that lists out all your passwords. Any good password manager will make sure its data is completely unintelligible to anyone except those who know the secure passphrase. So even if your mom, coworker, or best friend copies the passwords file from your computer to theirs, they still won’t be able to see your passwords until they beat the secure passphrase out of you with a five dollar wrench.

How does a password manager stop password reuse?

Unlike your brain, the computer is very good at storing vast amounts of random bits of information. A password manager, besides keeping your information safe, will present you options for easily generating unique passwords for every site. For example, a typical entry in my password manager might have the following stored credentials:

username: 'your_email@gmail.com'
password: 'zOLmTP.H~w|hoi0b@'

Never in a million years would I want to remember that my gmail password is zOLmTP.H~w|hoi0b@, but the whole point is that I don’t need to! Because the computer is remembering everything for me, all my passwords can be truly random and secure assortments of letters, numbers, and symbols. I just generate the password once and then either store it in my browser’s saved logins, or use my password manager’s paste feature.
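To make the generation step concrete, here is an added example (not code from any particular password manager) of how a manager produces one independent random password per site from the operating system’s secure random source, and how much entropy that gives you. The site names and the 17-character default length are assumptions for illustration.

```python
import math
import secrets
import string

# The character classes the post describes: letters, numbers, and symbols.
# len(ALPHABET) == 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Each class must appear at least once; many sites require this.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 17) -> str:
    """Return a random password drawn with the OS CSPRNG via `secrets`.

    `secrets.choice` is used instead of `random.choice`: the `random`
    module is a predictable PRNG and must not be used for credentials.
    Candidates missing a character class are rejected and redrawn, which
    costs a negligible fraction of a bit of entropy.
    """
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def generate_site_passwords(sites, length: int = 17) -> dict:
    """One independent password per site: a breach of one site's password
    database reveals nothing about the passwords for the others."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    # Constructed sample sites; the output differs on every run.
    for site, pw in generate_site_passwords(["slack", "ebay", "tumblr"]).items():
        print(f"{site:8} {pw}")
    print(f"{entropy_bits(17):.1f} bits of entropy per 17-character password")
```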

But I still have to remember a passphrase?

Yes, one passphrase, total. That’s what keeps all your logins safe while they’re sitting on your hard drive. However, remembering one long, single “master password” is much more secure (and easier on the mind) than remembering a million variations of one or two reused ones. As long as your passphrase is complex enough, and you never, ever reuse it anywhere else, your accounts become orders of magnitude more secure by keeping them in a well-regarded password manager.

What password managers are there, and which one should I use?

See the next post in the series, choosing a password manager (TODO)