Use Brain or Password Manager
I struggled with this question for a long time. It is contradictory in a way: a password manager should make everything more secure, yet a master password introduces a single point of failure. So is it more or less secure? Given the number of accounts I have created over the years, I would say going with a password manager is the better choice, if only because it lets me stop repeating the same password on different sites. With a unique password per site, a breach of one site gives attackers that one account and nothing else; with a reused password, the same leaked credentials unlock every other account where it was used.
In terms of password managers, there are quite a few to choose from at the moment. I have tried a few of them and want to share my experience here. I will start by listing some of the problems I have run into, add some personal tips, and finish off with a few recommendations.
The idea of having all my security details stored on a company’s server makes me very uncomfortable. If attackers break into that server they get a copy of every user’s vault in one go, and from then on all that protects my accounts is my master password, which they can attack offline for as long as they like. Putting security aside for a minute, imagine you put all your passwords on a service like LastPass. One day their server goes down, and you cannot even access your accounts. I think the best way is for the password manager to act as a client only; where the password database is stored should not be its concern. I prefer saving the password database on a cloud storage service such as Google Drive or OneDrive. This means I do not have to worry about people stealing my data from a password manager’s servers. Sure, they could try to steal the password database from my cloud storage, but it is encrypted, and with a long master password and a slow key derivation function (KeePass, for instance, lets you raise the number of key transformation rounds) brute-forcing it offline is not a realistic prospect. Alternatively, they could steal my master password. However, without a copy of the database, the master password is useless on its own. The two pieces have to be stolen separately, and the cloud storage account itself should of course have its own strong, unique password and two-factor authentication. To summarise, cloud storage beats the service provider’s servers.
Do not choose a service that does not offer both mobile and desktop support. This was a tricky problem because I need it to work on Android, Mac, Windows and Linux. It was often the deal breaker, so think it through up front: migrating to another service later is time-consuming and expensive.
I have tried a few password managers on Android and was surprised how many did not support fingerprint unlock. Instead, they ask the user to type an extremely secure master password every time. Can you imagine spending about ten seconds logging into the password manager app and finding your Amazon password every time you want to access your Amazon account? Compare this to fingerprint unlock, which takes maybe half a second. So another thing to look out for is fingerprint support on mobile. Note that the fingerprint is a convenience on top of the master password, not a replacement for it: the database is still encrypted with a key derived from the master password, and the fingerprint typically just releases a locally cached copy of that key from the phone’s keystore, so it does not weaken the database at rest.
Personally, I much prefer one-time-payment services because they are generally cheaper in the long run. Something to consider, however, is that a subscription-based service may have better long-term support, because it has a steady income to invest back into the product.
I have talked a lot about what to look for and what to avoid. Here are a few products I would recommend. They are intended for different user groups, and hopefully at least one of them will be useful to you.
- There are quite a few open source projects out there, and there is no reason not to consider them: the code is open for anyone to audit and they are free to use. The most popular one by far is KeePass Password Safe, which supports both desktop and mobile. It also lets the user choose between a local password database and cloud storage, which is exactly what I want. The only drawback is the user experience: compared to the commercial services, its desktop and mobile apps are not as well polished.
- SafeInCloud is my current choice. It is well polished, has browser support, and is available on most platforms. It can be purchased with a one-time payment. Since it is not subscription based, I am hoping the project does not get abandoned over time. There is no Linux support right now, which might turn some people away.
- My last recommendation is LastPass. I have used it for more than a year, and it is everything you can hope for in a password manager. It has auto-fill in desktop browsers and in the mobile apps, and it supports all platforms (even Linux, since it is browser based). The desktop features are free to use; the mobile apps require a paid subscription, but even that is very reasonable, currently $14.40 a year. LastPass is almost perfect. My biggest problem with it is that it stores all user details on LastPass’s own servers, and I personally have moved away from it for this exact reason. However, if you only want it for non-critical account info, like logins for random websites, then it is definitely the go-to choice. Otherwise, I recommend looking at the two alternatives above.