You should start using a password manager

The system you keep in your head probably isn't cutting it.
It's probably time to manage your passwords differently. Photo by Tim Gouw on Unsplash

It’s the year 2019, and we have so many cool gadgets: machines like flying taxis are even in the works. But we also still have to cope with passwords, the bane of our online existence. Google recently released the results of a survey about security, and it reported that 52 percent of the adults they polled use the same password for more than one account. It’s a forgivable offense, considering what a pain it is to remember all those letters and numbers. But some—a full 13 percent—even use the same password for every account. That’s very bad.

About a quarter of respondents to the same survey said they had employed a password manager to help them with this issue. These results are a good reminder that a platform that helps you manage your password—popular options include 1Password and LastPass—is a strong, if imperfect, solution to the problem of personal online security.

Password managers basically do two things: they autofill your existing passwords for you, and even better, they can generate a long, complex, random code for you and store that too. Browsers like Chrome and Safari can do that already (Apple, for example, saves those passwords in your iCloud Keychain). Those services can be a good option if you use just one system heavily, like an iPhone, plus a Mac, plus Safari.

But a third-party password manager will work across multiple platforms—from apps to different browsers, whether it’s a Google product or an Apple one.

The real security bonus comes from those lengthy, complicated passwords that a password manager will generate and save for you, which are definitely going to be better than whatever system you’ve cooked up. “It’s really difficult for the vast majority of people to be able to maintain good hygiene when it comes to passwords, because there are just so many different accounts they have to manage,” says Shuman Ghosemajumder, the chief technical officer at cybersecurity company Shape Security.

A compelling reason to consider using a service like this is the fact that millions of emails and passwords are already available to criminals who may try to use them. For example, a list known as “Collection #1” reportedly contains over 700 million email addresses and some 21 million passwords. Data like this isn’t the result of one security breach, but many, and criminals can try to use this fodder to log into accounts they shouldn’t have access to, like a bank’s website. That’s a tactic called credential stuffing, and by one estimate from Shape Security, an average of 80 to 90 percent of the traffic hitting a retailer’s website in 2017 came from those attacks.

But if every single password you ever used was different and complex, a password released in one breach would be totally useless on other sites. Interested in going a step further? A physical device like a YubiKey or the Google Titan Security Key can help make the two-factor login process more secure.
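To make the reuse argument concrete, here is an added example (not part of the original article and not any password manager's own code): a Python script that audits a constructed list of logins for shared passwords, shows which other accounts one site's breach would expose, and replaces the reused passwords with random ones. The site names, credentials and function names are all made up for illustration.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample vault export (site, username, password); not real credentials.
SAMPLE_VAULT = [
    ("bank.example", "alex@example.com", "Sunshine2019"),
    ("shop.example", "alex@example.com", "Sunshine2019"),
    ("forum.example", "alex", "Sunshine2019"),
    ("mail.example", "alex@example.com", "x7#Qp!vR2m@Lz9Wd"),
    ("video.example", "alex@example.com", "hunter2hunter2"),
]
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def reuse_clusters(vault):
    """Group sites by password; return only the groups where a password is shared."""
    groups = defaultdict(list)
    for site, _user, password in vault:
        groups[password].append(site)
    return [sorted(sites) for sites in groups.values() if len(sites) > 1]


def blast_radius(vault, breached_site):
    """Other sites whose login still works with the password leaked by breached_site."""
    leaked = {p for s, _u, p in vault if s == breached_site}
    return sorted(s for s, _u, p in vault if p in leaked and s != breached_site)


def generate_password(length=20):
    """Random password from the OS CSPRNG with lower, upper, digit and symbol present."""
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(check(c) for c in candidate) for check in classes):
            return candidate


def rotate_reused(vault):
    """Return a new vault where every entry in a reuse cluster gets its own password."""
    reused = {site for cluster in reuse_clusters(vault) for site in cluster}
    return [(s, u, generate_password() if s in reused else p) for s, u, p in vault]


if __name__ == "__main__":
    print("Password shared across:", reuse_clusters(SAMPLE_VAULT))
    print("Exposed if shop.example leaks:", blast_radius(SAMPLE_VAULT, "shop.example"))
    fixed = rotate_reused(SAMPLE_VAULT)
    print("Exposed after rotation:", blast_radius(fixed, "shop.example"))
```
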

Password managers are not perfect, and they do have their user-experience pitfalls—for example, using a system like 1Password requires you to first teach it your existing password. Then, you must change that password so it can create a new one for you.

Still, you get the point. Even a not-perfect solution trumps the password scheme you carry around in your head. “Everyone who is not a security expert is going to be better off using a password manager than using whatever manual system they have tried to come up with on their own,” Ghosemajumder says.