Russ Harvey Consulting - Computer and Internet Services

Password Managers

Essential for managing your passwords

You Need a Password Manager | Don't Use Browser Password Managers
Bitwarden recommended | Password Safe | Reviews

All trademarks, company names or logos are the property of their respective owners.

A computer keyboard is overlaid with a padlock.

You Need a Password Manager

We simply have far too many passwords to manage them without a password manager. No one can remember all their passwords.

Humans simply have too much difficulty creating and remembering long, strong and unique passwords.

Password managers associate usernames and passwords with specific web pages.

 

This makes it hard for password managers to betray you to bogus websites by mistake, because they can't put in anything for you automatically if they're faced with a website they've never seen before.
Naked Security

LastPass No Longer Recommended

I no longer recommend LastPass because of lax reporting of the 2022 LastPass breaches.
LastPass user? See your options. | Bitwarden recommended

Don't Let Your Browser Store Passwords

While web browsers have built-in password managers, all are vulnerable to being hacked.

Unscrupulous websites can use malicious scripts and hidden login fields to track and gather information from your browser's password manager.

Browser Password Managers Vulnerable

While all modern web browsers have built-in password managers, all are vulnerable to being hacked.

Experts tell us that relying on Google Chrome (or any browser) to manage your online passwords is a seriously bad idea.
PCMag
If you currently use or have used browsers to save your passwords, you may have noticed that you don't frequently need to log back into your browser. Although this can seem as being convenient, it also poses a major security concern.
Keeper

Chrome Especially Vulnerable

There are serious security deficiencies in browser password managers — any browser, but particularly Google Chrome.

Zero-knowledge encryption is the reason dedicated password managers can keep your data safe without ever having access to your master password. "Google's password manager doesn't use zero-knowledge encryption," stated Lurey. "In essence, Google can see everything you save. They have an 'optional' feature to enable on-device encryption of passwords, but even when enabled, the key to decrypt the information is stored on the device."
PCMag

Return to top

Computer or Mobile?

Most current password managers recognize that people want to access their passwords on multiple devices which usually includes both computers and mobile devices.

Some password managers require you to purchase their premium plan to obtain access on both. Others work on only one device.

Providing cross-platform and multi-device access means that your data is going to be stored in the cloud which complicates security.

Configure It Carefully

Whichever password manager you choose, take care in setting it up and choosing the master password.

Choosing a Master Password

Provided that your password is decent (at least 15 characters) and the number of PBKDF2 iterations (a salting of the hashed password) is very high, then the likelihood of your data being decrypted by brute-force is relatively small.

You should NEVER reuse any password but especially not your password manager's master password.

See Passwords: Your Electronic Signature for more information about creating and remembering strong passwords.

Moving to a New Password Manager

There can be many reasons that you wish to move to another password manager.

Password Breaches

If you're using LastPass, I recommend moving to another password manager, especially if your master password was weak.

Norton LifeLock also suffered a recent breach of up to 925,000 accounts.

Cybercriminals are increasingly targeting password manager companies because they hold the sensitive data that can be used to access millions of accounts, including cloud accounts where business-critical systems and digital assets are hosted.

 

In this highly competitive landscape, cybersecurity practices, transparency, breaches and data exfiltration can influence the future of these password manager companies.
Tech Republic

Exporting & Importing Passwords

All password managers have some method of exporting and importing passwords.

CRA and Password Managers

While password managers work for most sites, one of the most glaring exceptions is the Canada Revenue Agency (CRA) site. Their people will tell you NOT to use a password manager (i.e., you must manually enter your username and password).

I discovered that the data in the location bar (or address bar) on my browser was an unbelievable 2005 characters!

Not only is the CRA one of the most sensitive sites you can visit (it contains access to all your tax files including some of your most sensitive personal information) but the agency should have the expertise to manage decent security.

Return to top

Bitwarden

I strongly recommend Bitwarden for your password manager. Not only does it provide a great free version, but the cost of upgrading to premium is relatively inexpensive compared to other commercial password managers.

Bitwarden has and always will be a free and open source product. One of our goals since the beginning has been to create a free password manager that is not crippled by "free trials" and truly offer a quality product at no cost. This goal remains at the top of our priorities.

Note: Bitwarden is my recommended replacement for LastPass.

Free

You get a Bitwarden vault with:

Premium

Add premium features for only US$10/year:

Families

Up to 6 users for only US$40/year:

Bitwarden also offers business plans.

Bitwarden Emergency Access

Bitwarden Premium emergency access allows users to designate and manage trusted emergency contacts, who can request access to their vault in cases of emergency.

Only premium users, including members of paid organizations (Families, Teams, or Enterprise) can designate trusted emergency contacts, however anyone with a Bitwarden account can be designated as a trusted emergency contact.

 

Setting up emergency access is a 3-step process in which you must Invite a user to become a trusted emergency contact, they must Accept the invitation, and finally you must Confirm their acceptance.
Bitwarden

See Bitwarden's “Emergency Access” page for the details.

Downloads & Learning More

Download options include

Beware of Fake Downloads

Be sure to only download Bitwarden from bitwarden.com.

Getting Started

There is documentation on the Bitwarden Help pages. Look for the menu on the left and click on the help item you want.

I strongly recommend that you disable the login website icons because of the privacy risk.

Getting Help

Resources

Tools

Return to top

Password Safe: Offline Alternative

Realize that ANY cloud-based password manager (or service) is subject to the same vulnerabilities: world-wide access to online servers.

The alternative is a secure password manager which resides only on ONE computer.

If that is your choice, I recommend Password Safe.

Password Safe is open source and free (no license requirements, shareware fees).

Password Safe protects passwords with the Twofish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Twofish algorithm.

Return to top

Reviews

I've provided my recommendation of Bitwarden, but you might like to do more research.

That is a good idea if you aren't completely convinced that Bitwarden is for you.

About Reviews

Realize that, like all software reviews, products change over time. Depending upon when the review takes place, you may find one product favoured over another.

Reviews of Password Managers

These are some reliable reviews

Are You Using LastPass?

Steve Gibson's initial support of LastPass was one of the main reasons I felt I could recommend LastPass.

He's now moving to Bitwarden as are most of the security folks I follow.

Learn more about the LastPass security breach.

Return to top

Related Resources

On this site:

Found this resource useful?
Buy Me A Coffee

 

Return to top
RussHarvey.bc.ca/resources/passwordmanagers.html
Updated: June 14, 2024