Tools such as Last Pass and Dashlane can save you a lot of headaches New data breaches are coming to light almost weekly and they reveal a simple but troubling fact: many people still choose weak passwords and reuse them across multiple sites. The reality is, remembering dozens of complex passwords is almost impossible, and carrying them around on a scrap of paper that you have to keep updating is a huge hassle. That’s why password managers exist. Here’s why they’re important, and how to get the most out of them.Password variety is importantWith password leaks being a case of “when” and not “if,” you should limit the damage attackers can do by choosing a different password for each online account. Remembering all those passwords is hard without making them predictable, and that’s where password managers can play a big role. They’re available for most browsers and operating systems, including mobile ones, and provide a hassle-free login experience.Password complexity mattersMost password managers can generate complex passwords for you, and that’s important. Websites generally store cryptographic representations of passwords called “hashes,” but depending on the algorithm used, those hashes can be cracked. The more complex a password, the less chance an attacker will be able to recover it from the hash, so it’s good practice to use passwords with 12 or more characters, combining upper and lower case letters, numbers, and special symbols.Usually, you’ll still need to remember a master password that logs you into your password manager. You may also want to know your password for a few critical accounts, like email, in case the password manager is unavailable for some reason. In that case, sequences of words combined with digits and uppercase letters can be just as difficult to crack. An example would be DogsCatsRabbitsMyTop3Animals. These are typically referred to as passphrases, because they’re longer. Offline vs. onlinePassword managers employ a variety of security models. Some are offline, like KeePass, Password Safe or Enpass, which means they don’t synchronize across different devices: you have to move the encrypted database between the various instances of the program each time you add or change a password, or use a cloud sharing service like Dropbox to keep the database in sync. Others, such as LastPass, Dashlane and 1Password, automatically synchronize your passwords across different devices, and some even provide Web-based access to your password “vault.”If you choose one of the service-based implementations, pay attention to the architecture and make sure it decrypts the database locally inside the application or browser, without ever sharing the master password with the service provider. Don’t rely on a master password aloneProtecting all your passwords with a single master key isn’t the best idea, because it can create a single point of failure. But many password managers offer two-factor authentication, where accessing the password vault also requires a one-time code sent via SMS or generated by an app such as Google’s Authenticator. Make sure the password manager you choose has this feature, and turn it on.Even when you’re using a password manager, it’s a good idea to enable two-factor authentication (sometimes called two-step verification) for all your online accounts that offer it. An extra layer of protection never hurts.Make use of other security featuresSome password managers offer the option to log you out after a period of inactivity. That’s useful, because it’s not a good idea to keep the password vault open for extended periods of time, especially on a shared computer. Logging you out automatically can limit the damage if your computer gets temporarily infected with malware. It’s also best not to flag devices as “trusted,” which disables two-factor authentication for that device. Related content news Okta launches Cybersecurity Workforce Development Initiative New philanthropic and educational grants aim to advance inclusive pathways into cybersecurity and technology careers. By Michael Hill Oct 04, 2023 3 mins IT Skills Careers Security news New critical AI vulnerabilities in TorchServe put thousands of AI models at risk The vulnerabilities can completely compromise the AI infrastructure of the world’s biggest businesses, Oligo Security said. By Shweta Sharma Oct 04, 2023 4 mins Vulnerabilities news ChatGPT “not a reliable” tool for detecting vulnerabilities in developed code NCC Group report claims machine learning models show strong promise in detecting novel zero-day attacks. By Michael Hill Oct 04, 2023 3 mins DevSecOps Generative AI Vulnerabilities news Google Chrome zero-day jumps onto CISA's known vulnerability list A serious security flaw in Google Chrome, which was discovered under active exploitation in the wild, is a new addition to the Cybersecurity and Infrastructure Agency’s Known Exploited vulnerabilities catalog. By Jon Gold Oct 03, 2023 3 mins Zero-day vulnerability Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe