Nearly every website you visit requires you to create a user account and think up a password.

As discussed in my blog on passwords back in January, remembering a different set of credentials for every account you own can be quite a task. So in this blog, I’ll take a look at password managers: what they are, the features they offer and whether you should use one (spoiler: yes, you should).

Why use a password manager

Password managers offer a convenient way to keep your online accounts safe. With a password manager, you don’t have to remember multiple strong, unique passwords for all your accounts. The password manager stores them all for you, and can even help you generate new, random ones if you can’t be bothered to think of them yourself.

Most password managers will autofill your credentials into websites and applications, so you don’t have to type the data yourself. Most will also suggest strong passwords for sites where you are creating new accounts.

Protecting your password manager data

All password managers insist that you generate a strong, unique master password, which is used to encrypt the data the manager holds. This master password should then be the only complex password you ever need to remember.

In the majority of cases, your master password will be unrecoverable if you forget it, so most utilities will offer you the ability to safely record and store the master password – typically in printed form so that you can store it offline in a secure place, such as a home safe.

Some password managers offer MFA to unlock your password vault, and others are implementing biometric authentication (face and fingerprint mostly).

Using a password manager

When you have chosen the password manager that fits your requirements, the first step will be to generate the master password.

Most password managers operate in similar ways when doing this and initially ask you to pick a location on your disk drive to store the database which the master password will protect.

Once you have specified a location / name for the database, the password creation process will begin. Typically you will be shown a graphical illustration of how strong your master password is.

I use the open-source, free utility KeePass for my password management, so the screenshots in this blog will be from that application.

Generating a master key with KeePass

Many password managers offer alternate ways to generate a master password. For example, KeePass offers you the ability to use a key file to record your master password data to save you having to remember a complex password.

A key file must be kept separate from the machine used to store the password database, because if an attacker obtains both from a compromised machine, then they have the ability to access all your passwords. If you decide to use a key file, then it is advised to keep it on a USB device. It is also advised that you keep a backup of this file on a secondary device in case you lose your primary storage method.

KeePass also offers the ability to use your Windows password credentials to unlock the database file. This option utilises the unique SID (Security Identifier) associated with your Windows account, so if you change the password to the account, the SID stays the same and KeePass is not affected.

KeePass advanced master key options

After you have generated the master password, the next step will be to populate the database with passwords.

If you have, in the past, used a browser to record your passwords, then you should be able to export the stored credentials to a file which you can then import into your password manager.

If you have never stored your passwords anywhere, then you will have to enter the data manually, site by site.

Exporting passwords from browsers

The process of exporting passwords from your browser is very simple, but varies slightly from browser to browser.

In Chrome, access your settings by clicking the 3-dots in the top-right of the browser. Then choose the Autofill option from the left-hand menu bar.

Choose the option to view your password manager, and you will see another set of 3-dots next to the button for adding a new set of credentials. Clicking this will reveal the option to export your password data.

Exporting password data from Chrome

In Edge, access your settings by clicking the 3-dots, as per the Chrome instructions above. Then select the passwords option from the list of options shown.

Click the 3-dots next to the Add password option to reveal the export passwords option.

Exporting password data from Edge

In Firefox, select the 3-bars in the top-right of the browser, then choose settings.

In the page which opens, choose Privacy & Security, and then click Saved Logins.

In this page, click the 3-dots in the top-right of the page and then choose Export logins.

Exporting password data from Firefox

All the above methods will allow you to extract your password data and save it as a .csv file which you can then import into your password manager utility.
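Because the export puts every saved login in one file, it is a convenient point to check for reused or short passwords before importing. The script below is an added example, not part of the original post or of KeePass; it assumes the file has `url`, `username` and `password` columns, and the sample rows and the 12-character threshold are constructed for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample in an assumed Chrome-style column layout.
# None of these are real credentials.
SAMPLE_EXPORT = """name,url,username,password,note
shop.example,https://shop.example/login,alice,Tr0ub4dor&3,
mail.example,https://mail.example/,alice@mail.example,Tr0ub4dor&3,
bank.example,https://bank.example/signin,alice01,k7#Vq9!mZx2pLw4$,
forum.example,https://forum.example/,alice,summer24,
"""

MIN_LENGTH = 12  # assumed policy threshold, not a value from the post


def audit_export(csv_text, min_length=MIN_LENGTH):
    """Return (reused, short): groups of logins sharing one password, and
    logins whose password is shorter than min_length. The passwords
    themselves are never returned or printed."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = {f.strip().lower(): f for f in (reader.fieldnames or [])}
    missing = {"url", "username", "password"} - fields.keys()
    if missing:
        raise ValueError(f"not a password export, missing: {sorted(missing)}")

    by_digest = defaultdict(list)
    short = []
    for row in reader:
        password = row[fields["password"]] or ""
        if not password:
            continue  # entry saved without a password
        login = f'{row[fields["username"]]} @ {row[fields["url"]]}'
        # Group by digest so the plaintext is not used as a key.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(login)
        if len(password) < min_length:
            short.append(login)
    reused = [logins for logins in by_digest.values() if len(logins) > 1]
    return reused, short


if __name__ == "__main__":
    reused, short = audit_export(SAMPLE_EXPORT)
    for group in reused:
        print("same password used on:", ", ".join(group))
    for login in short:
        print(f"shorter than {MIN_LENGTH} characters:", login)
```

The exported .csv holds every password unencrypted, so delete it once the import into your password manager has succeeded.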

Importing your exported data

Importing password data which you have exported from a browser is a fairly simple task. Some password managers will auto-detect the file when you select it to import, whereas others will ask you what the source of the file was. KeePass asks you for the filetype which you are importing and offers a list of options.

Importing Chrome password data to KeePass

When importing the password data, you will typically have options to organise your data by categories. In KeePass, you can save password data in categories such as Windows, (local) Network, Internet, email, banking, etc., or keep them all in one category.

Password categories

Using your password manager

When you wish to log into an account, there are a few ways you can use the password manager to enter your credentials. Some managers automatically detect the URL you are visiting and offer to enter your data; others differ slightly.

KeePass offers an auto-type facility which can be invoked by pressing a hot-key combination. The default global hotkey in KeePass is CTRL+ALT+A. Upon pressing this hotkey combination, the application searches the database for a match based on the title of the webpage visited and then automatically enters the username & password data for you.

Final words

Using a password manager is a very safe method of storing multiple credentials without having to remember them all yourself.

When choosing the right password manager for you, you might want to consider some of the following:

  • Does it sync between different devices?
  • Is it portable?
  • Is it cloud-based?
  • Does it support other data such as address, phone numbers, etc.?
  • Does it work with MFA systems?
  • Does it allow for credentials sharing?
  • What is the cost / is it free to use?