People keep asking the NCSC if it's OK for them to use password managers (sometimes called password vaults). If so, which ones? Who should use them - private citizens, small businesses, massive enterprises? And how should people use them? Is it safe to put all your crucial passwords into a password manager, and forget trying to remember any at all?
This is a big topic, so we're chunking it up. This blog explains what I think about password managers in general, and how I use them myself. This might be helpful if you're an individual deciding whether and how to use a password manager for your personal use. If you're looking for business use, this blog post won't hold all the answers you need (look out for more from the NCSC on this soon).
Should I use a password manager?
Yes. Password managers are a good thing.
They give you huge advantages in a world where there are far too many passwords for anyone to remember. For example:
- they make it easy for you to use long, complex, unique passwords across different sites and services, with no memory burden
- they are better than humans at spotting fake websites, so they can help prevent you falling for phishing attacks
- they can generate new passwords when you need them and automatically paste them into the right places
- they can sync your passwords across all your devices, so you’ll have them with you whether you’re on your laptop, phone or tablet
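The phishing point above comes down to one simple rule: a password manager offers a saved password only when the page's origin (scheme, host and port) exactly matches the one the password was saved on, whereas a person reading the address bar is easily fooled by lookalikes. The following is an added illustration, not code from the NCSC or from any particular password manager; the vault entries and domain names in it are made up for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample vault: each saved login is bound to the exact origin
# it was created on (the usernames and hosts are placeholders).
SAVED_LOGINS = {
    "https://accounts.example": "alice@example",
    "https://bank.example": "alice-bank",
}


def origin_of(url):
    """Return (scheme, host, port) for an http(s) URL, or None if it is not one."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # malformed port such as "https://host:abc/"
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def matching_login(current_url):
    """Offer the saved username only on an exact origin match, otherwise None.

    Anything short of exact equality (a different scheme, a lookalike host,
    an extra parent domain, a different port) is treated as a different site,
    which is what makes autofill a useful phishing check.
    """
    current = origin_of(current_url)
    if current is None:
        return None
    for saved_url, username in SAVED_LOGINS.items():
        if origin_of(saved_url) == current:
            return username
    return None


if __name__ == "__main__":
    for url in (
        "https://accounts.example/login?next=/home",   # genuine site
        "http://accounts.example/login",               # downgraded scheme
        "https://accounts.example.evil.test/login",    # real host is evil.test
        "https://accounts.example@evil.test/login",    # userinfo trick, host is evil.test
        "https://accounts-example.test/login",         # lookalike spelling
    ):
        print(f"{url:50} -> {matching_login(url)}")
```

Note that a manager that autofills on a looser match (say, any host that contains the saved name) would lose most of this benefit, which is why exact origin matching is the behaviour to expect.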
All these things are full of win. They reduce security friction - making security easier and more convenient. If security is difficult, tedious, appears to add no value or gets in the way of the main task we're trying to do, then we tend to find (insecure) ways around it. And then we end up less protected.
Well, that all sounds great. Where's the catch?
You might be thinking "If password managers are this good, why haven't you recommended them before now?"
Well, they do have some drawbacks:
- Password managers are attractive targets in themselves. They've been successfully attacked in the past, and realistically they will be again. So all your passwords could get stolen in one go.
- If you forget the master password for your password manager, you will not be able to get back in. You will have to try and access all your accounts individually, or recreate/reset them from scratch. This will hurt.
- You can't use them for everything. Some service providers (such as certain banks) don’t support the use of password managers. If you tell them you’ve put your banking passwords into one (or written them down in any way at all) they might not give you your money back if you are the victim of cyber crime. If your bank is one that takes this stance, you'll need to think about how you’re going to manage critical passwords without writing them down. On the brighter side, this is much easier to do once you've got most of your passwords out of your head and into the password manager.
Should I use a browser-based password manager?
Many web browsers now come with password managers built in, and they can be a very good choice. They are very convenient to use, as they are fully integrated with the web browser - so they know when you're on a website that needs a password, and they just pop up and do their thing. You don't even have to remember a separate master password. So feel free to use the built-in password manager, provided that:
- You keep your web browser up-to-date.
- You have some kind of access control on your device such as a PIN/password/biometric
...two things you should be doing anyway!
One drawback with browser-based password managers is that your passwords may not automatically sync between all your devices if these use different operating systems. So, if you have a Windows laptop, an iPad and an Android smartphone, your passwords may not follow you around everywhere - unless you use the same web browser on all your devices and log into it. Also, if more than one person uses a device on the same user profile, they would all have access to the same password-protected content. You may not want that.
Should I use a standalone password manager?
Compared to browser-based managers, standalone password managers tend to do a better job of keeping your passwords available to you on all your different devices, no matter what platform they're on. They give you a little more control over when and where you use your passwords, as you get to press a button to say 'I want to use the password please', rather than the web page in the browser requesting one when it feels like it.
Importantly, with a standalone password manager you do have to create and remember a long master passphrase (unlike with a browser-based one). Standalone password managers may also include more advanced features, such as:
- notifications about compromised websites
- flagging up reused or weak passwords
- prompting you to change old passwords*
- helping you change passwords for some websites, by integrating with your browser
- multi-factor authentication
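To make the first three of those features concrete, here is an added example (written for this page, not taken from the NCSC or from any password manager product) of the kind of audit a standalone manager runs over its vault: it flags passwords that are reused across sites, that are short, that have not been changed for a long time, and that belong to sites on a breach list. The vault entries, the breach list, the 12-character minimum and the three-year age threshold are all constructed for the demonstration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample vault. The passwords are throwaway demo values.
VAULT = [
    {"site": "shop.example",  "password": "Summer2019!",          "changed": date(2019, 6, 1)},
    {"site": "forum.example", "password": "Summer2019!",          "changed": date(2020, 2, 14)},
    {"site": "mail.example",  "password": "r7$Qv!2pLx9#mZ4wB8kJ", "changed": date(2024, 1, 10)},
    {"site": "news.example",  "password": "letmein",              "changed": date(2018, 3, 3)},
]

# Constructed stand-in for the breach notifications a manager subscribes to.
BREACHED_SITES = {"forum.example"}

MIN_LENGTH = 12          # assumed policy: anything shorter is flagged as weak
MAX_AGE_DAYS = 3 * 365   # assumed policy: flag passwords older than three years


def audit_vault(vault, breached_sites, today):
    """Return {site: [finding, ...]} for every entry that has at least one finding."""
    # Group sites by password so a value shared by two or more sites is "reused".
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])

    findings = defaultdict(list)
    for entry in vault:
        site = entry["site"]
        if len(sites_by_password[entry["password"]]) > 1:
            findings[site].append("reused")
        if len(entry["password"]) < MIN_LENGTH:
            findings[site].append("weak")
        if (today - entry["changed"]).days > MAX_AGE_DAYS:
            findings[site].append("old")
        if site in breached_sites:
            findings[site].append("breached")
    return dict(findings)


def sites_needing_change(vault, breached_sites, today):
    """Sites where the password itself should be replaced (reused, weak or breached)."""
    report = audit_vault(vault, breached_sites, today)
    return sorted(
        site for site, flags in report.items()
        if {"reused", "weak", "breached"} & set(flags)
    )


if __name__ == "__main__":
    for site, flags in audit_vault(VAULT, BREACHED_SITES, date(2024, 6, 1)).items():
        print(f"{site:15} {', '.join(flags)}")
```

The "old" finding is deliberately kept separate from the other three: as the footnote at the end of this post says, age alone is a weak reason to change a password, while reuse, weakness and a breach of the site are each reasons to replace it.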
How do I do this, then?
As with many things, there are lots of different ways of going about this. This is what I do myself:
- First, try and cut down the number of passwords in your life, and reduce how much you rely on those passwords to prove who you are. Use multi-factor authentication or single sign-on where available. For infrequently-used passwords, use a password reset mechanism when you need to log in (instead of making any attempt to recall or store the password). But take really good care of the email account that the password reset emails are sent to.
- Consider biometrics. Fingerprint readers on smartphones are generally good enough to protect your phone and the data on it, and they are very usable. So feel free to use them. Turn on encryption (if it's not already on) for extra protection.
- Decide whether to use a browser-based or a standalone password manager. Personally, I use both, for different things.
- If you use a standalone password manager, make its master passphrase the best you possibly can. We suggest a passphrase rather than a password as it's much easier to make it really long, and adding length gives much more protection than adding complexity. Make it hard for someone who knows you to guess in 20 attempts, and make it totally different from any password or passphrase you’ve ever used anywhere else.
- Memorise your passphrase. Yes, you really do have to, sorry! If it helps, write it on a piece of paper until it’s firmly lodged in your memory. Keep the piece of paper very safe, and destroy it when you’ve memorised the password.
- Don’t put any work passwords into your personal password manager unless you’ve got permission from your employer.
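The advice above that "adding length gives much more protection than adding complexity" can be put in numbers. What follows is an added example, not NCSC code: it measures the size of the search space an attacker would face for a randomly chosen password or passphrase, generates a passphrase with the cryptographic random generator, and works out how many words are needed to beat a given character password. The short word list is constructed for the demo; a real list of the kind password managers ship with is a few thousand words long, and the functions take the list size as a parameter so the comparison works for either.

```python
import math
import secrets

# Constructed demo word list (16 words, so 4 bits per word). A real list of
# 7776 words gives about 12.9 bits per word.
WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
]
PRINTABLE_ASCII = 94   # size of the usual "complex" character set


def search_space_bits(length, alphabet_size):
    """Bits of search space for a password of `length` symbols chosen at random."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, wordlist_size):
    """Bits of search space for `word_count` words drawn at random from the list."""
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of random words that reaches at least `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(word_count, wordlist=WORDS, separator="-"):
    """Draw words with the OS CSPRNG; never use random.choice for this."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    complex8 = search_space_bits(8, PRINTABLE_ASCII)
    print(f"8 random printable characters: {complex8:.1f} bits")
    for size in (len(WORDS), 7776):
        n = words_needed(complex8, size)
        print(f"list of {size:5d} words: {n} words give "
              f"{passphrase_bits(n, size):.1f} bits")
    print("example from the demo list:", generate_passphrase(6))
```

Two caveats the arithmetic does not show. The figures assume the words or characters really are chosen at random, which is exactly why a manager's generator (or dice) should pick them rather than you. And the 20-guesses test in the advice is about a different threat, someone who knows you, so a memorable phrase made of things about your life scores badly on it however long it is.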
Finally, think about how important each password is to you for each account. If someone discovered this password, would it result in
- your life being ruined?
- your bank refusing to refund any losses?
If the answer to either is 'yes', then I wouldn’t put it in a password manager. For these cases, a password shouldn't be the only thing that the security of your account rests on. So look at extra defences such as multi-factor authentication.
For other, less important accounts, having the password stolen might be massively inconvenient, but there would be no real permanent damage done. Passwords for these accounts should be OK to go into your password manager.
Some accounts have very low value. For instance, an online forum that requires a password, but doesn’t actually hold any personal information you care about. These passwords can be stored in a password manager without a second thought.
A future without passwords?
Long-term, I think the success of password managers shows - yet again - that password-based authentication has outstayed its welcome. Passwords are supposed to be 'something you know', but now we’re saying the best way to manage them is not to know them (because your password manager knows them all for you). Passwords have taken us a long way, but now it's really time to move on.
The NCSC is working to help us all reduce our reliance on passwords, and to move towards a future where we make greater use of better, more secure, more usable authentication mechanisms instead. In the meantime, we're also working on some guidance on how best to use password managers in organisations - look out for this soon.
Password managers are a good thing - for now. But we hope not forever.
* We normally recommend against regularly changing passwords where there is no indication or suspicion of compromise - if you are trying to memorise them. The costs are greater than the benefits. However, remembering new passwords that are very different from the previous one isn't a problem for a password manager.