How to secure passwords?

What do we do in this case? The easiest solution is to use the same username and password for several websites. A username is often some variation of a personal name or nickname with added numbers, random capitalization, and the like. Although we are warned at every step that passwords must be long, complex and different on each website, we still too often use simple passwords, such as password, password12!, password1 and the like. Any slightly more experienced attacker will be able to brute force your passwords, but by then it will be too late.

Even on phones, most people use simple PIN codes (123456, 2222, 0000...) and patterns (swipe right and down...). Biometric unlocking, available on almost every newer phone, doesn't even appear on the list of possible solutions in the hands of an inexperienced user. Not to mention the possibility that the PIN code is the same as the one used to access mobile banking or trading services.

We have become complacent. We rely on companies to keep our data safe, even though there's a lot we can do ourselves. You won't remember more than a hundred passwords unless you have a photographic memory. You will not write them down on a piece of paper either.

One solution is dedicated password managers

Some of you are already using password managers in Chrome, Firefox, Safari browsers... With them you can create complex passwords, store them in a "vault" and let the browser fill them in automatically when needed.

Is Google's password manager secure?

Google's password manager is a much more secure solution compared to using the same passwords over and over again - but it's still not the best. Google's password manager is not open source, so we cannot know exactly how it works, how it stores passwords, etc. Otherwise, even the label "open source" does not necessarily mean that it is a safe solution. But there is at least the possibility that the source code can be reviewed by independent experts.

What we do know is that Google does not use a zero-knowledge encryption approach, which means that Google knows everything about the data you store on their servers. There is an option to enable local encryption of passwords before they are saved to your Google account. We have no data on how many users have it turned on, but we can assume that it is not the majority. There is also no option to set a master password to access the password manager. In addition to transparency, the disadvantage is that it does not work outside of the Chrome browser.

So should you use it? Although it's not the best and doesn't offer all the features that some other password managers offer, it's still safe and above all convenient.

How does Apple store passwords?

Similar to Google's solution, Apple's is also very convenient for users in the first place, as it is available by default on all Apple devices. With the iCloud Keychain password manager you can generate random passwords, store them, store credit card numbers, the manager fills in the information for you, in short very similar to what all other password managers do. It uses 256-bit AES encryption for encryption, passwords are synchronized with other Apple devices, multi-factor verification is available, and they recently added the option to use "passkeys".

It works very similar to Google's password manager and also has the same drawbacks: transparency, incompatibility outside the Apple ecosystem, missing more advanced features...

iCloud Keychain is a secure password manager and a solution that most people will use on Apple devices - primarily for convenience.

5 % users who like to delve deeper into security prefer a dedicated password manager. There are several of these and they work very similarly, so it is difficult to determine which one is the best.

Bitwarden, NordPass, 1Password, RoboForm, KeePass, Keeper... There are quite a few choices and the ones listed are considered the most popular. You don't have to limit yourself to just one. One is easier to manage, but there are no other reasons why you shouldn't use two password managers. Most of these managers offer a free version that will be sufficient for most, but you can optionally lease one of the paid versions for additional features, such as multi-factor authentication with devices such as the YubiKey.

Since you probably already have passwords stored in a Google or Apple password manager, you'll need to export them first to use other password managers.

In Chrome, go to Settings, select AutoFill & Passwords, then Google Password Manager. You will then notice another Settings section on the left where you will select Export passwords in CSV format. If you ever need it, these settings also allow you to turn on encryption and import passwords from other browsers or password managers.

Apple users, the easiest way to export passwords to iCloud Keychain is on a Mac computer. Go to System Preferences or Settings, select Passwords from the sections, you will most likely be asked to type in your password or use Touch ID, then you will be able to choose from several options to export all passwords. According to our knowledge, it is currently impossible to export passwords on iPhones without using third-party solutions, so make sure you have password sync turned on on all Apple devices.

You can then easily import the exported CSV file into the selected password manager.

What do dedicated password managers offer?

Take Bitwarden for example.

Bitwarden is a secure and open source password manager. It is extremely easy to use, the functions are elaborate, which is where its popularity among users comes from. Its integrity was last verified by external experts in 2022. It also allows you to install their service on your own server if you want to manage your own cloud.

Its advantage is also that it is available on all operating systems (Android, iOS, MacOS, Windows and also Linux) in the form of an application or a web interface. It can be installed as an extension in almost any browser and is also compatible with Windows Hello and Touch ID.

Bitwarden supports passwordless authentication, meaning you can log in with a one-time code, biometric verification, or security key. Bitwarden also has excellent support for passkeys, including the ability to log into Bitwarden with a passkey, meaning you don't even need to use a username or password to open the vault. There are also some extras, such as a secure file sharing feature (Bitwarden Send), an authentication app (unfortunately paid), and you can always rely on an extremely active user community.

What are passkeys or access keys?

Passkeys are a new type of login credentials that allow you to log into websites and services without having to enter a password. You don't need to remember them, but you can use them with devices you already have, such as a smartphone or laptop. Passkeys are based on WebAuthentication or WebAuthn standards. Both use public key cryptography.

In addition to hacking into data systems, access keys cannot be stolen in phishing attacks. Cybercriminals often use phishing or social engineering as a way to gain access to a user's username and password, which they then use to gain access to valuable data. Passkey consists of a private key and a public key. The public key stays on the company's servers, the private key stays on your device and cannot be easily stolen.

Whichever solution you choose—or stick with a Google or Apple password manager—make it a daily practice to use different passwords and usernames. You also don't store passwords in Word documents, Google Drive, or anything similar. Passwords should be long and use both characters and numbers. And in no case do not trust passwords to others.

Cover photo: Image by starline on Freepik