Use Password Managers

Password managers are the tools (desktop and mobile apps) that help you store your passwords and other confidential information securely. Some of the tools are available for free, whereas some tools require you to pay a monthly fee. Once you download and install a password manager in all your devices, the passwords are automatically synced in all your devices. This article tries to convince you to use a password manager and insists you use one, even if you are not convinced.

Q/A Time!

Why should I use a password manager?

Password managers don’t just store your passwords. They also help you:

  1. Generate a secure, random password for different websites
  2. Remind you of duplicate, weak, old and previously breached passwords
  3. Automatically fill login forms as well as input fields in your mobile app
  4. Automatically change any password for many services
  5. Sync your passwords across all your devices automatically

What can I store in a password manager?

Here is a list of the stuff you could store in a password manager:

  • Login information like username, password, and email address
  • Password for your mobile banking apps
  • Bank and credit card information
  • Any kind of secure note
  • Your SSH Keys
  • Server credentials if you are a web developer
  • Signing keys and app signing certificates if you are an app developer

What if I lose all my devices?

As a courtesy, most managers store a copy of your encrypted vault on their servers. Don’t worry, good password managers are open source, and audited by a third-party security team. The encrypted vault can only be opened with your master password. Even if you lose access to all your devices, you can access your vault by logging into their service using your email address, and your master password will be used to unlock your vault.

But… is my data safe with them?

Yes, password managers encrypt all your information using a master password and store it as a secure vault. The master password is the only thing you need to remember to access your vault. Whenever you make any change, the entire vault is once again encrypted, and then synced across your devices. Then the password manager apps installed on your devices need to re-open the vault using your master password. Not even the service providers, ISP, or intruders in the network can see your information. Your master password is never sent online; it is only used to unlock the secure vault locally on your device.

It is essential to use a trusted password manager that is regularly audited by independent security researchers. Like any other software, a random password manager downloaded from the internet may not be as secure as it should be.

I can remember everything. Do I still need a password manager?

That’s the problem right there. It is tough to remember long, random passwords for individual websites. If it is easy to remember, either the password is too short, or it follows a pattern. You might be able to remember passwords for a dozen services, but when you need to think of a few more new passwords, you start developing a pattern. If one or more of your passwords are breached, the pattern might be used to brute-force other passwords.

If you are a developer, you know you cannot remember everything. It is humanely impossible to generate and remember complex, random passwords every time you create a new database user for your web app, or when you need to spin-off a new VPS, or when you need to generate a new SSH key-pair. You know you can’t remember the content of your SSH Keys, all your API Keys, or the client secrets of the third-party services you use.

Even if you can remember a password, you cannot fill a login form as accurately and as fast as a password manager would.

What if I am still not convinced that I need a password manager?

Password managers also let you share your vault with your family members, so you might want to keep some notes for them in case of your untimely demise.

Told ya! Even if you aren’t convinced that you need a password manager, you should use a password manager.

Which password manager should I use?

There are several dozens of choices when it comes to picking a password manager. I chose LastPass® because it offers a free plan so you can start right now without a need to pay anything. LastPass is operated by a company named LogMeIn Inc. It stores your encrypted vault online, so you only need to create an account with them to get started. Passwords stored in LastPass is hidden from everyone, including the company itself.

The word LastPass and the LastPass icon are the registered trademarks of LogMeIn Inc.

I am not affiliated with LastPass, and I am not getting paid if you follow the links on this article.

This following information might become irrelevant when the user interface of LastPass gets changed.

Use LastPass.

LastPass is my password manager of choice. Use it to store virtually everything that you need to keep safe. Examples include your passwords, credentials, and app signing keys. This guide is slightly opinionated towards making your account as secure as possible while compromising on set-up time.

Even if your passwords are already saved by your web browser, or they only live inside your head, we don’t need to import all our passwords to LastPass immediately. Once you have installed LastPass, it will automatically detect when you sign-in, and it will ask your permission to save your login information to the LastPass vault.

Get Started

To make the best use of LastPass, you need to install it as an extension (plugin) of our web browsers, as well as in our mobile device. Installing a separate app on the PC is optional.

Create an account.

You need to create an account before you can use LastPass. I recommend you think of a strong master password before you start signing up. Learn how to create a strong master password and think of a good password. If you need, write it down in a piece of paper and throw it away when you remember it by your heart.

  1. Go to the registration page.
  2. Enter your email address and the new master password. Confirm the master password to make sure you remember the password correctly.
  3. Submit the form, and follow the instructions sent to your email address to complete the process of creating your account.
  4. Proceed to the next step after you have created and verified your new LastPass account.

Install the browser extensions.

Most of the time you’ll be using LastPass to automatically fill your passwords in the websites that you use. For that, you need to install the LastPass extension (plugin) in your browser. You can download and install the extensions from the downloads page. Once you have installed the extension, you can find the LastPass icon on the menu bar of your web browser. Click on it to sign in to your LastPass account to use the extension.

Get the mobile app.

LastPass can also auto-fill passwords and other information in mobile apps. That’s why it’s a good idea to install the LastPass app on your mobile device. Search for LastPass on the Google Play Store or App Store app in your mobile device, and install it. Open the app and follow the steps to complete setting up the app on your mobile device. Once you’re done, you will be able to auto-fill passwords in mobile apps.

Add Account Recovery Options

When you start using LastPass for the first time, your master password is the only way to see the saved passwords. In case you forgot the password you will lose access to all the information that you have saved in LastPass vault. To your rescue, LastPass offers several options to recover your account in case you lose your master password.

There are several account recovery options available in LastPass. To set up the options, follow these steps:

  1. Click on the LastPass icon on your browser’s toolbar.
  2. Select the Open my Vault option.
  3. You may need to log in to your account one more time to access your vault.
  4. Click on the Account Settings menu on the bottom left corner.
  5. On the Account Settings window, scroll down to the SMS Account Recovery section. Add your mobile number and verify it to enable account recovery using your mobile number.

Do not close the window yet. You need to change some more settings to protect your LastPass account from unauthorized access.

Protect your LastPass Account

If someone got your master password, they will be able to log in to your LastPass account and see all your passwords and secret notes. To stop this, you need to add one more step of verification that confirms that the person trying to log in is you. You can easily protect your LastPass account from unauthorized access by enabling two-factor authentication. There are several ways to protect your account, but we will use the mobile app called LastPass Authenticator for the sake of simplicity.

Search for the app on Google Play Store or App Store on your mobile and then install it. Please make sure the app icon & the developer name matches the following.

Once the app is installed, open it and grant some required permissions.

Follow these steps to start securing your LastPass account with two-factor authentication using the LastPass Authenticator app. Do not miss any step; especially step #4 and #6.

  1. On the LastPass app’s Account Settings window: switch to the Multifactor Options tab. Scroll down to enable account recovery using LastPass Authenticator. You will be shown a secret code and a QR Code that you need to scan using the mobile app.
  2. On the LastPass Authenticator app on your phone: tap on the button that says Add new account. In some cases, instead of the button with text, there could be a round button with the plus sign on it (+). Select the Scan Barcode option. In case the camera isn’t working on your device, you can enter the secret code manually. Once the app scans the secret code, it will generate a PIN code; the PIN code keeps changing every 30 seconds.
  3. Enter the PIN displayed on your mobile app to the LastPass app on your PC. Confirm enabling two-factor authentication.
  4. Once done, also enable recovering the account with Grid option. Read and follow the instructions carefully. The grid helps you get back to your LastPass account in case your phone is lost or damaged, and you cannot LastPass Authenticator app on your phone.
  5. Set LastPass Authenticator as the primary method. Now onwards, you must enter the code displayed in the authenticator app whenever you log in to your LastPass account.
  6. On the LastPass Authenticator app on your phone, tap on the menu icon on the top left corner and tap on the Settings menu option. On the settings options, turn on the Backup to LastPass [✔︎] option. Then tap on the Backup now option.

Backup to LastPass [✔︎]
You must enable this option. If you don’t, your secret codes saved in the app will be lost if your device is lost or damaged. You may also lose access to all other accounts that use LastPass Authenticator.

When you enable this option, you can simply log in to your LastPass account, and your codes will be restored from your LastPass vault. While logging in, you will still need to enter the two-factor authentication code (PIN code). You need the grid that you saved from step #4 to log in. You may also request the code via SMS, but this option might not be available if you also lose your SIM card, and can’t get a new one immediately.

Things are complicated, but you need to compromise ease of use for security.

After you complete these steps, you have secured your LastPass account by enabling two-factor authentication (2FA) and made sure you don’t lose access to your account even if your phone is damaged or lost.

That’s all for now.

Too paranoid to use a password manager?

If you are paranoid that an earthquake or fire destroyed all your devices and written notes that you had stored in your wardrobe, you should keep an off-site backup of your information. Here are a few questions that you might ask.

What if LastPass’s servers got destroyed, and I also lost all my devices at the same time?
You can simply restore your data from a back-up hard drive.

What if I don’t back-up my device regularly?
Seriously? You must back-up your devices on a regular basis. Or, you can occasionally email a copy of your encrypted vault to a trusted friend.

What if I lost my memory due to an accident, and no longer knew LastPass existed?
Store your master password and backup codes in vaults of two different banks, and tell a family member or a trusted friend about it. Or, just store your master password and backup codes in a trusted friend’s wardrobe instead.

What if…
Please stop.