The Ultimate Guide to Password Management in 2020

Author: Romain Brabant
Date Published:
Reading Time: 7 minutes, 45 seconds. (1,698 words)

There are plenty of DOs & DON’Ts when you set a password to register on a new website, but the most overlooked advice is to never use the same password on more than one website. The obvious reason is due to the inherent risk of a data leak.

You can read here about The 18 biggest data breaches scandal of the 21st Century, the most impressive scandal being Yahoo with literally billions of accounts compromised in 2013-2014. 🤯

And don’t think these data leaks is only to the profit of one person, all hackers can and will trade/exchange these leaked databases on various darknet places.

So if you are one of those who mostly use the same password everywhere, no matter how strong your password is, and your best effort to remember and protect it, you are always at risk of that kind of leak.

If you become a victim of a data breach and one of your passwords is included, then it’s time to change this password in every single website you use it.

Now, not only you have to set complex passwords not easy to guess, and almost impossible to remember, but you have to pick a unique one for each of the hundreds of websites you might be using on regular basis.

This is simply an impossible feat without a proper Password Management solution.

Fortunately, there are plenty of Password Management solution and if you search for “password management software” on Google you’ll find right away the most popular one:

Search Result on Google when you search for "Password Management Software"

Now you only have to choose between a “Cloud-Based” solution where your database of passwords is encrypted and stored in the server of the password manager provider, or a “Software” solution where you will have the responsibility to save, store, and backup your password database.

I’m in team #2 (Software Solution) and decided to deal with the security of my password database on my own. I’m going to details now how I do that, however, I want you to know first that my guide simplifies a lot to be accessible to as many people as possible.

But using a Password Manager also implied some crucial responsibilities that you should be aware of and that are extensively covered in this excellent post by Stuart Schechter on Medium. I recommend you to read this one if you’re interested in going more in-depth on this topic.

Password Management for Windows OS

I’m a Windows user, and for a very long time, I was personally using the software solution Access Manager, but for the past few years, my personal favorite is the free and open-source solution KeePass that is always pinned to my Taskbar for easy access.

This is how it looks when you launch it, first it will ask you for your Master Password:

Keepass Master Password Screen

And then you’ll have access to your list of Password, neatly organized with nice features to search your database, sort the result by name, or categories.

Keepass Password Manager

Now you just need to double click the columns “User Name” or “Password” to automatically store in your clipboard the value of the columns and paste it to the sign-in form of the website you’re trying to log in.

Finally, every time I need to register for a new website, I simply have to press this icon to add a new entry in my Keepass Database:

Keepass Add Entry Icon

The windows below will open, and KeePass will generate a robust password that you can still edit and then cut and paste to the sign-up form.

Add a New Entry windows on Keepass

For those interested in customizing the level of security, the password generation tool has advanced configurable options that will please any security expert:

Keepass - Password Generation Settings

How secure is KeePass Password Database?

KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm to encrypt its password databases. Both of these ciphers are regarded as being very secure. AES e.g. became effective as a U.S. Federal government standard and is approved by the National Security Agency (NSA) for top secret information.

The complete database is encrypted, not only the password fields. So, your user names, notes, etc. are encrypted, too. SHA-256 is used to hash the master key components. SHA-256 is a 256-bit cryptographically secure one-way hash function.

No attacks are known yet against SHA-256.

Source: https://keepass.info/features.html 

Password Management for macOS or Linux

I’m not a macOS user but I asked Matthew our awesome UX/UI Designer 👨‍🎨 and he’s personally recommending the tool 1Password. It’s a Cloud-Based password manager and also works on iOS, Windows, Android, Linux, Chrome OS. It looks awesome, but unlike Keepass for Windows, it’s not free.

1Password - Main Password List View

DOS AND DON’TS when generating a Master Password

With a solution like KeePass or 1Password, you just need to remember the one unique Master Password asked by the software when you launch it to unlock your password database, and it is this Master Password that will rule them all.

Needless to say that this Master Password needs to be as strong as possible so here are some tips:

Master Password – DO’S:

Do use a combination of uppercase (U) and lowercase (u) letters, special characters or symbol (@, #, $, %, ^, &), and numbers (1, 2, 3, 4, 5, 6, 7, 8, 9, 0).

Do make sure your passwords are at least eight characters long, the more characters your passwords contain, the more difficult they are to crack.

Do scramble, if you insist on using a word, misspell it as much as possible, or insert numbers for letters. For example, if you want to use the phrase “I love my password” you can change it to [email protected]

Do use a long-phrase (part of a poem, a song, or a proverb you like) and scramble it with an abbreviation and mixing. Let say you choose the phrase such as “I want to become the best password keeper in the world, and this password will rule them all.”, you can convert this phrase to an abbreviation by using the first letter of some word, and mixing it by changing the word “to” to a number “2” and the word “and” by the special symbol “&”. This will result in the following basic password phrase “iw2btbpkitw&tpwrta”. Make it even more complex by adding punctuation, or decide to keep some word entire, or pick some letter with uppercase: “iwANT2btbpkitw,&tpwrtaLL.

Do check if people around you aren’t looking when you type a password and if they are don’t hesitate to ask them to look away when you type it or move to a more private place. When you are in public space, don’t forget about the Surveillance Camera. In these situations, you can always try to cover your keyboard with one hand while typing your password.

Do change your password once a year or every time you have a doubt it might have been compromised, it’s not a bad habit to change your master password when you switch to a new workplace, or when ending a long relationship.

Master Password – DON’TS

Don’t use a commonly used password such as 124567 or the word “password

Don’t use keyboard pattern password such as “qwerty”. Passwords should not contain keyboard patterns because they are vulnerable to cracking attacks and shoulder surfing (observing users as they enter their password).

Keyboard Pattern Password

Don’t use a solitary word in any language. Hackers have dictionary-based systems to crack these types of passwords using the brute force method.

Don’t use a derivative of your name, or the name of a family member, loved one, or the name of your dog/cat. In addition to names, do not use phone numbers, addresses, birthdays or wedding date, or tax identification and social security numbers.

Don’t write your passwords down.

Finally, don’t answer “yes” when prompted to save your password to a particular computer’s browser. Instead, do rely on your password manager to cut & paste each unique password to each unique website you log in.

How to store and backup my Password Database?

The advantage of using a Cloud-Based password management solution is that your database is securely stored by a professional company, but this usually comes with a monthly fee. So, if like me, you decide to use a free solution like KeePass, then you’re the one in charge of storing and protecting your Password Database. 

Knowing that you have to understand and realize that if you have a Hard Drive problem and/or lost the computer that store your Password Database, then you basically lost all your passwords and will have to deal with the lengthy process of one by one manual password recovery, with each website you sign-up with.

My recommended solution to this risk is to have a File Hosting service such as DropBox or Google Drive (both of which have a free plan). And to store your Password Database on your computer in a folder that is synchronized (backup) in real-time with your favorite file sharing service.

And even though the KeePass database is strongly encrypted by default, if you are a control freak and want to step up your encryption game, you can always add an extra layer of security and use a solution like Duplicati to store an encrypted backup to your file hosting service.

Interested in a guide on encrypted backup to Google Drive using Duplicati? Please ask below in the comments section to motivate me to write a guide about this 😂

What about 2FA (Two Factor Authentication)? 

Two-factor authentication (also known as 2FA) is a method of confirming users’ claimed identities by using a combination of two different factors: 

1) Something they know: your password

2) Something they have: a one-time password (OTP) or code generated or received by an authenticator (e.g. a security token or smartphone) that only the user possesses.

The best way to manage all your 2FA accounts is to use the Authy app. It enables you to have a single mobile app for all your 2FA accounts and you can sync them across multiple devices, even accessing them on the desktop.

Authy App - 2FA Preview

Install Authy on your device by searching for it in your device’s app store.

Note: If any sites prompt you to use Google Authenticator for two-factor authentication, note that you can always substitute with the Authy 2FA app instead. Although they work in similar ways, Authy is more feature-rich and allows for multi-device syncing, cloud-backups, and easier account recovery should you change or lose your phone or device.

Read more information on the features of Authy here, and yes, Authy is also Free.

I hope this guide will help you, please leave a comment to share your appreciation or criticism about this guide, and also to share any interesting tips so we all can have a better password management process.

about the author
Romain Brabant
SEOBUDDY Team

CEO & Founder at SEOBUDDY

FOLLOW ME
  • Follow me on Twitter
  • Follow me on LinkedIn
Romain is the CEO & Co-Founder of SEOBUDDY, a SaaS company that turns the daunting world of SEO into easy-to-complete daily missions that your team can perform in short sprints of 20 minutes.