There’s no way around it, passwords are a pain in the butt. The internet is filled with lists of rules for making good passwords, most of which boil down to “make it something you’ll never be able to remember.” For most people, it comes down to two options. One is to use the same handful of easy-to-remember passwords across multiple sites, which — spoiler alert! — is a really bad idea.
The other is to find some way to store your passwords, so you can use a set of strong, unique passwords but not have to put your brain through the torture of trying to remember them all. Here again, security is key: It does you no good to have a set of robust passwords if a scammer can easily access the place you’ve stored them. Here are a few of the best ways to store passwords (or at least, the most common ones), and how they stack up.
The Cost of Bad Password Security
The security of your passwords stands on three pillars: the strength of each individual password, your willingness to use the same password across multiple sites, and how you store your passwords. A failure on any of those three points puts your personal information, and your online identity, at risk.
Hackers can use readily available tools to break weak passwords easily through brute force, or simply work from lists of the most commonly used passwords. If you use the same handful of passwords across multiple sites, an attacker who steals or breaks even one of your passwords can then try it everywhere else. A surprising number of sites use your email address as your username, so a scammer with both of those pieces of information is especially dangerous.
Finally, if you don’t secure your passwords properly, an attacker could use them to access all of your accounts, potentially stealing your identity or using them to phish your friends. So how should you store your passwords, to keep them secure?
Old-School Pencil and Paper
The simplest technique for storing your passwords is just to write them down. This may sound rather old-school — and it is — but that doesn’t necessarily mean it’s a bad thing. Obviously, writing them on a Post-It note and sticking them to your monitor is a bad idea, but keeping a small notebook with your passwords in it has its merits.
The first is that it’s simple to use, and because it’s offline it’s essentially unhackable. Getting into your passwords requires physical access, which narrows potential “breaches” from millions of faceless hackers to the handful of people around you. If the notebook is small enough to live in a pocket, wallet or purse, it’s difficult for anyone to access it without your knowledge. The downside, of course, is that if it is stolen, the thief will know all of your passwords and you won’t. You don’t need to be especially tech- or security-savvy to understand that this is a Very Bad Thing.
Our verdict? Not the best option for most users.
A File on Your Devices
The next step up in sophistication is keeping your passwords in a file on your devices. It has the same advantage of simplicity: You can simply list them in a word processing document or a spreadsheet, whichever you’re more comfortable with, and keep a copy on each of your devices.
Of course, if anyone should gain access to your device — in person or remotely — and see a file called “My Passwords,” that’s a pretty juicy target. Giving it a less obvious name, like “Q3_amortization_Appendix2” is helpful, but a better option is to encrypt the file. It’s easy to do, and you’ll only need to remember that one password in the future. The downsides are that a) you’ll need to manually update each copy individually, each time you add a new password (what are the odds you’ll remember?) and b) if anyone guesses that single password, they’ll have access to them all.
Our verdict? Better than pencil and paper, but the inconveniences and risks outweigh its simplicity.
A Local Password Storage “Safe”
This is the first formal password-storage option on our list. Essentially, it’s a small, encrypted database that holds your passwords and login credentials for multiple sites. These have been around for a long time, and include well-known programs such as KeePassXC and Password Safe. As with an encrypted Word document, you’ll only have to remember the password for your database.
The upside is that these password-storage options are offline and not cloud-based, so your passwords never pass through anyone’s servers (and therefore aren’t susceptible to hacking). The downsides, again, are that you’ll need to manually update your database on each separate device after adding a password (or improvise a DIY “sync” by keeping the encrypted document on Dropbox or a similar platform), and that anyone who knows — or guesses — your master password has full access to the rest. Also, if you forget your master password, you lose access to them all.
Our verdict? Reasonably secure and functional, but best suited to those with only one or two devices.
Your Browser’s Password Management Features
Your browser is a sort of digital Swiss Army knife, providing pretty much everything you need when you go online. One of those things is password management: Whenever you log into a site, your browser will usually offer to save your login credentials for future use. It’s the easy option for many users, because it doesn’t require you to download (or buy) and learn to use a standalone password-storage app. It just…happens.
There are upsides to browser storage for your passwords. The near-zero learning curve is certainly one of them. Another is that your login credentials will be synced automatically across all of your devices, just like your settings and bookmarks. They’ll also automatically generate strong, random passwords for you, so you won’t have to try to think of one.
The downsides, though, are significant. First, the browser will autofill the credentials of whoever’s signed in. That means if someone else gains access to your phone or laptop, even for just a few moments, they could easily sign into your accounts. It’s especially a problem on a shared “family” device, where several of you might have different logins to the same game or streaming service. More importantly, browsers are relatively easy targets for hackers and malicious sites who want to steal your passwords and other data.
Our verdict? Seductively easy to use, but too flawed and vulnerable to recommend.
The Best Way to Store Passwords? A Full-Featured Password Manager
Sometimes the best tool for the job is, simply, the one that’s designed for the job. That’s the case with password management apps. They’re designed to give you seamless access to your passwords across multiple devices, and to do it securely (the data is encrypted when it passes through the app’s servers, so an intruder can only intercept unreadable gibberish).
Aside from security, the biggest advantage of using a made-for-the-purpose tool, as opposed to a DIY solution or your browser’s Swiss Army knife approach, is its versatility and depth of features. A good password manager can handle family and multi-user situations with aplomb, providing each user with the correct login credentials. Many can even let you share a password with others without ever letting them actually see the password. These will also generate strong passwords for you, and the best will allow you to specify their length and description as well (i.e., “at least 8 characters, 1 numeral and 1 special character”).
There are only a couple of downsides to standalone password managers. One is that most of the best ones require a paid subscription, though many offer a free version with fewer features or a free trial of the paid version (in fairness, the cost of most password apps is about the same as a cup of coffee a month). A second is that you’ll need to learn the features of the app, and how to use it.
Our verdict? The best option for security, features and cross-platform convenience.
Choosing a Password Manager
No one password management app is right for everybody, so we won’t make a specific recommendation here. A quick internet search for “best password management app 2021” or something along those lines will give you plenty of options for comparison.
Checking a few reviews will give you a good feeling for the features you’ll find on the leading programs, and you can decide which combination is the most appealing to you personally. The next step is to try the leading candidates, and see how they compare for ease of use. Most programs offer a free version or at least a free trial, so this doesn’t need to cost a lot. Even if you need to pay for a month to evaluate the app, the cost is usually minimal.
The leading programs are available across multiple platforms, including Windows, OSX, Android, iOS and sometimes even Linux, though you should check to make sure all of your devices and OSs are supported before making your final choice.
Cleaning Up after Yourself
Once you’ve settled on a password manager, you’ll still have some work to do in order to make sure everything’s locked down. The very first thing is to check whether any of your existing accounts have been compromised. A useful tool for that is a website called “Have I been pwned?” It previously just checked your phone number and email against known breaches, but now it can check specific passwords as well (they’re encrypted in transit, so they can’t be compromised this way). The Dark Web monitoring that comes with a Spokeo Protect subscription can also help identify accounts that have been breached by hackers and scammers.
If any of your accounts or passwords show as being breached, you’ll need to change those immediately. Work your way through those sites and change the passwords (or close the accounts entirely, if you no longer use them). Letting your password manager auto-generate strong passwords for you is a good option here.
Next, get rid of any passwords you’ve currently stored in another format. If they’re on paper, shred the paper. If they’re in a file on your computer, delete the file and empty the Trash. Finally, if you have some of your login credentials saved in a browser, purge them.
Once you’ve taken care of those high-priority tasks, it’s only sensible to use the password manager’s auto-generation capabilities to replace the remainder of your passwords as well. Start by retiring any passwords you’ve used across multiple sites, or any that are too short or weak. Over a few days (or weeks, depending on how much time you put in and how many passwords you have), you can gradually pick away at the remainder until all of your passwords are strong, unique and fully protected.