Three Steps for Securing Your Password Manager

By Richard Anderson

Considering that your password manager contains “the keys to the kingdom”, securing your password manager should be a priority in order to prevent unauthorized third parties from accessing your login credentials, payment details, and other personal data you want to keep confidential.

Password managers are incredibly useful for people who understand the importance of using a unique, complex password for each online account. They enable you to generate and store long, random passwords that are infeasible to guess or brute-force, and which you don't have to remember because login boxes are filled in automatically whenever you visit a site for which a username and password have been saved.

In addition, password managers can be used to store credit card details, addresses, and social security numbers – which are also conveniently auto-filled for you whenever required by a website. However, having so much personal data in one place can be a security risk if somebody manages to hack into the password manager. Therefore, securing your password manager should be a priority.

This three-step guide to securing your password manager assumes the use of a vault-based solution such as Bitwarden. If you are using a browser-based password manager (e.g., Chrome, Firefox) or an OS-based password manager (e.g., Apple Keychain, Microsoft Credential Manager), the vault is tied to the account you already use for that browser or operating system, so you will be unable to apply Step 1, which potentially weakens the security of your passwords.

Step 1: Use a Unique Username or Email Address

When you set up a password manager account, one of the first things you are asked to provide is a username or email address. This is usually the identifier you will use to log into your password vault, and, naturally, most people supply an existing username or email address. However, there is a high probability that this username or email address is already known to attackers.

The Have I Been Pwned database contains more than 11 billion breached usernames and email addresses. Although many of these are historic, inasmuch as the credentials could have been exposed more than ten years ago and subsequently changed, there is still a strong likelihood that the username or email address you would use to create the account already appears in the database.

Usernames and email addresses are “identifiers” rather than “authenticators”, so knowing one does not by itself open a vault. It does, however, hand an attacker the first of the two (or, with two-factor authentication, three) pieces needed to log in, and it tells them exactly which login to target with credential stuffing or phishing. Therefore, the first step towards securing your password manager is to use a unique username or email address, reserved for the vault alone, when setting up your account.

Step 2: Use a Strong, Random Master Password

Even when you create an account with a never-before-used username or email address, it is important to protect your password vault with a strong master password. Weak passwords that can be cracked in seconds by brute-force or dictionary attacks are one of the leading causes of data breaches. With a vault-based manager such as Bitwarden the master password is also the input from which the vault's encryption key is derived, so an attacker who obtains a copy of the encrypted vault can guess at it offline, at whatever speed their hardware allows. Not only should the master password be strong, it should also be entirely random.

However, following password best practices to create a strong, random master password presents a problem: you cannot save it in your password manager, because it is what unlocks the password manager. You will have to remember it, save it somewhere else on your device (not recommended), or write it down and carry it with you for whenever you want to access your vault via the web or a mobile app.

Additionally, humans are not very good at creating random strings of numbers, letters, and special characters. However, earlier this year, Bitwarden's Gary Orenstein wrote a blog containing excellent advice on how to create a strong, seemingly random master password that is nonetheless easy to remember. While not all of us share Gary's musical tastes, the blog is well worth a read.
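The passage above argues for a master password that is both random and long. The following Python example, added here and not taken from the article or from Bitwarden, shows the two halves of that argument in code: generating a passphrase or password from the operating system's CSPRNG (the `secrets` module, never `random`), and estimating how long an offline guessing attack would take from the resulting entropy. The wordlist is a constructed stand-in for a real diceware-style list, and the guess rate used in the estimate is an assumption chosen to stand for a fast attacker.

```python
import math
import secrets
import string

# Constructed sample wordlist. A real diceware-style list such as the EFF long
# list has 7776 words; this short list only exists so the example runs offline.
SAMPLE_WORDLIST = [
    "acid", "anchor", "badge", "basil", "cabin", "cactus", "dairy", "delta",
    "ember", "envoy", "fable", "fjord", "gable", "gecko", "hatch", "hazel",
    "igloo", "ivory", "jelly", "juror", "kayak", "kiosk", "lapel", "lemon",
    "mango", "maple", "noble", "nylon", "oasis", "olive", "panda", "pixel",
]

SYMBOL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(wordlist, n_words=6, separator="-"):
    """Pick n_words uniformly at random using the OS CSPRNG (secrets.choice)."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def generate_password(length=20, alphabet=SYMBOL_ALPHABET):
    """Generate a random character password from the given alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices_per_symbol, n_symbols):
    """Entropy of n_symbols independent uniform picks from choices_per_symbol."""
    return n_symbols * math.log2(choices_per_symbol)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for an attacker who, on average, tries half the keyspace.

    guesses_per_second is an assumption about the attacker; a slow vault KDF
    such as PBKDF2 or Argon2 lowers it by orders of magnitude versus a raw hash.
    """
    return (2 ** (bits - 1)) / guesses_per_second


def human_time(seconds):
    """Render a duration for a report, from seconds up to years."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
                       ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Assumed attacker speed for a fast, unsalted hash: 1e10 guesses/second.
    rate = 1e10
    weak_bits = entropy_bits(26, 8)           # 8 random lowercase letters
    strong_bits = entropy_bits(7776, 6)       # 6 words from a 7776-word list
    print("8 lowercase letters:", round(weak_bits, 1), "bits,",
          human_time(expected_crack_seconds(weak_bits, rate)))
    print("6 diceware words:   ", round(strong_bits, 1), "bits,",
          human_time(expected_crack_seconds(strong_bits, rate)))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDLIST))
    print("sample password:  ", generate_password())
```

The entropy figures depend only on the number of choices and the number of picks, not on how memorable the words look, which is why a randomly chosen six-word passphrase is far stronger than a "clever" eight-character password a person invents.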

Step 3: Securing Your Password Manager with 2FA

The third step to securing your password manager is to enable two-factor authentication (2FA) on the account. Most password managers provide free authenticator apps that generate Time-based One-Time Passcodes (TOTPs), and it is better to use these (or free apps such as Authy and Google Authenticator) rather than email or SMS codes, which can be intercepted, for example through SIM swapping or a compromised mailbox. Where the password manager supports it, a hardware security key (FIDO2/WebAuthn) is stronger still, because it cannot be phished.

Although two-factor authentication reduces the convenience of a password manager, it is only required when you log into your vault. Once the vault is unlocked on your device, you do not need to re-authenticate each time you want the password manager to auto-fill a login credential; relocking after a timeout normally asks only for the master password, a PIN, or biometrics. The exception is any individual website in your vault for which you have enabled that site's own 2FA, which still prompts for a code on login.

One important consideration when securing your password manager with two-factor authentication is that you might lose the device on which you generate TOTPs, which would leave you locked out of your vault. Most password managers account for this possibility by generating a recovery code at the time you enable 2FA, so it is important to make a note of the recovery code and keep it safe, somewhere other than inside the vault it is meant to recover.

Retrospectively Securing Your Password Manager

While it is advisable to take these three steps when first setting up your account, most password managers let you change your username/email address and master password after the fact, and two-factor authentication can be added at any time. However, there are a few things to remember when retrospectively securing your password manager:

  • If you pay for a subscription, tell the provider you have changed your email address so they don't cancel your subscription in error.
  • If you change your master password, do not check the box asking whether you also want to rotate the encryption key unless you have first logged out of every other device. Rotating the key re-encrypts the vault, and a client that is still logged in with the old key can corrupt vault data.
  • If you are adding 2FA to your account, remember to write down the recovery code and keep it safe in case you lose the device on which you generate TOTPs.

Finally, if you have a digital legacy (a file for trusted contacts to access your accounts in the event of incapacity or death), remember to amend it to reflect the changes you have made while securing your password manager. Most vault-based password managers work on a zero-knowledge model, so it will be impossible for anyone, including the provider, to access your vault without up-to-date details.

Richard Anderson is the Editor-in-Chief of NetSec.news