Thursday 8 May 2014

The Best Way to Manage All Your Passwords


There's a war raging between hackers and companies, and you're caught in the crossfire. Every time a company gets hacked, you have to change your password. And don't you dare reuse it somewhere else.
Dreaming up a different password for every site and service is the only way to keep your stuff safe online, but it's also a gigantic nuisance. There's one thing you can—and should—do to help: Get a password manager program.
Alex Nabaum for The Wall Street Journal
I have more than 150 different logins and counting. I'd have to be Rain Man to memorize that many passwords. So I went on a hunt for the best services for storing all my passwords, and whittled down the list to four that get the job done and offer enough security for most of us: 1Password, Dashlane, LastPass and PasswordBox.
LastPass is a good choice for people who use newer technology like fingerprint scanners. For the really paranoid, 1Password offers the most control over where your encrypted vault of passwords gets stored.
For most people, I recommend Dashlane. It's simple, so you'll actually use it. It may even save you clicks.
But, wait—isn't storing all your passwords in one place a terrible idea? It's better than reusing easily remembered passwords everywhere. Password managers hide your information behind a master password that only you know.
Nothing is 100% guaranteed, but all four of these managers take the additional security step of never sending your master password over the Internet. They're like a safe-deposit box that a professional keeps without knowing what's inside, or even holding a key to open it.
In an age where more of our personal information lives, password protected, up in the cloud, we need defenses beyond antivirus software. Using a password manager is the next step.
Dashlane is like the memory you wish you had. It keeps track of not only passwords, but also credit card numbers and user IDs, filling them in when you need them across many different devices. It also keeps a helpful scorecard on the quality of your existing passwords, and nudges you to improve them.
Dashlane is free to use on any single device; a $30 annual subscription lets the Dashlane apps automatically sync your data across devices. You can try this premium service free for 30 days.
Setting up Dashlane is a pleasure. Its app slurps up the passwords that have been saved unencrypted in your Web browser, and learns new ones as you type them. All of this gets protected by the master password, encrypted in a database on your computer or mobile device. Every time you start your computer or open the Dashlane app, you must log into the app with that master password. (You can make it ask for your password more often, like whenever your device is idle for too long.)
Dashlane uses an add-on to Web browsers, including Chrome, Firefox, Internet Explorer and Safari. When you're logging into a site Dashlane knows, it puts a small icon (a dashing impala) in the login box to let you know it can enter your username and password—even your credit card number. If you tell it to, Dashlane will even press the "login" button automatically. It doesn't work on every site, but does a better job than most.
Along the way, Dashlane also tries to improve your security. When you're changing a password or starting a new account, it suggests a strong one that would confound even a supercomputer. And its colorful security scorecard cheerfully humiliates you into replacing weak or repeated passwords.
Where password managers really become helpful is keeping your passwords up-to-date across all sorts of devices—computers, phones and tablets. (I ruled out the password keepers built into Google's Chrome browser and Apple's iCloud because neither works across all of my stuff.)
Dashlane works largely the same way on Android phones and tablets, automatically entering your passwords in apps, though not yet on the default Chrome browser. (The company says it is working on that.) On iPhones and iPads, the Dashlane app gives you access to all of your logins and passwords, but can't fill them in for you because of Apple's programming rules. (The same problem afflicts most password managers except for PasswordBox, which has figured out a way to auto-login on a handful of big sites on mobile Safari.)
Dashlane's mobile apps include their own Web browser that does automatically fill in passwords, but most people end up copying and pasting passwords from the app to their preferred browsers.
If you share a computer with family members, Dashlane remembers multiple logins without asking you to set up profiles. And the company says it is close to launching a new families-and-teams version that will make it easier to sync passwords between people who share, say, an Amazon or Netflix account.
Behind the scenes, Dashlane takes some important steps to secure your data. It never sends your master password over the Internet, and it protects your personal data using advanced encryption known as AES-256 before syncing it with your other devices via its servers. Neither Dashlane nor a hacker (or government agency) breaking into the company's systems could access your data without knowing your master password. This setup prevented Dashlane from even being vulnerable to the recent Heartbleed security catastrophe.
But if you really want to keep your stuff off the Internet, Dashlane gives you that option, too, though you'll need to sync passwords manually across devices. (The password manager that does the best offline syncing is 1Password. See chart for more info.)
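The design described above, where the vault is encrypted on the device and only ciphertext is synced, can be sketched in a few lines of Node.js. This is an added example, not Dashlane's code: the article names only AES-256, so the key derivation (PBKDF2-HMAC-SHA256), the GCM mode, the iteration count and all function names and sample data are assumptions.

```javascript
// Added illustration, not Dashlane's code. KDF, cipher mode and parameters are assumptions.
const nodeCrypto = require('crypto');

const KDF_ITERATIONS = 200000; // assumed work factor, slows down guessing of the master password

function deriveKey(masterPassword, salt) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Runs on the device. The return value is everything that would be uploaded for syncing.
function sealVault(masterPassword, vault) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(vault), 'utf8'), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Runs on another device after download. Returns null on a wrong password or a modified blob.
function openVault(masterPassword, blob) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(masterPassword, blob.salt), blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    const plain = Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null; // GCM tag check failed: key is wrong or data was tampered with
  }
}

// Constructed sample data, not real credentials.
const SAMPLE_VAULT = [{ site: 'shop.example', user: 'alice', password: 'constructed-sample-1' }];

function demo() {
  const blob = sealVault('correct horse battery staple', SAMPLE_VAULT);
  return {
    uploadedFields: Object.keys(blob).sort(),
    leaksPlaintext: blob.ciphertext.includes('constructed-sample-1'),
    rightPassword: openVault('correct horse battery staple', blob),
    wrongPassword: openVault('guess123', blob),
  };
}

console.log(demo());
```

The synced blob carries a salt, an IV, ciphertext and an authentication tag, but neither the master password nor the key, so the protection of a stolen blob rests entirely on how hard the master password is to guess.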
OK, what happens if somebody manages to get your master password? That could happen if someone installs a piece of keylogging malware on your computer—and is a good reminder that you should run antivirus software to keep such attacks at bay. But even if that happened, there's an additional layer of security: Dashlane won't let someone unlock your passwords on a new device without first entering an ever-changing code it sends directly to your phone or email.
This important two-step authentication is only available from Dashlane and LastPass, though PasswordBox says it is working on it. A 1Password spokesman says this additional authentication isn't helpful with its design, where there is no central silo of your data. But I think it helps to know if someone is trying to get into your stuff.
Still, why should you place your trust in Dashlane, a two-year-old startup with two million customers? Because selling security is the only way Dashlane makes money. And if you decide it is not worth $30 a year, Dashlane lets you export your password database in forms that can be read by you or another password manager.
You could even use the old-fashioned technique, and print out the database on paper. As crazy as that sounds, it's still safer than using the same password over and over again.
