Today on World Wide Web Day, we celebrate the achievements of the internet and the role it plays in our daily lives. More and more activities - private and business - are increasingly shifting to online services. This is exactly why it is important to think about the security of our online activities.

To secure these activities, we need more and more (secure) passwords. According to a study on World Password Day 2017, every person living in Germany already had 78 online accounts at that time - in the meantime, there are significantly more.

In an earlier blog post, we already looked at what actually makes a secure password: Password security.

Now no one can remember over 100 passwords - so how do people deal with it?

1. They write down the passwords (maybe even a sticky note on the monitor?)
2. They save them in a file
3. They save them in the browser
4. They use the same password for several accounts (and only remember this one)
5. They use a password manager
6. They use insecure passwords that are easy to remember

For example, variant 4 is particularly insecure because hacking the password database of one service immediately makes all accounts insecure.

Too few Internet users know what a password manager is - and even fewer use one.

So what is a password manager?

A password manager is software with which users can store, manage and use access data and passwords in encrypted form.

This provides a central password management in one place. The access data can be grouped thematically (e.g. in a tree structure) - and in addition to login name and password, the access URL and other data (e.g. IBAN) for the account can also be stored. In this way, accesses can be protected from unauthorised access and at the same time be used conveniently. Handwritten notes and unprotected text files are now a thing of the past.

Other confidential data such as ID card data, health data, secure notes and SSH keys can also be stored.

Some password managers are also able to generate strong passwords based on the requirements of the online service in question (e.g. at least one upper and lower case letter, one digit and one special character). In addition, they can also evaluate the security of existing passwords.

With the "Auto-fill" option, it becomes even easier. There, the automatic filling in of login name and password in the web form can be configured. An alternative are browser add-ons that fetch the data from password managers via a local port.

The password manager is accessed by default with a "master password". This encrypts the internal database of the password manager, which is why this password is also considered particularly worthy of protection. It is therefore recommended to choose a particularly strong password for it.

Access can be additionally secured by:

• Master password + key file
• Hardware (FIDO key)
• Fingerprint scanner

Some password managers are also able to generate one-time passwords (OTP), which offers another advantage. This saves the additional use of smartphone apps. One-time passwords are only valid for a certain period of time (usually 30 seconds) - and are usually generated via a hardware token or an authenticator client (e.g. Google Authenticator or Microsoft Authenticator).

There are several types of password managers, including both paid and free options, as well as open source and non-open source solutions.

Paid password managers:

• LastPass (not open source)
• 1Password (not open source)
• Dashlane (not open source)
• Bitwarden (open source)

Free password managers:

• Browser's Built-in Password Manager (not open source)
• Smartphone Apps (e.g., Google Password Manager for Android; iCloud Keychain for iOS) (not open source)
• KeePass and its derivatives (e.g., KeePassXC) (open source)
• Passbolt (open source)
• Psono (self-hosted) (open source)
• Teampass (open source)

Since the passwords are stored in an encrypted file (for KeePass, for example, in KDBX format), users can also quickly move them to a new computer or smartphone by copying the file.

If you want to use passwords across several devices (e.g. PC, smartphone, tablet), you can either synchronise the password files via the provider or take care of the synchronisation yourself (e.g. via cloud services). For an exchange of data, export and import with different formats is important.

Does the use of a password manager also have disadvantages?

The initial set-up of a password manager can be somewhat of a hurdle for users. It is necessary to install the password manager once and to familiarise oneself with how it works. In addition, individual accounts must be set up in the password manager. If necessary, one must also make an effort to obtain the secrets for generating one-time passwords. Those who wish to use browser add-ons must also set these up on their own. It is also advisable to deactivate the browser's integrated password manager if it was previously active.

In addition to this barrier to entry, there are two main problem cases:

• The master password (and/or the key file or hardware key) is lost. Here one must either retrieve the lost elements or rebuild the password file.
• The data carrier with the password database is defective. For this reason, one should always have a backup concept (and live it). Otherwise, the password file must be rebuilt here as well.

Conclusion

The comparatively low effort required to set up a password manager is definitely worth it. Users get a good overview of their accesses as well as a convenient tool for managing access data. In addition, password managers encourage the creation of strong passwords and different passwords per service, thus increasing password security. Above all, password managers have become indispensable for many for secure use on the internet today.