You can start without risking high-value passwords

If the above risks make you reluctant to use a password manager for all your accounts, consider starting with those passwords that you would least worry about losing or being compromised.

For example, you probably don’t care about a password used to create a seven-day trial subscription to a software program, news articles, or research. If you shop at many different websites, you might have dozens of accounts which all protect copies of the same information: your credit card number, phone number, and address. None of this information is very secret, your liability is limited if your credit card number is stolen, and it’s easy to reset the password for most shopping sites by receiving a password-reset email.

By starting with your lower-value passwords, you can familiarize yourself with how password managers work while the consequences of mistakes are low. As you gain experience, you’ll also better understand the risks and benefits. You may find that when you no longer have to create, remember, and type those lower-value passwords you can put some of that saved effort into protecting passwords for higher-value accounts.

You can also use your password manager to generate random passwords that you shouldn’t save. You’ll probably want to write those down. You should be able to learn random passwords for a few accounts over time just by using them.

Most users can get started without buying or downloading new software. If you primarily use Safari or Chrome, both browsers have password managers that will generate random passwords for you. I’m not going to cover Brave, Edge, or Firefox because, at the time of this writing, they don’t generate passwords.

While you should consider stand-alone password managers, especially if storing passwords for your more valuable accounts, you can easily import into them the passwords you saved while trying out the built-in password managers in Chrome or Safari.

One reason to move beyond Chrome is that it will not identify which passwords you have re-used between sites [5]. Auditing for re-used passwords is essential to getting the security benefits a password manager can offer. Most stand-alone password managers offer an audit feature, and Safari’s built-in password manager (Apple’s Keychain) recently added one as well.

Even if you try not to store important passwords in your password manager, it’s still worth periodically reviewing which passwords you’ve saved and which are re-used — some accounts that seemed valueless when you created them may turn out to be more valuable over time. Some password managers will also point out if some of your passwords are obviously weak (e.g., if they appear on common-password lists). If you want to replace your old passwords, the amount of work may be daunting. You don’t have to wait until you have enough time to change them all at once; prioritize and get started.

Alas, password managers that test whether you’ve re-used a password will only do so if you allow them to store that password. If you only store passwords for low-value accounts, the password manager will only be able to tell you which of your low-value passwords have been re-used. I know of no password manager that will alert you if you type a password you’ve saved for another site into the current webpage [6] [7]. There’s no technical reason most password managers couldn’t alert you to such password re-use, so I hope some will soon.

Learn a strong master password

Most password managers protect your passwords with yet another password — commonly called a master password. Stand-alone password managers will ask you to create a master password when you start using them. If you use Google’s Chrome browser to store your passwords and share them across devices, your passwords will be stored by Google and protected by the password for your Google Account (along with any second factors you may be using). Apple’s iCloud Keychain relies primarily on your device passwords and unlocking features to protect its data on a regular basis, but has a fallback master password called an iCloud Security Code [8].

Don’t use a master password you have used for anything else. This bears repeating because you’ve probably learned to ignore warnings against password re-use, having received such advice for accounts you don’t care about. Unlike those valueless passwords, the master password that protects all your other passwords really should be unique.

If you’re using the Chrome password manager sync’d via your Google Account, and are not 100% certain that your Google Account has a strong and unique password, create a new one (after making sure you have a recovery plan in case you forget that new password, as discussed below). This is also a good time to re-evaluate whether you should have two-factor authentication for that account. Similarly, if you’re using Apple’s iCloud Keychain, don’t reuse a password as your iCloud Security Code.

Your master password should be randomly generated and long enough to protect your password even if attackers get hold of a website’s encrypted password list and try to break that encryption. To ensure your password is truly random, let your password manager generate it (or use dice and a word list). Many people falsely believe they can generate randomness by summoning letters to their mind or pounding on their keyboard, but many of the mental processes we think of as random actually aren’t truly random. A good password manager will use a cryptographic random number generator to ensure your password is sufficiently random (and dice are a time-tested source of physical randomness that you can check for fairness simply by rolling them).

Your master password should be at least 12 lowercase characters or five words. Why use lowercase characters or words when you’ve probably been told (and coerced) to use uppercase characters and symbols in the past? If you have to enter the password on a device with an on-screen keyboard (like your phone’s), each uppercase letter or symbol may require extra key presses. You can get the same security, and save yourself a great deal of frustration, by making your all-lowercase password just 30% longer than if it were mixed case [9]. In other words, a randomly-generated 13-character lowercase password, which can be entered with 13 keystrokes, is as secure as a 10-character mixed password, which may require many more.
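The two points above, generating from a cryptographic random source and trading alphabet size for length, worked through as an added example that is not code from the original post. The "mixed" alphabet is assumed to be letters plus digits (62 symbols), and the word list is a constructed toy stand-in for a real dice-word list.

```python
import math
import secrets
import string

LOWERCASE = string.ascii_lowercase            # 26 symbols, one keystroke each
MIXED = string.ascii_letters + string.digits  # 62 symbols (assumed "mixed" alphabet)

def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def equivalent_lowercase_length(alphabet_size, length):
    """Shortest all-lowercase length with at least as much entropy as a
    password of `length` symbols drawn from a larger alphabet."""
    bits = entropy_bits(alphabet_size, length)
    # tiny epsilon keeps floating-point overshoot from adding a character
    return math.ceil(bits / math.log2(len(LOWERCASE)) - 1e-9)

def random_string(alphabet, length):
    """Draw every symbol from the OS cryptographic RNG via `secrets`;
    the `random` module is a deterministic PRNG and must not be used here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(words, count, separator=" "):
    """Pick `count` words uniformly with replacement, as dice on a word list would."""
    return separator.join(secrets.choice(words) for _ in range(count))

def master_password_is_long_enough(password, words=None):
    """Apply the floor given above: 12+ lowercase characters, or 5+ list words."""
    if words is not None:
        parts = password.split()
        return len(parts) >= 5 and all(p in words for p in parts)
    return len(password) >= 12 and all(c in LOWERCASE for c in password)

# Constructed toy word list; a real list has thousands of words (~13 bits each).
WORDS = ["apple", "bridge", "candle", "dragon", "eagle", "forest", "garden", "harbor"]

if __name__ == "__main__":
    pw = random_string(LOWERCASE, 13)
    print(pw, f"{entropy_bits(len(LOWERCASE), 13):.1f} bits")
    print(random_passphrase(WORDS, 5), f"{entropy_bits(len(WORDS), 5):.1f} bits")
    print("10 mixed characters need",
          equivalent_lowercase_length(len(MIXED), 10), "lowercase characters")
```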

Don’t expect to learn your new master password immediately — very few people can learn a long randomly-generated string in one sitting. Rather, the best way to learn your master password is to write it down and use it often. Configure your password manager to require you to re-enter it at least once a day until you know it, and only dispose of your paper copy after you’ve reliably entered it from memory for many days. While people’s ability to learn random passwords isn’t well studied, research my collaborators and I have performed suggests that it will take between 10 and 30 uses to remember it. (That research investigates techniques password managers could use to help you learn strong master passwords, but none currently offer any help.)

Finally, don’t assume you won’t lose your paper copy of the master password before you’ve memorized it, or that you won’t forget later.

Factor recovery into choosing a password manager

Since one of the biggest differences between password managers is the process for recovering your data if you lose your master password, you shouldn’t choose a password manager without researching its emergency recovery process. After you make your choice, the first thing you should do, along with choosing your master password, is to set up this recovery process. You may need it very soon, as you are most likely to forget a master password shortly after creating it, and before you have learned it through repeated use.

While the consequences of losing your passwords may seem small when you’re setting things up, and don’t have any saved passwords to lose yet, you may quickly become dependent on your password manager. You might incorrectly assume that, once you’ve learned your password, you’ll never forget it. While it’s most common to forget passwords shortly after creating them, it’s also common to forget them after a period of not using them. For example, you might forget after that next vacation you have planned, or, as a friend learned a few years back, after an unplanned hospital stay.

Why does every product handle recovery differently? In part, because it’s a really hard problem even for companies that are among the world’s biggest, best funded, and best known for great usability. Consider Apple’s iCloud, which stores the iCloud Keychain used by Safari. One way to recover an iCloud account is via customer support, but hackers have tricked support agents into compromising user accounts, including for a high-profile reporter in 2012. So Apple also offered users the option to store a randomly-generated password to use for recovery (Apple called this a Recovery Key) and configure their accounts so that customer support could not change their password. Few users adopted recovery keys, and some who did were upset when they discovered that, in fact, customer support could no longer help them when they needed it. Apple stopped offering Recovery Keys in 2015 [10]. Apple currently allows passwords to be reset after verifying customers via their phone number, despite this process being quite vulnerable to attack.

If that weren’t bad enough, the requirements that determine whether customer support will reset a user’s password or other credentials are not available to the public. Of companies that allow customer support to reset users’ account credentials, I know of none that share the rules they use to make decisions about what is required to get back in. Without those rules, users can’t know the conditions under which they will be able to recover their account and under which conditions an attacker can take over their account. It’s worth repeating this: these companies expect you to trust them with your account but won’t tell you the rules that dictate whether you will continue to be able to access it or whether an attacker can steal it from you [11].

Rather than rely on opaque customer support rules, many password managers use solutions that are less vulnerable to attack, but more vulnerable to accidental loss.

Open source password managers KeePass and PasswordSafe (the original password manager) leave it to you to find a way to store and back up the file containing your passwords, along with the key used to protect (encrypt) the data in those files. So, if you want to share your passwords between machines, you’ll need to create an online file storage account (e.g. Dropbox). Your backup could be a written copy of the master password and the password for the file sharing account. If you use two-factor authentication on that account, you’ll need a backup for that too.

LastPass, Keeper [12], and Dashlane let you pre-authorize emergency contacts to access your account…so long as they also have an account with the same password manager. That requirement is in place because these products use cryptography to ensure your friends, but not the companies, will be able to get access to this data. This helps protect you if their service is hacked or if an attacker successfully impersonates you to their customer support staff. The downside is that an attacker who compromises your contact’s account may then be able to compromise yours. You can reduce the chance of that happening by putting a time delay before your information can be released to your emergency contact. If you know people using one of these products who you would trust to be your emergency contact, that product may be better for you than the ones which your contacts don’t use.

With 1Password, your master secret is actually in two pieces: a secret key, which the software stores on every device you’ve put your passwords on, and your master password. To use a new device with 1Password, you have to transfer your secret key to it. You can back up your secret key by generating an “emergency kit”, a PDF which you can print that contains your secret and space to write down your master password. (Hopefully your handwriting is better than mine.) Like LastPass and Dashlane, 1Password has designed their online service so that they don’t keep these secrets and so customer support cannot help an attacker — or you — get access to your data without them. Unlike LastPass and Dashlane, their recovery process doesn’t require any interaction with the service, or anyone else. This makes 1Password arguably the most private option, but there’s a cost to every customer having this level of privacy: 1Password can’t know what fraction of customers have printed out recovery kits, how many have successfully used them, nor how many have lost their passwords forever. The only data they get to help them improve the reliability of their recovery process comes from what users volunteer if they contact support.

If you’re using Chrome with a Google Account and two-factor authentication, you can get ten one-time-use recovery passwords (eight-digit numbers they call backup codes) which can substitute for one of your two factors [13]. Google recommends that you “print or download” these. Google also stores these codes and so, unlike well-managed randomly-generated passwords, your codes could be compromised if Google suffers a breach.

If you use a printed recovery secret with Chrome or 1Password, or if you create your own for KeePass or PasswordSafe, you’ll need to decide where to store your recovery secrets after you print them. A safe deposit box or a home safe may be appropriate, especially if you already have one or need one anyway. There’s no technical reason you couldn’t share printouts of your recovery secrets with friends. If you were to, you might not want the sheet to say who it’s for, as excluding that fact might provide a small amount of defense if it’s stolen. Another option is to give two trusted contacts half of a code, or three trusted contacts two thirds of each code (so that any two contacts could help you).
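The contact-splitting idea in the last sentence, generalized to any number of contacts and any recovery threshold, as an added example that is not code from the original post; the eight-digit code and the contact counts are constructed. Each contact receives every piece except the one withheld from their group, so any `threshold` contacts together hold all pieces while any fewer are always missing one.

```python
from itertools import combinations

def cut_into_pieces(text, n):
    """Cut `text` into n near-equal consecutive pieces (earlier pieces take the remainder)."""
    size, extra = divmod(len(text), n)
    pieces, start = [], 0
    for i in range(n):
        end = start + size + (1 if i < extra else 0)
        pieces.append(text[start:end])
        start = end
    return pieces

def split_code(code, contacts, threshold):
    """Give each of `contacts` people a share so that any `threshold` of them can
    reassemble `code`. One piece is cut per (threshold-1)-sized group of contacts
    and withheld from exactly that group; every other contact receives it."""
    if not 1 <= threshold <= contacts:
        raise ValueError("threshold must be between 1 and the number of contacts")
    withheld_from = list(combinations(range(contacts), threshold - 1))
    pieces = cut_into_pieces(code, len(withheld_from))
    shares = {c: {"total": len(pieces), "pieces": {}} for c in range(contacts)}
    for index, (group, piece) in enumerate(zip(withheld_from, pieces)):
        for contact in range(contacts):
            if contact not in group:
                shares[contact]["pieces"][index] = piece
    return shares

def recover_code(shares):
    """Reassemble the code from the shares of whichever contacts responded;
    returns None when they jointly lack at least one piece."""
    collected, total = {}, None
    for share in shares:
        total = share["total"]
        collected.update(share["pieces"])
    if total is None or len(collected) != total:
        return None
    return "".join(collected[i] for i in range(total))

# Constructed sample: an eight-digit backup code, three contacts, any two recover.
CODE = "12345678"

if __name__ == "__main__":
    shares = split_code(CODE, contacts=3, threshold=2)
    for contact, share in shares.items():
        print("contact", contact, "holds", share["pieces"])
    print("two contacts:", recover_code([shares[0], shares[2]]))
    print("one contact:", recover_code([shares[0]]))
```

Because a single contact still holds most of the code, one lost or stolen share leaks far more than a cryptographic secret-sharing scheme would; that is the trade-off to weigh before handing out shares.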

If you don’t like any of the above options, you could print all your passwords periodically or write them down. If you print, you’ll be relying on your printer being secure and having a safe network connection to that printer.

Your primary email password also requires special consideration when planning your recovery strategy, since many other passwords can be reset by email. This may be the most important password to change to a randomly-generated password, but it’s also the one you’ll need the most if you lose access to your password manager. If you’re changing that password, you should consider writing it down or backing it up as well.