Handling lots of different passwords can be a big challenge for any Internet user, and password managers offer a solution. However, using password managers will be new to many learners, and can take some getting used to! In this lesson we’ll explain the concept of a password manager and help learners start adapting their online routine to use them.
Gotchas and Problems You Might Hit
The user flow for a password manager may feel unfamiliar to many participants, unless they have had prior exposure to a similar tool. Participants will likely need to see how to do a given task within the password manager interface a few times, and will need some time to practice and demonstrate their mastery of the task on their own machines.
When making a new password for a critical service, such as to decrypt a password manager vault, there may be a few participants who will forget their new passwords. If people have changed the passwords for critical accounts or for their devices without memorizing their passwords, this activity may cause more harm than good. Consider suggesting people write down their passwords (on paper or in password managers). For those who write down their passwords, remind them to watch out for others peeking at their papers, and to keep these papers in a safe place!
It is also worth looking into memory retention techniques for those who have trouble remembering their passwords, like mnemonics, creating illustrations or imagery to accompany the password in the course of their memorization, creating a funny story around the password, and so on.
Anticipated Questions and Answers
Q: What if my password manager company gets compromised? Why should I trust them when I know that there’s no such thing as perfect software or perfect security?
A: This is a fantastic question, and shows that the person who asked it is thinking with a security mindset. Any security tool will involve compromises and tradeoffs, and password managers are no exception. The ultimate question may be: How does trusting a password manager compare to my password practices without one? For most people, a password manager protects against a relatively likely cause of account compromise (using the same password across accounts) for the tradeoff of exposing you to the less-likely risk of the password manager company itself being breached. Password managers such as 1Password and LastPass also store your passwords in a file that is encrypted with a key that only you have, so even if someone broke into the password manager company and stole your password file, they could not decrypt it.
Q: What if hackers break into my computer? Doesn’t having a password manager mean that all they need to do is look at one file to see all my passwords?
A: If hackers have installed malware on your computer that allows them access to all of your files, reading all of your passwords in one file is marginally faster than waiting for you to log into each of your accounts and enter your password manually.
Q: What if I forget my master password?
A: It’s important to make a master password that is memorable. As is the case with other encrypted tools, knowing your password affects whether you can access the encrypted information behind it. Be sure to memorize your master password!
It might make sense to write down your password on a piece of paper and keep it in a safe place, and then destroy it when you have it memorized. You may be thinking, Wait, aren’t we supposed to keep passwords in our heads and never write them down? Actually, writing them down, and storing a hardcopy of the password in a safe or other secure place, like your wallet, is useful so you’ll at least know if your written passwords go missing or get stolen.
Diceware is a great way to create a password that is strong, random, and easy to remember. If you find you’re having trouble memorizing your master password, you can create a story around the words used, or create a mnemonic for yourself. For people with memory loss issues who are not concerned about the people they live with, writing your password down might be a good idea. .
Q: Are password managers right for everyone?
A: For some people, a password manager may not make sense. People in abusive relationships, for example, may find themselves in a position where someone could force them to unlock their password database, exposing a list of their online accounts and a rough record on their online activity. The same might apply for children, particularly LGBTQ youth or youth with religious or political beliefs that are stigmatized in their household or community.
The goal here is to make sure that people use long, hard-to-guess, unique passwords for each account. A password manager is one way to achieve that goal, but may not be the right choice if someone has physical security risks like the ones described above.