Be able to give examples of when one can use a password manager (to remember passwords, notes, and even randomly-generated answers to security questions).
Understand the difference between a stand-alone and a browser-based password manager.
If there’s time: Have hands-on experience installing a standalone password manager.
Learners should understand how to choose a good master password.
Asking, “How many of you here have ever reused a password on more than one account?” is a good way to engage the audience and allows you to get a good gauge of technical proficiency. You can follow up with a variant of that question that highlights another way in which passwords can be reused: “How many of you have used minor variations on the same password between accounts?”
Follow these questions with something along the lines of, “That’s okay. With the number of sites we are forced to log into, it’s only natural we would want a simple way to remember them all. But reusing the same password on different websites is the number one cause of account compromise. Password managers can help!” This dialogue makes your audience feel like they haven’t been playing the fool all this time, and that they have the opportunity to improve their practices.
Different password managers will have different time commitments and characteristics. The two basic types of password managers are:
Standalone password managers: These often exist as separate files on your device and require you to copy-paste login information from the password manager to a given log-in screen. While this makes it harder to reliably sync across devices, standalone password managers can be good for users who would like to keep their passwords on a separate, offline device like a thumb drive. This applies especially to people who use shared devices.
Browser-based password managers: You access them via a website, and can download them as a browser extension for your computer and an app for your phone. They are able to sync across devices. Most importantly, browser-based password managers are very good for defeating phishing attempts. While it can be hard for a human to differentiate a bogus sign-in page from a legitimate one based on visual cues, a password manager uses technical cues to tell them apart. If a browser-based password manager does not recognize a login page, that can be a sign to the user that something is off.
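The "technical cues" mentioned above can be modeled as an exact comparison between the page's origin and the origin each login was saved on. The sketch below is an added example, not code from EFF or from any password manager; the vault entries, URLs and function names are constructed, and exact-origin matching is a simplifying assumption (real products vary in how strictly they match).

```javascript
// Added illustration: a simplified model of origin matching, not any
// real password manager's code. All names and URLs are constructed.
const vault = [
  { origin: 'https://accounts.example.com', username: 'alice' },
  { origin: 'https://bank.example', username: 'alice.b' },
];

// Normalize a page URL to scheme + host + port. The URL parser lowercases
// the host and converts Unicode hostnames to punycode, so look-alike
// characters that fool the eye still produce a different origin string.
function pageOrigin(pageUrl) {
  try {
    const u = new URL(pageUrl);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin;
  } catch {
    return null; // unparseable URL: never offer credentials
  }
}

// Return the saved entries the manager would offer to fill on this page.
function entriesFor(pageUrl) {
  const origin = pageOrigin(pageUrl);
  if (origin === null) return [];
  return vault.filter((e) => e.origin === origin);
}

// Constructed pages: the first is legitimate, the rest are look-alikes.
const pages = [
  'https://accounts.example.com/login?next=/inbox',
  'https://accounts.example.com.login.test/signin', // real name used as a prefix
  'http://accounts.example.com/login',              // same host, no TLS
  'https://accounts.ex\u0430mple.com/login',        // Cyrillic "a" in the host
  'https://accounts.example.com@phish.test/login',  // real name in userinfo
];

for (const p of pages) {
  const offered = entriesFor(p).map((e) => e.username);
  console.log(pageOrigin(p), '->', offered.length ? offered : 'nothing to fill');
}
```

Only the first page gets an autofill offer; on every look-alike the manager stays silent, which is the signal a learner should be taught to notice.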
Some password managers, like KeePassXC and 1Password, are offered in both standalone and browser-based forms. EFF currently recommends KeePassXC, which is a standalone password manager that offers a browser extension as well. Depending on their threat models, participants may choose to use a different password manager, such as 1Password, LastPass, or Dashlane.
Learners who have an understanding of why they might need a password manager should be guided through the process of installing a standalone password manager. Refer to the steps in How To: Use KeePassXC and stop when you get to the “How to install the browser extension” section. Intermediate users will learn how to install the KeePassXC browser extension.