5 Reasons Why You Should Definitely Be Using a Password Manager

If you still aren't using a password manager, here are 5 reasons to start today. Password managers will keep your online accounts safe by using strong unique passwords and warning you of potential problems.

Video Transcript

Hi, this is Gary at MacMost.com. Here's why you should be using a Password Manager. 
MacMost is brought to you thanks to a great group of more than 1000 supporters. Go to MacMost.com/patreon. There you can read more about the Patreon Campaign. Join us and get exclusive content and course discounts.
I think at this point most Mac users are using a Password Manager. Perhaps the one built into macOS, iOS, and iPadOS. But if you're not using any kind of password manager now here's why you should be. 
So reason #1 is that Password Managers do more than just storing a password. They'll generate passwords for you as well. Most importantly they'll generate strong passwords. So a weak password is when you have a password like this. A name or a word or just some numbers or even a date in any format. Even if you try to make it more complex by adding some numbers or punctuation to it, it's still a weak password and easily guessable by a program trying to break into one of your online accounts. There are all sorts of different techniques people use to make the passwords more difficult to guess. But they are still going to be weak and it's still just a matter of time before your account is broken into if you use a password like this. 
A strong password on the other hand is randomly generated. Any password that comes from a human brain isn't going to be random enough to withstand an attack. You need to have something generated by an algorithm using random letters, numbers, case, punctuation, and all of that. A Password Manager will do that easily and effortlessly. 
Reason #2 is that you can have long passwords with a Password Manager. It doesn't matter how long it is because you're not typing the password. Any password that is easy to type is going to be a weak password. You need to have this long random password and it is going to be typed for you by your Password Manager. It's going to fill it in. So it doesn't matter how long the password is. So now you can have these nice long strong passwords without ever having to worry about typing them. 
#3. Another thing Password Managers do is they allow you to use unique passwords. If you use your own passwords, generate them yourself and keep track of them in your head or even on paper or in a document, it probably means you're going to end up reusing passwords. After all, in addition to maybe the dozen or so important sites you use, there are probably dozens or hundreds of other minor sites you use. Eventually you get tired of creating new passwords and you start reusing some of your favorite ones. When you do this, if one site is compromised then any site where you use that same password also has to be considered compromised. That password just gets added to a list and eventually the other site that you use that password at will get broken into. So it is important to use unique passwords. A different one for every single site or service. A Password Manager makes that easy. 
#4. Password Managers will also protect you against phishing attacks. This is when you get an email, a text message, or some other alert telling you that there's a problem or some reason you need to login to a site, but you're sent to a fake site. You can't rely on your eyes to spot the difference. Sometimes you will. But it only takes just one time, maybe when you're emotionally charged because you think there's a problem, to not notice the difference. Entering your password could mean your site is now compromised. But a Password Manager won't fall for this trick. They'll only recognize exact site matches. So when you're sent to the wrong site, it's not going to match that wrong site with the correct password. So it will protect you from those phishing attacks. 
#5. Finally, Password Managers will warn you when there is a data leak. So, this could be one of two things. One is a site is compromised. They report that their passwords perhaps have been stolen and that you need to change your password for that site. Password Managers keep track of that and will alert you that you need to change your password. You don't need to read security websites all the time to know when this stuff happens. It will also recognize when your passwords have been found in some list online. This means there has been a data leak somewhere but maybe it hasn't been reported and it will alert you when you need to change that password. 
Now I know despite these five very good reasons why you should be using a Password Manager there are people that still have concerns about them. So let me dispel some of those fears. 
First of all a lot of people are worried that all their passwords are in one place. It seems like things would be less secure when your passwords are all together in one place. But it's a very secure place. It's an encrypted vault. It's very difficult, really impossible, to break into. Most Password Managers store this vault online. That's actually a good thing! Because it means you can access your passwords on your Mac, your iPhone, your iPad, maybe a second Mac and so on. You want to make it easy for you to access your passwords while making it impossible for anybody else to do it. If you make it hard for you to access your passwords when you need them you're going to end up not using the Password Manager or using a password that is easy to type. Remember the vault with your password is encrypted and virtually impossible for anybody to break into. Even if the service that contains those password vaults is somehow compromised all they get is the vault. Without the encryption key they can't actually get to your passwords. 
People also fear that what if they need one of those passwords when they are away from their computer. Well, if you have your password stored in a vault and it's online you can access them, say, on your iPhone. So if you need your password somewhere else you should be able to pull out your iPhone and then get access to it through the app or the settings there. 
Now having all your passwords in one place may invoke the fear of what if you lose that database of passwords. Well, if you're worried about that you can certainly back up your passwords. All good Password Managers have a way to Export or back up the passwords. It's even totally okay to actually print out a backup list and store it somewhere where nobody else has access to them if you're worried about this. Also people worry about having all their passwords stored in one place with a password and what if they forget that password. Well, like I said before, you can back them up. You can, of course, also back up that password. For instance if you are using Apple's Password Manager then your iCloud password and/or your computer password is your key to getting into that and you could basically write those down, put them in a secure place, as a backup to make sure you never forget those. 
So using a Password Manager definitely has some pros and cons. But the risks of using a Password Manager are very small and the pros are huge. You should definitely be using a Password Manager. So if you haven't been using one up until now which one should you use? 
Well, if you're an Apple user just use Apple's Password Manager. It is built into macOS, iOS, and iPadOS. You have it already plus it is free. It's not going to cost you anything extra and it automatically syncs across devices. So you sign up for a website on your iPhone and you go to log into that website on your Mac. You have the password there because iCloud is available on both those devices. However, if you're using more than just Apple devices you may want to go with a third-party password manager to be cross-platform. There are four big names in this field right now. They are all really good. They range from free to costing a little bit and really your online security is totally worth spending a little bit of money every year to protect them with strong unique passwords stored in a Password Manager. 
So if you haven't been using a Password Manager up until now I hope this convinces you to start. Thanks for watching. 
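
Reason #4 above, as an added example that is not code from the video or from any particular password manager: a saved login is offered only when the page's origin equals the origin it was saved on, so look-alike addresses get nothing. The vault entry, function names and URLs are constructed for illustration, and comparing the full origin is an assumption; each product has its own matching rules.

```javascript
// Constructed vault entry: the origin is recorded when the login is saved.
const vault = [
  { origin: "https://www.examplebank.com", username: "gary", password: "constructed-not-real" },
];

// Reduce a page URL to scheme + host + port; null if unparsable or not HTTPS.
function pageOrigin(pageUrl) {
  try {
    const u = new URL(pageUrl);
    return u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// Offer a saved login only when the page's origin equals the saved origin.
function credentialsFor(pageUrl) {
  const origin = pageOrigin(pageUrl);
  if (origin === null) return null;
  return vault.find((entry) => entry.origin === origin) || null;
}

// Constructed pages: the real site, then look-alikes a hurried reader can miss.
const samplePages = [
  "https://www.examplebank.com/login?next=/accounts",        // real site
  "https://www.examplebank.com:443/login",                   // default port, same origin
  "https://www.examp1ebank.com/login",                       // digit 1 instead of l
  "https://www.examplebank.com.account-check.example/login", // real name as a subdomain
  "https://www.examplebank.com@account-check.example/login", // real name as URL userinfo
  "https://www.ex\u0430mplebank.com/login",                  // Cyrillic a instead of Latin a
  "http://www.examplebank.com/login",                        // not HTTPS
];

// Map each page to a fill / refuse decision.
function decisions(pages) {
  return pages.map((p) => ({ page: p, fill: credentialsFor(p) !== null }));
}

for (const d of decisions(samplePages)) {
  console.log(d.fill ? "FILL  " : "REFUSE", d.page);
}
```

Only the first two pages are filled; every look-alike is refused because the comparison is on the parsed origin, not on how the address looks.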

Comments: 25 Comments

    Keith M Rivard
    3 years ago

    I never knew Apple had a password manager !! So, I will search for the details. I signed up for 1Password twice and dropped it both times even after our Apple guru in our computer club in Tellico Village couldn't make it work on my Macbook Air.

    nick
    3 years ago

    Gary: agree with everything you said, but might be also worth mentioning that many reputable websites (banks etc) have two-factor identification which adds another level of security, especially if there are changes in the login routine.

    G Perser
    3 years ago

    How do I access the password manager built into Mac OS? The directions were not given with the excellent presentation: "5 Reasons Why You Should Be Using a Password Manager".

    Thanks in advance.

    Alex
    3 years ago

    LastPass Hacked for Second Time This Year

    https://www.macrumors.com/2022/12/02/lastpass-hacked-second-time-2022/

    Just to know ...
    Best regards

    3 years ago

    Alex: From the article: "Our customers' passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture."

    Be careful not to penalize the company that is open and honest about this kind of thing. No passwords were stolen here. LastPass did the right thing being transparent even though the data stolen isn't the data (passwords) that most people will assume when they read the headlines.

    The danger is that with inflammatory headlines like this, other companies may instead try to hide data breaches instead of being honest and transparent like LastPass in this situation.

    I don't use LastPass (I use 1Password) but if I did use LastPass this news wouldn't make me change anything. It would make me trust them more, in fact.

    Alex
    3 years ago

    Gary : It was not my intention to cast a "bad light" on the owner. I just wanted to express my concern as I have had a bad experience with data breaches in the past.

    Otherwise, a sincere thank you for all the effort you put into getting to know and learning about Apple's programs and applications.

    Best regards

    Bruce
    3 years ago

    Seems like entire customers' password vaults were stolen for the hackers to work on in their own time. Keeping passwords in a password manager that mandates storage of customers' authentication details, passwords, secure notes, etc. on the developer's server is a risk just not worth taking.
    https://www.bleepingcomputer.com/news/security/lastpass-hackers-stole-customer-vault-data-in-cloud-storage-breach/

    3 years ago

    Bruce: Yes. That was reported just a few days ago. The vaults don't do them any good without the keys. By some estimates it would take trillions of years to decrypt a single 256-bit AES file.

    Heather
    3 years ago

    Gary, I have to use a PC on some occasions. What would you suggest I use? Thanks for all your help.

    3 years ago

    Heather: I show the most popular ones at the end of this video. Maybe 1Password?

    Bruce
    3 years ago

    I appreciate the vault file is secure but there seems no sense in hosting it on any password manager developer's server (such sites are a big target) where it can be stolen by criminals. Encrypted files do get broken. E.g. https://interestingengineering.com/innovation/math-theorem-cracks-us-encryption-algorithm
    Password managers that don't mandate hosting my data on their target server are preferable to me.
    Offline, no-subscription managers could be mentioned, but almost nobody does.

    3 years ago

    Bruce: Worried about quantum computers breaking into encrypted vaults? So what's your better solution? Should regular users have to find their own servers to host their own password vaults?

    Jon
    3 years ago

    Hi Gary,
    Thanks for this great explanation.
    I have tried using Apple’s built-in password mgr, but it does not remember the passwords and log-ins if I switch browsers, say from Safari to Firefox. Your video makes me want to try password managers again though. But right now they seem overly complex to set up and use. I heard that Apple is developing a major improvement for password management. Can you produce a video about it when it is released? Cheers.

    3 years ago

    Jon: Right. Firefox isn't using Apple's password manager. If you want to use Firefox, then get a third-party password manager that has extensions for both Safari and Firefox (most do).

    Fabian Thomas
    3 years ago

    Hi Gary - thanks for all your work.
    You wrote "Should regular users have to find their own servers to host their own password vaults?"
    I did with mSecure, a PW manager which offers Wi-Fi syncing along with cloud syncing. I use Wi-Fi syncing and any change to the vault is synced between all my devices as long as they are active on that network.
    My concern with online vaults is giving my information to a third-party.

    3 years ago

    Fabian: Thanks for the recommendation.

    Bruce
    3 years ago

    Seems like the stolen vaults do not need a quantum computer to access them: Leo Laporte at https://www.youtube.com/watch?v=c50T7X4x-7g. All the Meta Data at LP in the clear, inadequate hashing etc etc.

    3 years ago

    Bruce: Can you point to a specific time in that video where he says that? My understanding is that any password vaults that may have been stolen were encrypted.

    Bruce
    3 years ago

    Hashing 5000 iterations was default which today is inadequate. Lastpass default recently increased to 100100 iterations. With older 5000 databases a GPU password cracker can brute force access. Here it talks about iterations https://www.youtube.com/watch?v=c50T7X4x-7g.
    Change every password in your vault for every site you access : https://www.wired.com/story/lastpass-breach-vaults-password-managers/
    Tavis Ormandy on password managers: https://lock.cmpxchg8b.com/passmgrs.html

    3 years ago

    Bruce: You still didn't provide me with a TIME in the video you keep linking to that says that the vaults are easy to decrypt. I looked it up in the transcript though and there are a lot of IFs and guessing and speculation. The Wired article doesn't have any details either. And the third link doesn't even mention LastPass. Not trying to defend LastPass either (I have never used them). I just don't like alarmist reporting.

    Bruce
    3 years ago

    Lastpass themselves "say you should consider minimizing risk by changing passwords of websites you have stored" and "The threat actor may attempt to use brute force" and "target customers with phishing attacks, credential stuffing, " https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
    TIME: GPU password cracker burn thru that quickly 7:13. Also see 6:05, 7:05, 9:15 and 16:59. 5000 iterations PBKDF2 ain't enough.
    By all means dismiss it as alarmist.

    3 years ago

    Bruce: I almost agree with you. But you are doing the same thing, making it seem worse. What LastPass actually says is this, referring to master password length and PBKDF2 settings above this quoted text:
    "However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored."

    Bruce
    3 years ago
    3 years ago

    Bruce: Yes, though no need to panic. If you use LastPass, first check to see if you are using the easier-to-guess old master passwords (they have info on their site) and if you do, then start the process of changing your passwords in order of importance (email accounts first, then important things like iCloud, financial, social, shopping, etc.) Then consider moving from LastPass to something else. See https://askleo.com/lastpass-breach-2022-my-recommendation/

Comments are closed for this post.