Step 1 for securely accessing your online accounts: Create a complex, unique password for each account. Step 2: Actually remember those passwords, or store them safely.
There are plenty of tools to help with Step 2, some safer than others. Some people use password managers, while others use locked notes on their phones. And then there are people who write their passwords on a piece of paper or depend on memory tricks.
We assessed the security of these four popular password-management strategies. Read on to find out what works, what doesn’t and what you can do to make your password-storage tactics stronger.
Safe: password managers
The best way to save your passwords, experts say, is to lock them up in a password manager such as Dashlane, Keeper Security or LastPass. These tools let you set up unique passwords for all of your accounts, and you only have to remember the master password that lets you into your password manager’s vault.
Yet many people don’t use them. In a 2022 global survey from password manager Bitwarden, only 30% of respondents reported using a password manager.
Password managers aren’t immune to vulnerabilities. But the chances of a hacker breaking in and stealing your information are slim, experts say. Managers don’t store master passwords on their servers, so a hacker digging for one there would come up empty-handed.
You could be vulnerable if you keep your master password in an insecure place on your device. But otherwise, to get into your account, a hacker would have to either crack the encryption—typically an improbable, slow and expensive process—or guess the master password, says Jeremi M. Gosney, who until recently was chief executive of a startup that sold password-cracking machines to corporations, agencies and military clients before it shut down during the pandemic.
“Unless you’re using a ridiculously simple password,” Mr. Gosney says, it’s unlikely someone will guess it. “The cost and time needed to even try a million guesses against someone’s master password is astronomical,” he says.
Your browser or operating system’s built-in password manager, such as Google’s Password Manager or Apple’s iCloud Keychain, is another relatively safe place to store your credentials, Mr. Gosney says. The biggest risks here are browser security vulnerabilities caused by malware, or a person using your device who could access your passwords if you’re signed in.
When choosing a password manager, make sure your selection has a password generator that can create complex passwords for your accounts. To come up with a strong master password that you remember, you can use the generator for help, or think of a passphrase using random words. (Bonus if some of those words are in different languages.) If you forget your master password, you can reset it.
Experts also encourage using two-factor authentication, which requires you to respond to a prompt sent to your computer or phone after you enter your password to gain access.
Safe-ish: the mental system
About 55% of Bitwarden’s survey respondents said they sometimes rely on their memory to manage their passwords, making it the most popular password-storage option world-wide. The strategy has its benefits: Hackers can’t access what’s in your brain and neither can authorities, even with a warrant.
Still, the average American internet user has 150 accounts that need password protection, according to Dashlane. So unless you have a photographic memory, you might reuse the same password over and over, which is a big security risk.
Other potential pitfalls: Some people keep their passwords simple to make them easier to remember, often using the minimum number of characters required, experts say—and that makes them easier to crack. It’s also common to incorporate personal information into passwords, as well as 123, QWERTY or the name of the website you’re logging into. All those techniques are easy for hackers to figure out.
And just as you shouldn’t use the same password on multiple sites, you shouldn’t use similar variations of it on multiple sites either, says Rita Gurevich, chief executive of Sphere Technology Solutions, a cybersecurity company. For example, using a password that only differs by ending with 123 on one site and 456 on another isn’t very clever. Even if you have a system you swear is foolproof, it only takes one or two data breaches for a hacker to catch on to it.
While it’s likely impossible to remember all your account passwords, you could memorize a few of the most important ones. After you create strong passwords, train your brain to remember them by regularly entering them manually.
Safe-ish: physical copies
A lot of people simply write their passwords down on a piece of paper. About 32% of Bitwarden’s survey respondents said they sometimes keep track of their passwords this way.
The probability of someone stealing a written password is low—unless you leave it in plain view for others to find, like a note stuck to your computer. A written password should be stored somewhere that’s easily accessible to you but not to other people.
Consider your circumstances before using this method. Some experts advise against keeping physical copies at work, including under your desk or keyboard. Even storing your written password at home can be risky, especially if you are at risk of domestic abuse. You might consider a drawer or container locked with a key you keep with you.
You can also keep a list of passwords in a place where family members you trust can find it in emergency situations. If you do this, Mr. Gosney recommends putting the list in a freezer so it has a better chance of withstanding a fire or other disaster.
Unsafe: documents and apps
Roughly 23% of Bitwarden’s survey respondents reported sometimes storing their passwords in a document on their computer.
It’s better to store your passwords in a document locked with a password than in an unlocked one. But ultimately, neither is a good idea. A password list can be found even without direct access to the device it’s stored on. Attackers can use malware or social-engineering tactics to trick users into giving them remote access to their devices and can then search for a password document and its credentials on the drive or in memory, Mr. Gosney says.
Copying your password from a document and pasting it into a website’s login field could also make your account vulnerable to hackers. Applications running on your device that have access to your clipboard could view passwords in plain text, says Joseph Carson, chief security scientist at Delinea, a cybersecurity company.
Some password managers, on the other hand, have measures in place to prevent this. For instance, 1Password can automatically remove passwords from your clipboard so third parties can’t access codes you copied. Autofill can also be a safer bet since it sidesteps the clipboard altogether, says Craig Lurey, chief technology officer of Keeper Security.
This article was written by Cordilia James and published in the Wall Street Journal on June 7, 2022.
Spectrum Wealth Management, LLC is an investment adviser registered with the U.S. Securities and Exchange Commission. Registration does not imply a certain level of skill or training. Additional information about Spectrum’s investment advisory services is found in Form ADV Part 2, which is available upon request. The information presented is for educational and illustrative purposes only and does not constitute tax, legal, or investment advice. Tax and legal counsel should be engaged before taking any action. The opinions expressed and material provided are for general information and should not be considered a solicitation for purchasing or selling any security.