Why you must use a password manager

So first let's review how websites should be storing your passwords: Hashing and Salting.

Hashing takes a piece of data and returns a fixed-length string made from that data. When the same initial data is entered and the same algorithm is used, the same fixed-length string is returned.

You can try hashing "hello" by entering this into your terminal (echo appends a newline, which is hashed along with the word):

$ echo "hello" | sha256sum

Spoiler, the result looks like this, and always looks like this:

5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

Now if passwords are hashed before they are stored, the website and its developers cannot see the plain text password, only the hashed version.

Hashing is a one-way function, meaning the data that went into the hash cannot be recovered. At least not within the lifetime of the universe.

However, many people use common passwords, such as '123' or 'password.' These can also be hashed, but everyone using the same password will have the same hash. If the website stores password hints, an attacker can cross-reference them to figure out what the password is.

Salting is adding a random string to a user's password and then hashing the concatenated password and salt.

This means that even if every user has the same password, the hashes are all different and cross-referencing is useless.

Tom Scott explains it here

However, websites must use a securely generated random string as the salt, which is hard to do in a server room without much noise for the computer's random number generator. Additionally, the hashing algorithm must be a secure one with lots of iterations, which is costly in terms of computing power, so some websites don't bother.
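The difference between a bare hash and a salted, iterated one, as an added example that is not from the original post. The iteration count, salt length and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; raise it as far as your hardware allows
SALT_BYTES = 16       # assumed salt length


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str) -> tuple[bytes, int, bytes]:
    """Return (salt, iterations, derived_key), stored instead of the password."""
    salt = secrets.token_bytes(SALT_BYTES)  # drawn from the OS CSPRNG
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, ITERATIONS, key


def verify(password: str, record: tuple[bytes, int, bytes]) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who picked the same weak password.
    alice = make_record("password")
    bob = make_record("password")
    print("unsalted hashes equal:", unsalted_hash("password") == unsalted_hash("password"))
    print("salted records equal: ", alice[2] == bob[2])
    print("correct password:     ", verify("password", alice))
    print("wrong password:       ", verify("passw0rd", alice))
```
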

Now if a website does all that, it can still be hacked and leak data. Not your passwords, but your password hashes. This shouldn't be a problem, since the website has done everything it can to stop hackers from simply reading off passwords. But programs can be made that guess passwords, add the salt, then hash them and compare that to the leaked hash data. It's a brute force attack, but effective against simple passwords like '123.'

And even against more complicated passwords, such as words with mixed case and concatenated numbers. These can be guessed using a dictionary attack that swaps around common letters and numbers, or tries other common password creation techniques. Even quite sophisticated passwords can be discovered this way.

And that's with the website doing everything correctly. What if they don't? What if they use a much too simple hashing algorithm, or don't hash at all? I've had some websites send me my password in plain text via email. Guess what sort of hashing they're doing!
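A site can apply the same transformations defensively and reject a new password that reduces to a common word. This is an added example, not part of the original post; the word list, the substitution table and the function names are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample blocklist; a real deployment would load a large list
# of common and previously breached passwords instead.
COMMON_WORDS = {"password", "letmein", "qwerty", "dragon", "welcome"}

# Common letter/number swaps, undone before the lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def base_forms(password: str) -> set[str]:
    """Reduce a password to the base words a dictionary attack starts from."""
    lowered = password.lower()
    # Drop digits and symbols stuck on the front or the end ("2024letmein", "dragon!!").
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}


def matched_word(password: str) -> Optional[str]:
    """Return the common word this password is built on, or None."""
    hits = base_forms(password) & COMMON_WORDS
    return min(hits) if hits else None


def is_guessable(password: str) -> bool:
    return matched_word(password) is not None


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["P@ssw0rd123", "Dr4g0n!!", "welcom3", "2024LetMeIn", "xk7#Tq9vLm2$Rw"]:
        print(f"{pw!r:20} -> {matched_word(pw)}")
```
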

All this leads to why you must use a password manager. Not should, absolutely must!

People tend to use the same password across many different sites. Even if you have a 500-character password (which most sites will not let you have; even Google limits to 100 characters), how do you know that every one of those sites is storing it securely?

A password manager lets you use one secure password, while randomly generating highly secure passwords for every website you use. And you don't need to remember any of them; if you do, your random generation settings are too low.

So, when logging in, instead of trying to remember which password you used, and worrying that it's the same as your email, and wondering whether you should change it, simply open your password manager with your master password, search for the website you're logging into and copy the random password into the password box.

A master password encrypts the password manager's database, so no one can access any passwords without it. This should be a highly secure password that has never been used anywhere else before.

Some password managers add extra security by letting you specify another file to use with your password to encrypt it.

It doesn't really matter what password manager you use, as long as it is released under a free software license (if not, it could simply be stealing your passwords) and has all the features you need.

I personally use FPM2, which has the extra file encryption option.

To set up a random file to use with your password for extra secure encryption, enter this command: (completely optional)

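# Read a fixed number of random bytes and stop; a bare cat of /dev/random
# keeps writing until interrupted. The 256-byte size is an arbitrary choice.
$ head -c 256 /dev/random > ~/my_random_key_file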

Now move my_random_key_file to a portable thumb drive and a backup location - you will need it to access your passwords.

When setting up your password manager, select my_random_key_file to use in conjunction with your secure password. Now to unlock the password manager you need two pieces of information: the key file and your password. If someone guesses your password, they need physical access to your key file. If they find your thumb drive, they need to guess your password. Do not store the key file online. If possible, and if you care about security enough, keep it on your person at all times. If not, don't bother with the key file, but at least use a password manager and a long, secure master password that has never been seen online before.