Why should we use password managers? We asked a security researcher.
Daniel Tkacik
Jan 27, 2022
The most common passwords in 2021 were (1) 123456, (2) 123456789, and (3) qwerty. The fourth through the tenth most common passwords aren’t much better. Despite security researchers touting the benefits of using password managers year after year, lists like these show that there’s still a long way to go before they’re widely adopted.
Sarah Pearman is a CyLab Ph.D. student who focuses her research on usable security and privacy. A few years ago, she co-authored a study on password managers. I sat down with Sarah to better understand why password managers are such useful tools in securing our accounts.
What are some common habits that we *know* are prevalent when it comes to passwords?
Sarah Pearman (SP): The two most common unsafe habits are using easy-to-guess passwords, and re-using passwords across multiple accounts. When we say “easy-to-guess,” we don’t necessarily just mean easy for a person to guess, but also easy for a computer to guess when it can guess many thousands of times: this includes passwords containing dictionary words or other predictable patterns. Re-using passwords is bad because if someone cracks your Target password, and you used the same password for your bank account, they can try to use what they know in your other accounts and be successful in breaking in.
In order to understand what makes a password “easy to guess,” I think it’s important to understand how passwords are obtained in the first place. First, someone breaks into a company’s servers and retrieves usernames and passwords for all or some subset of users of that website. Nowadays, fortunately, any reputable website is not going to have plaintext passwords in their database; they’re going to have passwords that are “hashed,” meaning the passwords have been scrambled mathematically such that scrambling them was easy, but unscrambling is very, very hard. So what an attacker will do is they’ll use a computer to generate a giant list of potential passwords and then scramble or “hash” them. Then, if any of the passwords they just hashed match any of the hashed passwords they stole from a website, they now know the password.
Where does the “giant list of potential passwords” come from?
SP: There are lots of publicly-available password leaks from years past online. Many researchers use these lists to study patterns and trends in passwords. You know those lists that go out every year that announce the most popular passwords each year? Those lists use these publicly-available collections.
What this implies is that, if a password that you use is in the top 5,000, 50,000 or even 500,000 most commonly-used passwords, it’s very likely to be guessed, or “cracked” as those in the field refer to password guessing. This is why using easy-to-guess passwords is bad.
How does using a password manager alleviate these habits?
SP: Many people today have dozens or possibly even hundreds of online accounts. Can the average person remember 100 different 12-character random strings of numbers and letters? No. That’s why they resort to making easy-to-guess passwords, and/or they re-use passwords. A password manager generates strong, randomly-generated passwords, and it remembers them for you so you don’t have to re-use any passwords across multiple accounts. If two passwords are the same, the password manager actually tells you, “Hey, you used this same password for this other account. That’s unsafe, I’ll help you change it now.” All the user has to do is remember one very good password, and that serves as the key to all of their other passwords.
Given that hackers *have* broken into websites and stolen passwords (and successfully cracked them), then who’s to say they couldn’t get my master password used for my password manager? What are the chances of that happening?
SP: The likelihood of someone successfully cracking your password manager’s master password is far lower than the likelihood of any of your accounts being compromised if you’re using easy-to-guess passwords or re-using them across accounts. Here’s why.
First, password managers have password generators that create completely random passwords. Then, those completely random passwords are hashed. This makes the cracking process very, very difficult, as I described previously. Secondly, most password managers use additional security measures such as secret keys and/or multi-factor authentication, which means if someone tried to log in to your password manager account on a new device, there would often be an additional piece of information or additional approval step. You wouldn’t recognize it, and therefore you would deny it.
So in summary, if someone were to breach a password manager company’s servers and get your master password—which would be hashed, making it really, really hard to crack because it would be a randomly generated password that presumably wouldn’t exist on any prior password breaches—they would then have to try to log into your account, which would send a notification to your phone asking you to either approve the login, or deny it if you don’t recognize it. There are just so many layers of security in using a password manager that make using them so much safer than not, from a security standpoint.
Okay, I’m ready to make the leap to password managers. I’m convinced (good job!). Now, I assume there are ways to misuse password managers... what should I look out for?
SP: The first thing is: your master password is the linchpin of the entire thing. It needs to be a really, really good password. It is a good idea for this password to be randomly generated. It should be a bare minimum of 12 characters; mine’s 20 characters. You have to make sure that password is long and strong and unique—not shared or partially shared with a password you use anywhere else. And you need to keep that master password safe. Don’t leave it in an unencrypted note on your phone or written on a note on your desk. I have mine written down in a safe place in my house in case I forget it, but I don’t take copies of it outside of my home.
Secondly, you should use your password manager’s password generator to get the security benefits. People might say that the passwords they create for themselves are strong and unique, but most people are not actually creative enough to generate unique, strong passwords themselves for all of their accounts. And there’s just no reason to waste effort coming up with passwords yourself when the password manager can do it for you.
If your password manager offers multi-factor authentication with an app like Authy or Google Authenticator, or with a physical security key, use it! (Text message multi-factor authentication is also better than nothing, but not as secure as other types of multi-factor authentication.)
It is important to make sure that you take the standard precautions (antivirus software, caution about downloading software and files from unknown sources) to avoid getting malware on your devices, since malware could include keyloggers that could steal your master password.
How safe is writing your passwords down on a sheet of paper?
SP: Before I used a password manager, I had a little book where I wrote down my randomly generated passwords for important work and financial accounts. From a security standpoint, that was probably reasonably safe. If you’re actually going to use strong passwords and unique passwords and write them down somewhere and that works for you, and you’re not a person who would be a high-risk target like a celebrity or politician, then you’re probably fine. But for me, that approach to managing passwords was not really very usable or convenient. Sometimes I would leave the book at home when I needed it at work or vice versa. Sometimes I would change a password and forget to change it in the book. But if it works for you, and you’re using good passwords—strong and unique passwords for each important account—and your book is physically safe, then you’re probably fine.
What password manager should I use?
SP: There are many good options. If you want a third-party password manager, there are a number of reputable options available such as 1Password, Bitwarden, and Dashlane. Some will require that you pay for a subscription to be able to do things like syncing passwords between devices. However, if you’d prefer not to install software or pay for anything, you can still consider using built-in password managers like the password saving features in Mac/iOS devices (which can sync among Apple devices using your iCloud account, if you have one) or in browsers like Google Chrome. If you do this, just make sure that you are using a strong and unique password for the account where your passwords are stored (e.g. your Apple ID or Google account), and use the password generator to create unique passwords! Some of these are not quite as secure as third-party password managers, but this is still better than reusing a simple password across multiple accounts!