In my first post, Getting and Using a Password Manager – For Real, This Time, I made the case for why all of you should be using a password manager – at least until something better comes along. In Part 2, assuming I have convinced you of the need, it’s time to talk requirements. To paraphrase Clayton Christensen (and as Dennis Kennedy and I often repeat on our Kennedy-Mighell Report podcast), “what are you hiring your password manager to do?” Once you can define your requirements, finding the tool that meets them is a much more straightforward process.
There are a few requirements I look for in a solid password manager. I consider most of these must-haves, although you may think of some of them as merely nice to have; your mileage may vary.
Secure Password Vault. Instead of the post-it note on your monitor or the notepad on your desk, you should keep your passwords in a place where no one else can get to them. The best password managers store your passwords and other information in an encrypted “vault” to which only you (or others you trust) have the key. For most services, that key is derived from a master password, the only password you really need to remember. Likewise, the service providing the password management tool should not have access to your passwords either: it should hold only the encrypted vault, never the master password or the key that unlocks it.
Random Password Generator. This is probably self-evident, but what’s the point of having a password manager if it can’t generate random, complex passwords for you? The best password managers allow for very long passwords, and let you customize the character set to include letters, numbers and symbols. Length matters more than any particular mix of symbols: each extra random character adds more guessing work for an attacker than swapping a letter for a punctuation mark does, so when a site allows it, take the longest password the tool will generate. Some will generate passphrases made of random dictionary words, which are easier to read out or type by hand when autofill isn’t available, although I tend to prefer the totally random password.
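What a generator like this has to get right, shown as an added example rather than code from the original post or from any particular product: randomness must come from the operating system’s cryptographic source (Python’s `secrets`, never the `random` module), every character class the user asked for must actually appear, and the strength of the result is its length times the log of the alphabet size. The character classes, the illustrative word list and the defaults below are all assumptions for the example; a real tool would use a full word list such as the EFF long list.

```python
import math
import secrets
import string

# Constructed character classes for the example (assumed defaults; real tools
# let the user pick which classes to include and the total length).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}

# Constructed eight-word list for the passphrase demo. A real diceware-style
# list has 7776 words, giving log2(7776) ~ 12.9 bits of entropy per word.
DEMO_WORDS = ["correct", "horse", "battery", "staple",
              "otter", "lantern", "quartz", "meadow"]


def generate_password(length=20, classes=("lower", "upper", "digit", "symbol")):
    """Return a random password of `length` characters drawn with a CSPRNG.

    Every requested class is guaranteed to appear at least once; the remaining
    characters are drawn uniformly from the union of the classes. The result is
    then shuffled with secrets-backed randomness so the guaranteed characters
    do not sit in predictable positions.
    """
    if length < len(classes):
        raise ValueError("length too short to include every requested class")
    alphabet = "".join(CLASSES[c] for c in classes)
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by secrets.randbelow. random.shuffle() uses
    # the non-cryptographic Mersenne Twister and must not be used here.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def generate_passphrase(words, count=5, sep="-"):
    """Diceware-style passphrase: `count` words chosen uniformly from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    full_alphabet = sum(len(v) for v in CLASSES.values())  # 86 characters
    print("random password :", generate_password(20),
          "(%.1f bits)" % entropy_bits(20, full_alphabet))
    print("digits only PIN :", generate_password(8, ("digit",)),
          "(%.1f bits)" % entropy_bits(8, 10))
    print("passphrase      :", generate_passphrase(DEMO_WORDS, 5),
          "(%.1f bits with a 7776-word list)" % entropy_bits(5, 7776))
```

The entropy numbers are the useful comparison: 20 characters from an 86-symbol alphabet is about 128 bits, five words from a 7776-word list is about 65 bits, and an 8-digit PIN is under 27 bits. A symbol-free 22-character password beats a symbol-laden 14-character one, which is why the length slider is the control that matters most.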
End-to-End Encryption. Most of the requirements have to do with security, and this is probably the most important. In the context of password managers, end-to-end encryption means that your vault is encrypted on your own device, with a key derived from your master password, before anything is synced or backed up. Neither your master password nor that key ever leaves your device, so anyone who intercepts the vault in transit, or breaks into the provider’s servers, gets only ciphertext they cannot open without your master password. But there’s a catch: if no one else can access your information, it is critical that you remember your master password. There is no “forgot master password” option with these services. Some let you print a recovery key or emergency kit ahead of time; if you haven’t done that (or the service doesn’t offer it) and you forget the master password, you’ll have to start over. That’s why your master password should be something that’s memorable, but still difficult for anyone to guess.
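How that model works in practice, as an added example that is not code from the original post or from any product: the vault is encrypted on the client with keys derived from the master password, the server stores only a salt, a nonce, ciphertext and an authentication tag, and a wrong master password simply fails verification, with nothing the server could do to help. The example uses only the Python standard library, so HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for the AES-GCM a real product would use (an assumption made for portability), and the PBKDF2 iteration count is illustrative rather than a recommendation.

```python
import hashlib
import hmac
import json
import os
import struct

# Assumed KDF setting for the example. Production tools use far higher
# iteration counts, or Argon2/scrypt, tuned to the device they run on.
KDF_ITERATIONS = 100_000


def derive_keys(master_password, salt, iterations):
    """Derive a 32-byte encryption key and a 32-byte MAC key from the master
    password. Only the salt is ever stored on the server."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                             salt, iterations, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream. This stands in for
    AES-GCM because the standard library has no AES; the construction is sound
    but it is not what shipping products use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password, entries):
    """Client side: serialise and encrypt the vault. The returned dict is the
    only thing that is uploaded; it contains no key material."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, KDF_ITERATIONS)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"kdf_iter": KDF_ITERATIONS, "salt": salt.hex(), "nonce": nonce.hex(),
            "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_password, blob):
    """Client side: re-derive the keys from the master password, verify the tag,
    then decrypt. Raises ValueError for a wrong password or a tampered blob."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt, blob["kdf_iter"])
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or corrupted vault")
    plaintext = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext.decode("utf-8"))


def server_can_read(blob, secret):
    """What the provider (or an attacker holding its database) sees: True only
    if the stored record contains `secret` in the clear."""
    return secret in json.dumps(blob)


if __name__ == "__main__":
    # Constructed sample vault for the demo.
    vault = {"bank.example": {"user": "tom", "password": "Qf7!vL2#pX9m"}}
    stored = encrypt_vault("correct horse battery staple", vault)
    print("server stores  :", {k: v[:16] + "..." if isinstance(v, str) else v for k, v in stored.items()})
    print("server can read:", server_can_read(stored, "Qf7!vL2#pX9m"))
    print("right password :", decrypt_vault("correct horse battery staple", stored))
    try:
        decrypt_vault("correct horse battery stapler", stored)
    except ValueError as e:
        print("wrong password :", e)
```

Two details carry the whole argument. The server-side record holds nothing but salt, nonce, ciphertext and tag, so a breach of the provider yields only material that has to be brute-forced through the KDF. And the tag check fails identically for a wrong password and a tampered vault, which is exactly why a forgotten master password is unrecoverable: the provider never had anything it could reset.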
Two-Factor Authentication. Your passwords are literally the keys to your kingdom, professional or otherwise. Bank accounts, email, client data – we use passwords to secure all of our most sensitive information. That’s why I think enabling two-factor authentication on your password manager as an extra layer of security is such a good idea. Yes, you will often (but not always) need to enter a 6-digit code from an authenticator app, or tap a hardware security key, to get access to your passwords. Keep in mind that 2FA protects the login to your account and the sync of your vault; it is not a substitute for a strong master password, which is still what actually encrypts the vault. But the peace of mind 2FA will bring is, in my mind, easily worth the tradeoff.
Under Active Development. If you come across a password manager that hasn’t been updated in months, run away. When it comes to something as serious as passwords, you want to work with a company that cares about its product enough to keep it constantly updated, regularly patched, and continuously evolving to meet the latest security threats.
Audited by Independent Researchers. Any password manager company worth its salt will hire an independent security firm to audit its code, architecture and infrastructure, and will publish the results along with what was fixed. Look for a recent, published report rather than a “bank-grade security” badge on the marketing page. If a company isn’t willing to put its security to the test, do you really want to entrust your passwords to them?
Multi-Platform/Browser. In short, you should be able to access your passwords everywhere you need them. For me, that means I need to access them on my laptop, desktop, phone and tablet. Good password managers have versions available for:
- iOS and Android
- All major browsers – Chrome, Edge, Safari, Firefox
- Mac and Windows operating systems
Business/Family Features. Most of the good password managers offer Business or Family plans, which are nice to have if you need to share passwords with a group of people. Rather than keeping copies of a password in several personal vaults, keep a single copy in a shared vault that your co-workers or family members can also access, and revoke that access when someone leaves. These plans also come in handy in case someone needs to access a password in your absence, or in the event of your death (most good password managers offer an emergency access feature that lets a designated family member or colleague request access to your account, typically after a waiting period you set in advance).
What features did I miss? There are going to be other functions that may be important when choosing a password manager, but I think these are the major requirements. But let’s continue the conversation; leave a comment here or reach me on Twitter or LinkedIn.
Next up: my top 3 password manager recommendations.