If you’re reading this, I hope it means you’re using a password manager and are just looking to maximise on the security of your passwords, data and accounts.
I think most people understand the need for strong passwords and multifactor authentication these days, but some struggle to putting their faith in single data store for their passwords.
To help you overcome these fears, I have put together these are my top 15 tips for maximising the security of your passwords, when using a password manager.
Tip 1 – Use a reputable company
Now that might sound obvious, but in a world pull of phishing emails and apps with malicious content, you want to be sure you can trust the app / service that you use. I don’t think I’d be too quick to rush out and try a new one, if it popped out. My recommendations would be:
1) 1Password – This service works perfectly, especially with teams where you need shared vaults. It’s my preferred password manager.
2) Enpass – I’ve used this for years, and it works well. You can also store your data in your own OneDrive / Google Drive if you wish, or use it completely offline.
3) Bitwarden – This recommendation is based on feedback from other IT professionals that I’ve spoken to. I’ve not used it, but I head great things.
There are many others, but I’ve kept it to my top three for now.
Tip 2 – Choose a strong master password
Be sure to choose a strong master password / encryption key, but also keep in mind that you need to remember this one, as you whilst you can put it in your password manager, it won’t help you much if you can’t get in. So you need to find a nice balance between strong and memerable, without making any of the classic password mistakes.
Tip 3 – Enable MFA (Multi-Factor Authentication)
Like with every single online account you have, where available, enable MFA (Multi-Factor Authentication). This essentially asks for you username, password, secret / encryption key and a rotating 6-7 digit rolling code. If you don’t know what app to use for this, I’d suggest taking a look at Authy.
Tip 4 – Use a hardware authentication device
Technically this probably comes under tip 2, as it’s a type of MFA, but instead of an app, use a physical hardware device such as a Yubikey 5C NFC (there are lots of different ones, and depending on your devices, will depend on which is right for you).
With a hardware key, instead of using an app on your phone, you need to connect a physical device to you computer, or tap it for NFC. Where this comes in handy is if you break or lose your phone, you have this (it’s worth having two too, one for every day use, and one as a backup which is locked away). Now it could be considered more secure too, as you have to have this device to get access. However, if you’re the sort of person who couldn’t keep this on you at all times, then it’s not for you.
Tip 5 – Consider your next of kin
It’s sad to think of this, but what as your do with your finances, you should consider what happens with your passwords if you were to die. You don’t need to necessarily put it in your will, but it’s worth printing your password manager recovery information and storing it in a safe. Oh, and don’t forget to have your next of kin save the password in their password manager.
Tip 6 – Use different email addresses for each account
With password managers autofilling your information when creating accounts, it’s too easy to use your mail email address for convienience and for password recovery, but it also make it easier for others to try and phish you / hack your accounts.
Plus, if they start using or sharing the other email addresses without your permission, you will know who leaked it.
You can integrate 1Password with Fastmail, but at a cost, of course. If you are an iPhone user, Apple has an easy way to set these up, and they simply forward to your main email address.
Mozilla do also offer a service (Firefox Relay), which may be easier to use if you’re a Firefox user.
Just make sure you trust the email forwarding provider, as you don’t want emails to be breached or for the company to go out of business and you lose service.
Tip 7 – Listen to the advise from your password manager
Most password managers will advise you if a service you use (have stored a password for), has suffered a breach. If that happens, change your password.
They usually offer advise on which accounts haven’t got MFA enabled, which passwords are weak or shared, so you can address these too.
Tip 8 – Use randon answers for security questions
As you’ve got used to using randon long password, which are different for each account, why not do the same for your security questions. Then those random facebook questions asking you to share your first car etc, aren’t a risk to your online security. That said, I’d still recommend you ignore them, as that’s just a good online practice.
Tip 9 – Use shared vaults
If you have to use shared passwords, then consider using a shared vault so colleages or family can access items stored in them. This means you don’t have to comprimise the security of your account by sharing password insecurely, and actually perhaps it make tip 5 from this list irrelevant.
Tip 10 – Use strong passwords
This should be a given, but use long and strong passwords and let the password manage create it for you, based on the complexity you tell it to use.
Tip 11 – External sharing
If you have to share a password, and I mean really have to, then use the tools sharing features where you can say only specific people can access the link, and set an expiry date.
Tip 12 – Use travel mode
If you’re travelling, and are worried your phone is more at risk, enable travel mode which will remove the local copy of your passwords.
Tip 13 – Backups
This might be less important if you sync with a cloud service or your own cloud storage, but taking regular backups and encrypting them is a good way to ensure you don’t lose anything. Keep in mind though, that this comes with it’s own risks, so zipping it with a password (long and strong), or putting it inside another password manager is probably the way to go.
Tip 14 – Keep updating
As with any software, it’s important to regularly update your password manager to stay secure, and to make the most of new features that might be added.
Tip 15 – Use passkeys
Last, but by no means least, if your password manager supports passkeys, then I recommend using them as they are more secure than the traditional username, password and MFA approach.