
Passwords, Two-Factor Authentication, and Security Questions

This guide takes a more detailed look at passwords, password managers, and two-factor authentication.

Password Managers

A password manager is an app (browser extension, desktop application, etc) that manages your passwords. Common features include detecting which site/service you are trying to access and automatically inserting the password, generating new passwords, and sometimes password audits that track the relative strength of passwords. Many are under a freemium model (where you pay to get increased features but can use a limited, free version as well) or under a trial model where you can test them out for a month or so before paying for them. 

There are many different password managers, with a variety of price points, feature lists, and OS/device compatibility. Some browsers, such as Google Chrome, can securely share passwords across devices and computers [for Chrome, you can see your master list of passwords at passwords.google.com]. Other browsers offer extensions/add-ons to sync passwords, and most browsers will store passwords on a given device/computer.

To decide which password manager is right for you, you have to consider some questions:

  • On which devices/computers do you want this functionality?
  • How many passwords do you want to save?
  • What additional features do you want [password generation, extra security, etc]?
  • How much are you willing to pay to get the full features, etc?
  • How safe do you feel using a given product [keeping in mind its background, the company producing it, etc]?

The advantage of using password managers is that you can store some/all of your passwords in a way that does not require constant recall. This means you can use longer, more complicated passwords and update them more often without having to worry about forgetting your password or having trouble remembering exact details. Combined with the password generation many of them build in, this makes password managers a valuable tool if you have lots of online accounts (and most of us do, nowadays).

Disadvantages include sometimes having to pay to keep access to your passwords [though, again, most have a free version you can use indefinitely], having to trust a third party to manage some of your most important data, with that data accumulated into a single point of failure for an attacker to target [admittedly, most password managers use some pretty hefty encryption], having times when you do not have access to your password manager [e.g., giving a presentation in a conference room and needing to log into your account to get your files], and sometimes running into specific site/service glitches where the password manager fails to retrieve the password, or retrieves the wrong one.

If you do use a password manager [and you might see them recommended regularly] then definitely keep your password/details for logging into the manager itself extra secure. 

Even if you use a password manager to better handle your passwords [or allow Google Chrome, etc, to manage them for you], it is still recommended that you identify passwords you might need even if you lose access to your manager, so that you can enter them yourself when required. This also helps with accounts used on devices like Rokus or through apps like Steam, where a password manager may not work or may not recognize the login process.

Storing Passwords without a Manager

Password managers are not the only way to store passwords, though often they are among the most convenient. Other methods include

  • Memory [the de facto storage method for most of us],
  • Writing them down in plaintext [either physically on paper, or digitally in a file],
  • Storing them in some sort of encrypted text file on a computer/device,
  • Compiling them into some sort of file which is encrypted through PGP/GPG/OpenPGP/etc style encryption.

Since these tend to be free (readily accessible) and often fit into our natural flow, these methods can be attractive. There are obvious security flaws, though, or at least flaws of retrieval. No matter how good your memory is, there is probably an upper limit to how much you can accurately recall. Storing them in plaintext on a single piece of paper might require you to carry said piece of paper around and risk losing it. Storing them in plaintext in a digital file runs the risk of having it copied or shared. Encrypting the file tends to require you to have either the device it was encrypted on, or some way to decrypt it on other devices. Some encryption methods still require you to maintain good, strong security (including passwords) to make sure the file is not decrypted without your knowledge.

If you use any of these methods (and most of us do, even if we use things like password managers) then the trick is to apply security-minded tactics to them. If we write them down, be extra careful with the physical copy (or the digital copy). If we memorize them, go back through and use memory techniques (such as logging into the website several times in succession) to keep our memory up to date. If we encrypt them, make sure we use good encryption methods and do not make the mistake of leaving plaintext copies around by accident. Make backups and store those securely (if nothing else, so that you know which accounts might be compromised if you lose one of the pages/files).

You can do a few extra-credit, advanced tricks, as well. For instance, rather than simply writing out your passwords [maybe with the site/service written nearby], try generating hundreds of random passwords and laying them out four columns to a page across several pages. Then, use various tactics to remember which password goes with which site (e.g., the Amazon password is page 3, column 3, row 19). You can use symbols and/or column/row headings to simplify this. This won't make losing the list any less dangerous if someone has time to try every stored password against your accounts, but it can slow down someone who picks up your list and gives it a quick whirl to see what they can find.
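As an added illustration of the grid trick (example code written for this page, not something the guide itself provides), the Python script below generates pages of random passwords with the `secrets` module, lays each page out with row numbers and column headings, resolves a page/column/row reference such as "page 3, column 3, row 19", and counts how many entries a finder of the printout would have to try per account. The page sizes, password length and character set are assumptions.

```python
import secrets
import string

# Constructed parameters for the paper-grid trick; the guide gives no specific
# sizes, so these are assumptions: 25 rows x 4 columns per page, 16-character
# passwords drawn from letters, digits and a few symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"
COLUMNS = 4
ROWS = 25
LENGTH = 16


def random_password(length=LENGTH):
    """One password from the OS CSPRNG via secrets (never the random module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_grid(pages, columns=COLUMNS, rows=ROWS, length=LENGTH):
    """Build pages of random passwords; grid[page][row][column] holds one entry."""
    return [
        [[random_password(length) for _ in range(columns)] for _ in range(rows)]
        for _ in range(pages)
    ]


def lookup(grid, page, column, row):
    """Resolve a 1-based (page, column, row) reference like (3, 3, 19)."""
    return grid[page - 1][row - 1][column - 1]


def candidate_count(grid):
    """How many entries someone holding the printout must try per account."""
    return sum(len(row) for page in grid for row in page)


def render_page(grid, page):
    """Lay out one page with row numbers and column headings for printing."""
    rows = grid[page - 1]
    width = max(len(pw) for row in rows for pw in row) + 2
    headings = "".join(("col %d" % (c + 1)).ljust(width) for c in range(len(rows[0])))
    lines = ["Page %d" % page, "row  " + headings]
    for r, row in enumerate(rows, start=1):
        lines.append(str(r).rjust(3) + "  " + "".join(pw.ljust(width) for pw in row))
    return "\n".join(lines)


if __name__ == "__main__":
    grid = generate_grid(3)
    print(render_page(grid, 3))
    print("Amazon -> page 3, column 3, row 19:", lookup(grid, 3, 3, 19))
```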