I’ve talked a lot about password managers, but I’ve mostly focused on generating and storing passwords. That frankly should be reason enough to use one. But there are many other great reasons for using a password vault. The key thing to understand is that password managers are just digital vaults. They can hold all sorts of secrets and sensitive information. Yes, it’s a little scary – but they have one job to do, and they do it well. Nevertheless, I’ll address those concerns here, too.
As you read this article, think about where you’re currently storing this information. Then ask yourself if it’s more secure than a highly-encrypted data vault with two-factor authentication.
Storing Financial Info
After passwords, the most annoying thing to have to fill into a web form is probably credit or debit card info. There are lots of info fields and they’re hard to memorize. Any password manager worth its salt will let you store credit and debit card info: the card number, security code and expiration date, and maybe even the name on the card and the billing address. If this just seems too scary, then store everything but the security code, and memorize just that part.
Most password managers will also store less common financial data, like bank account info. This includes bank name, address, account type, account number, routing number and even esoteric fields like IBAN and SWIFT codes. Even if you don’t use it for filling out web forms, it’s handy to have that info where you can quickly look it up.
Other Common Form Info
Filling out your shipping address is also painful. Again, lots of fields and some of them can be long. If you make a typing mistake or just have a brain failure, the consequences can be significant. Most password managers allow you to create “identity” cards with all your key data: full name, address, phone number, email address, etc. Many will also store social security numbers, drivers license numbers and passport IDs. If you commonly ship to more than one location (e.g., home and work) or to other people (friends, family), you can create multiple identities.
I’m not sure about BitWarden or 1Password, but LastPass will let you save any form fields you want. If there’s some site you go to that always asks for some weird form values that aren’t typical, you can tell LastPass to remember all the filled-in fields and pre-populate them next time. It’s not well documented, but you fill out the fields you want to save, go to “Add Item” in your vault and scroll all the way to the bottom. There you’ll find “Save All Entered Data”. You can edit these fields after the fact, too.
[NOTE: I can’t recommend LastPass right now – see this article.]
Perhaps the feature I use most, after passwords, is secure notes. I just checked… I have 51 of them. It’s essentially an open-ended text field where you can save anything you want. Here are just a few ideas for what you could store here. And these notes can contain info about people other than yourself.
- WiFi passwords
- Computer login credentials (that you have to manually type in)
- Social security numbers
- Passport, drivers license and other IDs
- Passphrases for encrypted files, journals, Cryptomator vaults, etc.
- PIN codes for electronic devices
- Access codes for garage doors, smart locks
- Combinations for physical locks/safes
- Software license keys
- Serial numbers for computers or other high-dollar items
- Sensitive medical info (e.g., medication lists, medical procedure dates)
- Pet microchip IDs
- Gift ideas for others
- SSH keys
- FTP credentials and server info
The key here is to add searchable words to this note so you can easily find it later. Sure, give it a meaningful name, but inside the note itself, include other “tags” that you might use to find it. Just stop for a second and think to yourself: when I come looking for this a year from now, what words might I search on? Or maybe you want to tag it so that it groups together other related notes/items.
Secure Sharing of Secrets
And if all of this weren’t enough, most password managers today allow you to share these secrets with others in a secure (and revocable) way. Typically, you select an item in your vault and find the “share” option. You identify the recipient, probably by email address, and this will send them an invitation to share the secret item. They probably need to have an account on the same service, so be sure to send the email to the address that they used to sign up for the service. Once they accept the offer, they’ll have access to the secret item – until you revoke it, which you can do at any time. Of course, you should assume that they could have copied the information. But if you revoke the sharing and then change the secret, they won’t get that update.
With many password managers, it’s actually possible to share passwords with others without them being able to see the password. Since most password fields won’t show the actual password (it’s usually *****), they can still fill out the form and login, but still not know the password. Of course, they could then use this opportunity to change your password to something that they do know (and you won’t). Also, some password form fields give you the ability to view the password. So don’t count on this feature, but know that it’s there.
Which Password Vault Should I Use?
The next logical question is: which password manager should I use? I currently recommend BitWarden for most people, but 1Password is also good, as well. (Again, I can’t recommend LastPass right now.) If you’re concerned about putting all your eggs in one basket, you’re normal. It’s a perfectly logical thing to worry about. But again, these guys have one job and they’re highly incentivized to get it right.
But there are also things you can do to mitigate the risks. First and foremost, set up two-factor authentication for your password manager using an app like Authy (not SMS). Second, you can also pepper your most important passwords, which would protect them even if your vault is somehow cracked.
Need practical security tips?
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.
Don't get caught with your drawbridge down!