The same thinking goes for password managers. Just because there is a chance someone somehow<\/em> could get in doesn\u2019t mean you should not use one. You must put on your \u201cseat belt\u201d with a password manager to better your odds because the alternative of password reuse (walking) is not worth it. <\/p>\n\n\n\n The car analogy is probably not the best because getting your password manager breached is far less likely but it does help demonstrate the idea. <\/p>\n\n\n\n When I have someone who is afraid to use a password manager I show them the peppering your passwords method<\/a>. This method is so smart that I rarely have someone not give a password manager a shot after learning about it. <\/p>\n\n\n\n Peppering your passwords removes the fear that many people have when it comes to password managers. I wouldn’t pepper every password only the important ones like email and banking. <\/p>\n\n\n\n The fear people have over password managers is from a misunderstanding of how they work. Movies portray hackers getting in with a few keystrokes and destroying everything. <\/p>\n\n\n\n Life is not like the movies<\/strong>. <\/p>\n\n\n\n The way password managers work is by encrypting your entire passwords in a vault. To decrypt this vault, you need the master password, the one password that rules them all. <\/p>\n\n\n\n Then the question of, \u201cwhat if they crack my master password<\/em>\u201d comes up. <\/p>\n\n\n\n To answer that question depends on how strong your master password is and what encryption is being used on your password manager. <\/p>\n\n\n\n Despite what the movies say and what many people think, cracking a password is not an easy task. <\/p>\n\n\n\n I wrote an entire post on how long should your password be https:\/\/passwordbits.com\/password-how-long\/<\/a><\/p>\n\n\n\n In that As you can see, adding just one more character to our password makes it exponentially stronger. And this is with a computer so fast that it might not even exist. Your home computer would be nowhere near these numbers. <\/p>\n\n\n\n It gets to a point where if your master password is at least 15 characters long then you\u2019re fine from pure brute-force guessing. <\/p>\n\n\n\n Coming up with a good master password is easy to do, this guide will show you how<\/a>. <\/p>\n\n\n\n When it comes to master passwords, it’s best to keep it simple but strong, and that is what we do in that post. <\/p>\n\n\n\n Beyond having a strong master password, the password manager also helps to keep your account secure. Most, if not all, strengthen your password. <\/p>\n\n\n\n They use what is called \u201cKey Expansion Algorithm.\u201d In simple terms, it\u2019s like taking a number X and multiplying by another number Y so many times. Where the number X is your plain master password. <\/p>\n\n\n\n Depending on what algo they use the number of times they perform the math can vary. Some They do this because it requires time to calculate each guess. If it takes 1 second to calculate one guess, this greatly slows down a brute force attack. If you ever wondered why when you log in to your computer or password manager, and it seems to hang for a second, this is the reason why. This slowing down is used in many places to stop brute force guessing of passwords. <\/p>\n\n\n\n The \u201ckeeping your eggs in one basket<\/em>\u201d gets thrown around a lot when password managers are mentioned. Let me start by answering that with this question. <\/p>\n\n\n\n What do you trust more\u2026 <\/p>\n\n\n\n If you\u2019re not using a password manager, then you\u2019re more likely to reuse passwords. Then that password is only as good as the security of the server it\u2019s stored on. With so many websites still storing passwords in plain text<\/a> or using a weak hashing algorithm do you really want to run the risk?<\/p>\n\n\n\n All it takes is one site you signed up for to get breached or even worse their 3rd party partner who they shared their data with to get breached. It happens more than you think<\/a>. Now that password is known, and since so many people reuse passwords it will get tried on many other websites, this is call credential stuffing. Now you\u2019re screwed and have to clean up this mess and remember all the sites you used that password on. <\/p>\n\n\n\n If you used a password manager, you could have given every account a unique password. If one of those sites gets breached no big deal as the password was not used anywhere else. All the rest of your passwords are stored securely in your password manager. <\/p>\n\n\n\n The hand full of you who say you give every account a unique password because of some algo you created I have a post just for you<\/a>. <\/p>\n\n\n\n And yes, I hear you\u2026<\/p>\n\n\n\n A central location full of people\u2019s passwords sure does seem like the perfect thing to hack. Its been done to companies before, example<\/a>. <\/p>\n\n\n\n This is where it\u2019s important to understand how each company stores your data. Some do it better than others, and some are just lazy. Just like buying a car it\u2019s important to look at their safety The way most password managers work is that they\u2019ll store your database of passwords, but they won\u2019t save the key. <\/p>\n\n\n\n If they don\u2019t have the key, no one can open the vault. <\/p>\n\n\n\n How do you know they don\u2019t have the key? They tell you if you lose your master password they can\u2019t reset it. This is why you must not forget your master password, write it down and put in a safe if you have to. <\/p>\n\n\n\n Since they don\u2019t store the key and use \u201cKey Expansion Algorithms\u201d it\u2019s not worth the time or effort especially if they use a secret key<\/a> to further make your master password stronger. <\/p>\n\n\n\n The data that they can take from a breach of a password manager server is useless unless they have the key. To get the key and figure out all the little nuances of how the data is stored and who the information belongs to is not worth the time and effort. It\u2019s not like these password manager companies are storing passwords in a bucket for anyone to dump their hands in. They plan for these things to happen as their business depends on it. <\/strong><\/p>\n\n\n\n It honestly would be easier to go after low hanging fruit of people who reuse passwords or phish it from them. Another great thing about password managers is that they help fight phishing attacks, the plugins they use won\u2019t fill in the login details unless the URL matches 100% correctly. <\/p>\n\n\n\n This whole argument gets thrown out if you don\u2019t use a cloud-based password manager like KeePassXC<\/a>. Your vault is kept local so to get to it you need to be local too. Even if you stored it in your Dropbox account, it\u2019s still far more secure then someone else\u2019s server full of passwords. <\/p>\n\n\n\n The issue with local password managers is that you must manage them and back them up yourself. This is a trade-off many people are willing to make. <\/p>\n\n\n\n This brings me to my next point and something you should consider doing. <\/p>\n\n\n\n When it comes to passwords, it\u2019s easy to separate our important passwords from the not so important ones. <\/p>\n\n\n\n I bring this up to help the people who are worried about keeping all your eggs in one basket. You can have multiple baskets – strong secure baskets. <\/p>\n\n\n\n There is no rule saying you need to use only one password manager or you can\u2019t have multiple vaults. <\/p>\n\n\n\n With a password manager like KeePassXC, you can have as many vaults as you want. Don\u2019t go overboard with the idea; two should be fine because the more you have, the more master passwords you need to remember. <\/p>\n\n\n\n You can have one vault for your important passwords like banking and email accounts. The other vault could be for boring everyday passwords like twitter or that one forum you go to all the time. <\/p>\n\n\n\n I talk more about the 2 password manager method here<\/a>. <\/p>\n\n\n\nTry Peppering Your Passwords!<\/h2>\n\n\n\n
![\"\"](\"https:\/\/passwordbits.com\/wp-content\/uploads\/2019\/07\/Peppering-passwords-in-your-password-manager-featured-image.png\")
<\/figure><\/div>\n\n\n\nA Misunderstanding<\/h2>\n\n\n\n
Why Cracking Your Master Password Is Hard<\/h2>\n\n\n\n
How To Come Up With A Mater Password<\/h2>\n\n\n\n
Password Manager Strength<\/h2>\n\n\n\n
But The Eggs In One Basket!<\/h2>\n\n\n\n
What If The Password Manager Company Gets Breached?!?!<\/h2>\n\n\n\n
Important vs. Non-Important<\/h2>\n\n\n\n