# Celebrate World Password Day with a Password Manager

03 May 2018

Did you know that May 3rd is World Password Day? One of the things that I suggest to all my friends is that they have a different password for every single login. I personally do this with the help of a tool called a password manager. Password managers can generate a different password for everything you use and remember it for you. I will freely admit that I don’t know 99% of my passwords, and that is a good thing, since not only are they all rather long and complex (usually I will use the longest length the site allows, up to 99 characters, with maximum complexity), but they are also all unique. This is important because if you use the same password for everything you are at risk: criminals are constantly breaking into password databases, and if they manage to get one of your passwords, they have them all.

There are a number of really good password managers out there. I personally use one called LastPass, and pay for the subscription. The service is worth it to me since I like to have my passwords synced across multiple devices, but you can also use it for free. Unfortunately, LastPass is not an open source tool, and you have to trust that they are protecting your data adequately.

If you want a free and open source password manager, I can highly recommend KeePassX. It has the added benefit of not having to worry about syncing your data to the cloud - you control your own password list entirely. A coworker of mine introduced me to this tool, and I have since tried it out. It works really well, and can even automatically type in passwords. The only downside is that you have to worry about syncing your data manually if you wish to do so, and you are responsible for keeping password backups. If you lose these, getting access to your accounts will be quite painful.

In observance of World Password Day, I will be reviewing and changing my older passwords in LastPass, and I suggest that everyone else do the same. This improves your overall security, and revokes access to your accounts for anyone who has managed to obtain one of your old passwords.

While I’m writing about security, it is worth mentioning that in many cases, having a password alone is not sufficient for proper online security. One thing that everyone should be taking advantage of, especially given the ubiquity of smartphones, is two-factor authentication, or 2FA. 2FA is the idea of providing two pieces of data to log in to your account: one based on something you know, a password, and one based on something you have.

With modern 2FA like Google Authenticator, a pre-shared secret key is used to mathematically generate a numerical token based on the current time. This token is only valid for 30 seconds or so. When you enroll your device, the secret key is only sent to the device once and cannot be retrieved afterwards, so it cannot be duplicated. Because of this, you need your phone or an authenticator application, such as Authy, in order to get the token needed to log in. I use two-factor authentication on pretty much everything that supports it, and this provides me with an extra layer of security: even if a malicious actor compromises the password, they would still need physical access to the device that generates the token in order to log in.

Anyways, happy password day, and stay safe out there!

Dylan Taylor
Software Engineer