
Password Management

As we saw in the previous lesson, passwords must be complex enough to be hard to guess, and that same complexity makes them hard to remember. At the same time, a password should never be reused across sites. In this lesson, we look at a practical solution to the conflict between these two requirements.


Role of a Password Manager

Recall that passwords should be complex, difficult to guess, and thus also difficult to crack. These properties make properly created passwords difficult to remember. However, we cannot reuse the same password across sites and services, making it necessary to generate and memorize a large number of these nearly impossible-to-remember passwords. Obviously, this approach to passwords is not practical for a human being.

Fortunately, we can use a piece of software called a password manager to generate a completely random, unique password for every site and service we use. We then need to make and memorize only one complex password: the master password that unlocks the password manager itself. From there, the password manager's generator produces random strings, drawn from a cryptographically secure random source, to use as the actual site and service passwords. Since these strings are not based on dictionary words, dictionary attacks will not find them, and since they are long and drawn uniformly from a large alphabet, brute-force guessing is infeasible as well. Note that the master password now guards every other credential, so it must be strong and must itself never be reused anywhere.
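To make the generation step concrete, here is an added example (written for this page, not code from any password manager) of a generator that sizes the password to a target number of entropy bits instead of an arbitrary length. It uses Python's `secrets` module, which draws from the operating system's cryptographically secure random source. The guess rate of one trillion guesses per second used in `crack_time_years` is an assumed figure for illustration, not a measured one.

```python
import math
import secrets
import string

# Symbols to draw from. Each uniformly chosen symbol contributes
# log2(len(alphabet)) bits of entropy: about 6.55 bits for these 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def bits_per_char(alphabet: str = ALPHABET) -> float:
    """Entropy contributed by one symbol chosen uniformly from alphabet."""
    return math.log2(len(alphabet))


def length_for_entropy(target_bits: float, alphabet: str = ALPHABET) -> int:
    """Smallest length at which a uniformly random string reaches target_bits."""
    return math.ceil(target_bits / bits_per_char(alphabet))


def generate_password(target_bits: float = 128, alphabet: str = ALPHABET) -> str:
    """Generate a random password with at least target_bits of entropy.

    secrets.choice is backed by the OS CSPRNG. random.choice must not be used
    for this: the Mersenne Twister it uses is predictable once an attacker has
    observed enough of its output.
    """
    length = length_for_entropy(target_bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_of(password: str, alphabet: str = ALPHABET) -> float:
    """Entropy in bits of a string, assuming it was generated uniformly from alphabet.

    This measures how the string was produced, not how it looks: a dictionary
    word typed with these 94 symbols is not worth 6.55 bits per character.
    """
    if any(c not in alphabet for c in password):
        raise ValueError("password contains characters outside the alphabet")
    return len(password) * bits_per_char(alphabet)


def crack_time_years(bits: float, guesses_per_second: float = 1e12) -> float:
    """Expected years to find the password after searching half the keyspace.

    The default of 1e12 guesses/s is an assumed round figure for a GPU rig
    attacking a fast, unsalted hash; a slow KDF such as Argon2 or scrypt cuts
    the attacker's rate by several orders of magnitude.
    """
    return (2 ** (bits - 1)) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(128)
    print(f"{pw}  ({entropy_of(pw):.1f} bits, {len(pw)} characters)")
    for bits in (40, 64, 128):
        print(f"{bits:>4} bits: about {crack_time_years(bits):.3g} years at 1e12 guesses/s")
```

A 128-bit target yields 20 characters from this alphabet. The contrast in `crack_time_years` between 40 and 128 bits is the reason to let the generator, not a human, choose the string: a 40-bit password, which is roughly an eight-character string with a little structure, falls in a fraction of a second at the assumed rate.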

Cloud Services

Plenty of cloud-based password management services are available, and articles with titles like “Best free password managers of 2025”1 are readily available from technology news sources. Before reading and believing such articles, however, it is important to note that conflicts of interest abound. The cited article, for example, names six password management services, all of which are advertised through affiliate programs: NordPass,2 Dashlane,3 RoboForm,4 Bitwarden,5 LogMeOnce,6 and Proton.7 The cited article, and articles similar to it, are all making money from these affiliate programs. Consequently, the recommendations made by these kinds of sources are neither objective nor trustworthy, and the same goes for the services that are paying people to create these phony recommendation pages.

I strongly recommend AGAINST the use of ANY cloud-based password management service. These services represent security risks in their own right, since a single server holding millions of vaults is an obvious target for criminal attackers. For an excellent example of this threat, one needs only to look at LastPass, which suffered a data breach in 2022.8 LastPass was then compromised a second time only a few months later.9 Security researchers only later discovered the true depth of the compromise: the attackers had taken copies of customers' encrypted vaults, and once a vault is in an attacker's hands, nothing stops them from guessing its master password offline at their leisure. Vaults protected by weak master passwords were cracked this way, and the credentials inside were used to steal millions of dollars' worth of cryptocurrency.10

Self-Managed Solutions

Cloud services keep the encrypted vault on centralized servers, and the vault is decrypted either with a password sent to the service itself or by JavaScript code that the service delivers to your web browser. Either way, the provider and anyone who compromises the provider sits in the path between you and your passwords, so I would not be surprised to see other password management services suffer the same fate sooner or later. While I recommend that you use a password manager, that password manager needs to be a local application that runs on your own device.

Most web browsers provide some kind of rudimentary password manager, which many people use to store login passwords for various websites. While a browser password manager may be more secure than a cloud-based service, the web browser is an application with an enormous attack surface: it has to run a great deal of code, much of it handling untrusted content, in order to display modern websites. A flaw anywhere in that code can expose whatever the browser holds, passwords included. For this reason, I suggest not using the browser's built-in password manager. Use a standalone password manager application instead.

Fortunately, there is an entire set of standalone applications that share a compatible storage format, which allows credentials to be moved between devices. KeePass is a project to develop a cross-platform password manager that stores data in local encrypted files.11 While KeePass is certainly an option in its own right, the bigger story is that its developers documented its data format well enough that other projects created interoperable applications that are more user-friendly and work across a wider variety of devices. For example, KeePassXC12 is available for desktop and laptop computers, KeePassDX13 is available for Android devices, and AuthPass14 is a KeePass-compatible password management app for iPhones and iPads.

Since all these interoperable password managers encrypt and decrypt the password database locally (on your computer or phone) without the need for a browser, only ciphertext ever leaves the device, and the database files can be synchronized across devices as long as you use a good passphrase. Keep in mind that anyone who obtains a copy of the file can attack the passphrase offline, exactly as happened with the stolen LastPass vaults, so the passphrase is the only thing protecting a synchronized copy. Commercial cloud storage could be used for synchronization. A more secure solution is Syncthing,15 an open-source, peer-to-peer file synchronization tool that copies files directly between your own devices over encrypted connections, with only volunteer-run relay and discovery servers in between and no central copy of your data.

The main drawback to the use of a local password manager is that you must remember to back up the password database file regularly. Without proper backups, a disk crash or a lost device will make it impossible for you to access all your various services, likely including your email. Since most services rely on email for lost-password recovery, losing your only copy of your password data could prove quite inconvenient. To avoid this possibility, take regular backups, verify that each backup copy is intact, and ensure that at least one copy is stored off-site. Because the file is encrypted, an off-site copy does not weaken your security provided the passphrase is strong.
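As an added example of the backup step described above (written for this page; it is not part of KeePass or any of the compatible applications), the script below copies a vault file into a backup directory under a timestamped name, verifies the copy byte-for-byte against the original before trusting it, and prunes the oldest copies beyond a retention count. The file name `vault.kdbx`, the backup directory, and the placeholder bytes used in the demo are all constructed for the example; the directory it writes to can be one that Syncthing or an off-site drive mirrors.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large vaults are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def list_backups(vault: Path, backup_dir: Path) -> list[Path]:
    """All backup copies of vault, oldest first.

    The timestamp is zero-padded and fixed-width, so lexicographic order is
    chronological order. The pattern needs a dot-separated stamp between stem
    and suffix, so the live vault itself never matches.
    """
    return sorted(backup_dir.glob(f"{vault.stem}.*{vault.suffix}"))


def backup_vault(vault: Path, backup_dir: Path, keep: int = 10, stamp: str = "") -> Path:
    """Copy vault into backup_dir as <stem>.<stamp><suffix>, verify, then prune.

    The vault is ciphertext, so the copy needs no additional encryption, but it
    must be byte-exact: a truncated or half-written copy is useless. The digest
    is therefore checked before any older copy is removed, so a failed backup
    never costs you a good one.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%dT%H%M%S")
    dest = backup_dir / f"{vault.stem}.{stamp}{vault.suffix}"
    shutil.copy2(vault, dest)  # copy2 also preserves the modification time
    if sha256_of(dest) != sha256_of(vault):
        dest.unlink()
        raise RuntimeError(f"backup verification failed for {dest}")
    for old in list_backups(vault, backup_dir)[:-keep]:
        old.unlink()
    return dest


def run_demo(keep: int = 3, rounds: int = 5) -> dict:
    """Exercise the backup routine on a constructed vault in a temporary directory.

    Returns counts so the behaviour can be checked without reading the console.
    """
    root = Path(tempfile.mkdtemp())
    vault = root / "vault.kdbx"
    vault.write_bytes(b"constructed placeholder for KDBX ciphertext\n" * 64)
    backup_dir = root / "backups"
    made = [
        backup_vault(vault, backup_dir, keep=keep, stamp=f"2025010{i}T000000")
        for i in range(rounds)
    ]
    remaining = list_backups(vault, backup_dir)
    return {
        "made": len(made),
        "remaining": len(remaining),
        "newest_is_last_made": remaining[-1] == made[-1],
        "oldest_pruned": not made[0].exists(),
        "newest_matches_vault": sha256_of(remaining[-1]) == sha256_of(vault),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run this from a scheduled task or cron job and point `backup_dir` at a folder that is also synchronized to a second machine; combined with a copy on a detached drive kept elsewhere, that satisfies the off-site requirement without ever exposing plaintext.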

Notes and References


  1. Benedict Collins. “Best free password manager of 2025.” TechRadar. January 6, 2025. 

  2. NordPass. Join Our Affiliate Program And Earn Money Now

  3. Dashlane. Affiliates

  4. RoboForm. RoboForm Affiliate Program

  5. Bitwarden. Partner with Bitwarden and accelerate your growth

  6. LogMeOnce. Partner with LogMeOnce

  7. Proton. Join our Partners Program

  8. Karim Toubba. “12-22-2022: Notice of Security Incident.” LastPass Blog. December 22, 2022.

  9. Lily Hay Newman. “Security News This Week: The LastPass Hack Somehow Gets Worse.” Wired. March 4, 2023. 

  10. Anthony Spadafora. “Millions stolen from LastPass users in massive attack – what you need to know.” Tom’s Guide. December 18, 2024. 

  11. KeePass Password Safe

  12. KeePassXC

  13. KeePassDX

  14. AuthPass

  15. Syncthing