Password Manager: Recommended Practices

TL;DR

Use 1Password because it’s the best password manager. Create randomly generated passwords or passphrases and do not reuse them. Monitor for breaches so you know if/when to change passwords. Use MFA for every account.

Terms & Tech

A password manager securely stores a unique password for each account. It may be local to one device or cloud hosted, free or paid, and single- or multi-platform; a multi-platform manager usually syncs account details across devices. Features vary, so research any password manager you consider using thoroughly to be sure its practices will protect your information. The best-in-class password manager is 1Password, and the recommendations below reference some of its features. A newer form of authentication is the passkey. A passkey is enrolled after an initial, successful login made with a password and second factor, and is then used for subsequent logins. Passkeys are useful because the username and password are not transmitted at login; the private half of the passkey never leaves your device.

Recommendations

  1. Use the cloud-hosted subscription. This enables you to access everything you need across multiple platforms, including Time-based One Time Passwords (TOTPs). This also allows you to securely share individual logins and credentials with others in your family.
  2. Generate randomly constructed passwords at least 20 characters long using a mix of upper- and lower-case letters, numbers, and special characters. Strength is a matter of math: the number of possible passwords grows with both the length and the size of the character set.
  3. Alternatively, generate three to four randomly assembled words. Separate them with special characters, add a number here and there, and alter at least one word into something you won’t find in a dictionary. Examples: classRoom@strikebreaker4$Fabricatioalnist, mailBoxer+jawbone6*committee, and airPort8^unpredictability#atlantanite.
  4. Whether you choose a string of complex, unintelligible (non-human-readable) characters or a passphrase, a good password manager can pick the randomized words for you. It is then up to you to take each phrase beyond dictionary words so it holds up against dictionary-based brute-force attacks. Also review generated random character strings to be sure they are truly random; it’s fine to replace some characters and add extra punctuation. Each site has its own password rules, so take full advantage of the maximum length and character set it allows.
  5. Do not reuse passwords.
  6. Use 1Password’s Watchtower to manage: lists of compromised websites which may have exposed your username/password, vulnerable passwords, reused passwords, weak passwords, unsecured websites, sites where you haven’t enabled Multi-Factor Authentication (MFA), and items expiring soon (credit cards, driver’s license, passport, etc.).
  7. 1Password can create complex passwords and strong passphrases. Use this feature to generate password-recovery answers as well, and modify them as described above.
  8. Read through NIST Special Publication 800-63B. It offers guidance about authentication and lifecycle management.
  9. Always enable MFA. The preferred order is: passkey, U2F key, software-based TOTP, hardware-based TOTP (software ranks above hardware when availability and reliability are considered), emailed TOTP (to an email account protected by MFA), and text-based TOTP to a Google Voice number via a Google account protected by MFA. The tie for last place is between an SMS-based TOTP and a personal identification number (PIN). SMS is not encrypted, and the codes are unavailable to you if your phone is inaccessible. A password combined with a PIN is 2-Step Verification (2SV), not MFA, since both items are something you know rather than one item known and one item held.
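The "math about length and complexity" behind recommendations 2 and 3, as an added worked example (not code from the original page or from 1Password): it computes the entropy of a 20-character random string versus a four-word passphrase, and generates both kinds with the CSPRNG in `secrets`. The 7776-entry word-list size and the short `SAMPLE_WORDS` list are constructed assumptions for illustration; a real generator would draw from a full diceware-style list.

```python
import math
import secrets
import string

# Printable ASCII minus space: 52 letters + 10 digits + 32 punctuation = 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Size of a diceware-style word list (assumption). SAMPLE_WORDS is a constructed
# stand-in so the example runs offline; it is far too small for real use.
WORDLIST_SIZE = 7776
SAMPLE_WORDS = ["classroom", "strikebreaker", "mailbox", "jawbone",
                "committee", "airport", "unpredictability", "atlanta"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each chosen uniformly from N: length * log2(N)."""
    return length * math.log2(alphabet_size)


def compare_strategies() -> dict:
    """Entropy of the two recipes, assuming every choice is made uniformly at random."""
    chars20 = entropy_bits(len(FULL_ALPHABET), 20)          # ~131 bits
    words4 = entropy_bits(WORDLIST_SIZE, 4)                  # ~52 bits
    # Four words plus three random separators (32 punctuation marks) and one
    # random digit: the extras add ~18 bits, but only because they are random.
    words4_plus = words4 + entropy_bits(len(string.punctuation), 3) + entropy_bits(10, 1)
    return {"chars20": chars20, "words4": words4, "words4_plus": words4_plus}


def random_password(length: int = 20) -> str:
    """Random string over the full 94-symbol alphabet (recommendation 2)."""
    return "".join(secrets.choice(FULL_ALPHABET) for _ in range(length))


def random_passphrase(words, count: int = 4) -> str:
    """Words joined by random separators with a random digit on a random word
    (recommendation 3). Altering a word into a non-dictionary spelling is left
    to the user; hand-made edits add less entropy than they appear to, because
    they follow predictable habits rather than the CSPRNG."""
    chosen = [secrets.choice(words) for _ in range(count)]
    chosen[secrets.randbelow(count)] += str(secrets.randbelow(10))
    out = chosen[0]
    for word in chosen[1:]:
        out += secrets.choice(string.punctuation) + word
    return out
```

The comparison shows why recommendation 4 insists on going beyond plain dictionary words: four random words alone sit well below a 20-character random string, and only randomly chosen additions close part of that gap.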