If you don’t use a password manager, you should quit your tech job…or any job.


Look, a lot of people aren’t going to like what I’m saying here:

If you’re not using a password manager, you should just quit your job in tech.

-Me

UPDATE: you should also quit any other job with any level of power or authority. Especially if you happen to be a president who wears his Twitter password on a hat.

A well-regarded ethical hacker has reported that he accessed Trump's Twitter account like this.

So, why should you quit any job with any authority? Especially a tech job? Well…

You wouldn't trust a technology consultant emailing you from a domain like Yahoo.com or AOL.com. Nor should you trust someone who relies on some terrible combination of memory, password re-use, or browser password storage.

Why would I make an outrageous claim like “If you don’t use a password manager, you should quit your tech job”? Because not using a password manager when you work in tech is indicative of either professional negligence, professional ignorance or professional laziness.

Your passwords have been breached. I promise. 10 BILLION accounts have been compromised. You can check whether yours was among them here (at haveibeenpwned.com, maintained by security researcher and Microsoft Regional Director Troy Hunt).

This could be a big, long, blog on how important it is to use a password manager, but lots of people have made videos about that and that’s even more fun to go consume than reading.

Here’s a fun one from Vox Media

Fun! Anyway…

Just use a password manager. I recommend and use LastPass; it has a free tier to get started (disclosure: the above is a referral link, and they'll give us each a free month of the premium service if you sign up, but get started with or without my link).

There are lots of very well reviewed ones, here’s the G2 Grid for best of the best:

Pick whichever you like from the right-hand side, but you must begin using one, because 2020 was the year of the breaches, and so were all the years before it, and 2021 will be too. Just do it. Today. Right now. Stop reading this and start setting up a password manager. Here's an independent how-to from the EFF, a security and privacy non-profit. Seriously, this blog will wait; go do it.

Are you back? Did you do it? Can you keep working in tech, or in any position with any level of authority?

Additional updates by request:

Some people have specific questions and asked that I address them. Don’t let concerns delay or dissuade you from making things better. Don’t let an imagined perfect delay you from an implemented improvement.

Question: How do I know I can trust a P-word manager?

Answer: That depends on your threat model, but LastPass (and likely many others) encrypts your vault on the device, with a key derived from your master password, before transmitting the encrypted blob to the cloud for storage and retrieval by your other devices, whether a mobile app or a browser plugin on a laptop. The server only ever holds the encrypted blob and a separate one-way login hash, never the vault key. We know this held up in practice because when LastPass was breached in 2015, the attackers got account email addresses (user IDs), password reminders, per-user salts and hashed authentication data, but not vault contents or plaintext master passwords. What they took is useful only for offline guessing against the master password, and if you're careful it won't help them, because you chose an 8-random-word passphrase like we talked about here (and didn't write it into the reminder).

Additional Answer: Read takes by external, independent security researchers like Steve Gibson or Brian Krebs, and watch how the software provider reacts to security vulnerability disclosures and to breaches or attacks.
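As an added illustration (not LastPass's code, and not code from this post), here is a Python sketch of the design described above: an 8-random-word passphrase, a vault key derived from it on the device, and a separate one-way login hash that is all the server stores. The username-as-salt and the 100,100 iteration count are modelled on LastPass's published description; the word-list fragment and the attacker guess rate are constructed assumptions for illustration.

```python
import hashlib
import hmac
import math
import secrets

# Constructed fragment of a diceware-style word list. A real list (e.g. the
# EFF large list) has 7776 words; we keep that size for the entropy maths.
SAMPLE_WORDS = ["apple", "bishop", "cactus", "dune", "ember", "falcon", "gravel",
                "hollow", "ivory", "jungle", "kettle", "lumber", "marble", "nectar",
                "orbit", "pepper"]
WORDLIST_SIZE = 7776


def generate_passphrase(n_words=8, words=SAMPLE_WORDS):
    """Pick words with a CSPRNG (secrets), never random.choice, for secrets."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_choices, alphabet_size):
    """Entropy of n_choices independent uniform picks from alphabet_size symbols."""
    return n_choices * math.log2(alphabet_size)


def derive_vault_key(master_passphrase, username, iterations=100_100):
    """Stays on the device: the key that encrypts the vault blob.

    Modelled on LastPass's published design (PBKDF2-SHA256, username as salt);
    the exact parameters are an assumption for this example.
    """
    salt = username.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_passphrase.encode(), salt, iterations)


def login_hash(vault_key, master_passphrase):
    """One extra one-way round; this value, not the key, is sent to the server."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_passphrase.encode(), 1)


def server_check(stored_login_hash, presented_login_hash):
    """The server compares login hashes in constant time; it never holds the key."""
    return hmac.compare_digest(stored_login_hash, presented_login_hash)


def years_to_exhaust(bits, guesses_per_second):
    """Worst case for an attacker who stole salt + login hash and guesses offline.

    Each guess costs the full PBKDF2 work, so guesses_per_second is small even
    on GPUs; the caller supplies that figure (an assumption, not a measurement).
    """
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    phrase = generate_passphrase()
    key = derive_vault_key(phrase, "User@Example.com")
    sent = login_hash(key, phrase)
    print("passphrase:", phrase)
    print("8 random words:", round(entropy_bits(8, WORDLIST_SIZE), 1), "bits")
    print("8 random lowercase letters:", round(entropy_bits(8, 26), 1), "bits")
    print("login hash differs from vault key:", sent != key)
    print("years at 1e6 guesses/s:", f"{years_to_exhaust(entropy_bits(8, WORDLIST_SIZE), 1e6):.2e}")
```

The point of the split is that a breach of the server yields `login_hash` and the salt, which only lets an attacker grind through guesses at PBKDF2 speed; an 8-word passphrase from a 7776-word list is about 103 bits, which keeps that grind out of reach, whereas a reminder that spells out the passphrase collapses it to zero.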

Question: what about Multifactor (or 2 Factor) Authentication?

Answer: Yes! Use it all. Use MFA to access your password manager vault AND on all of the accounts whose passwords it protects.

Question: But don’t I also need to think of other things too? Like password reset questions? Re-use of login-IDs and so on?

Answer: Yep. If usernames are allowed to be anything, generate random ones too. Make your password-reset answers untrue at the very least; ideally generate fresh random strings for them and save them as notes in that account's entry in... your password manager! If you need a robust offline backup, print them out and put them in a safe, along with the password to your password manager, your 2FA/MFA seeds, and your recovery codes.
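As an added example for the two MFA answers above (not from this post, and not any vendor's code), here is what one of those MFA seeds actually is: the shared secret from which every TOTP code is computed. The seed used is the RFC 6238 test-vector secret, so the expected codes are public; everything else is stock RFC 4226/6238 logic in Python's standard library. Whoever holds the seed can mint valid codes, which is why the print-out in the safe needs the same protection as the master password, and why restoring the seed restores the second factor.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed seed: the RFC 6238 test-vector secret, shown base32-encoded the
# way authenticator apps, QR codes and printed backups carry it.
EXAMPLE_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_seed(seed_b32):
    """Base32 seeds are often printed unpadded and in groups; restore '=' padding."""
    s = seed_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(seed, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(seed, t // step, digits)


def verify_totp(seed, submitted, at_time=None, step=30, digits=6, window=1):
    """Server-side check tolerating +/- window steps of clock drift.

    Uses a constant-time comparison so the check does not leak which digits matched.
    """
    t = int(time.time() if at_time is None else at_time)
    for skew in range(-window, window + 1):
        candidate = hotp(seed, (t // step) + skew, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    seed = decode_seed(EXAMPLE_SEED_B32)
    print("seed (base32):", EXAMPLE_SEED_B32)
    print("code at t=59:", totp(seed, at_time=59))
    print("code now:", totp(seed))
```

Nothing about the code changes between devices: the same base32 string typed into a new phone produces the same codes, which is all a "recovery" of an authenticator app really is. A server should also reject a code that has already been accepted in the current window, which this minimal verifier does not track.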

Question: but… but.. but…

Answer: Security is a process, not a product. There is no perfect solution out there for you; nothing will fix it all for you. If you are not using a password manager, your answer had better be one of these three:

1.) I am a hacker and I use my own open-source password-management software, hosted on encrypted, plausibly deniable cloud drives, secured by strong passphrases I have memorized and do not re-use, in combination with several MFA methods, including hardware keys
2.) I do, but there are some passwords I can't use it for (government systems and the like that won't allow installation of password-manager software)
3.) I’m sorry, I’m starting today