It's hard to remember every login and password we use in our day-to-day lives to protect everything from online banking to our work.
Using a password manager can help, but how safe are they, and can they provide protection in the event of a data breach like the recent Qantas hack?
What is a password manager?
A password manager is a software app that helps create, store, and manage passwords and other sensitive information in a secure, encrypted digital vault.
It allows users to have strong, unique passwords for each online account without having to remember them all.
Password managers help "defend your online accounts", according to Suelette Dreyfus, a lecturer in the School of Computing and Information Systems at The University of Melbourne, on the traditional lands of the Wurundjeri people.
"A password manager makes sure your passwords are unique and strong," Dr Dreyfus says.
The federal government's Australian Cyber Security Centre (ACSC) says to access a password manager, you only need a single master password, key, PIN and/or biometrics (such as Face ID).
This means you only need to remember the master login to access all your stored passwords.
It says password managers allow you to:
- Generate strong and unique passwords
- Store passwords and other logins in one place from any device
- Save time and effort by automatically entering your password on a login page
- Reduce the risk of someone intercepting your passwords
How to choose a reputable password manager
Gohar Rind is a Yamatji man and managing director of Indigenous cybersecurity company Intaris, based in Perth/Boorloo, Western Australia.
Before buying or downloading a password manager, he recommends checking if the company and product have a good reputation.
"From a security lens, you want to understand where the password manager is being run out of. Which country? Where's the data stored?" he says.
"So, essentially, the password managers would encrypt your passwords or hash your passwords and store them."
Hashing is a one-way transformation that turns a password into a fixed-length, seemingly random string of characters that cannot be converted back into the original, so a stolen hash does not directly reveal the password. Because a hash cannot be reversed, hashing is how websites store the passwords you log in with; a password manager's own vault has to use encryption instead, so that it can decrypt your passwords and fill them back in for you.
Our experts say there are some "reasonable" free apps such as Google Password Manager or NordPass.
Paid versions can cost about $50-$60 per year.
ACSC recommends that the app has strong security and privacy features and gets regular updates.
Also, check if it supports:
- Encryption (prevents anyone from accessing your stored information without your master password)
- Multi-factor authentication
- Different devices and syncing between devices
- Browser extensions to automatically enter your password on a login web page
- Alerting you if one of your passwords has been exposed in a data breach
How can password managers help in data breaches?
To alert you to a potential data breach, Mr Rind says the password manager would need to have a function that allows it to check against leaked passwords.
"In the event like Qantas, the leaked passwords need to be public/on the dark web for the application to check against it or be picked up by notification from authorities of the compromise," he says.
Some apps will alert you if one of your passwords has been exposed in a data breach.
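The check described above can be done without the password manager ever sending your password, or even its full hash, to the service that holds the leaked list. The following is an added example (not code from the article or from any product named in it); the design it illustrates is the k-anonymity range-query scheme popularised by the Have I Been Pwned "Pwned Passwords" API, assumed here as a representative approach rather than as what any particular manager does. The leaked-password set, the vault contents and the lookup service are all constructed in-process so the example runs offline.

```python
"""Added example: checking a stored password against a leaked-password set
without revealing the password. Illustrative only; not the article's code."""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex characters of the SHA-1 digest revealed to the lookup service


def sha1_hex(password):
    """SHA-1 of the UTF-8 password as 40 upper-case hex characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: password -> times seen in leaks.
# A real corpus holds hundreds of millions of entries; these are made up.
CONSTRUCTED_LEAKS = {
    "password": 9_000_000,
    "123456": 37_000_000,
    "qwerty": 4_000_000,
    "letmein": 300_000,
}


def build_range_index(leaks):
    """Service side: group full hashes by their first PREFIX_LEN hex chars.
    The index stores only (suffix, count) pairs, never the plaintext."""
    index = defaultdict(list)
    for pw, count in leaks.items():
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]].append((digest[PREFIX_LEN:], count))
    return index


def range_query(index, prefix):
    """Service side: return every (suffix, count) whose hash starts with prefix.
    The service learns only the prefix, which is shared by many unrelated passwords."""
    return list(index.get(prefix, []))


def breach_count(password, index):
    """Client side (the password manager): hash locally, send only the prefix,
    and compare the returned suffixes locally. Returns how many times the
    password appears in the leak set, or 0 if it is not there."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in range_query(index, prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def audit_vault(vault_entries, index):
    """Run the check over a vault (site -> password) and return the sites whose
    password is exposed, with the leak count, so the manager can alert the user."""
    exposed = {}
    for site, pw in vault_entries.items():
        n = breach_count(pw, index)
        if n:
            exposed[site] = n
    return exposed


if __name__ == "__main__":
    leak_index = build_range_index(CONSTRUCTED_LEAKS)
    # Constructed vault: one reused leaked password, one random one.
    vault = {"webmail": "letmein", "bank": "Tq7!vX2#pLm9"}
    for site, count in audit_vault(vault, leak_index).items():
        print(f"{site}: password seen in {count:,} leaked records; change it")
```

The privacy property comes from the split: the manager sends five hex characters, the service answers with the whole bucket, and the matching is done on the user's device, so the full hash never leaves it. With a corpus of only four constructed entries most buckets hold a single hash; with a real corpus each prefix covers hundreds of hashes, which is what makes the prefix uninformative about the password being checked.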
Things to consider before using a password manager
Password managers are attractive targets to cybercriminals, so consider what accounts you are putting into your password manager.
ACSC says some service providers, such as banks, may not cover losses for fraudulent activity if you store your password in a password manager.
Mr Rind says setting up multi-factor authentication (MFA) on your accounts "creates a second barrier for criminals".
"So, even if they get your password or passphrase, when they're logging on, they would need this secondary code to login," he says.
Mr Rind says a good habit is to change your password or passphrase every six months and immediately change any password exposed in a data breach.
Using passphrases instead of passwords
Mr Rind recommends people switch from using passwords to passphrases (a longer, more secure alternative, typically consisting of a string of four or more random words).
"These days there's a lot of technology out there that can sort of brute force [break into] your password," Mr Rind says.
"Passphrases are like a phrase that you would remember, and the length is long enough to make it complicated.
"So rather than passwords let's move onto using passphrases."
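To make Mr Rind's point about length concrete, here is an added example (not code from the article or from any vendor it mentions) that generates a passphrase from a word list using the operating system's cryptographic random source and compares its strength, in bits of entropy, against a typical eight-character random password. The word list below is a constructed twelve-word sample for illustration; the strength calculation takes the real list size as a parameter, and 7776 is the size of the commonly used Diceware-style lists.

```python
"""Added example: random passphrase generation and a strength comparison.
Illustrative only; not the article's code."""
import math
import secrets

# Constructed, deliberately tiny word list used only so the example runs.
# Real generators draw from lists of several thousand words.
SAMPLE_WORDS = [
    "harbour", "lantern", "pebble", "orchard", "velvet", "tundra",
    "saddle", "quartz", "meadow", "anchor", "falcon", "ginger",
]


def generate_passphrase(word_list, n_words=4, separator="-"):
    """Pick n_words uniformly at random from word_list.

    secrets.choice is used rather than random.choice because a passphrase
    must be unpredictable; the random module's generator is not designed for that.
    """
    if n_words < 1 or not word_list:
        raise ValueError("need a non-empty word list and at least one word")
    return separator.join(secrets.choice(word_list) for _ in range(n_words))


def entropy_bits(alphabet_size, length):
    """Entropy in bits of a secret made of `length` independent, uniformly
    random picks from `alphabet_size` possibilities: log2(size ** length)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(list_size, n_words):
    """Each word is one pick from the word list."""
    return entropy_bits(list_size, n_words)


def password_entropy_bits(charset_size, n_chars):
    """Each character is one pick from the character set."""
    return entropy_bits(charset_size, n_chars)


def compare(list_size=7776, n_words=4, charset_size=62, n_chars=8):
    """Return (passphrase_bits, password_bits), rounded to one decimal.
    62 = upper-case + lower-case letters + digits."""
    return (round(passphrase_entropy_bits(list_size, n_words), 1),
            round(password_entropy_bits(charset_size, n_chars), 1))


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
    pp, pw = compare()
    print(f"4 words from a 7776-word list: {pp} bits")
    print(f"8 random characters from 62 symbols: {pw} bits")
```

Four words drawn from a 7776-word list give about 51.7 bits against about 47.6 bits for eight fully random characters, and the passphrase is far easier to remember. The comparison only holds when the words are chosen at random: a phrase picked by hand from a favourite song or a common saying has much less entropy than the word count suggests.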
Dr Dreyfus says when you reuse a password multiple times, "the bad guys only need to break your password security once to get at all those accounts".
"If your LinkedIn password was breached by a large-scale hack, attackers can then run that known password on all your other accounts," she says.
"Don't for one minute think that adding 1, 2, 3 at the end of a password will make it unique for the purposes of a cyber-attack — the attackers figured that one out long ago."
She says reusing "weak" passwords is a big hole in your personal or business cybersecurity.