Password Managers!
- RG

- Jan 21

Far too often, if you ask an InfoSec professional how to be more secure, the answer you get will sound like Charlie Brown’s teacher: a stream of technical jargon and details of specific vulnerabilities or attacks. This is not really specific to InfoSec, but more a general issue with experts - an occupational hazard, where people understand their field of expertise, but don’t yet understand it well enough to explain it to a non-expert.
You may also encounter people who take the “rules” as some profound “Truth” which applies universally.
Take passwords as an example.
I’ve written about passwords and related topics before, and most InfoSec people will say that you need a password manager.
Everyone. Always. All the time.
Um... Hold a sec.
As with most things, there is room for nuance. I’ve discussed “credential stuffing” before, but to summarize, most sites use your email address as your account name, and most bad actors who gain access to a service will grab the passwords if they can, and then try to use them to log into every other service they can. The bottom line is that, if you use a long, unique password for every single service, the impact of one service being compromised will be limited to that service.
In some cases, for some people, the most appropriate approach might be to write those passwords down in a book that you keep at home. If you don’t travel much and are anxious about technology, this might work for you, particularly since the most likely way people are hacked is remotely – the risk that someone down the street will break into your house in order to find your password book and use it to compromise your accounts is relatively low. And if someone is doing that, you have other problems on your hands.
In any case, as a general rule, password managers are an option which I would recommend for most people, but the “best” option for an individual will depend on that individual’s needs.
First, however, it’s useful to understand a bit about the ecosystem. For personal use (and setting aside hardware-based solutions for another time), password managers can be roughly divided into browser-based, local, and cloud-based.
Browser-based password managers are those which are built into web browsers such as Firefox, Chrome, Edge, and Safari. They are easy to use, and low/no-cost, but are generally limited to a specific platform and may lack features like strong encryption or syncing across devices. If you use a single device for your web browsing, this may be a good option for you, but if you use a variety of devices or platforms (say, Firefox on your desktop and Safari on a mobile device), you may want to consider other options.
Some password managers are locally installed on your device. This can provide good security, but may be limited to that device.
Several of the most popular password managers are cloud-based, which can make them more flexible and easier to use across multiple platforms and devices. This approach is arguably the most flexible, but is highly dependent on good design, implementation, and maintenance by the vendor. Over the past 20+ years, we’ve figured out designs that work, and bad actors have helped identify what doesn’t.
Password managers are a bit of a strange beast, actually. While they can dramatically increase the security of our accounts overall, compromising the password manager is, well, very bad. This is why the companies which focus on password managers usually spend an enormous amount of time and effort in designing their products to be as secure as possible, and in ensuring that issues are addressed quickly and correctly. (You still need to do your homework, though – all password managers are NOT created equal.)
This is one argument for using a password manager built by people for whom it is a top focus – they’re the ones who are the experts, and their business depends on their ability to keep their core product secure. To paraphrase Kyle Reese from Terminator, “That’s what they do. That’s all they do.”
The transition to using a password manager can seem daunting, but after getting used to it, you quickly wonder why it took you so long to start using one. The easiest way is to just start using it with one account, then add more as convenient. (Soon, you’ll probably want to migrate everything else as quickly as you can, but that’s your choice). In my own case, I installed it on my phone, and started adding accounts as I used them. That approach can very quickly migrate the majority of your accounts, and the others may be accounts you are less concerned about.
While you can transcribe your existing passwords easily enough, or create new ones manually, most password managers provide very flexible options for automatically generating passwords, ranging from PIN codes of a specific length, to multi-word passphrases with variable separators, right up to random strings of letters, numbers, and symbols. It’s up to you. For accounts where you expect to need to be able to type in a password (for example if you will be using a public computer), you might want to consider a “memorable” passphrase as opposed to random gibberish, but most password managers give you enough flexibility that you’ll be able to do whatever you like.
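To make the three generator styles above concrete, here is a small added example (not code from this post or from any password manager) that builds a PIN, a separator-joined passphrase, and a random string using Python's CSPRNG, and reports the entropy each setting actually delivers. The word list is a tiny constructed one for illustration; the 7776-word figure is the size of a standard diceware-style list, included so the comparison is realistic.

```python
import math
import secrets
import string

# Constructed sample word list for illustration only; a real passphrase
# generator draws from a published list of thousands of words.
WORDS = ["apple", "river", "candle", "orbit", "meadow", "signal", "velvet",
         "harbor", "lantern", "cactus", "pepper", "tunnel", "marble", "falcon",
         "glacier", "thistle"]

SYMBOLS = "!@#$%^&*-_=+"
FULL_ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 74 characters
DICEWARE_LIST_SIZE = 7776  # size of a standard diceware-style word list


def make_pin(length):
    """PIN of the requested length: digits only, drawn with secrets (a CSPRNG)."""
    return "".join(secrets.choice(string.digits) for _ in range(length))


def make_passphrase(n_words, separator="-", words=WORDS):
    """Multi-word passphrase with a caller-chosen separator."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def make_random(length, alphabet=FULL_ALPHABET):
    """Random string of letters, digits and symbols."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices_per_position, positions):
    """Entropy in bits when every position is drawn uniformly from N choices."""
    return positions * math.log2(choices_per_position)


def compare():
    """Entropy (whole bits) of typical settings for each generator style.

    The point: strength comes from the number of uniformly random choices,
    not from how 'complex' the result looks. Four words from a large list
    beats a 6-digit PIN by a wide margin; four words from this tiny
    constructed list do not.
    """
    return {
        "pin_6_digits": round(entropy_bits(10, 6)),
        "passphrase_4_words_constructed_list": round(entropy_bits(len(WORDS), 4)),
        "passphrase_4_words_diceware_list": round(entropy_bits(DICEWARE_LIST_SIZE, 4)),
        "random_16_chars": round(entropy_bits(len(FULL_ALPHABET), 16)),
    }
```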
Many password managers also have browser extensions, which allow you to access your vault almost seamlessly. This gives you the flexibility to use your password manager with whatever browser you wish, and makes it easy to migrate from one to another.
And then there’s the ability to define different vaults for different purposes, or the ability to define family/corporate plans which allow for selective sharing of different vaults. Consider a family where each parent has their own vault, then a shared family vault (for things like the family wifi), and then a vault for each child. And if you want to separate some group of accounts – say, for a hobby or side-project – just create another vault. Most password managers provide an enormous amount of flexibility.
Now, you may have heard about things like “passkeys” and “passwordless” approaches, but it’s unlikely that passwords will be going away any time soon. And, even if they do, most password managers support passkeys in any case, so the biggest change might be to change the name from “password manager” to “passkey manager”. Perhaps more on that another time.
Cheers!