Security researcher Troy Hunt recently discovered and revealed what is perhaps the largest cache of stolen credentials in hacking history. Bundled together in a collection ominously called “Collection #1” are some 773 million unique email addresses, 21 million unique passwords, and over one billion unique combinations of the two, an 87 GB package of stolen credentials. The data is not from a single breach: it appears to be an aggregation of many older leaks, so much of it may already have been circulating, and the original sources aren’t immediately evident.
You can check whether your email address was included in the enormous bounty by searching for it at Have I Been Pwned, which has been updated to include the new data; the site’s separate Pwned Passwords search tells you whether a password appears in the corpus, and it does so without sending the password itself, only the first five characters of its SHA-1 hash. But whether or not you were caught in this breach, you should assume that you will be caught in one in the future. That doesn’t mean giving up on security, but it does mean treating your username-password combinations differently. Specifically, it means assuming they eventually will be stolen and limiting what a thief can do with them. The best way to protect yourself in that scenario is to use a password manager, so you can make sure, with relative ease, that every one of your passwords is long, random, and, most importantly, unique: a stolen password that is used nowhere else unlocks exactly one account.
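The partial-hash lookup mentioned above is worth seeing concretely, because it is what makes checking a password against a breach corpus safe. The Pwned Passwords range API takes only the first five hex characters of a password’s SHA-1 hash and returns every suffix it knows with that prefix, so the matching happens on your own machine. The Python below is an added example written for this article, not code from Have I Been Pwned or any password manager; the sample range response is constructed (its counts and the two extra suffixes are made up), and the live fetch helper is an assumption about how a practitioner would call the public endpoint rather than something the article describes.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response for the SHA-1 prefix
# "5BAA6", which is the prefix of sha1("password"). A real response lists every
# suffix in the corpus with that prefix, one per line, as "SUFFIX:COUNT".
# The counts and the second and third suffixes below are made up for the example.
SAMPLE_RANGES = {
    "5BAA6": """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5E4B8C3A1C9B60D2F8A6CE2A7D9F20E5C:2
1F2B7A9C0D3E4F5A6B7C8D9E0F1A2B3C4D5:17
"""
}

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Return (first 5 hex chars, remaining 35) of the upper-case SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_text):
    """Scan a range response locally for our suffix; 0 means not in the corpus."""
    for line in range_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password_offline(password, ranges):
    """Check against pre-fetched range responses keyed by prefix (nothing leaves the machine)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, ranges.get(prefix, ""))


def fetch_range(prefix):
    """Query the live API for one 5-character prefix. Only the prefix is sent."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password):
    """Same check, but fetching the range for the password's prefix over the network."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = check_password_offline(pw, SAMPLE_RANGES)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample corpus")
```

Run it as-is and it only consults the embedded sample; call `check_password_live` if you want the real corpus. Either way the full hash never leaves your machine, which is the property you want from any breach-check tool before you type a live password into it.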
If you’re unfamiliar, password managers such as 1Password or LastPass offer a simple service: They store all your pesky passwords (and generate new random ones when you need them) and then fill them in for whatever service you’re logging into, through browser add-ons and apps. They’re much like the password tools already built into your browser itself, the ones that ask whether you want to save your password for this site so you don’t have to enter it again. (Here are some good reasons not to rely on those.) Password managers, however, were built for this specific purpose and include a suite of tools that let you access the same encrypted library of passwords across all your devices. That vault is, of course, protected by a master password of its own, and because the vault’s encryption key is derived from it, that is the one password you must choose wisely and never reuse anywhere else.
Yes, this does pose a risk of its own, as you might already be screaming at your screen. Having all your passwords in the same place does make that place a target, and the vault they’re stored in is not necessarily impenetrable. Over the years, LastPass (Wirecutter’s pick for the best manager and my personal choice) has suffered both a breach of its servers and a string of vulnerabilities in its browser extensions. Because the vault data is encrypted client-side under a key derived from the master password, and because the vulnerabilities were patched promptly, there hasn’t been an avalanche of passwords released onto the internet. 1Password, meanwhile, was among the many services sitting behind Cloudflare during the 2017 “Cloudbleed” bug, in which Cloudflare’s edge servers leaked fragments of memory; because 1Password encrypts data before it leaves your device, what passed through Cloudflare was not usable, and encryption mitigated the damage there as well.
Those problems may seem like a deal-breaker, but let me tell you why they’re not. Take a moment to consider the alternative. No, not the IT department’s fantasy world, that never-gonna-happen scenario where you create a strong, unique password for every account, memorize each one, and refresh them every few months. We both know it’s not like that. The reality is that in your attempts to handle all those passwords yourself, you will commit the cardinal sin of reusing some. That is far riskier than using a password manager, because attackers routinely take the email-and-password pairs from one breach and replay them against other sites (credential stuffing), which is exactly what a cache like Collection #1 is for. If a single site where you used that password falls, every account that shares it is compromised, and you’ll need to remember every site where you reused it and change them all before someone else gets there.
With a password manager, on the other hand, it’s trivial to make all your passwords unique. I don’t even know what half of my passwords are, because they are impossible-to-memorize 30-character nightmares of letters, numbers, and symbols that I never actually type. When I have to change them now and then, no problem. LastPass even has a feature that will auto-change your passwords for supported sites. If the very worst should happen and my passwords are somehow exposed, my most crucial accounts are protected by two-factor authentication (preferably an authenticator app or hardware key rather than SMS codes), and yours should be as well.
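To make the “unique and impossible to memorize” point concrete, here is an added example of the two things a password manager does for you under the hood: generate passwords from the operating system’s cryptographic random source, and flag any password that appears under more than one site. This is illustrative code written for this article, not LastPass’s or 1Password’s implementation; the character classes, the 30-character default and the sample vault (which contains no real credentials) are assumptions made for the example.

```python
import math
import secrets
import string
from collections import defaultdict

# Character classes a generated password must draw from (assumed for the example).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def generate_password(length=30):
    """Uniformly random password from the OS CSPRNG, with every class represented.

    `secrets` is used instead of `random` deliberately: `random` is a Mersenne
    Twister whose output is predictable once an attacker sees enough of it.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the forced characters
    # do not always sit in the first four positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def has_all_classes(password):
    """True if the password contains at least one character from each class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def audit_vault(entries):
    """Given (site, password) pairs, return {password: [sites]} for reused passwords."""
    by_password = defaultdict(list)
    for site, password in entries:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample vault: fake sites and fake passwords, purely to show the audit.
SAMPLE_VAULT = [
    ("bank.example", "Tr0ub4dor&3"),
    ("shop.example", "Tr0ub4dor&3"),
    ("forum.example", "Tr0ub4dor&3"),
    ("mail.example", "x7#Kq9$LmP2v!Rw4"),
]

if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw}  ({entropy_bits(len(pw)):.0f} bits)")
    for reused, sites in audit_vault(SAMPLE_VAULT).items():
        print(f"reused password {reused!r} on: {', '.join(sites)}")
```

The entropy figure is the useful sanity check: a 30-character password over this alphabet has roughly 193 bits of guessing entropy, far beyond any offline cracking budget, whereas an eight-character lowercase password has about 38. The audit function is the other half of the argument in the paragraph above: the moment a reused password shows up in a dump like Collection #1, every site it lists is the attacker’s next stop.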
While the risks of password managers are clearly outweighed by the ease with which they let you make your passwords strong and unique, they do have their downsides. Apps like LastPass and 1Password are available on virtually every device, but you will have to install them on each new gadget before logging in to anything else. This also makes logging into your accounts on someone else’s device a strange and potentially risky proposition: typing your master password into a machine you don’t control exposes not one account but the whole vault.
Inevitably, you’ll stumble across a device that isn’t supported, and then you’re spending five minutes typing your incomprehensible Amazon password into a Kindle by hand while glancing back at your phone for reference. (It pays to keep a handful of the crucial passwords strong but still memorable.) And for the full suite of features any password manager offers, you’re going to have to shell out a little bit of cash. It’s worth it for the convenience and peace of mind.
A password manager is a crucial piece of security kit, so long as you’re aware of its limitations and risks. You can use LastPass for free on your desktop and phone, or sign up for a $2 per month premium plan. You can also try 1Password for free for 30 days before the $36/year subscription kicks in.