Is It Worth Paying for a Password Manager?
Amid the explosion of COVID-19 phishing emails, fake coronavirus "treatments" and pandemic unemployment scams, it's easy to forget about the basic steps you should be taking to protect your identity online.
Major data breaches are still happening. In the last few weeks alone, the company behind Resident Evil announced a hack affecting up to 350,000 customers, 46 million players of the children's game Animal Jam had their account information compromised, and 3 million card numbers got stolen from the Dickey's BBQ Restaurant chain.
Experts generally recommend you use a password manager to keep your data close to the (virtual) chest. But should you take it to the next level and pay for a password manager subscription?
Dave Hatter, a cybersecurity consultant with Intrust IT in Cincinnati, says it "depends on what you’re trying to accomplish.”
Hatter says he feels safe recommending anyone check out highly rated tools like LastPass, Dashlane and Keeper. Not only do those brands have free options that provide customers with a virtual password vault, but they also all have staggered membership tiers with premium features like dark web monitoring, syncing across devices and tech support. Costs vary — Keeper has options that cost $2.91, $4.87 and $6.01 per month, while Dashlane offers $4.99 and $9.99 monthly levels.
LastPass is Hatter’s personal favorite. And he says the free version “is an amazingly good fit for most people who just need a secure password manager.”
Luckily for your budget, there’s no big correlation between fees and security here. When paying for a password manager, “you’re not really getting safer — you’re just getting more advanced features, more options,” Hatter adds.
Paying might be worth it, of course, if you feel you need emergency access or encrypted file storage. But in general, the free version probably does what you need.
From there, the hurdle is coming up with a master password to unlock the manager. It must be something you can remember but others can’t guess.
Hatter says that password guidance used to suggest more complicated, mumbo-jumbo passwords were better. But a couple of years ago, the National Institute of Standards and Technology changed its best practices. Now, it’s generally thought that a coherent passphrase is the way to go. (Lengthy passwords, especially with special characters, take longer for brute-force hackers to crack.)
To make this master password, Hatter recommends you start by writing out a passphrase that you'd know but nobody else would. Something like mintchocolatechipismyfavoritetypeoficecream might work. Next, he says you should mix it up with symbols and punctuation. Maybe mintchocolatechipismyfavoritetypeoficecream becomes m1ntchoc0latechipismyf@voritetyp3oficecre4m!
“It’s still easy to remember, but someone would have to know which characters you replaced and get the whole phrase right to get in,” Hatter says.
Note that this phrase theory doesn’t apply to the individual sites you keep within LastPass. LastPass will come up with, store, and fill crazy-complicated passwords for those for you. We’re only talking about the master password, which is worth taking the time to make sure is secure. If someone guesses it, “they have the keys to my entire kingdom,” he adds.
Bottom line? For most people with basic purposes, a free password manager will do just fine.
There’s no need to pay to upgrade unless you need special features. Compare LastPass, Dashlane, and Keeper and see which appears like it’d work best for you, then think hard about a good master password. If you combine a long, number-studded, unguessable passphrase with multifactor authentication, you should be good to go.
More from Money:
The Extra Step Everyone Should Take When Shopping Online This Holiday Season
Is Letting Google Chrome Autofill My Credit Card Number a Huge Mistake?