How to protect and secure your password manager

Creating and remembering a unique and complex password for each of your accounts is virtually impossible without some help. And these days, that help can best be found in a password manager. A good password manager will create, store, and apply strong and complex passwords across the board, thereby securing your accounts. I’ve used a password manager for years and wouldn’t be able to juggle all my online accounts without it.

However, since your password manager is home to the sensitive login details for all your accounts, you need to protect the password manager itself from any potential compromise. Any reputable password manager vendor will certainly encrypt your account data, but there are options you should take on your own to safeguard your account as well.

The first option is to devise a strong master password to defend your account from unwanted access. The second option is to activate biometric authentication for the password manager on your PC and mobile device. And a third option is to enable two-factor authentication to prevent someone from signing into your password manager account should it ever be compromised. Let’s look at each option.

To go through the different steps, I’m using RoboForm as an example, but the overall process should be similar for any of the major password managers.

Create your master passphrase

When you first set up your password manager, you’ll be asked to devise a master password at some point. That password should be strong and complex as it’s the key line of defense for all your login details, both on your own devices and in the cloud.

But you will need to enter your master password from time to time, so you also want it to be one that’s memorable and not too difficult to type. That’s why I recommend using a passphrase instead of a password. Consisting of different words or phrases, the right type of passphrase can be more secure than a complex password yet easier to remember.

To devise a solid passphrase, use a series of words or phrases with some meaning or significance to you so that you’ll easily recall it. I also like to include a mix of uppercase and lowercase characters as well as numbers and symbols. Just make sure you’re able to remember your master passphrase. If you forget it, you’ll have to start from scratch with your password manager.

This ZDNet article offers several useful tips on creating a healthy passphrase. 1Password offers an online Password Generator that will suggest and help you fashion passphrases. When you’ve concocted the right one, type it and then retype it at the appropriate window for your password manager (Figure 1).

Use biometric authentication

Biometric authentication provides a secure and convenient password-operational alternative, especially with a password manager. Instead of having to type your master password each time you want to activate the password manager, use your face or finger to verify your identity.

Most password managers should allow you to adopt whatever type of biometric authentication is built into your device or operating system. On a Windows PC, that means Windows Hello. On an iPhone or iPad, that means Face ID or Touch ID. And on an Android device, that means facial or fingerprint recognition.

Check the security settings for your password manager and look for an option to switch to the built-in form of biometric authentication. You’re asked to enter your master password to confirm the switch (Figure 2).

From then on, you’ll be able to open or activate the password manager using your chosen form of authentication. You may still be asked to enter your master password at certain intervals or to make specific changes. Otherwise, your face or finger will do the trick (Figure 3).

Enable two-factor authentication

Should a hacker ever learn your master password, you want to be sure they can’t sign into your password manager account on one of their own devices. For this, you can turn to two-factor authentication (2FA), which most password managers should support at this point.

Look at the settings for your specific password manager to see if it offers an option for two-factor authentication or a one-time password. If so, enable that option. If given a choice among email, SMS, or the authenticator app, choose the authenticator app as that’s the most secure method (Figure 4).

The next time you try to use your password manager on a new PC or mobile device, you’ll be sent the one-time password via your preferred method. Enter the one-time password when prompted, and that new device will now be cleared to use your password manager. Your password manager’s account page may also list all the devices that have been enrolled so you can check for any suspicious ones and remove any you no longer use.

Beyond the three security options I discussed, different password managers may offer additional ones. Your best bet is to check the security settings for your specific product and avail yourself of any that will help protect your account and login information from abuse or compromise.