A Recommendation for Password Managers

The Intro

You have separate keys for your house, your desk at work, your safe, your car, your bike lock…right?


Clearly, it’s so that when you hand over your car keys to your mechanic for an oil change, you are reasonably assured you won’t find him, or someone who tricked him, at home in your den perusing your tax returns.

But so many people are effectively doing just that by reusing one or just a few passwords over and over again every time they are prompted to create a username and password.

Doing it wrong

Maybe you’ve learned from others’ mistakes, and you’ve stopped repeating your passwords so egregiously. But you can’t keep track of them all in your head! So you have a file (on your computer, or even a piece of paper in a safe place) with your passwords in it. You have a feeling that’s not ideal and want to use something “more secure” or otherwise “better” for storing your passwords. Good for you!

That’s almost OK

A file containing your passwords (or other sensitive data) is basically what I recommend to you, but with a layer of encryption on top of it.

The old-school approach is to use a program to apply encryption to this password-containing file — or any other sensitive file. That can be rather fiddly. It requires a lot more discipline than most users are willing to demonstrate; if you make a mistake on any of the five steps below, your stuff could be lost or exposed to nefarious types.

  1. put all your username/password combinations into a file
  2. secure it with encryption for storage when it’s not in active use
  3. decrypt it when it’s time to read or update the file
  4. encrypt it again after saving (if there were any changes)
  5. (securely?) delete the decrypted version of the file

How about something more user-friendly?

Enter password management applications: they handle the last four of those five steps above for you every time, and all you have to do is remember one master password to start the password manager program.
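To make “one master password” concrete, here is an added illustration (my own, not Password Safe’s or KeePassXC’s actual file format) of what a password manager does with that master password before it ever touches your file: it stretches it into an encryption key with a slow, salted key-derivation function, and stores only a random salt plus a verifier, so a wrong master password is rejected without leaking the key. The scrypt parameters and the `"vault-verifier"` label are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed cost parameters: n=2**14, r=8 makes each derivation use 16 MiB of
# memory and take tens of milliseconds, which is what slows down guessing.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32  # 256-bit file-encryption key
VERIFIER_LABEL = b"vault-verifier"  # constructed label for this example


def derive_key(master_password, salt):
    """Stretch the master password into the key that would encrypt the vault."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def create_header(master_password):
    """Return the non-secret data kept in the vault file's header.

    The salt is fresh per vault, so two people with the same master password
    get different keys; the verifier lets the program tell a wrong password
    from a corrupt file. The key itself is never written anywhere.
    """
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def unlock(header, master_password):
    """Re-derive the key from the stored salt; return it only if the
    verifier matches (constant-time compare), otherwise None."""
    key = derive_key(master_password, header["salt"])
    check = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    if not hmac.compare_digest(check, header["verifier"]):
        return None
    return key


if __name__ == "__main__":
    header = create_header("correct horse battery staple")
    print("unlock with right password:", unlock(header, "correct horse battery staple") is not None)
    print("unlock with wrong password:", unlock(header, "Tr0ub4dor&3") is not None)
```

The point for a user is that the manager automates steps 2 through 5 of the manual workflow, and the only secret it needs from you is the one input to `derive_key`; everything else in the header can sit in Dropbox without harm.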

I have been using Password Safe for many years, since my employer recommended it for use on their computers. It works on Windows and there are clones of it for the Mac and Linux operating systems. It’s free software on Windows and costs a little on Macs and iPhones. It’s not very usable on Linux, unfortunately, but that doesn’t bother most people (just me, I guess). The original version was written by Bruce Schneier, an industry expert on cryptography.

Link to Password Safe for Windows:

App Store link to the Mac version of it:

iOS App Store link to the iOS version of it:

If you only had one computing device and you always had it with you, you could stop reading here and be pretty well covered. But that’s not realistic for most of us anymore: with smartphones, tablets, and computers, and some or all of those devices duplicated between home and business use, you cannot expect to maintain your list of passwords in triplicate or beyond.

Multi-device support

The iOS version of Password Safe, pwSafe, includes a Dropbox synchronization feature, which is nice. It means you can change or add a password entry on your Windows computer, and your iPhone and Mac will get the update synchronized automatically. This works because changing a record in Password Safe means changing your file, and Dropbox is in the business of replicating updated files among the computers you own. It requires two additional things:

  1. a Dropbox account (don’t have one? Use my referral link to get one and they’ll give me a little extra storage space for referring you), which is free.

  2. a Dropbox program installation on your Mac or Windows computers to receive the updates to your Password Safe (Windows) / pwSafe (Mac) files.

Those programs all work quite well for me, and have done so for many years. I am transitioning, however, to another program called KeePassXC, which does the same thing but with better Linux support in addition to Windows and Mac. It is also free, versus the payware pwSafe programs on Mac and iOS.

KeePassXC’s homepage is here: https://keepassxc.org/

The iOS app I use to view/manage my KeePassXC file is called KeePassTouch, and here is its App Store page:

It also offers synchronization via Dropbox.

Other password managers, which I don’t recommend:

  • LastPass — recent security hole problems.
  • 1Password — recently switched to a monthly subscription model. They want to get paid, natch.
  • Passwords kept in your browser — browsers come and go; Firefox, Chrome, Safari, Vivaldi, Brave, even the dreaded Microsoft Internet Explorer and its suck-cessor, Edge. Your passwords should not depend on any browser, or any one computer. Besides, the risk of someone sitting down at your computer and gaining access to your stuff is higher than you think, unless you lock your screen religiously.

Password generation

All password-managing programs I have ever seen are able to generate passwords for you upon demand, but I rarely use them. They often look like this:


… which is pretty good for

  • satisfying those arcane requirements from your employer or bank or whatever about at least one capital letter, lower-case letter, number, and typographical mark
  • making sure you’ll never remember it, and therefore
  • eliminating the temptation to re-use your password on more than one site (and we all know how one should never EVER do that, right?), and
  • preventing anyone (even you!) from reading it off of one device’s screen and typing it into another. Imagine you’re reading one of those strings of characters into a crappy mobile phone connection with a sense of urgency — it could get very frustrating quickly.

Instead, inspired by “correct horse battery staple” I wrote a password-generating website that I use. It has what I consider an acceptable compromise between entropy and readability in that large chunks of the generated passwords are human-readable words punctuated by numbers and, well, punctuation. https://ssl.cliff1976.net/pw2 is the site if you’d like to use it. It’s also just kind of fun to see what random combinations of words come out of that thing.

Assembling the pieces

When I need a new password, I

  1. go to my password-generating site,
  2. generate one and save it into my password app, and
  3. let that new entry replicate onto all my devices.

Some password generators offer more reader-friendly passwords, but these trade away some randomness for human readability, so for the same strength the overall result is much longer than a purely random string drawn from the full set of possible characters. Those longer results from the generator (still!) don’t fit into many websites, which still expect you to cap your passwords at 16 or 20 characters in length.
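The entropy-versus-length trade-off described in the last two sections is easy to put numbers on. The following is an added example of my own, not the code behind https://ssl.cliff1976.net/pw2: it builds a “words punctuated by numbers and punctuation” passphrase from a small constructed word list, computes its entropy in bits, and works out how long a uniformly random printable-character password would need to be to carry the same entropy. The word list, the separator alphabet and the 94-character printable alphabet are assumptions for the example.

```python
import math
import secrets
import string

# Constructed sample word list (a real generator would use a dictionary of
# thousands of words; each word then contributes log2(len(list)) bits).
WORDS = [
    "correct", "horse", "battery", "staple", "anvil", "breeze", "cactus",
    "dolphin", "ember", "falcon", "garnet", "harbor", "island", "juniper",
    "kettle", "lantern", "meadow", "nickel", "orchid", "pebble", "quartz",
    "raven", "saddle", "timber", "umbrella", "velvet", "walnut", "yarrow",
    "zephyr", "acorn", "bison", "copper",
]
DIGITS = string.digits
PUNCT = "!#$%&*+-=?@^_~"  # assumed separator set; avoids quotes and slashes
PRINTABLE_ALPHABET = 94   # size of the full printable ASCII set


def passphrase_entropy(n_words, wordlist_size,
                       n_digits=len(DIGITS), n_punct=len(PUNCT)):
    """Bits of entropy for n_words words joined by digit+punctuation pairs."""
    word_bits = n_words * math.log2(wordlist_size)
    sep_bits = (n_words - 1) * (math.log2(n_digits) + math.log2(n_punct))
    return word_bits + sep_bits


def generate_passphrase(n_words=4, words=WORDS):
    """Return (passphrase, entropy_bits), e.g. 'horse7!battery2$...'."""
    parts = []
    for i in range(n_words):
        parts.append(secrets.choice(words))          # CSPRNG, never random.random
        if i < n_words - 1:
            parts.append(secrets.choice(DIGITS) + secrets.choice(PUNCT))
    return "".join(parts), passphrase_entropy(n_words, len(words))


def equivalent_random_length(bits, alphabet_size=PRINTABLE_ALPHABET):
    """Shortest uniformly random string over `alphabet_size` characters
    that carries at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def fits_site_cap(password, cap=20):
    """True if the password would be accepted by a site that caps length."""
    return len(password) <= cap


if __name__ == "__main__":
    pw, bits = generate_passphrase()
    print(f"{pw}  ({bits:.1f} bits, {len(pw)} chars, fits 20-char cap: {fits_site_cap(pw)})")
    # Same calculation for a realistic 7,776-word (diceware-sized) list:
    big = passphrase_entropy(4, 7776)
    print(f"4 words from 7776: {big:.1f} bits; a random printable string needs "
          f"{equivalent_random_length(big)} chars for the same strength")
```

With a diceware-sized list, four words plus separators come to roughly 73 bits, which a fully random printable string reaches in 12 characters, while the passphrase runs to 25 to 30 characters. That is exactly the gap that collides with a 16- or 20-character cap.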


If you aren’t aware that reusing your passwords among services is a bad idea, this post isn’t going to help you. But I hope to have shown that it’s quite feasible to mitigate the risk by never reusing passwords, whether you’re using one device or many, on the go or at home.

Post-Script: Extra Geekery


If you are feeling game for it, give GPG a go. It is an old standby in the realm of public key cryptography.[1] It’s got some powerful features on the command-line, for those who like to tap away at the keyboard and script stuff. There are some pretty nice, modern, user-friendly applications built on top of it for Macs http://GPGTools.org or anyone using Thunderbird Email (via the Enigmail plugin). Not only will you be able to securely save stuff for yourself, but you’ll be able to encrypt stuff for others, as well.


GPG isn’t the only (or even the most) secure way of sending stuff to other parties. Consider ProtonMail. From ProtonMail user to ProtonMail user, it’s very secure, in that no metadata (sender, recipients, subject line) leak out in transit. But there is a convenient secure option you can use to send messages (including file attachments) to a non-ProtonMail-using contact person, provided you have agreed upon a shared password with that person in advance. Example: I want to send a secret contract document via my ProtonMail email address to the non-ProtonMail user MaxMustermann@gmail.com. I can check a box in the ProtonMail composing screen and set a password on my message. I then communicate that password to Max out-of-band (like calling him on the phone or sending it via instant messenger[2]), and then Max has to enter that password before he gets access to that message containing my secret contract document.

Watch a TED Talk about it here if you like.

  1. Try Wikipedia’s explanation of it, if the term is unclear.
  2. Try Threema or Signal — I’ve written about them before.

Pseudo-Random Observations

I’ve been building a password generator the past few days. It takes words from the dictionary at random* and then combines them with punctuation and numeric characters.

I have elaborated on a few methods of personal information security before (here and here). I still prefer to

  • never use a password for more than one site/service/login, and
  • not even know most of my passwords, and
  • let software generate them for me

But I guess I can see a need for passwords that are memorable, or at least easy to visually read and type in on another screen (perhaps a miniature one, or a computer you don’t own).

2-step verification for Google Accounts

Information security is a PITA. But less so than not having any. What measures do you take to keep your online stuff safe?

I’ve written about some simple steps I’ve taken to improve the security of my online stuff before. The video below describes an extra step you can take if Google is a provider of a service you use (Gmail, Google Documents, Google Maps, etc.). My thanks to @Yellifers for tweeting about this article, which called my attention to these options. Apparently Google has offered these for over a year, but I’m just now hearing about them. I’m using them now to try to reduce the odds of the nightmare scenario in which someone manipulates my Google Mail filters to hide their nefarious activity in my account from me.

So many usernames and passwords

Where do you have to put in a username and password in your daily computer geekery? Here’s what it looks like for me.

Work stuff

  • my laptop running Windows
  • our crappy corporate email client
  • our crappy corporate travel provider
  • the software that controls the phone on my desk
  • lots of other programs not smart enough (or not allowed) to authenticate me based on other methods

Personal stuff

  • our Mac at home
  • our Linux desktop at home
  • our Linux laptop
  • our email provider
  • our bank
  • Skype
  • Paypal
  • Amazon.com
  • Amazon.de
  • iTunes
  • Twitter
  • dozens, if not hundreds more

I imagine your situation is similar. With the personal stuff, you really should not be using the same passwords at multiple websites. Just one site being sloppy about security and getting breached by hackers is enough for them to send email in your name and steal money or service from you — look what happened to usernames and passwords recently at Gawker Media. You probably know someone whose account got hacked with real-world financial implications — I know two people to whom this happened in 2010 (and a third who got hacked but apparently didn’t lose any money). It happens all the time.

You and I both know this is not a safe practice. But what can you do about it? With so many usernames and passwords in your daily life, the natural inclination is to stick to just a few username/password pairs and reuse them entirely or perhaps modify them slightly. Writing down passwords and usernames onto paper might be OK at your home, I guess, but that means you need to carry that piece of paper with you out into the world if you are going to do any sort of mobile computing. Writing those usernames and passwords onto paper at the office is a terrible idea; don’t ever let your IT people know that you do it.

Instead, you can use Password Safe on Windows or a compatible program like Password Gorilla on Windows / Mac / Linux — and even on your iPhone or iPod Touch via the PasswordVault app. Instead of those hundreds of username/password combinations to remember (or look up), you only have to know one password to get into your “safe.” From there, you can copy usernames and passwords with the mouse (and keyboard shortcuts) from the “safe” into whatever application is requesting your credentials. Password Safe can randomly generate passwords for you based on policies you define: minimum password length, exclusion of easily mistaken characters (like zeroes/O’s or ones/L’s), inclusion of punctuation characters, etc. Lots of cryptologically sound practices there. “But how will I ever remember those randomly-generated passwords?” you ask? Well, you won’t. You’ll have to remember the one password to get you into the “safe” and the application will remember the rest for you.
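The policy-driven generation just described (minimum length, no easily mistaken characters, punctuation required) is simple to implement correctly, and the common mistakes are using a non-cryptographic random source and letting the “one of each class” guarantee leak into predictable positions. The following is an added example written for this post, not Password Safe’s own generator; the ambiguous-character set and the punctuation alphabet are assumptions.

```python
import secrets
import string

# Assumed set of characters that are easily misread off a screen.
AMBIGUOUS = set("0O1lI|")


def build_classes(punctuation=True, exclude_ambiguous=True):
    """Character classes the policy requires, with ambiguous ones removed."""
    classes = {
        "upper": string.ascii_uppercase,
        "lower": string.ascii_lowercase,
        "digit": string.digits,
    }
    if punctuation:
        classes["punct"] = "!#$%&*+-=?@^_"  # assumed punctuation alphabet
    if exclude_ambiguous:
        classes = {name: "".join(c for c in chars if c not in AMBIGUOUS)
                   for name, chars in classes.items()}
    return classes


def generate(min_length=16, punctuation=True, exclude_ambiguous=True):
    """Generate a password of exactly min_length that satisfies the policy."""
    classes = build_classes(punctuation, exclude_ambiguous)
    if min_length < len(classes):
        raise ValueError("min_length too short to include every required class")
    # One guaranteed character per required class, then fill from the union.
    chars = [secrets.choice(chars) for chars in classes.values()]
    pool = "".join(classes.values())
    while len(chars) < min_length:
        chars.append(secrets.choice(pool))
    # Fisher-Yates shuffle with the CSPRNG so the guaranteed characters do not
    # always sit in the first positions (random.shuffle would not be suitable).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def check_policy(password, min_length=16, punctuation=True, exclude_ambiguous=True):
    """True if the password meets the same policy generate() enforces."""
    classes = build_classes(punctuation, exclude_ambiguous)
    if len(password) < min_length:
        return False
    if exclude_ambiguous and any(c in AMBIGUOUS for c in password):
        return False
    return all(any(c in chars for c in password) for chars in classes.values())


if __name__ == "__main__":
    for _ in range(3):
        pw = generate(20)
        print(pw, check_policy(pw, 20))
```

`check_policy` is the useful half for a user: run it against whatever a site or generator hands you and it tells you whether the policy was actually met, including the no-ambiguous-characters rule that matters when you read a password off one device and type it into another.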

I keep my “safe” file updated on my Windows computer, and then synchronize that periodically to my Mac and Linux machines via Dropbox. From my Mac, it synchronizes into my iPod touch. This means I am carrying that piece of paper with all the sensitive info on it around with me after all, but in electronic and encrypted form: I still have to enter the password to open the “safe” on all those computers/devices in order to get a glimpse of the content.

But hey, I can remember one password pretty easily, especially if it virtually eliminates the chances of someone stealing my purchased Skype-out credits or impersonating me via a hacked Gmail account.