Password managers are one of the best ways to make your digital life more secure. By remembering just one master password, you can automatically create strong passwords and fill them into sites without having to remember them on your own.
However, when you use a password manager, there are some dangerous behaviors that will negate these benefits. It's a good idea to make sure you aren't making password manager mistakes and living with a false sense of security.
Let's look at common password manager mistakes, why they're an issue, and how to avoid them.
1. Staying Logged In All the Time
Password managers are usually accessible through a browser extension, desktop app, or mobile app. If you always stay logged into your password manager app, all someone has to do is open the applicable program to gain access to all your password and other sensitive info.
While it's not extremely likely that someone will get physical access to your computer or phone, it's possible. What if you forget to lock your laptop when you get up to grab coffee, or someone is able to figure out your phone passcode? Someone who got into your password manager could steal the keys to your banking, email, social, and other accounts and cause a lot of damage.
To mitigate this risk, you should make sure that your password manager automatically logs out when you're done using it or not around for a while. Depending on which service you use, you can set it to log out when you close your browser, when your computer goes to sleep, or after a certain period of time.
For example, 1Password has an option to lock the app when your computer is locked, or after a set amount of idle time. The mobile app also lets you lock 1Password every time you exit the app, or after some time passes.
LastPass even has an option to force another entry of your master password upon accessing specific information. This is a smart way to keep any snoopers out of your most private data. Combined with making sure you lock your device when you're away from it, this will keep your password manager safe from physical intrusions.
2. Using a Weak Master Password
Although your password manager will generate and remember strong passwords for all of your sites, you still need to set a good password that unlocks the manager. While you of course want to use something memorable so you don't get locked out of your account, it's important that you don't use a weak master password to protect all your other accounts.
Selecting a short, obvious, common, or otherwise lousy password for your password manager is dangerous. If someone were to crack or guess it, they would be able to get into all the accounts you have saved in your vault.
Follow our advice for making up strong passwords that are still memorable when setting your master password. Use a tool like How Secure Is My Password to make sure what you came up with is strong. If you're worried about forgetting it, write it down and keep it locked in a fireproof box or similar.
And make sure you don't use this master password anywhere else!
3. Not Using Two-Factor Authentication
While a strong password goes a long way, using two-factor authentication (2FA) is another one of the vital ways to secure your online accounts. You should do it with as many accounts as possible: email, cloud storage, financial sites, and anything else that allows it.
As you'd expect, since password managers are security-focused apps, they allow you to use 2FA for more protection. While this makes logging into your password manager on new devices a bit more of a hassle, it's well worth it. By protecting your password manager with 2FA, someone couldn't break into your password vault even if they obtained your password.
Look in your password manager's security settings for the option to turn on two-factor authentication. For best results, use a 2FA app like Authy instead of SMS authentication, as SMS-based verification can be spoofed.
4. Reusing Passwords
If you just started using a password manager, chances are that you use the same passwords on a lot of sites. Instead of storing your old duplicate passwords in the manager, you should take the time to generate unique ones for every account.
This makes it easy to make passwords for new accounts—just let the password manager do it for you. Once you save it, you won't have to think about that password again unless you need to change it for some reason.
If someone figures out one of your passwords, or there's a breach on a site, you can just change that password without worrying about people getting into any of your other accounts.
5. Choosing Weak Passwords
Using a password manager doesn't do much good on its own. The strength of using one is that it lets you set strong passwords on your accounts without having to remember them yourself.
To that end, using your password manager to store weak passwords defeats the purpose. Just because you don't have to remember the password doesn't mean that it's necessarily protecting your account properly.
Every major password manager has a generator feature that lets you create a password that's as complex as you want. You can pick the length, which kinds of characters to include, and whether it should be easily readable.
Instead of using mediocre 10-character passwords with low complexity, take advantage of your password manager to make 24+ character passwords with a mix of all character types. It takes some time to set this up initially, since you have to change your password on each site individually. But once you do, you'll have drastically increased security everywhere.
A lot of password managers have a section that collects your accounts with weak passwords, so you know which ones need updating. You can also see a quick summary of your password strength when you select an account, too.
6. Not Taking Advantage of Extra Features
Most password managers have some extra cool features that you can take advantage of to improve your security. And while skipping them won't necessarily make you less secure, in many cases they can make your accounts more secure. For example, LastPass Premium has a feature called Security Dashboard that looks at all your passwords and gives you a score of your overall password health.
1Password has the Watchtower function, which alerts you to sites where you could be using two-factor authentication, sites that had a known security breach, and similar. There's also a Travel Mode option for removing some vaults from your device when crossing country borders.
Poke around in your password manager to see what capabilities you could use to further secure your digital life. Chances are you'll find something quite useful, especially if you pay for a premium password manager subscription.
Don't Risk Your Password Manager Security
It's not particularly enjoyable to bulk up your password manager security, but using these steps, you can eliminate the most common risks. By making every password stronger and adding more protection to your password manager account itself, you'll be safer than most people are online.
Don't forget to disable your browser's built-in password manager so you aren't saving passwords in multiple places. And if you have a lot of items in your password manager, it's a good idea to organize and clean it out too.