One of the most basic security-related questions I’m constantly asked is “What password manager should I use?”. It mostly comes from people who have not yet done much for their personal cybersecurity at all, or from people who have been using LastPass…
I’d like to turn this into an access management miniseries covering different access management strategies and best practices, including password managers, different 2FA solutions and more. But before all that, let’s start with the basics.
Which password manager should you use? There are two types, so let’s go over both of them.
Local password managers
These are applications you run on your own computer. The passwords you store there are not sent anywhere, and you have full responsibility for, and full control over, the security of your passwords.
Most local password managers are open source, which means their source code can be fully reviewed by anyone. This is why more technical people often prefer local password managers: they know what they get, and they have full control over their own data and security.
Another benefit of local password managers is that they are generally completely free of charge. You download and install one, and it serves you for a long time without hitting limits or being exposed to constant upsells.
Some local password managers to consider are: KeePass, KeePassXC and Bitwarden
Cloud-based password managers
Cloud-based password managers are often great for teams. Your passwords and other secrets are kept on the servers of the password manager service provider, and you can access them from multiple devices.
Since your passwords and secrets are kept on the service provider’s servers, their security and safety depend on that provider. I usually recommend cloud-based password managers to anyone who is not deeply technical, since they mostly have better UX and you are less likely to lose access to your data through a mistake. You also pay for someone else to keep your passwords safe, which is always better than nobody doing it at all.
However, cloud-based password managers are a prime target for attackers, since they are essentially a holy grail of access. There have been many cases in the past where cloud-based password managers have been breached (such as LastPass, OneLogin, etc.) and user data and their encryption keys have leaked. This is also why many technical users who are capable of taking care of their own security prefer local password managers instead.
Some cloud-based password managers to consider are: 1Password, NordPass and Dashlane
Master phrase, not password
When using either a local or a cloud-based password manager, you need to set up a master “password”. Some password managers also let you combine it with biometrics, passkeys, MFA, SSO and other methods for quick access to your password vault.
However, my recommendation to start with is to always use a passphrase rather than a password. Passphrases are longer, more complex and tend to be easier to remember than complex passwords. It’s the key to your kingdom, so make sure it’s as strong as it possibly can be.
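To put the passphrase-versus-password argument in numbers, here is an added example (not from the original post): it computes the entropy of randomly chosen words versus randomly chosen characters, works out how many of each you need to reach a target strength, and draws a passphrase with a CSPRNG. The 7776-word pool size is that of a standard diceware-style list; the eight-word list in the code is a constructed stand-in so the generator runs offline.

```python
import math
import secrets

# Constructed eight-word list so the generator runs offline. A real
# diceware-style list has 7776 words; the entropy figures below use that
# size, not this tiny sample.
SAMPLE_WORDS = ["copper", "lantern", "orbit", "velvet",
                "marble", "thistle", "glacier", "quartz"]
DICEWARE_POOL = 7776   # words in a standard diceware list
PRINTABLE_POOL = 95    # printable ASCII characters for a random password


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy in bits of `length` items chosen uniformly from `pool_size`."""
    return length * math.log2(pool_size)


def items_needed(pool_size: int, target_bits: float) -> int:
    """Smallest number of items from the pool that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def generate_passphrase(words, count: int = 6, sep: str = "-") -> str:
    """Pick `count` words uniformly at random using the `secrets` CSPRNG.

    Strength comes only from the random choice, never from the words
    themselves, so the word list itself may be public.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def compare(target_bits: float = 80.0) -> dict:
    """Passphrase vs. random password strength, and sizes for equal strength."""
    return {
        "six_words_bits": round(entropy_bits(DICEWARE_POOL, 6), 2),
        "twelve_chars_bits": round(entropy_bits(PRINTABLE_POOL, 12), 2),
        "words_for_target": items_needed(DICEWARE_POOL, target_bits),
        "chars_for_target": items_needed(PRINTABLE_POOL, target_bits),
    }


if __name__ == "__main__":
    print(compare())
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Six random diceware words (about 77.5 bits) match a twelve-character random printable password (about 78.8 bits), and seven words reach 80 bits where thirteen random characters are needed; the words are the easier of the two to remember.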
If you’re looking for a more detailed comparison of different password managers, you can find one here (it’s not made by me, but I found it to be quite recent and very detailed): https://docs.google.com/spreadsheets/d/1b2zEEU8_YPsgo3nY1BJ72qgLXteP7Yt0_mnlYJ8m0RI/edit?gid=0#gid=0