Thoughts on Password Management and Storage

Where do you store your passwords? Do you maintain a notebook with them all written down? How about an Excel spreadsheet? Some other document on your computer? The “Notes” app on your phone? These are inferior ways of storing your passwords for a variety of reasons, including security, convenience and password generation.

Last month, I learned my wife, Michelle, was using her phone “Notes” app to store her passwords! But it’s not just my wife. I’ve had many clients over the years use similar storage methods. Often, clients lose passwords, forget where they are stored, fail to update them, or simply don’t have access to their passwords when needed. Because of these issues folks tend to use the same password (or some version of it) across all their logons, which is a huge mistake!

To address these issues I started researching password managers several years back. Personally, I wanted something that could be accessible on all my devices (phone, tablet, computer) but also secure and easy-to-use. I came across a free password manager called Encryptr created by SpiderOak.

If you’re not familiar with SpiderOak, it’s actually the program Edward Snowden recommended back in 2014. Now, I’m sure my readers are divided on their impression of Edward Snowden, but one thing is undeniable: he probably knows a thing or two when it comes to encryption, security and privacy!

The premise behind Snowden’s recommendation at the time, per a Wall Street Journal article from 7/17/2014 titled “Snowden Says Drop Dropbox, Use SpiderOak,” was that most cloud storage providers maintain the encryption key on their end as well, which means they could technically access your files or hand your data over to government authorities. SpiderOak, on the other hand, does not maintain the encryption keys on their end which “makes it difficult for the government to access any user data, even with a court order.”

Per the article, “SpiderOak has users encrypt data on their machines – before they send it to the company’s servers. The company maintains it keeps no readable version of users’ passwords or data.”
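To make the “encrypt on your machine first” idea concrete, here is a small added example (written for this page, not SpiderOak or Encryptr code) of a zero-knowledge vault. The one master password is turned into a key on the client, the vault is encrypted locally, and the server only ever stores the encrypted blob, so it can neither read the passwords nor reset a forgotten master password. It uses only the Python standard library; the HMAC-based keystream plus HMAC tag is a stand-in for a vetted authenticated cipher such as AES-GCM, which a real product would use instead.

```python
"""Added example: a minimal client-side (zero-knowledge) password vault.

The server in this model is just storage for the dict returned by
encrypt_vault(); nothing in that dict lets it recover the master password
or the entries. Standard library only; the HMAC-SHA256 counter-mode
keystream below is an illustrative stand-in for a real AEAD (AES-GCM).
"""
import hashlib
import hmac
import json
import os
from typing import Optional


def derive_key(master_password: str, salt: bytes) -> bytes:
    # scrypt is deliberately slow and memory-hard, so guessing the master
    # password offline is expensive. Returns 64 bytes: 32 for encryption,
    # 32 for the authentication tag.
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode built from HMAC-SHA256 as the PRF (illustration only).
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(master_password: str, entries: dict) -> dict:
    """Encrypt `entries` on the client; the result is all the server gets."""
    salt = os.urandom(16)       # per-vault salt so equal masters give different keys
    nonce = os.urandom(16)      # fresh per encryption, never reused with a key
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC over everything the server will store.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_password: str, blob: dict) -> Optional[dict]:
    """Return the entries, or None if the master password is wrong or the
    blob was altered. There is no other way in: no reset, no recovery."""
    salt = bytes.fromhex(blob["salt"])
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    tag = bytes.fromhex(blob["tag"])
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample entries, not real credentials.
    vault = {"bank": "correct-horse-battery", "email": "staple-9-lamp"}
    stored_on_server = encrypt_vault("my one master password", vault)
    print("server holds only:", list(stored_on_server))
    print("right master ->", decrypt_vault("my one master password", stored_on_server))
    print("wrong master ->", decrypt_vault("guess", stored_on_server))
```

The design point is in `decrypt_vault`: a wrong master password fails the tag check and yields nothing, which is exactly why a forgotten master password cannot be reset by the provider.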

So the foundations of Encryptr seemed promising to me. I started testing it and have never looked back. The things I like about it:

  1. It’s accessible on all my devices so I always have my passwords at my fingertips.
  2. It’s extremely simple and easy to use. VERY user-friendly.
  3. They don’t ask for any of your information (no name, email, address, etc…). This means I also don’t get spam email from them either.
  4. It’s free.
  5. It appears to be secure.
  6. It includes a password-generation feature if you’d like it to generate long, secure passwords for you.
  7. You only need to remember one password ever!

Before writing this commentary I also searched for some criticism in order to try and provide a fair and balanced view especially since I am not a technology expert by any means. Some criticism I found:

  1. Encryptr doesn’t integrate with your browser, so you have to manually copy and paste, or type, passwords when needed instead of using auto-fill. Encryptr also doesn’t clear your clipboard, so a copied password remains on your computer’s clipboard until it is cleared or copied over.
  2. There is no two-factor authentication option yet.
  3. If you forget your Encryptr password you’re SOL, because there is no way for them to reset it: they don’t maintain an encryption key on their end. That said, this is also the major benefit of Encryptr. Just make sure to remember your one password, or write it down and store it in a safe, safe deposit box, etc…

Now, I’m sure I have some folks who specialize in technology reading this and yelling at the paper because they would recommend something completely different or maybe I misstated something gravely. I am not a technology expert by any means so I welcome your feedback. Shoot me an email at ken@melottefa.com

I am neither getting paid to discuss Encryptr nor affiliated in any way. I’m simply passing along something I’ve found to be helpful in my own life.

Some other good practices regarding cybersecurity suggested by a tech-savvy buddy of mine:

  1. Use the longest, most complex password you can (length doesn’t make it harder to remember when you copy and paste it from a password manager)
  2. Never re-use passwords
  3. Always enable 2-factor authentication
  4. Use passwords even for security questions (these can be stored in the “Notes” of the respective entry within Encryptr)
  5. Use a VPN to connect to any WiFi network you don’t own
  6. Encrypt your hard drive
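Items 1 and 4 above, and the password-generation feature mentioned earlier, both come down to the same thing: letting a random generator pick long strings you never need to memorize. The following added example (my own illustration, not Encryptr’s generator) shows how such a generator works with Python’s `secrets` module, including the option to guarantee at least one letter, digit and symbol for sites that require it, and a helper that reports how many bits of randomness a given length buys.

```python
"""Added example: generating long random passwords and random answers to
security questions, the way a password manager's generator does.

Uses the standard library `secrets` module (a cryptographically strong
source) rather than `random`, which is not suitable for secrets.
"""
import math
import secrets
import string

# 94 printable ASCII characters: 52 letters, 10 digits, 32 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def entropy_bits(length: int, alphabet: str = FULL_ALPHABET) -> float:
    """Bits of randomness in a uniformly chosen password of this length."""
    return length * math.log2(len(alphabet))


def has_all_classes(password: str) -> bool:
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 24, alphabet: str = FULL_ALPHABET,
                      require_all_classes: bool = True) -> str:
    """Uniformly random password; optionally re-draw until every character
    class is present (rejection sampling keeps the result uniform among
    the passwords that satisfy the rule)."""
    if require_all_classes and length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_all_classes or has_all_classes(candidate):
            return candidate


def generate_security_answer(length: int = 20) -> str:
    """Random letters only: many sites reject symbols in security-question
    answers. Store the answer in the entry's notes, as item 4 suggests."""
    return generate_password(length, alphabet=string.ascii_lowercase,
                             require_all_classes=False)


if __name__ == "__main__":
    pw = generate_password(24)
    print("password:", pw, f"({entropy_bits(24):.0f} bits)")
    print("mother's maiden name:", generate_security_answer())
```

Note the trade-off the helper makes visible: a 24-character password over 94 symbols carries about 157 bits, whereas a memorable 8-character one over the same alphabet carries about 52, which is why copying from a manager beats anything you can keep in your head.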

I hope you found these tips helpful!