I’m exploring password managers. I want to test my current opinion & biases against what actually works.
To do this, I’m designing and implementing my own password manager.
What exactly is a password manager?
In its simplest online form, a password manager is a scheme that automatically retrieves a password & presents it to the associated website to satisfy a login challenge. A typical implementation stores passwords, mapped to users, in a commercial service that itself requires an authenticated login to use.
The widely-used offline form of password manager is a simple list of websites, user names & associated passwords. This might be kept in a notebook, a series of sticky notes or even as an electronic document on the user’s computer.
Each of these forms of password manager addresses one or more key needs of the user.
This is the most common reason a person uses a password manager. They don’t like remembering or tracking passwords, so pushing that job to a password manager is an easy decision. Consumers make convenience-based purchases all the time and this is no different.
An online commercial service that stores and manages passwords is by definition more convenient than using a notebook. Sorting a handwritten - or even typed - password document is essentially impossible. It’s easy to transpose characters or simply use the wrong one when ‘retrieving’ a password from a notebook or electronic passwords document.
Some consumers will assert that using a password manager service is more secure than typing in passwords themselves. I’m unconvinced. I’ll revisit this in-depth after this exercise.
Here is where online password managers really shine. They won’t ever make a typo entering a password, nor will they confuse site passwords. Accuracy is a big win, especially for sites that are aggressive in their incorrect-password lockout policies.
As noted above, hand-typing or copying & pasting passwords is error-prone. There’s no getting around the human aspect: it’s a process that requires precision & we don’t always have it.
This is another great benefit - online password managers are just really efficient. Visit the site and a popup appears, prefilled with your credentials, asking if you want to log in, or the manager just logs you in immediately. That’s a pretty efficient use of your time. Over the course of a year, you’ll save a ton of time otherwise spent on this process.
Most online password managers are commercial services for which the user pays a fee. This is typically a monthly subscription like most web services. The two most popular services cost $3.99 - $7.99 per user per month, while one of these services does offer a free version for one user.
I have never paid for nor used a commercial password manager, but I can see the value here. Four dollars per month for the convenience & efficiency offered by these services seems reasonable.
Obviously, use of an offline password manager - a notebook or document - has no dollar cost. Ignoring the value of time here for a moment, use of a notebook is free.