I recently decided to switch to a new password manager and thought it would be worthwhile to share my experience with the larger community. No need to get into which one I left and which one I picked. I was unhappy with the old one and found one that addressed my issues. For those interested, there was some good discussion in our Slack space last month on this very topic. The new password manager made it very easy to migrate my 320+ passwords (good grief!) from the old platform. That feature is definitely something to look for if you’re considering a move of your own!
There were other features which were also very important to me:
- Multi-Factor Authentication (MFA) on the vault(s). I’ve said it before, and it bears repeating. Your password manager is all that’s protecting all the passwords that fill your life. Make sure you’re using MFA to protect that data in the unfortunate event of your vault password ever being compromised!
- Support for multiple forms of MFA on multiple platforms. I have an iPhone and an iPad. I have a MacBook. I have a personal Windows desktop and a work-issued Windows laptop. I tend to use Safari on the mobile devices and Chrome on the others. And I need to easily access my passwords from the multitude of mobile apps that periodically make me reauthenticate. The tool I chose supports standard OTP apps, like Google Authenticator and Microsoft Authenticator. It also supports Windows Hello, Security Keys, biometric unlock on Android, Face ID on iOS, and Touch ID on MacBook and iOS. That ought to cover things.
- A family plan. I’m not the only one in my household with passwords. Therefore, I wanted to have a good family plan so we can all be protected and even share some passwords.
Now, as it happens, the triggering event of my migration was a breach that has me concerned about the safety of my passwords. I actually think I was probably safe based on how I was using that service (following best practices, etc.), but I didn’t want to take any more chances with that vendor, so I jumped ship. However, my (healthy) paranoia also insisted that I should reset my passwords, just in case the miscreants managed to open my old vault.
This brings up another critical feature: a good user experience using it! The one I chose has a much better UI than its predecessor, so that was an upgrade. It also interacts with the fields involved with passwords very nicely. As I worked through changing my passwords, it popped up with suggested passwords right in the “new password” and “confirm password” fields, making it super easy to change each password and then save it in the vault. Was it perfect? Nope, but I’m happy to give it a score in the low to mid 90s, which is a decent grade in anyone’s book.
If you’re about to embark on a similar journey, here’s my best advice. Prioritize your high value accounts first. Since so many of the services we all use rely on e-mail in their password recovery ceremonies, your e-mail account should be among the first to get a fresh, strong password; anyone who controls it can reset most of the others. Next, update the password for your mobile service provider, since SMS codes and phone-based recovery route through it. Your Google account is another high priority given that it’s used to log into other services. Same for your social accounts (Facebook, for example). If you’re an iOS user, go protect your Apple ID with a fresh password. If you have an online account with your ISP or domain registrar (those of you with vanity domain names, like me), include an update there too. The point here is to protect your internet security foundation first, then build from there.
Next up in the priority list, at least for me, were:
- Other authentication services and MFA providers you use
- If you deal with the US government (IRS), time to update ID.me
- Financial institutions (banks, credit cards, retirement accounts, pension plans, investment accounts, insurance, etc.)
- Amazon.com (I’m just going to assume almost all of you use it)
- Anything related to healthcare (insurance plans, patient portals, online pharmacies, veterinary care, etc.)
- Home security systems
- Online accounts for your vehicles
- Other frequently used online shopping accounts
- Travel related (airline, rental car, and hotel loyalty programs)
- Any other cloud storage you use (Box, Dropbox, cloud backup, etc. I’d mention Google Drive, but by the time you’re this far into the list, you should have changed that one hours or days ago!)
- DocuSign and similar services
- All your streaming services
- Everything else
A natural outcome of this exercise should also include a reduction in the number of passwords in your vault. I found duplicate account/password combos, sites I never use anymore, and sites for defunct organizations. Also, this isn’t something you’ll want to do all at once, which is another reason to prioritize. This is a project to chip away at over a number of days. I’m still not finished, but I’m much less concerned about the ones that I still need to hit. I have mixed feelings reporting that I’m down from 320 to 252 passwords. That’s better, but still way too many. Really looking forward to that passwordless future. 😊
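The duplicate-hunting and prioritizing described above can be done with a short script run against a CSV export of the old vault, before the file is securely deleted. The following is an added example, not code from the original post or from any password manager vendor. It assumes an export with `name,url,username,password` columns (real exports vary by product, so map your columns onto these), uses a constructed sample instead of real credentials, and uses an illustrative hostname keyword tiering in the spirit of the priority list above. The reuse report deliberately returns account names only, never the passwords themselves.

```python
import csv
import io
import urllib.parse
from collections import defaultdict

# Constructed sample of a CSV vault export; these are not real credentials.
# The header names are an assumption: adapt them to your manager's export.
SAMPLE_EXPORT = """name,url,username,password
Personal mail,https://mail.example.com,greg,Tr0ub4dor&3
Mobile carrier,https://carrier.example.com,greg,Tr0ub4dor&3
Bank,https://bank.example.com,greg,correct-horse-battery-staple
Bank,https://bank.example.com,greg,correct-horse-battery-staple
Old club,http://club.example.org,greg,SummerVacation2009
Streaming,https://stream.example.net,greg,9fK!vQ2$wLp8#zR
"""

# Illustrative tiering by hostname keyword (an assumption, not a standard).
# Tier 0: the recovery foundation (mail, carrier, Apple/Google, social, ISP).
# Tier 1: money, identity and health. Everything else falls into tier 2.
TIER_KEYWORDS = {
    0: ("mail", "carrier", "apple", "google", "facebook", "isp"),
    1: ("bank", "card", "id.me", "irs", "health", "insur", "amazon"),
}


def parse_export(text):
    """Parse CSV export text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def exact_duplicates(rows):
    """Return (url, username) pairs that occur more than once with the same
    password, i.e. entries that can simply be deleted from the vault."""
    seen = defaultdict(int)
    for r in rows:
        seen[(r["url"], r["username"], r["password"])] += 1
    return [(url, user) for (url, user, _pw), n in seen.items() if n > 1]


def reused_passwords(rows):
    """Group account names that share one password. Each group is a set of
    accounts that fall together if that password leaks; only names are
    returned so the report can be printed or shared without exposing secrets."""
    by_pw = defaultdict(set)
    for r in rows:
        by_pw[r["password"]].add(r["name"])
    return sorted(sorted(names) for names in by_pw.values() if len(names) > 1)


def tier_of(url):
    """Map a URL to a rotation tier using the hostname keyword table."""
    host = urllib.parse.urlsplit(url).hostname or ""
    for tier, words in TIER_KEYWORDS.items():
        if any(w in host for w in words):
            return tier
    return 2


def rotation_order(rows):
    """Collapse duplicates by (url, username) and return account names in the
    order they should be rotated: foundation accounts first, then by name."""
    uniq = {(r["url"], r["username"]): r for r in rows}
    ordered = sorted(uniq.values(), key=lambda r: (tier_of(r["url"]), r["name"]))
    return [r["name"] for r in ordered]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("exact duplicates to delete:", exact_duplicates(rows))
    print("accounts sharing a password:", reused_passwords(rows))
    print("rotation order:", rotation_order(rows))
```

Run it against the export, work through the rotation order top to bottom, and treat every group in the reuse report as one incident: all accounts in a group get new, distinct passwords. Shred the export file when you are done, since it is the plaintext of the whole vault.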
Chair, IDPro Editorial Committee
Greg Smith is a Solutions Architect with Radiant Logic where he serves as a trusted advisor for new and existing customers. He has been implementing Identity & Access Management solutions for over 35 years. He holds BSEG and MSBA degrees from Bucknell University, where he also began his professional career before moving into the pharmaceutical industry in 1996. Following a 25-year career there, he retired in November 2021 from Johnson & Johnson, where he led the engineering team for J&J’s single sign-on, risk-based authentication, multi-factor authentication, access governance, directory synchronization and virtualization, provisioning automation, and PKI services. He has spoken at Identiverse® and other industry events on numerous occasions. He was CIDPRO™ certified in October 2021 and is also a founding member of IDPro, where he currently chairs the editorial committee.