Password Manager


Background


Passwords are frustrating. Remembering one password is not hard, but reusing a password across websites makes every account as vulnerable as the weakest link - and there are many weak links out there (as users of LinkedIn[1], Yahoo[2], eBay[3], or Adobe[4] discovered).[5]

That is why security experts recommend having a unique password for every account. Unfortunately, this means that even people who shy away from technology end up with dozens of passwords to remember, an impossible task. To cope, users rely on tricks, such as using easy-to-remember words, personal references, and/or changing out letters for symbols. Sadly, passwords built with these tricks are painfully easy to crack.

Given just ten tries, hackers can crack about 1% of passwords.[6] Of course, attackers do not limit themselves to 10 tries; one candidate for Congress had his web server hacked after an adversary tried 130,000 different passwords.[7] Automating the attempts and trying simple passwords (like common words with various capitalizations, reversals, and/or with symbols replacing letters) can crack up to 25% of accounts.[8]

For passwords to provide their intended level of security, they must be long, unique, and random. The most effective way to create and remember such passwords is to use a password manager.
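The following is an added example, not part of the original guide: a defensive check that flags passwords built from a common word using the tricks described above (capitalization, reversal, symbol swaps), next to a generator for long random passwords. The word list, the swap table and the 72-symbol alphabet are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed sample list; a real audit would use a large breached-password corpus.
COMMON_WORDS = {"password", "dragon", "summer", "letmein", "campaign"}

# Symbol-for-letter swaps of the kind the text describes (illustrative, not exhaustive).
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"  # 72 symbols


def is_guessable(password: str) -> bool:
    """True if the password reduces to a common word once capitalization,
    reversal, symbol swaps and leading/trailing digits or symbols are undone."""
    base = password.lower()
    candidates = set()
    for text in (base, base[::-1]):
        trimmed = text.strip(string.digits + string.punctuation)
        for form in (text, trimmed):
            candidates.add(form)
            candidates.add(form.translate(UNLEET))
    return not candidates.isdisjoint(COMMON_WORDS)


def generate_password(length: int = 20) -> str:
    """Random password drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy, in bits, of a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Dr4g0n2020", "remmuS1", generate_password()):
        print(f"{pw!r}: guessable={is_guessable(pw)}")
    print(f"20 random characters: {entropy_bits(20):.0f} bits")
```

The three hand-made passwords all collapse to a dictionary word, while a 20-character random password carries roughly 123 bits of entropy.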

Password managers can also sync account information, making passwords accessible on phones, laptops, or other devices automatically. A user creates a “master password” which they use to log into the password manager on any device. This makes it possible (though not required!) for users to only remember their one master password.

Most password managers come with browser extensions. To log into a website, users can just click a button in their browser, meaning they never need to type the underlying passwords again.

What are the benefits of using a password manager?

Having long and complex passwords makes it difficult for hackers to break into accounts. Password managers make that easier by remembering passwords for the user. In addition, password managers can help guard against phishing on look-alike websites. Because a password manager only automatically fills in passwords on legitimate websites, its failure to suggest the login information can be a clue that a user is on an imposter site.
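The following is an added example, not part of the original guide and not the code of any particular product: a simplified autofill check that offers a saved login only when the page's origin (scheme, host, port) exactly matches the origin the login was saved on. The vault entries and the look-alike hosts under the reserved `.example` domain are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed vault: each saved login is bound to the origin it was saved on.
VAULT = [
    {"origin": "https://www.linkedin.com", "username": "pat@example.org"},
    {"origin": "https://login.yahoo.com", "username": "pat@example.org"},
]


def origin_of(url: str) -> tuple:
    """Normalize a URL to (scheme, host, port). urlsplit() lowercases the
    host and separates any 'user@' prefix, so that prefix cannot pose as it."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def logins_to_offer(page_url: str) -> list:
    """Usernames the manager would offer to fill on this page.
    An empty list on a familiar-looking page is the warning sign."""
    page = origin_of(page_url)
    return [e["username"] for e in VAULT if origin_of(e["origin"]) == page]


if __name__ == "__main__":
    pages = [
        "https://www.linkedin.com/uas/login",             # the real site
        "https://www.linkedin.com.signin.example/login",  # real name used as a subdomain
        "https://www.linkedin.com@signin.example/",       # real name in the userinfo part
        "https://www.l\u0456nkedin.com/login",            # Cyrillic look-alike letter
        "http://www.linkedin.com/",                       # unencrypted scheme
    ]
    for url in pages:
        print(f"{url!r}: offer {logins_to_offer(url)}")
```

Only the first page gets a suggestion; the exact string comparison is not fooled by hosts that merely look right to a human reader.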

Password managers are one of the few pieces of security software that would be recommended even if they had no security benefits. The fact that a user does not need to remember or type any of their passwords makes users far more efficient.

Organizations that deploy password managers to all employees have additional benefits: password managers can store passwords to shared accounts, and administrators can give individuals access to only the accounts they need. If someone leaves the organization, their access can be easily revoked and passwords seamlessly changed for all.

Are password managers safe?

Storing all passwords in one place may seem counterintuitive, but rest assured that using a password manager is much safer than not. The passwords are kept safe within the application through encryption and by being locked behind a master password. Even if a laptop or phone were breached, attackers would not get access to its passwords without knowing the master password. Additionally, the makers of password managers design them such that they never have access to the underlying passwords, meaning that even if an attacker hacked the maker of a password manager, they would not get access to any user’s underlying passwords.

Many people also fret about forgetting passwords, worrying that they will lose access to their accounts. These concerns can be mitigated by signing in to a password manager on multiple devices, printing out backup codes / “security kit,” or backing up devices. Additionally, password managers do not need to be an all-or-nothing proposition from the start - many users begin using them for only a few passwords until they are comfortable, and then add more accounts to them over time.

Which password manager should I get?

There are many good options. LastPass has both free and paid options, both of which are secure. 1Password costs $3 / month for personal use. Both are offered for free to political campaigns - LastPass is free for federal campaigns through DDC, and 1Password is offered more broadly to all election-related groups / campaigns.


Setting up a Password Manager


The rest of this guide is instructions for setting up 1Password and LastPass. These instructions are up-to-date as of October 2020. The exact steps may change in the future - if so, visit their websites or YouTube channels for up-to-date instructions.

How to set up 1Password

1. Make an online account with 1Password

If planning to use a family or business account, ask the person who created the family/business account to invite you.

Personal account users should follow these steps.

  1. Go to 1Password’s website. Click “Try 1Password FREE.” (Note, if setting up for a campaign, or if you yourself are a candidate, use the link for 1Password for Democracy).
  2. Choose a plan. Individual users click “Personal and Family.” Choose the option on the left and click “Try FREE for 30 days.”
  3. Enter name and email address.
  4. Look out for a confirmation email containing a 6-digit code. Go back to 1Password and enter the code.
  5. Choose a strong master password with a minimum of 12 characters. (This is the only password you WILL have to remember.) Click “Create your account.”
  6. “Meet your Secret Key” will pop up. Click “Download”, then open the file.
  7. This is the emergency kit. It is very important. It contains the “secret key” which is different from the master password. You will need the secret key to log in to a new device. Print out this document, write the master password in the space provided, and put it in a safe place.

2. Download 1Password

  1. Download 1Password for Mac or Windows.
  2. Open the 1Password 7 Installer that just downloaded.
  3. Follow the installer’s instructions. (If you run into issues, make sure that your computer has enough space to download 1Password.)
  4. When “Installer is trying to install new software” pops up, type in the password that unlocks your computer.
  5. When “The installation was successful” pops up, click “close” and then move the installer to the trash.
  6. Sign in to the 1Password account within the app.
  7. Click your name and choose “get the apps.”
  8. Click “add your account directly”, click “allow.”
  9. Go back to the app. Your details should be autofilled. Enter the master password and sign in.

3. Add it as an extension to your web browser

  1. Now that the application is installed, you have to add it as an extension to your browser. If you use a Mac and Safari, it is probably already there.
  2. Click this link. Windows users click the Windows icon. Scroll down to where it says “Or, download the companion app extension” and install the app for your preferred browser.
  3. Follow the on-screen instructions.
  4. Once set up, a little 1Password icon will appear in the right corner of the browser. In order to use it, click the icon and enter the master password. From there you can generate new passwords and save new login information.

4. Set up the 1Password App on your phone

  1. On iPhones, download the 1Password app from the App Store. For Android go to the Play Store instead.
  2. Tap “1Password.com.”
  3. Tap “Scan Setup Code.”
  4. Remember that Emergency Kit? Use the phone to scan the Setup code at the bottom of that page.
  5. Enter the master password and tap Done.

Now the app is all set up! In order for passwords to fill automatically there are just a few more steps. Here are the instructions for iPhones.

  1. Make sure notifications are enabled for 1Password.
  2. On the Home screen, tap “Settings.”
  3. Tap “Passwords & Accounts”, then “AutoFill Passwords.”
  4. Turn on AutoFill Passwords.
  5. Select “1Password.”
  6. Congratulations! Your app is all set up!

(Still confused? Head to the 1Password YouTube channel for helpful video instructions.)

How to set up LastPass

1. Make an online account with LastPass and add it as an extension to your web browser

  1. Create an account on LastPass.
  2. Enter email address and create a master password. Choose a strong master password with a minimum of 12 characters. This is the only password you WILL have to remember. If you prefer, set a (non-obvious!) reminder in case you forget your password. Click “Sign up.”
  3. Click “Install LastPass.”
  4. Add it to your web browser.
  5. In the upper right corner of your browser there is now a gray LastPass icon. Click on it and enter email address and password and log in.
  6. The LastPass icon should now be red. That means it’s ready to use!

2. Set up the LastPass App on your phone

  1. On an iPhone, download the LastPass app from the App Store. For Android go to the Play Store instead.
  2. Open the app. Click “Log in.” Enter email and master password. Click “Log in.”

Now the app is all set up! In order for passwords to fill automatically there are just a few more steps. Here are the instructions for iPhones.

  1. On the Home screen, tap “Settings.”
  2. Tap “Passwords & Accounts”, then “AutoFill Passwords.”
  3. Turn on AutoFill Passwords.
  4. Select “LastPass.”
  5. Congratulations! The app is all set up!

(Still confused? Head to the LastPass YouTube channel for helpful video instructions.)


[1] Cory Scott. “Protecting Our Members.” May 18, 2016.
[2] Jonathan Stempel & Jim Finkle. “Yahoo says all three billion accounts hacked in 2013 data theft.” October 3, 2017.
[3] Steve Ragan. “Raising Awareness Quickly: The eBay Data Breach.” May 21, 2014.
[4] Brian Krebs. “Adobe Breach Impacted At Least 38 Million Users.” October 29, 2013.
[5] Users can enter their email address into haveibeenpwned.com to see a partial list of breached accounts, and almost everyone has some accounts with public successful attacks.
[6] Joseph Bonneau. “The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords.” IEEE Symposium on Security and Privacy. 2012.
[7] Andy Kroll. “Documents Reveal Successful Cyberattack in California Congressional Race.” August 15, 2018.
[8] Daniel Klein. “Foiling the Cracker: A Survey of, and Improvements to, Password Security.” Proceedings, UNIX Security Workshop II. August 1990.