Congratulations, you’ve decided to use a password manager to save and autofill your online passwords. But that’s only half the battle — you’ve still got to get all those passwords into the manager tool, reset any duplicates and check for stolen credentials.
Don’t panic, though: You don’t have to do it all at once.
Taking care of your passwords is sort of like taking care of your teeth, says Derek Snyder, the chief product officer at password manager company Dashlane. Just like regular cleanings are better than a root canal, a slow-and-steady approach is better than an all-at-once password apocalypse.
“I try to encourage people to start using the product gradually,” he said. “Over time, it saves them time but it also hardens their defenses against password breaches, phishing and other modern practices bad actors are taking part in.”
If digital hygiene is like dental hygiene, most of us aren’t even brushing. The most common password management strategy is writing them down in a notebook, according to an annual report from the National Cyber Security Alliance. The second-most popular is just remembering them. Despite evidence that hackers habitually take advantage of weak and duplicate passwords, people continue to punch in their pets’ names and the much-loved “password123.”
Password managers — which generate unique passwords and fill them in automatically — are perhaps the easiest way to whip your password hygiene into shape, experts say. But these tools require some setup.
Here’s everything you need to know to get your manager up and running.
You might already have a list of saved passwords
If you use an Apple device or browse with Chrome, there’s a chance you’ve said “yes” when prompted to save passwords with iCloud Keychain or Google’s password manager. Microsoft’s Edge and Mozilla’s Firefox browsers also let you save passwords.
To check on your Apple device, go to Settings then Passwords. To check your Google account, go to passwords.google.com.
Both companies let you download your saved passwords in CSV format and port them over to a separate password manager.
On a Mac, go to System Preferences then Passwords and click on the icon with the three tiny dots at the bottom of the list. Choose “Export passwords.”
In Chrome’s web app, click on the three dots in the top right corner of your window. Go to Settings and select Autofill from the left-side menu. Go to Saved Passwords, choose the three dots over to the right and select “Export passwords.”
Your password manager of choice should have an import tool that lets you upload the CSV file. Keep in mind: If you download your passwords, they’ll be visible to anyone who sees the file. Delete it as soon as you’re done.
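An added example, not part of the original article: a short Python script that lists which sites in an exported password CSV share a password, so you know which ones to reset, and then overwrites and deletes the file. The column names and the sample rows are assumptions made up for illustration; check the header row of your own export.

```python
import csv
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed sample. The column names (name, url, username, password) are an
# assumption about the export layout; check the header row of your own file.
SAMPLE_EXPORT = """name,url,username,password
Bank,https://bank.example/login,alex,password123
Mail,https://mail.example/,alex@mail.example,password123
Clinic,https://clinic.example/portal,alex,Xq7#rV2m!pL9
Shop,https://shop.example/,alex,password123
"""

def find_reused(csv_path, password_col="password", site_col="url"):
    """Return groups of sites that share a password, never the passwords."""
    groups = defaultdict(list)
    with open(csv_path, newline="", encoding="utf-8") as fh:
        for row in csv.DictReader(fh):
            pw = row.get(password_col) or ""
            if pw:
                # Group on a digest so plaintext is never a key or printed.
                key = hashlib.sha256(pw.encode("utf-8")).hexdigest()
                groups[key].append(row.get(site_col) or "")
    reused = [sorted(sites) for sites in groups.values() if len(sites) > 1]
    return sorted(reused, key=len, reverse=True)

def remove_export(csv_path):
    """Best-effort cleanup: overwrite the file's bytes, then delete it."""
    size = os.path.getsize(csv_path)
    with open(csv_path, "r+b") as fh:
        fh.write(b"\0" * size)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(csv_path)

def demo():
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "w", newline="", encoding="utf-8") as fh:
        fh.write(SAMPLE_EXPORT)
    try:
        return find_reused(path)
    finally:
        remove_export(path)  # runs even if the audit raises

if __name__ == "__main__":
    for sites in demo():
        print(f"{len(sites)} accounts share one password:", ", ".join(sites))
```

Overwriting is best-effort on SSDs and in synced or backed-up folders, so save the export somewhere that is not synced to the cloud in the first place.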
Should I stick with my phone or browser’s password manager?
Using your browser or phone’s password-saving option is much better than relying on your memory, according to Andrew Shikiar, executive director at the Fast Identity Online Alliance, an industry association working on standards for password-less authentication.
“It’s kind of like arguing whether one should use a U-lock or a cable lock to lock a bike,” Shikiar said. “The most important decision is to use a lock, period.”
But dedicated password managers come with a few advantages, their developers say.
First, they can fill in your passwords across devices and applications, whereas iCloud Keychain, for example, doesn’t work on Android phones, said Darren Guccione, CEO and co-founder of Keeper Security, which makes the password manager Keeper.
Second, stand-alone managers come with extra features like secure file and password sharing. In Keeper, for instance, you can send someone your digitized social security card or birth certificate without worrying about attaching it to an email. In Dashlane, you can share your Netflix password with another Dashlane user without ever sending it in plaintext. (That means the recipient can’t even see it, and you can revoke access whenever you want. Ex-boyfriends, beware.)
A Google spokesman said the Chrome app lets iPhone and iPad users autofill passwords without using Chrome as their primary browser, and Chrome can even walk you through resetting compromised passwords for certain sites. A Mozilla spokeswoman noted that browser integrations are convenient for people who don’t want the extra work of setting up a stand-alone password manager and that Firefox for Android and iOS can autofill passwords in other apps.
A Microsoft spokeswoman declined to respond to questions about interoperability and limited features. Representatives from Apple didn’t immediately respond to a request for comment.
Troy Hunt, a security expert who runs the compromised-passwords database Haveibeenpwned.com, says your focus should be: Is your tool leading you to create stronger passwords, or are you just using it to save and autofill the same old bad ones? (Full disclosure: Hunt is on a board of advisers for password manager 1Password.)
Tools with password generators that spit out unique, hard-to-guess passwords will improve your security. Otherwise, Hunt noted, you’re just getting some extra help remembering your insecure, reused passwords.
What if I’ve never saved a password?
If you’ve been keeping your passwords in an Excel document, you can upload them directly to a password manager after saving as a CSV file.
But if you’ve been storing them in a sticky note, notebook or (heaven forbid) your brain, you’ll have to input them manually.
Start with your most critical accounts, such as banks, medical portals and work accounts. Remember that password management is a long game, and it’s OK to work slowly. Each time you log into another account, your manager should ask if you’d like it to save the password. Over time, you can build up your vault and reset any duplicates.
Can I make my passwords even more secure?
No piece of software is unhackable, and that includes password managers, said Ted Harrington, an executive partner at Independent Security Evaluators, a team of ethical hackers helping organizations build more secure tech. But the benefits of using one outweigh the risks, he said.
“That’s definitely the way people should think: Hesitate before you give up information. But people should use password managers. They are wonderful. They enable every average person to improve their approach to security,” Harrington said.
If your passwords protect high-profile accounts or critical information, you can always add one extra layer of security, he said: Each time you create a password, add a simple string of letters or numbers to the beginning or end. Then, delete that string from the version you save in the password manager.
For example, the manager would save “gjdk & jT4k*Dh” while your real password is “TRHgjdk & jT4k*Dh.” When the manager autofills your passwords, all you have to do is punch in the same extra characters each time. That way, if someone got their hands on your bank of credentials, they still couldn’t log into your accounts.
Correction: An earlier version of this story misstated the name of Keeper Security.