How to create, manage and store passwords securely

Let’s face it: staying on top of your digital life can be a nightmare these days. The average person has more than 90 online accounts to manage, according to recent figures. By 2020, this number is expected to balloon to over 200.

Having robust login credentials is essential for protecting your identity and ensuring your data stays out of the hands of the bad guys. However, there’s simply no way to mentally keep track of all these passwords (particularly if you’re being a good digital citizen and using unique alphanumeric combinations for every single password).

What’s the solution?

In this article, we’ve put together everything you need to know as a business or home user to manage your passwords safely and securely.

Why is it so important to have a good password?

It’s important to have a good password for one very simple reason: it prevents unauthorized access to your physical devices and online accounts. If your password is easy to crack, a cybercriminal may be able to gain access to your bank, social media, email and other private accounts, which could have a devastating effect on your life.

The importance of having robust passwords is particularly pronounced for small businesses. Not only do business owners need to ensure their mission-critical data is safe in order to minimize company downtime, they also need to be doing everything they can to protect their clients’ personal information, which may be stored on the company’s system. Small businesses often find themselves in the hackers’ crosshairs, due to the fact they typically don’t have the resources to support a dedicated IT security team. Cybercriminals are well aware of this – in 2016, about half of all small- and medium-sized businesses in the US experienced a breach, according to figures collated by Keeper Security.

Of course, none of this should come as shocking news. In fact, you’re probably sick and tired of security experts telling you to improve your password hygiene. However, it seems that a pretty big chunk of the population has yet to get the memo, as far too many people are still relying on passwords that are about as secure as a wet paper bag (read: not at all). As SplashData reported, the two most popular (i.e. the worst) passwords of 2017 were, for the fourth year in a row, ‘123456’ and ‘password’. Other notable mentions included ‘qwerty’ (coming in at #4), ‘iloveyou’ (#10) and ‘starwars’ (#16).

How hackers steal your passwords


So, having a strong password makes it less likely for a cybercriminal to obtain your login credentials. But how exactly do hackers steal your passwords in the first place?

1. Password leaks

Every now and then a major company is hacked (Yahoo, Dropbox and Gmail to name but three), resulting in millions of passwords being leaked onto the web. Not only does this mean that a criminal can potentially gain access to your leaked account, they may also be able to use the leaked information to log in to your other accounts.


If you’re one of the 87 percent of people who reuse their passwords, a hacker can simply take your leaked password and attempt to log in to your other private accounts. Credential recycling can be attempted with passwords collected via any means (not just password leaks), which is why you should never reuse the same password.

2. Brute force attacks

A brute force attack is an attack in which cybercriminals methodically try logging in to your account using every possible combination of characters until they get the correct password. As you might imagine, this would be impossible to do manually, so hackers use purpose-made tools that are capable (if run on the right hardware) of processing millions of attempts per second. The shorter the password, the quicker a brute force attack will be able to steal it.

3. Keyloggers

A keylogger is a certain breed of malware that runs hidden in the background of your computer. If allowed to go undetected, a keylogger can track every key you press on your keyboard and transmit this information to a malicious party, enabling criminals to steal your login credentials. An effective anti-malware product is essential for keeping your passwords safe, protecting your computer against malware and ensuring your system is clean of keyloggers.

4. Phishing

Phishing is a form of social engineering that preys on human nature. Essentially, phishing is all about tricking users into willingly divulging sensitive information (such as login credentials, credit card details and so on) by disguising malicious websites and apps as legitimate services. When you enter your information into the bogus website, you’re inadvertently sending the data straight into the hands of the criminals, who can then freely assume your identity and log in to your private accounts. Phishing remains incredibly prevalent, presumably because it’s proven time and time again to be an effective attack vector. Some reports indicate that more than 3 in 4 businesses were affected by phishing in 2017.

5. Post-exploitation tools

Another way that criminals commonly steal passwords is through the use of post-exploitation tools. As the name implies, attackers use these tools on systems they have already successfully exploited in order to gain better control of the device or network. The widely used Mimikatz tool, for example, can be used – among other things – to quickly harvest information that may be of value, including all the existing passwords on the compromised system.

6. Rainbow table

Even if you, as a consumer, devise a great password, it could still be stolen if the service you use it with stores passwords poorly. Most vendors nowadays are aware of the dangers of storing passwords in plaintext (more on that later), and instead store password hashes. A cryptographic hash function takes an input of any length and produces a fixed-length digest (a checksum, of the kind otherwise used to detect data errors) from which the input cannot be recovered. With a cryptographic hash, a vendor can verify that a submitted password is correct by hashing it and comparing the result with the digest in its database. The entire process takes place without the vendor ever storing what the password actually is.

While this might sound like a very secure way of storing passwords, hashes do have their flaws. The most commonly used hashes (MD5 and SHA-1) are fast, and when used without a salt the digest of a given password is always the same, so the digests of vast numbers of candidate passwords can be (and have been) precalculated. These precalculated values are stored in a structure known as a rainbow table, which criminals use to reverse hashed passwords with a simple lookup. Once they’ve stolen the hash and recovered the password from the rainbow table, the hackers can use the login credentials on other websites where they suspect the user has reused the password. In this scenario, the length of the password is irrelevant to the lookup itself, as the table only matches on the hash.

To counter this problem, vendors are increasingly looking to salted hashes, which mix a random value (the salt) into each stored password before hashing it. With a salted hash, each distinct salt would require its own rainbow table, making precomputation computationally impractical for criminals.
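The following is an added example, not code from the original article or from any of the products it reviews. It contrasts the two storage schemes just described: an unsalted, fast digest that a small precomputed lookup table (a toy stand-in for a rainbow table) reverses instantly, and a per-user random salt combined with a slow key derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library), where the same password yields a different record for every user and nothing in the precomputed table applies. The candidate list `COMMON_PASSWORDS` is constructed from the SplashData entries quoted above; the function names are this example’s own.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the worst passwords of 2017 quoted in the article.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "iloveyou", "starwars"]


def build_lookup_table(candidates, algorithm="sha1"):
    """Precompute digest -> password for every candidate.
    A tiny stand-in for a rainbow table: unsalted, fast hashes are computed
    once by the attacker and then reversed with a dictionary lookup."""
    return {hashlib.new(algorithm, p.encode()).hexdigest(): p for p in candidates}


def store_unsalted(password, algorithm="sha1"):
    """The weak scheme: the stored value depends only on the password."""
    return hashlib.new(algorithm, password.encode()).hexdigest()


def reverse_with_table(stored_digest, table):
    """One lookup; returns the password, or None if it was never precomputed."""
    return table.get(stored_digest)


def store_salted(password, iterations=100_000):
    """The recommended scheme: a random 16-byte per-user salt plus a slow KDF
    (PBKDF2-HMAC-SHA256). Returns the record a site would keep for the user."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    # Unsalted SHA-1: a leaked digest of "password" is reversed by one lookup.
    cracked = reverse_with_table(store_unsalted("password"), table)
    # Salted + iterated: two users with the same password get different records,
    # and neither digest appears in the precomputed table.
    rec_a = store_salted("password")
    rec_b = store_salted("password")
    return {
        "cracked_unsalted": cracked,
        "salted_digests_differ": rec_a["digest"] != rec_b["digest"],
        "salted_in_table": reverse_with_table(rec_a["digest"].hex(), table),
        "verify_ok": verify_salted("password", rec_a),
        "verify_wrong": verify_salted("Password", rec_a),
    }


if __name__ == "__main__":
    print(demo())
```

The iteration count is what makes each guess expensive for an attacker who has the salt; the salt is what stops the work from being shared across users or done in advance. Both are needed, which is why a salted but single-round MD5 is still a weak choice.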

Are you concerned that your login credentials might have been stolen without your knowledge? Use Have I Been Pwned to find out. Simply enter your email address and the site will crosscheck it against hundreds of the biggest breaches in recent history and let you know if you’re at risk. You can also ask the tool to alert you if your email address turns up in any future data leaks.

How to create a good, strong password


So, a good password is an important part of your defense system, but what does this mean in practical terms? Well, in regards to password best practices, things have changed quite a bit in recent years.

“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess” – XKCD.

In the past, the general rule of thumb was that your password should be as complex as possible. As a diligent internet user, you ensured your password included numbers, symbols, and uppercase and lowercase letters, and the resulting password might have looked something like this:


However, we’ve steadily moved away from this approach. The US government recently updated its password recommendations to reflect the modern take on passwords, and even Bill Burr, author of NIST Special Publication 800-63 Appendix A (one of the first resources to encourage people to incorporate obscure characters into their passwords), recently admitted to The Wall Street Journal that there were some flaws in his original work. Simply put, everyone’s finally realized something: computers are not humans.

While the above password would be undeniably difficult for a human to guess, to a computer it’s no more secure than any other eight-character combination such as ‘magazine’ or ‘princess’ or ‘umbrella’.

The good news is that creating a robust password doesn’t have to be difficult. Here are three basic ground rules when it comes to creating a secure password in 2018:

1. Length is the new king

The cornerstone of making a good password has shifted from complexity to length. Each additional character multiplies the number of combinations an attacker has to try, so resistance to brute force attacks grows exponentially with length. As such, a great password can be made by simply stringing a bunch of random words together into a long phrase, such as:


The longer, the better. We recommend aiming for a minimum of 16 characters.

2. Keep it unique

As we touched on earlier, reusing the same password for multiple websites, apps or devices exposes you to all sorts of unnecessary risk. Yes, you might have dozens or even hundreds of accounts to keep track of, but that doesn’t justify recycling your credentials. Make every password unique and secure, even if it’s for a service that you’re only going to use once or twice. There’s always a chance, no matter how slim, that one day you’ll give these ‘lesser services’ your credit card details and you’re highly likely to forget to strengthen your password when that time comes.

3. Make it random

In addition to length, it’s important that your password is also random. If you opt to use a string of random words as described earlier, don’t rely on your brain to conjure up a few seemingly ‘random’ words, because there’s a good chance these words will be easier to guess than you might think. Instead, use a trusted password generator to produce truly random character combinations. Similarly, avoid using common phrases, pop culture quotes and references, and personally meaningful passwords such as birthdays, anniversaries, pets’ names etc. Personally meaningful passwords increase your risk of being manually hacked by a particularly studious criminal who may scour your online presence for password clues.
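To make the three rules concrete, here is an added example (not from the original article) that generates passphrases and random strings with Python’s `secrets` module, which draws from the operating system’s cryptographic random source rather than from a human’s idea of “random”, and then puts numbers on the brute force section above: how many bits of entropy a password has and how long an exhaustive search would take at a given guess rate. `WORDLIST` is a constructed 32-word list used only to keep the example self-contained (a real generator draws from a list of thousands of words); the guess rate in `compare_schemes` is an assumed figure for illustration, and all function names are this example’s own.

```python
import math
import secrets
import string

# Constructed sample word list (32 words = exactly 5 bits of entropy per word).
# A real passphrase generator uses a much larger list; see the lead-in.
WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "engine", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orbit", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yellow",
    "zipper", "bridge", "copper", "meadow", "pillow", "rocket", "silver", "tunnel",
]

# Printable ASCII minus space: the 94-symbol alphabet of a "complex" password.
COMPLEX_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(num_words, wordlist=WORDLIST, separator="-"):
    """Pick words uniformly at random with secrets.choice (never random.choice)."""
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


def generate_random_string(length, alphabet=COMPLEX_ALPHABET):
    """Random character string from the given alphabet, also via secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Each extra symbol adds the same number of bits, i.e. doubles the search
    space log2(alphabet_size) times over."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time for a brute force attack to try every combination.
    On average the attacker finds the password after half this time."""
    return alphabet_size ** length / guesses_per_second


def compare_schemes(guesses_per_second=1e9):
    """Compare an 8-character 'complex' password, a 16-character lowercase one
    and a six-word passphrase from a 7776-word (diceware-sized) list.
    The guess rate is an assumed illustrative figure, not a measurement."""
    schemes = {
        "8 chars, 94 symbols": (len(COMPLEX_ALPHABET), 8),
        "16 chars, lowercase only": (26, 16),
        "6 words, 7776-word list": (7776, 6),
    }
    return {
        name: {
            "entropy_bits": round(entropy_bits(size, length), 1),
            "years_to_exhaust": seconds_to_exhaust(size, length, guesses_per_second)
            / (365.25 * 24 * 3600),
        }
        for name, (size, length) in schemes.items()
    }


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(6))
    print("random string:", generate_random_string(16))
    for name, figures in compare_schemes().items():
        print(f"{name}: {figures['entropy_bits']} bits, "
              f"{figures['years_to_exhaust']:.3g} years at 1e9 guesses/s")
```

The figures only hold while the password is actually uniform over the alphabet or word list. A passphrase you composed yourself, or a quotation, is drawn from a far smaller space than the word count suggests, which is the point the rule about randomness is making.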

For further tips on creating secure passwords, be sure to check out our previous blog post on the topic.

The best password managers of 2018

Do not store your login credentials in a text file. Storing all your passwords in a plaintext file means that a hacker can simply steal the entire list of passwords in one fell swoop and truly wreak havoc on your digital life. If you’re a business owner, storing passwords in plaintext also increases the risk of an internal security issue as employees are freely able to access login credentials. Just don’t do it.

At the same time, remembering dozens of lengthy random, unique character combinations is more or less impossible. The most secure way to store passwords in 2018 is to use a dedicated password manager.

1. KeePass


What KeePass lacks in flashy user interfaces, it more than makes up for in smooth functionality. The free, open-source software features portable installation, which means you can run it straight from USB. It supports an impressive slew of security features, including a password generator, secure notes and a range of password entry options. There’s no official browser or Android implementation, though there are a number of unofficial options.

Login credentials are stored locally, meaning it’s less well-integrated than some cloud-based solutions (making it best suited to people who want a single device solution), but the upside is there’s also less risk of your passwords being leaked. As with all open-source software, you’re more than welcome to inspect the inner workings of KeePass, which gives technically minded users the opportunity to look for potential flaws in the code.

Price: Free

2. Dashlane


Dashlane is a cinch to use and comes packed with a bunch of features designed to keep your passwords safe. In addition to storing your login credentials and auto filling them whenever you may require them, Dashlane also boasts a robust password generator and a digital wallet that manages your credit card information securely, allowing you to make online purchases quickly.

If you use the sync feature, Dashlane will store your encrypted data in the cloud; should you disable sync, your data is permanently deleted from their servers, leaving it stored locally on your computer.

Price: Free for one device, $39.95/month for premium.

3. Sticky Password


Another user-friendly option, Sticky Password boasts some decent features wrapped up in a decidedly clean, if slightly outdated, design. As with many password managers, Sticky Password allows you to securely store and manage unlimited passwords on a single device or, if you upgrade to premium, sync your login credentials across multiple machines. In contrast to some password managers, Sticky Password can also handle application logins, which is great news if you regularly have to use password-protected software.

Being able to choose between syncing data on the Sticky Password servers or over your local Wi-Fi is a very nice touch for those who want an integrated solution without compromising security.

Price: Free for one device, $29.99/year for premium.

4. 1Password


1Password might just be the best looking Mac password manager on the market (but comes in Windows and browser flavors as well). It can do all the things you might expect of a good password manager, with some other goodies thrown into the mix such as organizing and syncing your software licenses and files. It’s worth noting that, unlike just about every other password manager, 1Password doesn’t use any form of 2FA and instead relies on end-to-end encryption and secret keys to ensure you are who you say you are.

Price: $35.88/year.

5. RoboForm


RoboForm doesn’t bother with fanciful features or a beautiful GUI, and instead focuses its efforts on stellar password management. In addition to secure encryption, RoboForm supports application logins, note storage and emergency access. The highly customizable password generator is one of the best around and the company recently added support for limitless logins in the free version, making it a great choice for budget-conscious users in need of a great password manager.

Price: Free, $19.95/year for premium.

6. bitwarden


bitwarden comes highly recommended from members of the lab team here at Emsisoft – and for very good reason. The open source software features 2FA, end-to-end encryption and, unlike most of the other entries on this list, the free version even includes unlimited syncing across devices! bitwarden also packs a competent password generator and is compatible with a bunch of different operating systems and browsers. The icing on the cake is that you can choose to host the bitwarden infrastructure on the platform of your choice, meaning you don’t have to rely on bitwarden’s cloud service if you don’t want to.

There’s no native desktop application just yet (you have to run bitwarden through your browser), but apparently it is in the works and should be arriving soon.

Price: Free, $10/year for premium.

7. LastPass


LastPass frequently tops the list in any roundup of best password managers. Compatible across a range of operating systems and featuring a robust password generator, security challenges and 2FA (even with the free version!), LastPass has been the gold standard of password managers for quite some time now. However, it’s also worth keeping in mind that LastPass has been hacked in the past, though its advanced hashing meant that the criminals likely weren’t able to crack the stolen passwords.

Price: Free, $24/year for premium.

Securing passwords: No more excuses

It’s simply not possible to manually keep track of all the passwords that are part and parcel of modern life. The best way to securely generate and store your passwords in 2018 is to use a trusted password manager. It only takes a few minutes to set up, and the time investment is absolutely worth the peace of mind of knowing that your login credentials are safely stored away.

Be sure to use a proven security solution such as Emsisoft Anti-Malware in conjunction with your password manager to ensure your system is free of keyloggers and other malware that may compromise the safety of your login credentials.

Do you use an awesome password manager not mentioned on the list? Let us know in the comment section below!

  • Great article, I enjoyed reading this and love seeing this from your team. I learn each time I read your blog.

    I ended up not trusting any password manager and instead use free VeraCrypt (with a 16 digit pw and keyfile) to store what I need in an encrypted file….which of course, should be unmounted when not in use.

    Thanks Emsisoft team! The more you write like this, the more people like myself (who do not surf and do not read) remember “where to go” when we have a question about security.

    As a website owner who uses gravity forms, I am consciously aware of the dangers of re-using passwords for important things – as not all websites on the internet are as concerned about privacy as we are!
    Thanks again. I appreciate what your company is doing, and know it will continue to succeed.

  • Luis

    Why is it not advised to use the in-built password manager in the browser? For example, in Chrome you can even protect it with a secret phrase in addition to the password you already use for sync. And use some page that generates random secure passwords, for example the Norton Identity website.

    • thegeekkid

      The built-in password managers in the browser are not secure at all. My background is in forensics – if I needed to get into an encrypted document/container, the first thing I would do is check to see if the person used the built in password manager and extract their passwords from there to build a wordlist and throw that into my scripts to run a dictionary attack against the document/container. If that fails, most forensic tools allow you to generate a wordlist using unencrypted data on the HDD; so I would expand it to that… but you always start with the low hanging fruit – that just happens to be the built-in password managers.

      • Robert Bonomo

        And what if those “passwords” are not just words in the dictionary but something like what comes out of Norton Identity or other? Exclude encrypted document/container. I’m only talking about signons.

        Then explain how you break the built-in password manager in the browser if again it is not a word(s).

        I also like the paper idea below or the grey cells

        • thegeekkid

          The built-in password manager (by default) on browsers is either not encrypted (meaning the passwords are stored as plain text somewhere), or at best it uses machine reversible encryption (which means that it doesn’t take much for someone with a decompiler to reverse the encryption). This means that I don’t need to know a password to get in, I just use a standard tool to extract the passwords from the local database. Yes, depending on the browser, there may be ways to change that; but if you are going to store passwords on your computer, it would generally be considered preferable to use an application that is specifically designed for that (and therefore better prepared to handle the security implications).

          • Robert Bonomo

            Let’s look at Mozilla. I don’t use Chrome. I realise that if you do not use a master password on Firefox then it is as you say. It’s useless. Now throw in a password. One like the above K3s+zL4xq&KW*H, or just a long enough phrase like !le?pickle^elephant*chien++

            They are words in 2 languages. But you will never see that phrase in real life.

            The question me and the other poster are really asking is how strong is the Firefox encryption of the passwords file provided you use a good password and not 12345 because what you described in your first post is you are able to break bad practices by looking at the low hanging fruit. I’m certain you can.

            Brute force could be used but in how much time and I’m not talking about a Nation State Agency breaking the top terrorist’s computer.

            I’m talking about a normal Jane Doe on the street who was compromised. Will that malware writer spend ages breaking that password file or move on to something easier which has a better chance of success, like a burglar not wasting time breaking into a wired house and moving on to the neighbour who is not wired?

          • thegeekkid

            Honestly, it’s been a while since I’ve needed to get into a password protected Firefox password manager (the large majority of people don’t set the master password). The last time that I did, I found that there was no encryption whatsoever even with a master password. I believe I read somewhere that it may have been added in recent years. I’ll spin up my sandbox VM tomorrow and experiment with it and let you know what I find. :)

          • thegeekkid

            Ok… so I just ran a test on the latest version of FireFox. Assuming you use a (strong) master password, the passwords themselves are fairly safe. The problem is that there is still information disclosed in plain text that would not be in a fully encrypted password manager such as KeePass, LastPass, dashlane, etc.

            You would honestly be better off using KeePass (which is free) with the browser extension – it would perform the same ease of access as the built in manager, and wouldn’t have the information disclosure issue.

          • Robert Bonomo

            Looking into KeePass now.
            So what did you use for your test?

          • thegeekkid

            I booted up a testing VM from a pre-configured snapshot (fresh Windows 10 install with browsers, notepad++ and a few other misc applications installed), updated FireFox to the latest version, set a master password, then submitted fake credentials to a random login page and saved the credentials. Once that was done, I attempted to use a password extractor from nirsoft which failed. I then inspected the db3 and db4 sqlite files and the json file that contains the passwords. I did confirm that the username and password was encrypted, but the (substantial) metadata stored in the password manager regarding each login was not.

          • Robert Bonomo

            Ah OK. I thought you may have tried brute force. Yes I opened the password file with DB sqlite reader and the login URL was not encrypted and wondered why not. Will have to presume Mozilla did their due diligence and is using something strong for encryption. Otherwise they would be the laughing stock.

          • harish arsham

            Please trial

          • thegeekkid

            Nope… and actually, I just used 12345 as the password since I was just testing whether or not it was stored in plain text or was machine reversible if you didn’t have the master password (I wasn’t testing for password strength or attacks on the password, I was testing for attacks on the data at rest).

            Not only is the url not encrypted, but neither is metadata such as when the site was last accessed and others. Sure… probably not a huge deal; but the more a potential attacker knows about you and your habits, the easier their job becomes. In terms of the data that *is* encrypted, it looks like AES128; but I’m not 100% sure on that… I didn’t actually try to figure that out. Like you, I figured it would have to be a decent algorithm.

  • I’ve been using KeePass (portable) since 2012, great product, recommended.

  • Frederick O’Brien

    Excellent article which has me wondering if what I’m using is in need of being replaced. I am currently using Avast Passwords but I’m not sure if it has solid encryption. Should I be thinking of one of the apps in this article instead?
    Also a question: I see frequent mention of something called “2FA”. What is that and why is it an issue one way or the other?

    • hello @frederickobrien:disqus

      2FA = Two Factor Authentication. To put it simply, it is using a second verification mechanism to be sure the person inputting the password is the true owner of the account. Those 2FA often involve an app on your phone (generating a number you will input after your password) or a special USB device. You may have heard about Google or Microsoft Authenticator.

      About Avast Password Manager, I can’t tell about its efficiency, I don’t use it and surely never will, not because it may be weak or not, but because I have more trust in dedicated apps; personally, I now use Bitwarden and before I used to use LastPass.

  • A low-tech solution to the password list storing problem is paper, because it is simple, reliable and everybody knows how to use it. People (or 3-letter agencies) coming in all over the internet cannot get your passwords that are on paper!

    So I use a FREE Printable Password Log Excel Template to store unique passwords!

  • Nevi Løvfelt

    So true.
    When my Google account was hacked I started to use LastPass. I have signed up for “have I been Pwned”? too. Finish with all that shit.

  • I keep having the feeling that using a password manager adds one point of entry, and if somebody gains access to that, they have everything (encrypted as it may be, but passwords stored by sites should be encrypted as well). And now with Meltdown/Spectre, when exploits will start being used for those, and with Intel apparently not even planning to fix the hardware flaw even in future generations of CPUs at least for a few years and leave it to performance-lowering software patches that can be enabled or disabled to make an awkward workaround, it also seems that they’ll be particularly vulnerable.
    Still say it’d be nice to be less restricted in the sort of passwords you can create. Some sites still require you to have uppercase and lowercase and/or numbers, making just for those weird passwords that XKCD strip is talking about (was about to link to it if you wouldn’t have, immediately think of it when the topic comes up), others on the contrary may not allow spaces or symbols or nonstandard characters, some limit length, including a maximum one I mean, and I’m not aware of any accepting line breaks. And while somebody who knows you and specifically targets you is likely to eventually stumble upon it, for typical use stuff like favorite quotes or song lyrics (hence the line breaks) I’d say would definitely make for passwords easy for the user to remember but pretty much impossible for a computer to guess.

  • Stefan Brunthaler

    Good information indeed.
    One question remains unanswered for me: Why is LastPass “trusted”? If a wealthy and powerful organisation uses a decent amount of “social engineering” upon the employees of LastPass, then all login credentials of every user of LastPass are open to the international web optimization community.

    What about that?

  • Michael Hach

    I guess what you said, that BitWarden cannot be run as a native application yet, has shown itself to be the case, as I tried to use it with my current version of Chrome and the developers at Bitwarden said that the Beta version of a new Chrome is required to run it, at least wrt importing the password list that the browser automatically stores for me, at this time. I guess I’ll have to make a selection from your list of candidates – any suggestions of one over another?

    • hello,

      I’m running Bitwarden with the latest stable Chrome, no issue so far.

  • diwul62

    Definitely a great article (sorry for this late reaction).

    I hope, one day, there will be an article about using secure password / password managers whilst using Android browsers.
    Q: How save are the built in password managers, when using a master password?

    My experience is that 3rd party desktop password managers, which work fine on desktop PCs and usually have good add-ons for Windows internet browsers in place, well, they very much fail when using well-known browsers on a tablet.

    Personally I use Chrome (Windows) and Chrome on Android with its built-in password manager for non-financial sites (like forums).
    I never use my tablet browser for banking purposes though.

    I use Roboform to log into banking sites (or some other, strictly personal, sites).