For Internet users, the week of April 6 was undoubtedly one of the most annoying and harrowing in recent history. OpenSSL's Heartbleed bug was simultaneously patched and publicized on April 7, and over the next few days, we learned that our login credentials for a great many websites had potentially been compromised. Google, Yahoo, Facebook, Dropbox, and numerous others were all affected. What followed was a mass password resetting effort the likes of which the web has probably never seen.
For me, the Heartbleed fiasco instigated a change of approach. Until those dark April days, I'd been using a mish-mash of alphanumeric passwords and passphrases, all stored safely in my noggin. I wasn't nearly as diligent as I ought to have been about freshening them up, but that never got me into trouble. I made sure to use long, difficult-to-crack passwords with double-digit character counts, and I tried not to use the same ones for different services.
That all fell apart when I was faced with the daunting task of conjuring up—and then memorizing—a cornucopia of new passwords for a large and growing list of services. My friends and colleagues suggested password-management software, and I could think of no better alternative.
So, over a period of a few hours on the evening of April 10, I tried and subsequently discarded several of the most popular password-management tools available—until, like Prince Charming with the glass slipper, I came upon The One.
- It started with LastPass, a well-reviewed and highly recommended solution. I tried it, uninstalled it, tried it again, and uninstalled it again, so overpowering was my revulsion. My mind has forever censored the specifics of that gruesome experience, but I'm still haunted by flashbacks of hideous user-interface design and confusing configuration panels. LastPass is probably fine once you get to know it (why else would everyone be recommending it?), but I had neither the time nor the inclination for a third date. Shudder.
- Next was 1Password, a popular alternative to LastPass. I didn't mind the interface as much, but the Windows application still felt a little clunky, and I was put off by the pricing structure. 1Password charges $69.99 for a Mac and Windows cross-platform license, and that fee doesn't include subsequent upgrades. I may lead a glamorous and exciting life as a writer for a computer hardware review website, but I'm not made of money. Next!
- KeePass is a favorite of one of my most technologically gifted friends. It's the only free, open-source offering of the bunch, but it also turned out to be the highest-maintenance one. KeePass has no built-in cloud synchronization feature and no built-in browser extensions. What it does have is a dizzying array of customization options and an extensive supporting cast of third-party tools. The best word to characterize KeePass is probably "linuxy." Hard-core nerds might love it, but those of us trying to find an easy-to-use password manager late on a Thursday evening probably won't.
- Finally, there was Dashlane—on whose proverbial foot, after a little pushing and twisting, the glass slipper popped at last. Dashlane doesn't appear to be as popular as the others, but it was recommended by David Pogue in the New York Times. I found it to be the cleanest, lowest-effort solution of the bunch. It imported all my saved passwords from Chrome, presented me with an elegant and uncluttered interface, and surprised me with a slick and solid iOS app. Dashlane costs $29.99 a year for a Premium subscription that covers Windows, OS X, iOS, Android, cloud synchronization, web access, and support for two-factor authentication for the master login.
Dashlane's browser extension can be a little overbearing, and I found it to make mistakes on occasion. A couple of times, it offered to generate a new password... and then promptly saved the old one, leading to a few minutes wasted waiting for "I forgot my password!" e-mails. There's an easy workaround, though: manually generate a password via the extension's menu, and keep that password in the clipboard until you're sure the right credentials have been saved. Easy enough.
That little kink aside, I really can't complain. For a guy or gal with limited time and a lot of passwords to change, Dashlane does a pretty great job. It even saves payment information and addresses for online shopping, although I haven't set that up yet. Maybe I never will. I like the idea of not keeping all my eggs in one basket.
So anyway, that was my experience as a wide-eyed and quivering newcomer to the password management scene. I feel a heck of a lot better now, with a bunch of gibberish passwords that I can change at the drop of a hat, all without aggravation or memorization coming into the picture. I can access those passwords from any one of my computers (or my phone), and even if someone cracks my master password, two-factor authentication will leap to the rescue with its ever-changing six-number codes. I've never been safer.
Unfortunately, none of that really helps the average user. It doesn't help mom or pop or grandma, or that struggling small business owner you see in political ads.
My biggest takeaway from this experience is that passwords suck. They didn't suck so much back in the prehistoric days of the 1990s, when you only needed a handful of them. But today, with every little site on the web requiring its own login credentials, there's just no way for John K. Average-Smith to make sense of it. I imagine old Johnny has been using "fido777" as his only password for the past half-decade, and someone in Iran is using his credit card details to buy enriched uranium as we speak.
We need something better. I think some manner of biometric authentication is probably the way to go. A lot of laptops—and now phones—have fingerprint sensors built in. If those become more widespread, and their security can be guaranteed, then I wouldn't mind having to swipe my finger to log into Facebook or Gmail. It'd certainly beat fido777... or coughing up $29.99 a year for Dashlane.