One key to rule them all

With so much of our lives online, we need multiple passwords. Best practice says don’t repeat them across different sites and services. Are password managers the answer?

06 March 2019

Q: Do you remember back in 2017, when the US National Institute of Standards and Technology (NIST), the industry go-to for all things security, told us that we’d been doing passwords all wrong and that we didn’t need to change them every 90 days? It also said that random phrases are more secure and easier to remember than a word with number and special character substitutions, such as ‘p@55w0rd’. Cue massive sighs of relief from users, sagely nodding heads from security experts, and companies mostly disregarding this advice. A postscript to the about-face (see Brainstorm, February 2018) was that password managers are a good idea. So, what is that all about? And are they indeed safer?

A: A password manager is typically a cloud-based online service, with browser extensions and mobile apps, that acts as a master key for all your passwords. The service encrypts and stores your passwords in a digital vault on your device. When you need to access them on your computer, smartphone or tablet, you only need to remember the single master password. Or better yet, you can use biometrics, such as a fingerprint. The service then checks your encrypted vault for the specific password and logs you in. Most are third-party services, but increasingly, password managers are coming baked into browsers or operating systems.
