PC Pro

Apple, Google and Microsoft need to realise that we’ve entered the age of password managers, and that means the old rules no longer apply.

BARRY COLLINS
barry@mediabc.co.uk

Occasionally, just occasionally, you lot come in quite handy. A year ago, when I was off on one of my hourly Twitter rants – this time about password managers – a reader called Brian suggested I should take a look at Bitwarden (see p61 for our verdict on its latest iteration).

All the password managers I’d tried previously had been a bit pants, but Brian was right: Bitwarden is brilliant. It works near-flawlessly across phones, tablets and computers – in Windows, macOS, iOS and Android, as well as any web browser you can think of – and it doesn’t pelt you with pop-ups or smash your inbox with upgrade offers. The premium account is subtly offered in the settings menu and you can upgrade if you want. Which I just have, because this kind of non-aggressive, treat-you-like-a-grown-up approach should be rewarded.

As a consequence of my Bitwarden conversion, I’ve spent much of the past year hardening my password security. Whenever I’ve got a spare minute, I’ll change the password on one of the (gulp) 214 logins I have stored to something much stronger that’s generated by Bitwarden itself. Bitwarden’s password generator can be set to create passwords of between five characters (weak) and 128 characters (would take a gazillion years to brute force) in length, and will throw in capitals, numbers and special characters as you desire.

Why, you might wonder, would you choose anything less than 128 randomised characters? After all, the password manager memorises and autofills the passwords for you. It’s not like you have to remember them.

The problem isn’t Bitwarden, it’s the sites you use those passwords on. An astonishin­g number of websites refuse to deal with passwords longer than, say, ten characters or ones that contain special characters. And I’m not just talking about sites where you don’t really care if someone manages to hack into your account, but banks, insurers and other firms holding sensitive data.
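As an added example (not Bitwarden’s code, and not from the column), here is a Python sketch of the two things the paragraphs above touch on: a generator that draws from the operating system’s cryptographic randomness with the length and character-class options described, and an entropy estimate that shows how much a site’s ten-character, no-symbols limit costs. The special-character set and the guess rate of 10^10 per second are my own assumptions for illustration.

```python
import math
import secrets
import string

# Character classes. The special-character set is my own choice for this
# example; the column does not list the exact symbols Bitwarden uses.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?"


def build_alphabet(upper=True, digits=True, special=True):
    """Assemble the pool of characters the generator may draw from."""
    alphabet = LOWER
    if upper:
        alphabet += UPPER
    if digits:
        alphabet += DIGITS
    if special:
        alphabet += SPECIAL
    return alphabet


def generate_password(length, upper=True, digits=True, special=True):
    """Draw `length` characters from the alphabet using the OS CSPRNG.

    Each enabled class is guaranteed to appear at least once, so the result
    passes the usual "must contain a number / a symbol" checks.
    """
    classes = [LOWER]
    if upper:
        classes.append(UPPER)
    if digits:
        classes.append(DIGITS)
    if special:
        classes.append(SPECIAL)
    if length < len(classes):
        raise ValueError(f"need at least {len(classes)} characters for the enabled classes")
    alphabet = build_alphabet(upper, digits, special)
    # One character from each required class, the rest from the full pool.
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Shuffle so the forced characters don't sit in predictable positions;
    # secrets.SystemRandom is backed by the OS CSPRNG, unlike random.shuffle.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(pool size)."""
    return length * math.log2(alphabet_size)


def expected_years_to_brute_force(bits, guesses_per_second=1e10):
    """Expected time for an attacker who tries the whole keyspace.

    On average the password is found halfway through, hence the /2. The
    guess rate is a constructed assumption for illustration, not a benchmark.
    """
    seconds = (2.0 ** bits) / 2.0 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def fit_to_site_policy(max_length=None, allow_special=True):
    """Generate the strongest password a restrictive site will accept.

    Returns (password, entropy_bits). A site that caps length at ten and
    bans symbols forces a far weaker secret than the 128-character default.
    """
    length = 128 if max_length is None else min(128, max_length)
    password = generate_password(length, special=allow_special)
    pool = len(build_alphabet(special=allow_special))
    return password, entropy_bits(length, pool)


if __name__ == "__main__":
    for policy in ({}, {"max_length": 10, "allow_special": False}):
        pw, bits = fit_to_site_policy(**policy)
        years = expected_years_to_brute_force(bits)
        print(f"policy={policy or 'none'}: {len(pw)} chars, {bits:.1f} bits, ~{years:.3g} years")
```

Running the script prints one line per policy; the ten-character alphanumeric case lands at roughly 60 bits, while the unrestricted 128-character case is in the hundreds of bits, which is the gap the column is complaining about.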

Then there are companies that really should know better. Google rightly nagged me to change my password because it hadn’t been touched for a few years (I have two-factor authentication on the account, so was less bothered about changing that one). I did as I was told and switched my password to something as unmemorable as a Pret A Manger sandwich.

Google subsequently logged me out of every device, except the phone I use for 2FA, which seemed like a sensible precaution when someone has just changed their password. But when I went to sign back in on the family Chromebook, Google not only demanded the new password saved in Bitwarden but the previously used password too, so that it could unlock old content stored locally on the device. How daft is that? If that previous password had been an unmemorable string saved in my password manager I wouldn’t have had a clue what it was, because I’d have just saved over it with my new password. As it happens, Bitwarden is clever enough to save previous passwords, but this isn’t obvious: I’m sure that many people don’t realise their password history is available.

As a result, they’ll think they’re locked out of their local content unless they follow Google’s tedious recovery routine.

And then there’s Microsoft and Apple. You want long, strong passwords on their accounts, because they’re the ones protecting your devices. But, of course, the longer and stronger those passwords are, the more awkward they are to enter when you’re setting up a new device. Obviously, password managers can’t autofill before they’re installed, and they don’t autofill on device login screens anyway, so if you’ve got a 12-character strong password saved for one of these accounts, you need to fire up another device with the password manager on it and manually transcribe it.

You might think that the one-off hassle is worth it. After all, you can log in with Windows Hello, a fingerprint reader or even a PIN code after that initial setup. But you’ll be surprised by the number of times you’re asked for your Windows or Apple password subsequently – such as when Apple wants you to agree to a new set of terms or when you change your Windows Family settings.

The big companies need to realise that we can’t be expected to keep passwords in our heads, ready to recall at a moment’s notice. Not least because they’re the ones who will blame us when weak passwords result in accounts being hacked.


Barry Collins is a former editor of PC Pro. He once managed to brute force his way into a jar of pickled onions. @bazzacollins
