...we all have them. But do you have them with your password manager? Like seriously, how the heck are you supposed to find one that's good? And how can you determine which is better than another? Let's talk.

Hi. I'm Jon Fedor and this is InCyber Regular, edition ten.

I talk about cyber security issues and awareness for smaller enterprises, the cyber-curious, and the security-conscious. And today is a milestone: WEEK TEN. I'm not sure I've ever done something consistently for ten weeks in a row.

They say there's a first time for everything. First car, first rollercoaster, first phone, first time someone told you to examine your zipper. Etc. For me, this first time (10-week-streak) feels like an ice cold beer in the shade on the porch after spreading eight yards of mulch in 90 deg F heat.

Thanks for journeying with me. And thanks for your feedback last week!

If you didn't send in feedback last week...here's another chance.

What about password managers, fool?

Some of the best questions and topics I get come from readers. This one comes from someone in my literal family (what up, fam). I'm going to quote it because it's too good:

"So, I gotta ask...you've been promoting 1Password on your newsletter..how does it work, exactly? And how can someone know it's secure, especially with all the cybercrime, hacks, and bullshit happening?"

Glad you asked.

Minimum viable features

1. Strong password generation (24+ characters with randomization)
2. Built in time-based one-time passwords (TOTP) for multi factor authentication (MFA)
3. Breach and data-loss detection (does your password manager regularly alert you on accounts that have experienced hacks or been breached?)
4. Syncing across mobile and desktop devices
5. Auto-filling web forms on mobile and desktop
6. Encrypting master password when authenticating

Dos and Don'ts

1. Do pay for your password manager. It's a utility (like gas, water, electricity, and internet) and it's important.
2. Do find a product that's relatively *easy* for you to use. You won't use it if it's too difficult to use.
3. Do use your password manager for MFA. I'll be covering this in a later edition.
4. Do use a password manager that checks and alerts you when accounts in your vault have experienced a data breach or loss so you can update your account credentials ASAP.

1. Don't use LastPass. Their product was once free. They tracked activity of users especially on mobile devices using multiple trackers embedded in the software.
2. Don't use free products. When you use a free tool: YOU are the product.
3. Don't wait. Find a tool you trust today and start learning it. Start with updating the password on the account you use most (I know it's Facebook...)

How do I know this password manager is a secure?

1. The research is out there. Do some homework
2. Your master password and password vault(s) are encrypted
3. Your master password should be encrypted in-transit as well (as you are entering it). Most companies will show you how they encrypt passwords and what their security model looks like. Read about it!
4. It's not free. Get over it. Unless you're using an open source tool like KeePassXC and managing all elements of your vaults yourself, the tool shouldn't be free. Pay someone else a small fee to work FOR you to make sure your information is secure. You can't manage everything. Don't try.
5. Ask multiple sources - don't just take my word for it. Ask people what they use (most people will probably say nothing or a free product).
6. If you're finding it difficult to find security details about the password manager you're considering, pass and look for something else.

This is getting to be a bit much

There's a lot that goes into selecting the right tool. Personally, I've used a lot of tools in the past:

1. EnPass
2. Keeper
3. Passportal (an enterprise tool from SolarWinds)
4. LastPass (I know I know, but this was a long time ago and I was just testing).

The point is to find what works best for you and STICK to it.

This coming week, we'll dive into exactly HOW these tools work and what it looks like to deploy them in your everyday life.

Affiliation

It's true I've been promoting 1Password. It's true I'm an affiliate of 1Password. I've been using 1Password for. ever. Ok, ~8 years. Muuuch longer than the life of this newsletter.

Quick story: I applied to be an affiliate with them and they said no. Twice. So I emailed them and said, what the heck, and they said ok, you can be an affiliate.

I have really good 'what the hecks.'

The point here is to find and buy the right tool for you to use so that you can create, store, and manage passwords that *don't suck*. If you want, get 1Password. If another one sounds better - get that one.

But don't not get one.

Thanks!

I love writing this thing for y'all and I want to keep doing it. And I want it to get better weekly. So let's make it happen already.

Have a good'un, Good Lookin'.

~Jon 1Password Fedor