Digital Security and Privacy

Password Management Software

The problem with complex passwords is that they are hard to remember, and writing them down is obviously counterproductive. Password managers were developed to generate and store complex passwords for you, so that you only need to remember a master password (which should still follow our previous recommendations).

While many companies offer such services, NGOs interested in Internet security for activists usually recommend the following:

  • KeePass (for Windows) is free and open source. It is also installed by default on computers at the Graduate Institute. It stores your passwords offline, on your own device. You can synchronise the encrypted password database through cloud storage.
    • KeePassXC is a fork of KeePass which can also be installed on Linux and OSX.
  • Bitwarden is a freemium password manager. It is open source, but some of its options are locked behind a subscription. Storing your passwords online should still cause concern. See encryption information.
  • 1Password is a paid online password manager. A basic single-device account is free, but subscription models offer you additional options. Storing your passwords online should still cause concern. Learn about their security model.

Other online password managers exist, but their track record is not up to par with those listed above. LastPass, for example, was breached in 2022 with devastating effect, after numerous security specialists had alerted the company to vulnerabilities that it did not fix correctly.

Firefox's integrated password management tool (formerly Lockwise) is an interesting option, but it requires adding a master password to be safe.

Things You Should Know

Are password managers safe?

Technically, if someone gets your master password or your password manager of choice gets hacked, all your accounts will be exposed. This makes password managers a single point of failure and an obvious target for hackers. On the other hand, if your primary e-mail password gets exposed, all your other accounts are also at the mercy of a simple "forgotten password" procedure, so you already have a kind of vulnerable master password.

Make your master password complex, but easy to type and to remember

You will be typing this password a lot. Your future self will thank you for keeping it simple, especially if you use it on devices that do not have a standard keyboard such as a phone or tablet.