More than 8 characters and at least one symbol

"What password manager should I use?" is a question dozens have tried to answer. Should you just heed the praises of your favourite tech YouTuber? Never mind having your data leaked, over, and over, and over, and over again.

[Image: One of many LastPass ad spots on Linus Tech Tips]

Trust

That's the biggest thing that matters in choosing a password manager. No matter what you go for, you must trust someone at some point down the line.

With password managers like LastPass, 1Password, and Dashlane (non-exhaustive), your data is supposedly stored in a proprietary vault encrypted with fancy-sounding things such as AES-256 and PBKDF2 key stretching. Those are the right primitives, but you have to trust that these companies wired them together exactly as they say, and trust the auditing firms to have done a thorough job of checking.

On the other end of the spectrum, you've got open-source alternatives you can host yourself, such as KeePass (a local vault file that you sync however you like) and Bitwarden (whose server you can run on your own machine). With the ability to self-host, you are no longer at the mercy of the rather talented security teams running the online password managers. Your data is yours to secure, your way.

Personally, I don't trust online password managers much. But I trust myself even less to keep my shit secured.

Multi-factor Authentication

It goes without saying that multi-factor authentication (MFA) is a must when it comes to securing your most precious Habbo Hotel passwords. But exactly what factors should you use?

Something you know

This is the basic one; most password managers refer to this as your "Master Password". Memorise this, never write it down, and for god's sake keep it to yourself. It is the strongest factor in one sense: there is simply no way for an attacker to read what's inside the mushy thing in your head. That only holds if the password is long, used for nothing else, and never typed into a phishing page, because a guessed, reused, or phished password is no longer something only you know. Unless your attacker is world-famous mentalist Derren Brown or the CIA, in which case you should probably familiarise yourself with the terms "Guantanamo" and "waterboarding".

Something you have

For most people, the attackers are remote: bots, credential-stuffing scripts, or online stalkers from smelly Denmark. By requiring you to present something physical to your device, you've put a stop to most remote attacks outright.

Most online services offer SMS-based 2FA. This counts as "something you have" only loosely: you "have" the SIM card that receives the SMS, but an attacker who convinces your carrier to swap the SIM, or who intercepts the message in transit, receives it instead. Given the choice, you should opt for a time-based one-time password (TOTP, the OATH standard in RFC 6238) through an app such as Google Authenticator or Authy. Bear in mind that a TOTP code can still be phished and relayed within its 30-second window, so for the best peace of mind you should use a physical security token whenever possible.

Many suppliers of security tokens are available, but by far the most common is the Yubico YubiKey. These FIDO2 keys work with any computer via the USB port and with most phones via NFC or, optionally, USB-C/Lightning (NFC being the more convenient of the two).

Look for a password manager with support for U2F/FIDO2/WebAuthn (they've really got to get the names ironed out). These are common open standards that security tokens use to talk to apps and browsers cross-platform, and because the token's signature is bound to the site's origin, a phishing page on a look-alike domain cannot replay it. LastPass is notorious for only supporting the proprietary Yubico OTP scheme and should be avoided (I mean, if the half dozen security breaches haven't already convinced you).

Something you are

In other words, biometric authentication. Just like in the movies, a retinal scan is an example of something you are. Fingerprints are not perfectly unique and sensors match them within a tolerance rather than exactly, but the important idea is that your attacker is unlikely to possess an identical set of fingerprints to yours.

The requirement for a unique individual to be physically present is a strong factor of authentication. However, in a number of jurisdictions the police or the courts can compel you to press your finger or show your face to unlock a device, whereas a memorised password is much harder to compel (not good).

In my opinion, just buy a security token and destroy it in a BlendTec® blender in the off-chance that you'd prefer your collection of Martha Stewart recipes kept away from the government.

If you're still entranced by how cool it would be to have a fingerprint reader, look for the FIDO2 Yubico YubiKey Bio series.

Implementation

This is where it gets slightly tricky. Some password managers only use MFA as a gate in front of their user interface or sync service. This is not what you want. Ideally, every authentication factor should feed into the key material that encrypts your password vault, so that MFA still protects you after a copy of the encrypted vault has leaked.

For example, according to section 1.4 of their whitepaper, Dashlane generates a new symmetric key from both the Master Password and a "User Secondary Key". The "User Secondary Key" is only provided to the client after a successful MFA authentication, so without it the vault cannot be decrypted. Good!

On the contrary, LastPass (yes, them again) simply uses MFA to protect access to the web UI. If an attacker already has a copy of your vault and your Master Password, they are able to decrypt the vault without ever passing MFA. You can confirm this behaviour by reading their source code.
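The difference between the two designs above is easiest to see by building both. The following is an added example written for this article, not the code of Dashlane, LastPass, or any other product: model A derives the vault key from the master password alone and leaves MFA as a UI gate, while model B mixes a server-held secondary key into the vault key and only hands that key out after MFA. The authenticated-encryption routine is an HMAC-SHA256 keystream with encrypt-then-MAC, standing in for AES-GCM because the Python standard library has no AES; the hypothetical `offline_attack` function plays the attacker who has the encrypted vault and the master password but never passed MFA.

```python
import hashlib
import hmac
import os
import secrets

# Kept low so the demo runs quickly; production PBKDF2-HMAC-SHA256 should use far more (OWASP: 600,000).
PBKDF2_ITERATIONS = 200_000

def derive_vault_key(master_password: str, salt: bytes, secondary_key: bytes = b"") -> bytes:
    """Stretch the master password with PBKDF2; if a secondary key is present, fold it in
    with HMAC so the vault key depends on both factors (illustrative construction)."""
    mp_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    if not secondary_key:
        return mp_key
    return hmac.new(mp_key, b"vault-key" + secondary_key, hashlib.sha256).digest()

def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def make_ui_gated_vault(master: str, plaintext: bytes) -> dict:
    """Model A: MFA only gates the web UI; the vault key depends on the master password alone."""
    salt = os.urandom(16)
    return {"salt": salt, "blob": seal(derive_vault_key(master, salt), plaintext)}

def make_key_material_vault(master: str, plaintext: bytes) -> dict:
    """Model B: a random secondary key is mixed into the vault key. The server stores it
    and releases it to a client only after that client has passed MFA."""
    salt = os.urandom(16)
    secondary = secrets.token_bytes(32)
    return {"salt": salt, "secondary_key": secondary,
            "blob": seal(derive_vault_key(master, salt, secondary), plaintext)}

def offline_attack(master: str, vault: dict):
    """Hypothetical attacker: has the stolen blob and the master password, never passed MFA,
    so has no secondary key. Returns the plaintext on success, None on failure."""
    return open_sealed(derive_vault_key(master, vault["salt"]), vault["blob"])

def legitimate_open(master: str, vault: dict):
    """The real client: passed MFA, so it holds the secondary key if the model has one."""
    key = derive_vault_key(master, vault["salt"], vault.get("secondary_key", b""))
    return open_sealed(key, vault["blob"])

SAMPLE_VAULT = b"habbo hotel: hunter2\n"   # constructed demo content

if __name__ == "__main__":
    a = make_ui_gated_vault("correct horse battery staple", SAMPLE_VAULT)
    b = make_key_material_vault("correct horse battery staple", SAMPLE_VAULT)
    print("model A, vault + master password, no MFA:", offline_attack("correct horse battery staple", a))
    print("model B, vault + master password, no MFA:", offline_attack("correct horse battery staple", b))
```

In model B the attacker's position is no better than brute-forcing a 256-bit key, which is the whole point: the second factor has become part of the secret, not a checkbox the server ticks before showing you a web page. The trade-off is that losing every MFA device now means losing the secondary key, so a key-material design needs a recovery path that is itself protected.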


By now you would've noticed that I haven't recommended any specific password manager. This is intentional as I believe that there is no "correct" answer. My goal with this article is to help you make a more informed decision on your own, based on your own beliefs and goals. Good luck picking your poison.