Planner (0)
Password Managers
- English
Learning Objectives
Learners will:
Understand that a master password is used to open a password manager vault.
- Be able to give examples of when one can use a password manager (to remember passwords, notes, and even randomly-generated answers to security questions).
- Understand the difference between a stand-alone and a browser-based password manager.
- If there’s time: Have hands-on experience installing a standalone password manager.
Prerequisites
- Learners should understand how to choose a good master password.
Lesson Content
Warmup
Asking, “How many of you here have ever reused a password on more than one account?” is a good way to engage the audience and allows you to get a good gauge of technical proficiency. You can follow up with a variant of that question that highlights another way in which passwords can be reused: “How many of you have used minor variations on the same password between accounts?”
Follow these questions with something along the lines of, “That’s okay. With the number of sites we are forced to log into, it’s only natural we would want a simple way to remember them all. But reusing the same password on different websites is the number one cause of account compromise. Password managers can help!” This dialogue makes your audience feel like they haven’t been playing the fool all this time, and that they have the opportunity to improve their practices.
Knowledge Share
Different password managers will have different time commitments and characteristics. The two basic types of password managers are:
Standalone password managers: These often exist as separate files on your device and require you to copy-paste login information from the password manager to a given log-in screen. While this makes it harder to reliably sync across devices, standalone password managers can be good for users who would like to keep their passwords on a separate, offline device like a thumb drive. This can especially apply for people who use shared devices.
Browser-based password managers: You access them via a website, and can download them as a browser extension for your computer and an app for your phone. They are able to sync across devices. Most importantly, browser-based password managers are very good for defeating phishing attempts. While it can be hard for a human to differentiate a bogus sign-in page from a legitimate one based on visual cues, a password manager uses technical cues to tell them apart. If a browser-based password manager does not recognize a login page, that can be a sign to the user that something is off.
Some password manager companies offer both standalone and browser-based password managers, like KeePassXC and 1Password. EFF currently recommends KeePassXC, which is a standalone password manager that offers a browser extension as well. Depending on their threat models, participants may choose to use a different password manager, such as 1Password, LastPass, or Dashlane.
Activity
Learners who have an understanding of why they might need a password manager should be guided through the process of installing a standalone password manager. Refer to the steps in How To: Use KeePassXC and stop when you get to the “How to install the browser extension” section. Intermediate users will learn how to install the KeePassXC browser extension.
If you don’t have time to do hands-on training for this tool, consider using a visual aid to drive home the key concepts, such as our imaginary password manager.