How to Safely Use Password Managers – Even If They Get Hacked

We’ve all heard it: Passwords should be long, complex, and unique. Long passwords exponentially increase the time it takes for attackers to crack them. Complex passwords—those using a mix of uppercase, lowercase, numbers, and symbols—make brute-force attacks even harder. Uniqueness ensures that if one site gets hacked, your credentials won’t work elsewhere.

But let’s face it: remembering dozens (or hundreds) of long, complex, unique passwords is impossible. Worse yet, you need to change these passwords periodically, making it even more difficult to manage all this.

What should you do?

The solution is a password manager.

A password manager is a tool that stores all your passwords in an encrypted vault. You only need to remember one strong master password to access the rest. It’s a game changer, simplifying your digital life while maintaining security.

However, there’s a valid concern: What happens if the password manager itself gets hacked? Security research—including our own—has shown that password managers can be compromised. If attackers pop the vault, they could gain access to the treasure trove of passwords saved in there.

Thankfully, there’s a way to use password managers that mitigates this risk: a technique that I refer to as The Manfred Modifier, named after the famed game hacker Manfred[1] who personally taught me this technique. (I don’t know if Manfred invented this technique, but he’s a badass, and that name sounds cool, so I’m going to run with it).

To illustrate, visualize a pen with a removable cap. The password manager stores the pen (most of the password), but the cap (a small, memorable addition) is something only you know. The complete password requires both pen and cap, but you only store the pen (without the cap) in the password manager. If the password manager gets hacked, all the attacker gets is the pen – but without the cap, the stored password is useless to hackers. 

If the password manager gets popped, all the attacker gets is an incomplete subset of the password. They can’t use it to log into your accounts.

Let me restate that because it’s important and awesome: even if the password manager gets hacked, the attacker doesn’t get your passwords.

It takes a little bit of habit change to implement this method, but once you do, it’s easy and effective. Here’s how to set it up and use it.

Quick Glossary:

• Base password: the long, complex, unique subset that you store in the password manager.
• Modifier: the short bit that you add to the base password. You remember this.
• Complete password: the base password plus the modifier. This is what you enter into sites and apps to login.
• Master password: none of the above, this logs you into the password manager. It is the only password you need to remember. 

Step 1: Set Up Your Password Manager

1. Choose a password manager. Download and install a reputable password manager. Trusted tech resources like Wired or CNET can give you recommendations for whatever is currently the best.
2. Create a strong master password. This is the one password you need to remember. Use a long, complex phrase that’s unique and easy for you to recall.
3. Set up your account. Follow the password manager’s instructions to create your encrypted vault.

Step 2: Create Passwords Using the Modifier Technique

When signing up for a new account:

1. Generate a long, complex base password. Use the password manager’s built-in generator to create a password with uppercase letters, lowercase letters, numbers, and special characters.
2. Add your modifier. Choose a short, memorable modifier (e.g., “abc”) and append it to the generated password. For example, if the password manager generates T9m$#P@Qw&hiUUt^r, your complete password will be T9m$#P@Qw&hiUUt^rabc.
3. Save only the base password. Store the generated password (T9m$#P@Qw&hiUUt^r) in the password manager. Do not include the modifier.
4. Use the complete password to register. When creating your account, use the full password (T9m$#P@Qw&hiUUt^rabc).

That might sound a tad confusing, so let’s visualize it:

Step 3: Log In to Accounts

When logging in:

1. Retrieve the base password. Use the password manager’s autofill or copy-paste feature to populate the login field with the base password (e.g., T9m$#P@Qw&hiUUt^r).
2. Add your modifier. Manually append the modifier (e.g., abc) to complete the password.
3. Submit the login. Enter the complete password (T9m$#P@Qw&hiUUt^rabc) and proceed as usual.

In Conclusion

To summarize what this method gets you and why it matters: the stored passwords in your password manager are incomplete – if it gets hacked, the attackers don’t get any complete passwords. They cannot log into your accounts stored in there.

Password managers enable you to use better passwords, while also making it easier for you in the process. Win-win.

To summarize, you should use:

• long, complex, unique passwords
• a password manager
• The Manfred Modifier technique in order to avoid compromise if the password manager gets hacked.

Remember: no system is “unhackable” and even this method doesn’t guarantee 100% security. Theoretically, someone could pop a password manager, somehow deduce that you’re using this modifier technique, somehow crack your memorized modifier, and then access your credentials. But that’s a remarkably high barrier, and one you can be comfortable accepting. By adopting this method, you put yourself considerably ahead of the standard user, and because the standard user is going to be an easier target, attackers are more likely to ignore you and focus on them.

This method may seem hard at first, simply because it requires habit change; you need to create passwords differently, use a tool you may not be used to, and alter the way you login. I’ll be the first to admit that it’s a lot of change to ask. However, each of these is easy. Better yet, once you implement this change, your life will be easier and more secure:

• No more remembering passwords (besides the master password and the modifier)
• No more using weak passwords
• No more re-using passwords across different sites

Take a few minutes today to implement this simple approach. It’s an easy way to safeguard your digital life while also delivering massive convenience.

~~

Ted Harrington is the #1 bestselling author of Hackable, the Executive Partner at ISE, and co-founder of both Start VRM and IoT Village. Learn more at https://ise.io

[1] https://www.kaspersky.com/blog/secure-futures-magazine/video-series/notorious-game-hacker-manfred/46197/