Are you using the right Android password manager? Use approved ones

Here's why you should choose a password manager for your Android phone that supports Autofill

Password managers have become essential tools that we can’t live without because so many online services require one our brains cannot cope. Which one should you use on your Android phone?

It is easy to lose track of passwords and people cannot remember more than half a dozen, and that is only when they are very simple ones. However, simple passwords are easy to guess or crack and we are encouraged to make them as complex as possible, like tGfd!H4#8ahG.

I honestly struggle to remember a single complex password like this.

This means a password manager, an app to store all your login details for websites and online services, is essential. They are not optional anymore and you must have one or use the same password for everything to cut down on the number. That is a bad idea from a security viewpoint because if that password gets out, hackers have access to everything you do online.

The most secure way to use online services is to have a unique and complex password for each service, then if one is hacked, only that one service is affected and all your other online accounts are safe.

The problem with password managers is that in the past they have often not worked well on mobile devices. There are many password managers for desktop computers and numerous browser extensions. Visit a website and if you are required to enter a password, your password manager automatically fills in the details so you don’t have to.

Does that happen on your phone? At one time it didn’t. You would have to use a very awkward method when logging into sites and services using the phone’s browser.

You would have to switch to the password manager app, find the site or service, copy the username or email, switch to the browser, paste in the username/email, switch back to the password manager, copy the password, switch back to the browser and paste it in. Then you could log in. What a palaver!

Related: 12 dangers you should watch out for when using the internet

Android Oreo Autofill

Password managers have received a helping hand from Google in Android 8 and if you are lucky enough to have this on your phone, it now supports password managers and lets them provide usernames, passwords and other information when logging into apps, services and websites. It should work as easily and cleanly on your Android phone as it does on PCs and Macs.

This is because there is now an Autofill service in Android Oreo specifically designed to help password managers. It provides these apps with only the information they need in order to fill in form fields, such as website login details, and other information is kept private.

This is great news, both for password managers and for users and it is simpler and more secure. However, only those password managers that Google approves are able to use the Autofill service and they must meet Google’s security and function requirements.

We trust password managers with our passwords, credit cards, bank details and website logins and cross our fingers and hope for the best. However, we don’t actually have any way of measuring or testing the security of the password manager service, so is it really as secure as the provider promises?

Having Google approve password managers is no guarantee of perfect security of course, but if one is approved and can be used in Oreo, it means at least someone has looked at it, probably more closely than you or I could, and found the security to be pretty good.

These password managers are currently approved and more will be added over time.

  • 1Password
  • Keeper
  • Dashlane
  • LastPass

Beware of non-approved password managers. They may be OK but they may not be and if a password app has not been approved you have to wonder why. The Autofill service might help to weed out bad apps that are not up to standard.

Enable autofill in Android

If you have up-to-date Android 8 (Oreo) on your phone, go to Settings and use the search function to find ‘autofill’. There should be a Google Autofill service in the Languages and input section.

Press it and you can choose the service to use for passwords.

Android Oreo Autofill service
Source: Google blog

You may find that apps only show up after they have been installed, so how can you tell before downloading and installing a password manager? Look for support for Autofill in the password manager description in Google Play Store.

What about older versions of Android?

The Autofill service is only in Android 8, but some password managers are able to fill login details in Chrome on Android 7 and possibly earlier.

If you use Chrome on a PC or Mac and let the browser store your passwords, they are synced with Chrome on your Android phone and automatically used when logging into sites and services.

In Chrome on your desktop computer or laptop, go to Settings and click Advanced at the bottom. Click Manage passwords and turn it on. Also turn on Auto Sign-in so it automatically enters login details. As you browse the web on your computer, let Chrome store the passwords and then they can be used on your Android phone.

Enable Chrome passwords feature in settings

LastPass password manager adds an accessibility service which enables it to interact with web pages in Chrome and fill in login details. Apparently it is not what the accessibility service feature was intended for, but it is a workaround to enable password managers to fill in forms on web pages.

LastPass enters login details for websites in Chrome on Android

When you visit a web page with a login form, a pop-up message says Autofill with Lastpass and tapping it inserts your login details.

Other password managers may also use this trick to fill in forms. However, from Android 8 on there is no need and you should look for password apps that support Autofill.

Another way to improve security on your phone is by adding a VPN. See Two VPN services for Android to secure your phone connection.

 

Be the first to comment

Leave a Reply

Your email address will not be published.