The lead: Do you really need a password manager?

Plus: Google’s new storage plans, Alexa eavesdropping fears, and a better way to use iTunes

Welcome to the second of three free Advisorator newsletters. Become a paid subscriber today to keep receiving Advisorator after the trial period and lock in a permanent 20 percent discount. Your credit card won't be charged until June 25, and you can still cancel before then at no cost.

You know the old saying: The only certainties in life are death, taxes, and having to change your password on a website that got hacked.

Even major web services like Yahoo and LinkedIn aren't immune to security lapses, and whenever they happen, you’ll find countless articles imploring you to install a password manager such as LastPass, Dashlane, or 1Password. By using these programs, you can give every site its own complex password and avoid bad habits like applying the same password across multiple sites.

If you’re like me, you’ve probably ignored this advice for years. Who wants to learn a new way to sign into websites, especially when it involves trusting a random company with sensitive information? Your own memory might be imperfect, but at least you know how it works.

A few weeks ago, inspired by a question from a reader and Twitter's recent password leak, I decided to take the plunge with LastPass. What I’ve learned is that password managers can be useful, but they’re not as essential as they’re sometimes made out to be.

How password managers work: Password managers can run as an extension within your web browser or as a standalone application, in both cases storing all your passwords behind a master password that you create. (This should be strong but memorable, and also kept somewhere safe on paper). Once installed, the manager will recognize when you're logging into a website and offer to save your credentials. Then, it can automatically enter those credentials the next time you log in.

What’s the point? Password managers are partly about convenience, providing a secure place to look up all the passwords you’ve stored. But over time, the idea is that you’ll create more secure passwords that are different for each site. Most password managers can generate random codes for you, and some (including LastPass and Dashlane) can even change passwords automatically on your behalf at some popular websites .

Are they safe? Security experts have occasionally found vulnerabilities in password managers, and a few years ago LastPass suffered a security breach in which it prompted users to change their master passwords. Still, experts generally agree that password managers are safe, and promote better habits than remembering passwords on your own.

What are the downsides? Using a password manager isn’t always so convenient, especially on mobile devices. While you can install a password manager app on your phone or tablet, you won't get the same automatic login capabilities as your web browser unless the app you're signing into supports it. That means you'll have to copy and paste (or drag and drop) your credentials into the app manually. Game consoles and streaming boxes can be an even bigger hassle because they don't support password managers at all. If you've created a complex password for a service like Netflix, for instance, and want to log in on a Roku, you'll have to look the password up on your phone or computer, then type it in by hand.

What are the alternatives? Most web browsers can store passwords for you without a third-party manager, and so can mobile operating systems such as Android and iOS, but these won't help you create complex passwords or retrieve them on other devices such as game consoles. A better alternative is to generate fewer passwords in the first place. Many sites, for instance, offer a "sign in with" option that works with your Google, Facebook, or Twitter account. Those accounts then act as a master key that you can lock down with two-step authentication, which requires an extra code or prompt sent to your phone. This way, you get an extra-secure master account and fewer passwords to remember.

Ultimately, any approach you choose involves trade-offs between security and convenience. Using the same easy-to-remember password across every website is convenient, but drastically increases the risk of password theft. Two-step authentication is a pain, but is practically guaranteed to keep your accounts safe. Password managers provide a middle ground of sorts, putting less demand on your memory without sacrificing strong, original passwords. It's especially useful for protecting sensitive accounts that don't offer two-step authentication on their own. Check out Wirecutter's recommendations and PCMag's feature chart to get started.

Tip of the moment

This week, I broke with years of tradition and installed iTunes on my Windows PC. That's because Apple now offers iTunes through the Microsoft Store on Windows 10, and as How To Geek points out, it's far less bloated than the freestanding version. There's no Apple Software Update utility to nag you, and no Bonjour or other background services to slow down boot times, but the program is otherwise the same.

Although most iTunes functions are now available directly on iPhones and iPads, it's nice to have a local device backup that doesn't depend on pricey iCloud storage. That's about all I intend to use iTunes for now that it's installed on my PC in an unintrusive way.

All caught up

Alexa listening in? Last week, a local news station in Portland, Ore., reported that a family's Amazon Echo had recorded their private conversation and sent the audio to someone on their contact list. Apparently, the Echo had misheard the "Alexa" wake word, then interpreted the subsequent conversation as a request to send a message to a co-worker. The family members didn't realize what had happened until their contact implored them to unplug all their Alexa devices.

The tech press quickly cast the incident as an "eavesdropping" scandal--a cautionary tale about the nature of smart speakers, and perhaps even vindication for people who've been too spooked to use them. But rather than exposing some inherent flaw with smart speakers in general, this incident just highlights some of the poor choices Amazon made in bringing messaging features to Alexa. At every step in the process, Amazon failed to implement safeguards that would prevent against recording and sending private conversations.

False wake word detection, for instance, continues to be a major problem for Alexa. It may be that the word "Alexa" sounds too similar to other phrases, or that Amazon's recognition algorithms are too forgiving, but I know from experience that my Echoes are often lighting up when they shouldn't.

Amazon also doesn't take enough precautions to avoid sending unwanted messages. While Alexa will confirm the contact name when you ask to send a message, it does not read back the text before sending, and it inexplicably sends an audio recording along with the text whether you want it to or not. To make matters worse, the only way to disable messaging after activating the feature is to call a customer service number.

Over at Wired, Lily Hay Newman (no relation) called the ordeal the equivalent of a butt-dial. Those incidents, however embarrassing, did not result in people declaring that their phones were dangerous mass surveillance devices. Instead, butt-dials have become far less common as smartphones have ditched physical call buttons and added more security to the unlocking process. Now it's on Amazon to figure out the equivalent for smart speakers.

Google's grand storage plans: If you pay for cloud storage from Google, those plans will soon get more appealing. For $10 per month, you'll get 2 TB of storage instead of the current 1 TB, and a new $3 per month plan will offer 200 GB. (A 100 GB plan will remain available for $2 per month.) Users will also be able to share their storage with up to five other family members. The new plans put Google on even footing with Apple, which offers 200 GB and 2 TB iCloud storage plans for the same prices.

The plans are also part of something bigger, though the details are a bit hazy. Anyone who pays for storage will become part of "Google One," which will offer round-the-clock tech support on Google products and possibly other perks, such as discounts on other Google services, TechCrunch reports. Google says it's rolling out these plans "over the coming months," starting with users in the United States.

In the meantime, I'm still using Microsoft's OneDrive for cloud storage, mainly because it's cheap as part of an Office 365 subscription. The $70 per year individual plan includes 1 TB of storage and access to Office on a single computer, and you can regularly find one-year subscription cards on eBay for much less. (Here's one for $37.)

Around the web

• Relevant to this week's top story: A plug-in to see if your passwords have been stolen.
• PCMag wants to help cure your smartphone and social media addiction.
• Lifehacker has some tips for getting better Spotify and Apple Music recommendations.
• Comcast's routers leaked customers' Wi-Fi passwords. Another reason to buy your own.
• Neat tip for the new Gmail: Type @ in the body to add a contact.
• Over at Fast Company, I wrote about using Alexa as an office assistant.

Spend wisely

If you'd like to join me in falling down the rabbit hole of mechanical keyboards, Amazon has a 20% discount Qisan's MagicForce keyboards with Gateron Brown switches, which offer strong tactile feedback without much noise. I'm typing on a MagicForce keyboard now (albeit with much noisier Cherry MX Blue switches), and it's a well-built keyboard with backlighting, an aluminum frame, and "floating" key caps that make cleaning easier.

Let's make it official

I hope you're enjoying Advisorator as much as I enjoy putting it together. The next issue will arrive on June 11. To keep receiving these newsletters after that, you'll need to become a paid subscriber. Sign up anytime during the trial run--or, preferably right now--and lock in a permanent 20 percent discount for as long as your subscription stays active. Thanks for your support!

Catch you in a couple weeks,

Jared