We’ve recommended using password managers many times in past posts. (See here and here). But the usual worry still comes up: How safe and secure are they…really? I mean, if I’m putting all my proverbial eggs in one basket, what happens if that basket gets stolen? Well, you’ll be happy to hear that the vast majority of cybersecurity specialists believe password managers are still the most secure way to protect your passwords. Let me explain why the risk of any serious compromise is so low.
It’s all about encryption
While password managers protect your vault in several ways, it all starts with encryption. Reputable password managers encrypt the vault with the Advanced Encryption Standard (AES) using a 256-bit key, the same cipher governments approve for classified data, and brute-forcing a 256-bit key is not feasible with any foreseeable computing power. The key itself never comes from the vendor: it is derived on your device from your master password by a deliberately slow key-derivation function (PBKDF2 or Argon2 in current products), which makes every guess at the master password expensive. Under a zero-knowledge design, the top password managers encrypt everything before it leaves your device, so what lands on the vendor's servers is ciphertext that nobody, including the people who run those servers, can read without your master password. The practical consequence is that the whole scheme is only as strong as that one secret: a long, unique passphrase keeps a stolen vault unreadable, while a short or reused master password can be guessed offline by anyone who obtains a copy of the vault.
What happens if a password manager gets hacked?
Back in 2015 the password manager LastPass detected that someone had broken into its network. The attacker got away with account email addresses, password reminders, per-user salts and authentication hashes, but no encrypted vault data, and the vaults themselves remained encrypted and therefore useless to them. The realistic routes to a user's actual passwords would have been phishing the master password out of the user, or guessing a weak master password offline against the stolen hashes, which is why LastPass prompted users to change their master passwords. Fortunately, LastPass informed subscribers of the compromise promptly, limiting any further damage. And while other vulnerabilities have been found across various password managers over the years (usually by security researchers or "white hat" hackers), the vendors have generally fixed the flaws quickly and no widespread harm resulted.
What to look for in a password manager
Before selecting one, do your research. Know that there are three broad types: browser-based (the ones built into Chrome and Safari), cloud-based (LastPass is one example) and desktop-based, where the vault lives in a file on your own machine (KeePass is the classic example; 1Password and Dashlane began as desktop apps but now sync through the cloud by default). They all have their pros and cons. But since we're talking about security, the desktop-based option is generally considered the safest because the vault is stored only on your own device, it never sits on a vendor's server that could be targeted, and you don't need an internet connection to get at it. On the other hand, keeping it secure (and accessible) now falls entirely on your shoulders. If your device breaks down irreparably and you haven't backed up the vault file, all of your passwords are gone for good. The other negative is that, because nothing is in the cloud, your passwords are only available on that one device unless you arrange your own encrypted backup or sync.
Are free password managers safe to use?
It depends. Some free options have bugs and vulnerabilities, and a few have even been found to contain malware. Even the reputable ones often lack the extra features of their premium counterparts, such as biometric unlock, which means you will have to type your master password every time. Premium managers also offer routine monitoring of leaked-credential data (often marketed as dark web scanning) to tell you whether any of your accounts have turned up in a breach, and they can audit your vault for passwords that are weak, reused or old and should be replaced. That being said, with some research you can find free password managers that are both reputable and secure. According to a recent review from PCMag.com, the free tiers of LogMeOnce, Bitwarden and PassHub ranked at the top in their categories (abundance of features, open-source, and security-first, respectively).
Password managers are safe, and there are far more pros than cons to using them. They keep track of your passwords so you don't have to memorize them all or write them down. They encrypt them so they are useless to a hacker. Premium versions proactively look out for you: they watch breach data for your personal information and point out older, weaker or reused passwords that need changing. Still, keep in mind that a password manager alone cannot completely protect your most valuable information. Choose a long, unique master password and turn on two-factor authentication for the manager account itself. Use a reliable antivirus to prevent malware from infecting your device. Keep all software up to date. And finally, remember that humans are the weakest link when it comes to security. Always be on the lookout for signs of phishing so that you don't end up being the reason your passwords are compromised.