Are Password Managers Safe to Use?
Note from hackerunder.dev:
This post was copied from https://www.passwordmanager.com/are-password-managers-safe-to-use/ with permission to display on this site.
Managing all of your passwords for different accounts can be surprisingly complicated. You need to be able to create, store, and access strong passwords for all of your accounts on every device you use.
Furthermore, each password needs to be unique, making it nearly impossible to remember every one of them on your own. More and more people are now using password managers to make it easier to keep track of passwords without putting their personal accounts at risk.
How Do Password Managers Work?
Every application is different, but password managers generally work in similar ways. They make it easy for users to save their passwords in a private vault. While some password managers support offline storage, most platforms keep information saved in the cloud so that users can access it seamlessly on different devices.
Password managers usually rely on a master password that secures all of the passwords for different accounts. As long as you remember your master password, you’ll be able to log in on any device and use passwords as needed.
Some password managers also offer additional features, such as cloud storage and the ability to save text and other kinds of files. You may also be able to securely share passwords with other users without having to send the password through an unsecured channel like email or SMS.
What Are the Features of Password Managers that Keep You Safe?
If you aren’t using a dedicated password manager, you might have your passwords saved somewhere else. For example, many people keep their passwords stored on a local device, in a cloud-based account (such as iCloud), or in their web browser.
With that in mind, you may be hesitant to store your information somewhere else. After all, putting your passwords in a new location could give hackers even more opportunities to crack them and gain unauthorized access to your accounts.
However, the truth is that a reliable password manager is one of the best places to store passwords, credit card numbers, and other personal information. Let’s take a look at some of the key security features of the top password managers available.
Encryption for Important Data
Keeping your passwords safe starts with encryption. Encryption is the process of encoding sensitive data so that it can’t be accessed by anyone other than the rightful owner. Today, most password managers rely on industry-standard AES 256-bit encryption.
In fact, secure password managers generally can’t access your passwords at all. Zero-knowledge security policies are used to reduce the risk that someone will gain unauthorized access to your account.
If your password manager could see your passwords, that would be one more point hackers could attack to pull your information. Combined with zero-knowledge policies, AES 256-bit encryption makes your passwords extremely secure — even against sophisticated techniques.
Offline Storage for Added Security
Encryption is the best way to keep sensitive information secured when it’s being transmitted over the internet. Still, it’s even more effective to simply avoid putting that data online in the first place.
Some password managers are limited to cloud storage. While that kind of storage offers a decent level of security, offline storage is a solid alternative for those who want to minimize their potential weaknesses.
NordPass, for example, provides an offline mode that gives users access to all the contents of their vault. The main drawback of offline storage is that it prevents you from keeping data in sync across devices. You will need to use cloud storage if you want to sync passwords between different devices.
Two-Factor Authentication
Two-factor authentication (2FA) is another critical security feature that’s available with most modern password managers. After enabling 2FA, you’ll have to authorize logins in order to allow access. This typically goes through an authenticator app, which uses push notifications to authenticate new access attempts.
The name “two-factor authentication” comes from the fact that this extra authorization step acts as a second “factor” for login. The first factor is generally the password itself. Instead of being secured by just one thing, 2FA ensures that accounts are protected by a second element or factor.
Without 2FA, someone could access one of your accounts as long as they have the username/email address and password. Since most platforms don’t offer any kind of login monitoring, there won’t even be a way to tell that a hacker is using the account.
On the other hand, 2FA allows you to block unauthorized access, even when the person has already compromised your login credentials. If you ever get an unexpected authentication request, make sure to change the password for the corresponding account as soon as possible.
Secure Password Sharing
Sharing passwords with other users gives hackers another way to get into your accounts. When you send a password or other sensitive data through a channel like SMS or email, you’re making it easier for people to access that information.
Password managers mitigate this risk by giving users a safer way to share their passwords. Instead of sending the password through plain text, you’ll be able to share it in a secure form. Password managers generally encrypt shared passwords so that they aren’t vulnerable in transit.
Additionally, password managers come with extra sharing features and settings that aren’t available with most other sharing methods. For example, you might be able to set a sharing expiration date, limit the number of access attempts, or even require a passcode before the recipient can use the password. Keep in mind that these features will depend on the specific password manager you use.
Password Generators and Analyzers
Along with storing your existing passwords, most password managers offer a tool to produce new passwords. You may be able to set specific parameters so that the generated passwords work with the requirements of each website. Some generators are also capable of generating unique passphrases along with conventional passwords.
Your password manager should also come with a password analyzer that can tell you if your passwords are too weak. After signing up for a new password manager, one of your first steps should be to evaluate your existing passwords and identify the ones you need to update.
What Are the Features of Each Type of Password Manager?
Browser Password Managers
Browser-based password managers may seem the most convenient option since they’re free to use and don’t require any additional software. However, they also come with a few key drawbacks with respect to both security and overall functionality.
The most obvious disadvantage of browser password managers is that they’re locked to that particular browser. You will be able to migrate passwords as needed, but there’s no way to keep them automatically synced from one browser to another. Browser password managers may also have trouble capturing or filling passwords in some apps.
Finally, browser-based platforms are usually missing features like password generation, password health analysis, dark web monitoring, and two-factor authentication. These are critical cybersecurity tools in 2023, so it’s a good idea to consider upgrading if you’re still using a browser password manager.
Cloud Password Managers
Most people need to use their passwords on more than just one device, so cloud-based services are the default when it comes to dedicated password managers. With these applications, you’ll be able to store your passwords in the cloud and sync them across each of your devices.
Cloud password managers typically come with the features that are missing in browser-based services, including easier access when using new devices, apps, or browsers. The main issue for security-conscious users is that information is stored online, leaving you with no control over its security. Password managers are trustworthy in general, but that doesn’t mean that they’re invulnerable to hacking.
Offline Password Managers
Finally, some password managers give you the option to store your passwords entirely offline instead of syncing them in the cloud. With offline storage, you won’t be able to keep track of passwords between devices — information will only be available on that specific device.
This approach completely removes the risk of data being stolen in transit. At the same time, it puts you in charge of the way your information is stored. You will need to create your own backups to avoid the risk of losing your password in the event of unexpected damage, theft, or loss of your hard drive.
Is a Password Manager Enough to Keep Me Safe?
Password managers can be an effective way to store and share passwords and other information. At the same time, simply using a password manager isn’t enough to keep your accounts secure.
It’s important that you’re aware of a few major risks and what you can do to keep your accounts from being compromised.
Password Managers Should Include Dark Web Monitoring
Creating strong, unique passwords through a password manager will protect against some cybersecurity threats. For example, it will be much more difficult to compromise these strong passwords through a brute force attack.
Unfortunately, this isn’t the only strategy that hackers use. In fact, bad actors take advantage of a long list of tactics to crack passwords. Take a look at some of the most popular password cracking techniques for more information.
Data breaches are a critical security risk that many users aren’t aware of. Providers need to store certain information in order to tell when you enter the right password. If that information is exposed in a data breach, hackers could use it to recover your password.
The problem with data breaches is that a strong password won’t do much to prevent them. Data breaches can be especially problematic for people who use one password for multiple accounts. Once a hacker gets that password, they’ll be able to log into any website as long as the account is secured by the same password.
Fortunately, dark web monitoring is now available from many different password managers and other cybersecurity providers. This service will keep an eye on the dark web and let you know if any of your passwords are exposed. Quickly identifying the breach and changing your password is the best way to minimize the risk of hackers accessing your account.
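The two ideas above, that a zero-knowledge provider never holds the key to your vault and that it still has to store something to check your master password, are shown together in the following added example. It is illustrative code written for this article, not any product’s implementation; the iteration counts, the use of the email as salt and the two-step derivation are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration; real products choose their own.
CLIENT_ITERATIONS = 600_000  # slow on purpose: each guess at a leaked verifier costs this much
SERVER_ITERATIONS = 100_000
KEY_LEN = 32                 # 256-bit keys, matching the AES-256 vault key the article mentions


def derive_client_keys(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Client side: stretch the master password into two separate secrets.

    vault_key  encrypts the vault with AES-256 and never leaves the device.
    auth_key   is sent to the server instead of the password; it only proves
               you know the master password and cannot be reversed into vault_key.
    The lower-cased email is the salt, so two users with the same master
    password still end up with different keys.
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ITERATIONS, KEY_LEN
    )
    # One extra one-way step: auth_key is derived FROM vault_key, never the other way round.
    auth_key = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, KEY_LEN)
    return vault_key, auth_key


def server_enroll(auth_key: bytes) -> dict:
    """Server side: keep only a salted, slow hash of auth_key (the 'verifier').

    This record is all a data breach of the provider would expose."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_key, salt, SERVER_ITERATIONS, KEY_LEN)
    return {"salt": salt, "verifier": verifier}


def server_verify(record: dict, auth_key: bytes) -> bool:
    """Server side: recompute the verifier and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_key, record["salt"], SERVER_ITERATIONS, KEY_LEN)
    return hmac.compare_digest(candidate, record["verifier"])


def login(record: dict, master_password: str, email: str) -> bool:
    """Full round trip: only auth_key crosses the network; vault_key stays on the device."""
    _vault_key, auth_key = derive_client_keys(master_password, email)
    return server_verify(record, auth_key)


if __name__ == "__main__":
    # Constructed sample account for a quick stand-alone run.
    _, enrolled_auth_key = derive_client_keys("correct horse battery staple", "alice@example.com")
    stored = server_enroll(enrolled_auth_key)
    print("right password accepted:", login(stored, "correct horse battery staple", "alice@example.com"))
    print("wrong password accepted:", login(stored, "correct horse battery stable", "alice@example.com"))
```

Because the stored record holds neither the master password nor the vault key, a breach of the provider leaves an attacker with nothing to decrypt and only the expensive option of guessing master passwords, which is why the length of that one password matters so much.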
Password Managers Should Protect You From Phishing Attempts
Instead of trying to guess, steal, or expose your password, phishers simply try to get you to send them the password yourself. Since your password manager can’t stop you from giving out your passwords, phishing is a unique tactic that sidesteps the protection you get from a secure password manager.
Most people assume that they’ll be able to spot phishing attempts when they pop up. Unfortunately, hackers have responded to growing technical literacy by developing sophisticated techniques that are increasingly difficult to identify. Even if you consider yourself technically savvy, you still need to be extremely careful to avoid falling victim to a phishing scam.
Phishing attempts commonly involve spoofed emails, SMS messages, or other communications that imitate the appearance of a legitimate website. For example, you might get a fake email from your “bank” asking you to log in and check your inbox. Instead of sending you to the bank’s website, the hacker could set up a fake button that leads to their own site.
To avoid falling victim to a phishing attempt, remember to enter URLs manually instead of clicking on links from emails or text messages. Hackers can create surprisingly realistic versions of popular sites, and you may not notice the difference between a legitimate and fake URL. If you need to log into one of your accounts, exit the email, type in the URL yourself, and check for the lock icon to make sure that your connection is secure.
Here’s another example from our security expert, Owen Dubiel:
“If a phishing attempt tries to get you to log in to CitisensBank.com, but your password manager has CitizensBank.com saved as the correct URL, then your credentials won’t autofill into the malicious URL. Keep in mind, users can still manually type in their creds to the phishing site, but at face value, password managers, if configured and used correctly, should limit users from logging into suspicious URLs.”
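The URL-matching behaviour described in the quote above, and the “type the URL yourself and check for the lock icon” advice before it, amount to an origin-matching policy. The following added example (written for this article, not taken from any password manager’s code) implements one such policy; the vault entries and the subdomain rule are constructed assumptions for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample vault: only the saved login URLs matter for matching.
VAULT = [
    {"name": "Citizens Bank", "url": "https://CitizensBank.com/login"},
    {"name": "Example Mail", "url": "https://mail.example.com"},
]


def canonical_origin(url: str) -> tuple[str, str]:
    """Return (scheme, host) in a comparable form.

    Hosts are lower-cased, a trailing dot is dropped, and non-ASCII (IDN) labels
    are converted to punycode, so a lookalike Unicode host can never compare
    equal to a saved ASCII host."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    host = host.encode("idna").decode("ascii").lower()
    return parts.scheme.lower(), host


def should_autofill(saved_url: str, page_url: str, allow_subdomains: bool = True) -> bool:
    """Decide whether a saved credential may be filled on the current page.

    Deliberately strict rules (an assumed policy, not a specific product's):
      1. never fill on a non-HTTPS page (the 'lock icon' check from the article);
      2. fill on an exact host match, so citisensbank.com never matches citizensbank.com;
      3. optionally fill on a true subdomain of the saved host (login.bank.example
         for bank.example), never on a host that merely contains it
         (bank.example.evil.example)."""
    _saved_scheme, saved_host = canonical_origin(saved_url)
    page_scheme, page_host = canonical_origin(page_url)
    if page_scheme != "https" or not saved_host or not page_host:
        return False
    if page_host == saved_host:
        return True
    return allow_subdomains and page_host.endswith("." + saved_host)


def candidate_logins(vault: list[dict], page_url: str) -> list[str]:
    """Names of the vault entries the manager would offer on this page.

    On a lookalike or non-HTTPS page the list is empty, which is the user's cue
    that something is wrong."""
    return [entry["name"] for entry in vault if should_autofill(entry["url"], page_url)]


if __name__ == "__main__":
    for page in ("https://citizensbank.com/login", "https://citisensbank.com/login"):
        print(page, "->", candidate_logins(VAULT, page))
```

Subdomain matching is convenient but only safe when the saved host is not a shared-hosting domain where unrelated parties control sibling subdomains; a manager that offers it should let the user turn it off per entry.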
Hackers may also target two-factor authentication codes in addition to login credentials. If two-factor authentication is enabled on your accounts, they will need you to authenticate their access attempt even after compromising your password. Remember that a reputable website or app will never ask you to send two-factor authentication codes through email or text.
Your Passwords Should Be Changed Regularly
The longer you keep using the same password, the more likely it becomes that someone will compromise it and find a way into your accounts. You should always change passwords immediately if they’re too weak or if they’re exposed in a data breach, but it’s also a good idea to consistently refresh your passwords even when nothing is wrong.
While there’s no hard and fast rule when it comes to changing passwords, we recommend doing so at least once every three months. You may want to change passwords even more often for bank accounts and other accounts that protect particularly sensitive information. Some password managers even offer built-in password changer tools that allow you to change your account passwords without going through the provider’s website.
This is actually a complicated question to answer, and there are differing viewpoints. Once again, we’ve asked Owen Dubiel, our security expert, to weigh in:
“Another tricky one. It all depends on what stance you want to take. From a compliance and industry best practice perspective, what NIST publishes is the truth, ‘You don’t need to change your password unless it is compromised.’ But if you take this stance, I would emphasize that your passwords need to be long and strong.
The second stance would be that of any precarious security professional who goes with the mindset of “Assume that you are breached,” and that your passwords are sitting out there somewhere, waiting to be used. This is where security professionals will recommend rotating passwords every 3-6 months as a precaution.
I honestly push people to use a password manager, make their stored passwords super long, and then rotate the password manager password every 3 months; so a hybrid approach.”
Common Password Mistakes to Avoid
Unfortunately, not everyone takes password and online security seriously, making them easy targets for identity theft and other hazards. Here are some common password mistakes that you should avoid:
- Using repetitive or obvious sequences like 123 or qwerty
- Using personal information such as the names of pets or children
- Using the same password on multiple websites or apps
- Only putting numbers and special characters at the end of passwords
- Thinking a password is secure simply because it meets the website requirements
- Writing passwords down in an unsafe location (physical or digital)
Final Thoughts: How Safe Are Password Managers?
A password manager won’t necessarily address all of your cybersecurity concerns. You need to do more than simply install a password manager to keep your information secure. Still, password managers are a key part of cybersecurity for most people who can’t remember their passwords on their own.
You should look for a password manager that meets your needs in terms of functionality, ease of use, and overall value. Our list of the best password managers in 2023 is a great place to start your search.
Password Manager FAQs
Does Cost Affect a Password Manager’s Performance?
While you can get a solid password manager for free, premium subscriptions naturally tend to come with more features and capabilities. Whether or not it’s worth paying a little extra for a more powerful application comes down to what you’re looking for in a password manager.
Bitwarden, for example, offers a surprisingly robust free option that comes with core password manager features and access on unlimited devices. Premium plans come with emergency access, priority support, file storage, and other extra features for just $10 per year, or less than $1 per month.
You might find that a more expensive service has more of the features you need. For example, Bitwarden comes with just 1 GB of storage. However, you shouldn’t spend more than a couple of dollars per month unless you need specific functions that aren’t available with cheaper password managers.
What if Your Password Manager Gets Hacked?
Password managers are generally secure, but you’ll obviously be in trouble if someone is able to gain access to your account. Since password managers put all of your login credentials in one place, your password manager account is more valuable to hackers than any of your other individual accounts.
Unfortunately, there isn’t much you can do as a user to stop your password manager from being breached by threat actors. If that ends up happening, your best course of action is to find a new password manager and change all of your existing passwords as soon as possible.
Notable Password Manager Hacks
The Zoho password manager was hacked in late 2021, leading to roughly 11,000 different servers being infected with malware. A contemporary report from Palo Alto Networks indicated that the hackers scanned over 300 organizations and hacked into at least nine different companies.
In 2019, an analyst from Google Project Zero announced a LastPass vulnerability that could give hackers access to recently used passwords through the Chrome or Opera browser extension. While no accounts were confirmed to have been compromised, LastPass members had been using the platform without being aware of the issue.
In 2017, another Google Project Zero analyst found that Keeper Password Manager was “allowing any website to steal any password.” Keeper responded by fixing the problem within 48 hours, but the analyst also mentioned that the issue had popped up in earlier versions of Keeper.
What Happens if You Forget a Master Password?
The master password is the most important element of your password manager account security, so it’s critical to come up with a strong, unique password that would be extremely difficult to guess. Of course, this also makes it easy to forget, especially since your master password won’t be stored as an entry within the password manager.
Different providers approach account recovery differently. If you have already set up emergency access in your account, you may be able to recover the account through emergency access. Organizational plans may also give the administrator the option to reset passwords without requiring the master password.
Certain providers also support email and other basic account recovery methods. However, many password managers follow zero-knowledge security policies, which makes account recovery more difficult than it is for other digital accounts: a provider that never had your master password cannot simply reset it and unlock your vault. You should read about each provider’s recovery policies before making a final decision.