Saturday, 5 January 2019

What Is a Password Manager? Good or Bad? Account Hacked??

Password managers provide a simple way to store, manage and retrieve passwords for online accounts. While that sounds appealing, there’s one question left to answer before you entrust your online security to an app: Are password managers safe?


Password managers also give users a way to automatically create new, long, complex passwords that follow all the crazy rules sites make for us: things like including upper- and lowercase letters, numbers, symbols, and a given number of characters.

One thing you do have to keep in mind is that with a password manager you’re keeping all of your eggs in one basket. If you store all of your passwords in it and it is compromised, then all of your passwords are compromised as a result.

Personally, I choose to memorize all of my important passwords. I never use the remember password feature on my browser, so always having to type it helps me remember it. For sites/accounts that I don’t care about, I just choose simple passwords that are easy to remember. My method of remembering important passwords isn’t foolproof though.

I won’t attempt to speak for other password managers, but with 1Password, you control your data. We have no ability to acquire your secrets. That not only protects you from us, but it protects you from anyone who compromises us.

Risks of not using a password manager:

You reuse passwords across many sites and services. (This really is dangerous.)

You use weak passwords for some important sites and services. (This is less of a risk unless it’s combined with password reuse, in which case it is catastrophic.)

You can fall victim to phishing attacks because you can be tricked into entering your username and password into something other than the actual site you think it is for.

You use some “system” for creating or remembering your passwords that allows someone who has discovered one or two of them to have a good guess at what the others are. (This is like the “reuse” case but here the passwords are related to each other instead of directly reused.)

On the other hand, let’s look at the biggest risk of using a password manager:

You forget your Master Password. (This is the single biggest risk and why we encourage people to write down their Master Passwords in their Emergency Kit and store it in a safe location.)

That’s really the only meaningful risk. There are other, much smaller risks, but they’re not nearly as big as that one. Here’s how the smaller risks apply to 1Password:

All your eggs in one basket: This is less of a risk than it might first appear because the alternative — password reuse — also puts multiple eggs in shared baskets (password reuse), and extremely weak baskets (weak passwords). When you reuse passwords, every site and service where you use the same password is vulnerable if that password is discovered.

That 1Password gets hacked: This is less of a risk than it might first appear, not because it’s impossible for 1Password to get hacked, but because 1Password is designed with full end-to-end encryption, so the consequences of 1Password getting hacked would not be a threat to our customers.

That the folks at 1Password would turn evil: This isn’t something that we expect to happen, but again, we’ve designed 1Password so that we lack the capability to acquire your secrets. (This is really just a variant of the previous point.)

That there’s something malicious hidden in the code: 1Password has an open security design, and security experts are continually auditing 1Password to confirm it has a solid foundation. We don’t rely on proprietary, untested encryption.

That we’re abducted by aliens and you’re locked out of your data: Again, our overall design protects you from this. It’s always possible to export your data from 1Password, and we’ve documented our data format so that even if we were to disappear, your data is yours.

As you can see, the biggest risk is forgetting your Master Password (or losing your Secret Key), and you can mitigate this yourself by following our advice for the Emergency Kit we provide when you sign up for 1Password:

Print a copy or store it on a USB flash drive. Don’t store it online or email it.

Fill in your Master Password. In an emergency, you or your loved one will be glad to have all your account details in one place.

Keep it somewhere safe, like with your passport or birth certificate.


Give a copy to a trusted loved one, like your spouse or someone in your will.

Tips for using a password manager safely

So far, the picture may be looking pretty grim for password security. However, the benefits of a good password manager – generating and saving complex, unique passwords you can easily update – mean that most experts recommend using one. “While it’s impossible to be completely immune from the most advanced threats, selecting the right third-party password manager can help users to protect their credentials from the majority of attacks that they may face.”

You can also take the following seven steps to ensure you're protecting your accounts:

1. Choose a password manager without master password recovery
Whatever you do, choose a password manager that does not allow for recovery of the master password. “If a malicious actor is able to get a hold of the master password through account recovery tools, this renders even the most secure password management programs useless.”

2. Use Two-factor authentication
Any online account has a risk of being hacked. One way to reduce this risk is to use two-factor authentication to protect your password manager. Chrome supports two-factor authentication with your smartphone, and, along with Firefox and Edge, also works with authentication hardware keys such as those from Yubico. Third-party password managers including Dashlane, LastPass and Sticky Password support two-factor authentication with your smartphone. “While two-factor authentication may still have some risks due to threats like SIM hijacking, at a minimum it puts one more layer of defense between the cybercriminal and your full arsenal of login information,” says Baumgartner.

3. Turn off autofill
You may want to consider turning off autofill. This also means logging into your password manager, then copying and pasting your passwords into the login screen.

4. Use strong passwords
When composing your master password, make it strong. “By today’s standards this means 20 characters or more, randomly generated passwords that contain lower and uppercase letters, digits and symbols,” says Palfy.  You might be proud of how devilishly uncrackable it is – but don’t reuse your master password.

5. Make sure all of your passwords are unique
Make sure all your other passwords are unique. Dashlane Premium is one of the options that can automatically check for weak or repeated passwords then automatically replace them with a random, complex password.

6. Keep your software up to date
Download security updates for your password manager as soon as they are available – often, they will be patching newly discovered vulnerabilities.

7. Be wary of downloads and browser extensions

In general, be wary of your downloads, especially browser extensions – unwittingly installed malware could end up logging keystrokes.
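
Steps 4 and 5 above can be checked mechanically. The Python code below is an added example, not code from any password manager named on this page: it audits a constructed vault for weak or repeated passwords against the "20 characters or more, all four character classes" guidance quoted in step 4, then replaces every flagged entry with a randomly generated password. The function names and the vault layout (a site-to-password mapping) are assumptions made for illustration.

```python
import secrets
import string
from collections import Counter

# Classes and length from the quoted guidance: 20+ chars, lower/upper/digits/symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
MIN_LENGTH = 20

def has_all_classes(pw):
    return all(any(ch in cls for ch in pw) for cls in CLASSES)

def generate_password(length=MIN_LENGTH):
    """Random password from the OS CSPRNG that contains every class."""
    if length < MIN_LENGTH:
        raise ValueError("length is below the 20-character minimum")
    alphabet = "".join(CLASSES)
    while True:  # rejection sampling: uniform over passwords that qualify
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw

def is_weak(pw):
    return len(pw) < MIN_LENGTH or not has_all_classes(pw)

def audit(vault):
    """Map each flagged site to its problems: 'weak' and/or 'reused'."""
    counts = Counter(vault.values())
    findings = {}
    for site, pw in vault.items():
        problems = [name for name, hit in (("weak", is_weak(pw)),
                                           ("reused", counts[pw] > 1)) if hit]
        if problems:
            findings[site] = problems
    return findings

def remediate(vault):
    """Copy of the vault with every flagged entry replaced by a fresh password."""
    flagged = audit(vault)
    return {site: generate_password() if site in flagged else pw
            for site, pw in vault.items()}

# Constructed sample vault (made-up sites and passwords, not real credentials).
SAMPLE_VAULT = {
    "mail.example": "Summer2018!",
    "shop.example": "Summer2018!",             # reused and weak
    "bank.example": "correcthorse",            # unique but weak
    "forum.example": "r7#Qm!x2Lp@9vZ&e4TbK^",  # meets the guidance
}
```

Calling `audit(SAMPLE_VAULT)` flags the first three entries, and `audit(remediate(SAMPLE_VAULT))` comes back empty while the already-strong `forum.example` password is left untouched.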


