Are password managers safe to use in 2022?
Even though it’s not surprising to hear the question “are password managers safe to use?”, the vast majority of cyber-security specialists agree that password managers are indeed the most secure way to protect your passwords.
However, despite the reliability of the PMs, the industry as a whole always takes a hit after media covers the latest vulnerability or security breach. Therefore, we will look at password managers without fear-mongering and also without idolizing them.
We will address all the important questions. How do password managers secure your passwords? What are the risks of using a password manager? And finally, should you use a password manager at all? Read on to learn more.
- Keeper – Most feature-rich security tool
- NordPass – Super secure and easy to use
- RoboForm – Time-tested security features
📢 LIMITED OFFER: Get 40% OFF Keeper Unlimited and Family plans!
How do password managers secure your passwords?
There are multiple ways that password managers secure your passwords – starting all the way with secure encryption. AES 256-bit is the military-standard, and cracking passwords would take more than a lifetime.
The zero-knowledge architecture used by the top password managers encrypts passwords before they leave your device. When they’re on a server, even the provider has no way to decipher them. Some password managers will remind you to change passwords regularly and evaluate their strength. Others will scan the dark web to check if any of your logins appeared online.
The only password you’ll need to remember on your password manager is the master password – as long as it’s secure, there’s no way for anyone to access it. If you choose a memorable, yet completely unique password and combine it with two-factor authentication (2FA), you should be safe. Using biometric authentication, such as fingerprint or face scan, is also a good idea.
In our tests, one provider stood above the rest, offering all of these features in one simple package.
What are the risks of using a password manager?
There's no way to stay 100% safe online. Even if you use a reliable password manager, there are certain risks that you should know about:
- All sensitive data in one place. You've probably heard about keeping your eggs in one basket. That's exactly what you'll be doing with a password manager. That basket will likely include credit card details and secure notes too. In case of a breach, blocking all payment options and changing passwords for all accounts might take enough time for the attacker to do damage.
- Backup is not always possible. If the server breaks down, your only hope is that your provider has made a backup copy. This risk increases multi-fold if you decide to keep your vault offline on one of your devices. Naturally, keeping your own backup on an unprotected disk drive or poorly protected cloud service won't help either.
- Not all devices are secure enough. Hackers exploit the same vulnerability to get all of your logins in one attack. Password managers can be hacked if your device is infected with malware. In this case, typing the master password will get it recorded, and cybercriminals will gain full access to the data stored. That’s why password manager users should invest in securing all of their devices first to reduce the risks.
- Not using biometric authentication. Biometric authentication is a great way to add another level of security. If you configure your password manager to request either a fingerprint or face scan, the chances of someone hacking into your vault become as slim as Shady. It's also much easier for you to touch the fingerprint scanner than to enter a master password.
- Bad password manager. If it has weaker encryption, offers few features, and has poor reviews, you shouldn’t use it. When it comes to securing your vault, saving a few bucks a month shouldn’t be your main priority.
- Forgetting your master password. Are you the only person who knew it, and your password manager doesn’t have a reset feature? In this case, you may already start recovering each login one-by-one. Alternatively, you may want to store your master password (or a hint) in some physically secure place, such as a safe.
As you can see, some of the risks stem from the password managers themselves, but others exist solely because of users' behavior. If we don't count the latter, we can see that there aren't that many risks of using a password manager.
Can password managers be trusted?
Despite all the concerns listed above, good password managers are extremely difficult to compromise. The usage of AES-256 encryption, the “zero-knowledge” technique, and the possibility to use two-factor authentication make password managers a much safer and easier option than basically anything else available at the moment.
When it comes to safety, the most important thing from your side is the master password, as you have to create one in order to access all the other passwords.
So, make sure it is a strong one. It has to be at least 12 characters long, contain various symbols, and be impossible to guess. For more tips, check out our guide on how to create a strong password.
Which password manager type is the most secure?
Those familiar with password managers probably know about the three types. Each comes with its set of pros and cons, including nuances in security. Let's discuss all types one by one and find which is the most secure.
Browser-based password managers
|Examples||Built-in browser password managers (Chrome, Firefox, Safari)|
- Very easy to use
- No cross-browser sync
- Not all generate passwords
- Few measure password length
If we boil down safety to encryption and two-factor authentication, browser-based password managers are pretty safe. However, the more closely you look, the less secure browser password managers appear.
For starters, browser-based password managers work on one particular browser. If you decide to move from Safari to Chrome or Firefox, you might have trouble with export and import. Furthermore, there's no way you could synchronize your vault on different browsers. All this often leads to storing your passwords in an insecure location.
Secondly, not all browser-based password managers have a password generator. Without one, you will have to create them manually.
Lastly, browser password managers can't detect weak or reused passwords. Want to know if your logins aren't available on the dark web? You will have to check that manually on a separate tool.
Browser password managers can't detect weak or reused passwords. Want to know if your logins aren't available on the dark web? You will have to check that manually on a separate tool.Try Keeper
Cloud-based password managers
- Very convenient
- Easy access from anywhere
- Cloud backup
- No control over your vault security
- Third-party servers store your data
When compared to the browser-based ones, cloud-based password managers are safer, as they have more features that enhance security.
To begin with, most cloud-based password managers provide a backup for your vault. In case something happens to the server, you can recover a recent version of your database.
Furthermore, cloud-based password managers allow you to store not only passwords but also secure notes and credit card details. This way you can protect all sensitive information.
Additionally, cloud-based password managers detect reused and weak passwords, generate strong ones, and check if your accounts haven't leaked. They also let you share your vault entries easily, even with those who don't use the same service.
Finally, cloud-based password managers will work on multiple browsers and operating systems. It means that you won't have to think about how to copy and paste something from your database securely.
Desktop-based password managers
- Safest option
- Doesn't require an internet connection
- No access from other devices
- Complicated password sharing
- Manual backups
You may have noticed an asterisk beside the security score. That's because desktop-based password managers can be the safest, but that depends solely on the user.
These password managers store your data locally, on one of your devices. That device doesn't have to be connected to the internet, so there might be nearly zero chances of hacking into it. The most likely (and still highly unlikely) scenario is you inadvertently installing a keylogger and typing in your master password. However, this can be avoided by using biometric authentication.
Obviously, such a setup has its cons, which stem from the desktop-based password manager's very nature. For starters, you'll have to take care of regular backups. If your device breaks down irreparably, you can kiss your vault goodbye. What's more, you won't be able to access your passwords from other devices, and sharing them won't be easy either.
What if your password manager gets hacked?
In most cases, getting hacked won't result in all your passwords falling into the wrong hands. However, even the most secure password manager may have a serious vulnerability that everyone overlooked.
Let's start with the fact that your passwords are encrypted locally. Password managers have no way to decipher your data because they implement a zero-knowledge policy. So if a hacker breaks into your vault, he will see only encrypted information.
There's a slim chance that the attacker could break into your physical device by stealing it, using malware, or logging keystrokes. Even then, he or she will need your master password. If you use biometric data, such as fingerprint or face ID, the chance of a successful attack becomes infinitesimally low.
If the attacker installs malware on your device, your best move is to reinstall the OS and change all passwords in your vault. Make sure to also turn on 2FA wherever you can. This way, you will notice when an unusual request comes to the authenticator app.
Password manager hacks
The list of notable password manager hacks is quite short. Otherwise, they wouldn't have the reputation they have today. That's why I'll be also adding reported vulnerabilities that might not have resulted in any damage.
- In 2015, LastPass detected an intrusion to its servers. Hackers took users' email addresses and password reminders, among other info. This resulted in no known damages because even if you used a weak master password and the attackers cracked it, they would still need to verify the access by email.
- In 2016, plenty of security vulnerabilities were reported by white-hat hackers and security experts. Among the affected password managers were LastPass, Dashlane, 1Password, and Keeper. In most cases, the attacker would still have to use phishing to trick the user into revealing some data.
- In 2017, LastPass reported a serious vulnerability in its browser add-ons and asked subscribers to refrain from using it. It was fixed in less than 24 hours. Keeper and OneLogin also had issues that didn't result in casualties.
- In 2019, serious vulnerabilities were found in the code of Dashlane, LastPass, 1Password, and KeePass. This applied to Windows 10 users and only if the right malware was installed. Once again, the users didn't suffer any reported casualties.
As you can see, none of these password manager hacks were that serious. Sure, vulnerabilities were exposed, but they were also fixed in a timely manner. And in most cases, the attacker would have to either get some more data from the user or overtake their device completely before accessing the vault. As a result, none of the issues mentioned above hurt the reputation of password managers.
Are premium password managers safe?
Most premium password managers are way safer than the majority of the free ones. The latter ones are often buggy, developed by shady companies, and sometimes even include malware. Despite that, there are quality free password managers that are as safe as the paid services. In fact, the former often include a free version. Therefore, it's a good idea to compare them and see what's lacking.
Usually, both free and premium password managers use military-grade encryption and zero-knowledge architecture. This means that there's no way to decipher your database even if someone breaks into it. The provider also doesn't have a key to unlock your data. That's why it all comes down to using a proper master password, 2FA, and keeping your devices malware-free.
Are password managers safe to use for business?
Yes, password managers are definitely safe to use for business. In fact, they aren’t only safe to use, but rather essential. The majority of data breaches inside of companies happen due to weak and re-used passwords.
The best password manager for business not only generates strong passwords but also detects data breaches, and allows sharing of encrypted passwords between employees. Moreover, our top business password manager NordPass offers company-wide settings. These allow the admin to set the boundaries on whether encrypted passwords can be shared outside of the company or not.
Having all that in mind, password managers help organisations to avoid huge leaks of data and loss of finances.
Are free password managers safe?
The added security of a premium password manager comes in the form of additional features. Free versions are usually stripped-down and lack options, some of which might be safety-related.
For example, some free password managers don't support biometric data, such as fingerprint or face ID. This means that you will have to enter your master password all the time.
Additionally, other free services don't have the option to audit your passwords. In case your vault dates back more than a few years, chances are those passwords aren't strong enough.
What's more, one would be hard-pressed to find a free password manager that integrates a dark web scanner. On the contrary, a premium password manager constantly checks the dark web to see if any of your accounts have leaked.
Should you use a password manager?
Yes, you should use a password manager. It will allow you to keep track of your passwords without having to memorize them. Some password vaults can also generate and change passwords for you in one click, as well as securely store other types of data like credit card information. A password manager also makes sharing your data with family and friends safer. It's a much better way than writing down your login details in an email or some unencrypted messenger.
Of course, you have to put trust in the company behind your password manager. However, most of them have a flawless reputation. Also, they are way less risky than some dubious app or browser add-on that people install without much thinking.
Yes, they have their flaws and vulnerabilities. But in the end, it's not only the password manager that protects your most valuable information. You should also use a reliable antivirus to prevent malware from infecting your device. Keeping your software updated is no less important, just like double-checking the apps and extensions you're about to install.