Are password managers safe in 2024?
We perform independent tests and thoroughly analyze password management services to find the best options for customers to store online credentials and other sensitive information.
We prioritize full transparency, which is why we provide detailed descriptions of our in-house testing procedures and methodologies.
Password managers are classified as online security tools because they protect your most sensitive digital information, such as login credentials and payment card details. Not using one is usually the more dangerous choice: without a manager, internet users tend to fall into habits such as reusing passwords, picking weak combinations, or storing logins in insecure places.
A trusted password manager enables you to apply password best practices, such as using long, unique, and unguessable combinations. This is crucial considering one survey found that nearly 50% of respondents had their passwords compromised last year.
Of course, password managers are only as safe as the users utilizing them. Also, not all password managers are the same, and while some are prone to breaches, others are strong enough to withstand cybercriminals. Fortunately, there are plenty of strong and reliable providers out there, and you can test them risk-free yourself.
In this article, I answer all the important questions regarding password manager security: How do password managers secure your passwords? What are the risks of using a password manager? Should you use a password manager at all? Let's jump right to it.
How do password managers secure your passwords?
Password managers protect your passwords in several layers, starting with encryption of the vault itself: its contents are encrypted with a modern cipher before they are stored or synced, and data in transit is additionally protected by TLS. AES-256 is the most common choice and is considered the gold standard; XChaCha20 is a newer alternative adopted by some providers (NordPass, for example). With either cipher, guessing the encryption key directly would take far longer than a lifetime, so in practice attacks target the master password the key is derived from, not the cipher.
The zero-knowledge architecture used by the top password managers means the vault is encrypted on your device with a key derived from your master password, and only the resulting ciphertext leaves it. The provider stores that ciphertext but never the key, so even the provider cannot read your entries. On top of this, some password managers evaluate password strength and remind you to change weak or old ones, and others scan dark-web dumps to check whether any of your logins have leaked.
The only password you need to remember is the master password, and the whole scheme is only as strong as that one secret: choose something long and unique, for example a multi-word passphrase, that you use nowhere else. Add two-factor authentication (2FA), the most common form of multi-factor authentication (MFA): it protects the login to your account on the provider's servers and stops anyone who has obtained only your master password. Be aware that 2FA does not protect a stolen copy of the encrypted vault, which can still be attacked offline by guessing master passwords, so it complements a strong master password rather than replacing it. Biometric unlock (fingerprint or face scan) is a convenience that releases a key already stored on the device; it is fine to use, but it does not make a weak master password any stronger.
Types of password managers
Those familiar with password managers probably know about the three main types: browser-based, cloud-based, and desktop-based. Each comes with its own set of pros and cons, including those related to security. Let's discuss all types one by one and figure out which one is the most secure.
Browser-based password managers
Browser-based password managers are popular because they’re free and very convenient to use – you don’t need to use a separate app to save and autofill your passwords. However, they’re not considered the safest.
Security level: Medium
Examples: Built-in browser password managers (Chrome, Firefox, Safari)
While encryption and two-factor authentication on the browser account make browser-based password managers reasonably safe, there are quite a few security-related concerns. One practical one: unless you set a separate primary password (Firefox) or the browser asks for your OS credentials before revealing entries (Chrome), anyone using your unlocked desktop session can read the saved passwords.
For starters, a browser-based password manager is tied to that browser and its own sync service. If you decide to move from Safari to Chrome or Firefox, you have to export and re-import your data, and exports are typically unencrypted CSV files that stay on disk unless you delete them securely. There is also no way to keep one vault in sync across different browsers. All this often leads to storing passwords in a location that's not secure.
Second, not all browser-based password managers have a password generator. Without one, you have to create passwords manually, and most users opt for simpler and, thus, more vulnerable passwords when left to their own devices.
Lastly, weak-password and breach checks have historically been limited in browsers. The major browsers now flag reused or known-compromised passwords, but the checks apply only to logins saved in that browser and are less comprehensive than a dedicated manager's; for anything beyond that, such as checking whether your logins are circulating on the dark web, you will have to use a separate tool.
Cloud-based password managers
When compared to browser-based password managers, cloud-based password managers are safer, as they have more features that enhance security.
Security level: High
Examples: NordPass, 1Password, RoboForm
To begin with, most cloud-based password managers provide a backup for your vault. This means that if something happens to the server, you can recover a recent version of your database.
Furthermore, cloud-based password managers, like NordPass, allow you to store not only passwords but also secure notes and credit card details. This allows you to protect all sensitive information, not just logins.
Additionally, cloud-based password managers can detect reused and weak passwords, generate strong ones, and check if your logins have been leaked. They also let you share your vault entries easily, even with those who don't use the same service.
Finally, cloud-based password managers work on multiple browsers and operating systems. It means that you don't have to think about how to copy and paste something from your database securely.
On the downside, cloud-based password managers are potentially vulnerable to cyberattacks – no one can give you a 100% guarantee that your vault will be secure. Of course, the risk decreases significantly when you employ reliable managers.
Furthermore, keep in mind that not all password managers work offline, so if you don’t want to be locked out when the internet connection is unstable or unavailable, pick a solution that supports you both online and offline.
Desktop-based password managers
When it comes to desktop-based password managers, they can be the safest; however, that depends entirely on the user.
Security level: Highest
Examples: KeePass (fully local); 1Password, Bitwarden and Dashlane, which offer desktop apps but sync through the provider's cloud by default
All information you store in a desktop-based password manager stays, essentially, on your device. No third party holds a copy, which eliminates the risk of your data being exposed in a breach of the password manager provider. However, there are a few downsides you must consider.
For starters, you are responsible for regular backups. If your device breaks down irreparably, the vault containing all your passwords may be gone with it. Since all data lives on one device, there is no sync to other devices unless you arrange it yourself (for example, by copying the encrypted database file), and so no easy recovery.
Furthermore, you have to consider the possibility that someone could access your physical device without your permission and gain access to the password manager vault as well. To combat this, you want to make sure that you have a strong lock on your computer as well as a strong master password for your password manager.
What if your password manager gets hacked?
In most cases, getting hacked won't result in all your passwords falling into the wrong hands. However, even the most secure password manager may have a serious vulnerability that everyone overlooked.
Start with the fact that your vault is encrypted locally with a key derived from your master password. Under a zero-knowledge design the provider never holds that key, so an attacker who breaks into the provider's servers obtains only ciphertext, plus whatever unencrypted metadata the provider keeps. Whether they can go further depends on your master password: with a copy of the vault they can guess master passwords offline, limited only by the cost of the key derivation, and a short or reused master password can fall to that.
Attackers can also target your device directly, by stealing it, installing malware, or logging keystrokes. A keylogger captures the master password as you type it, and malware running while the vault is unlocked can read decrypted entries no matter how you unlocked it. Biometric unlock (fingerprint or face ID) protects against someone at your keyboard who does not know the master password; it does not protect against malware.
If malware reaches your device, your best move is to reinstall the OS, then change the master password and every password in the vault from a clean device and revoke any active sessions. Turn on 2FA or MFA on the password manager account and on the important accounts inside it: it won't help against an offline copy of the vault, but it blocks logins made with a stolen password, and you will notice when a request you didn't initiate arrives in your authenticator app.
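As an added example, not code from the article or from any vendor, the following Python block models the vault design described in the "How do password managers secure your passwords?" section and the breach scenario discussed just above: the vault key is derived from the master password on the client, the server stores only ciphertext and a one-way login hash, and a stolen server copy can still be attacked offline by guessing master passwords. The key split (stretched master key, separate auth hash) loosely follows the design Bitwarden documents; the cipher is an HMAC-SHA256 counter keystream with an HMAC tag, a standard-library stand-in for the AES-256-GCM or XChaCha20-Poly1305 a real product would use. Function names, parameters, the sample vault and the wordlist are all constructed for illustration.

```python
"""Toy model of a zero-knowledge password-manager vault (added example, not a
vendor's code). The cipher below is an HMAC-SHA256 counter keystream plus an
HMAC tag, standing in for AES-256-GCM / XChaCha20-Poly1305; the key split
(stretched master key, separate auth hash) loosely follows Bitwarden's
documented design. All names and parameters are illustrative."""
import hashlib
import hmac
import os
from typing import Optional

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_master_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Client side only: stretch the master password into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               iterations, KEY_LEN)


def derive_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side: one-way value sent to the server for login. It cannot be
    reversed into master_key, so the server never learns the vault key.
    (A real server hashes this value again before storing it.)"""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(),
                               1, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(master_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(master_key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None on a wrong key (tag mismatch) rather than garbage."""
    nonce = blob[:NONCE_LEN]
    ct = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(master_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def enroll(master_password: str, vault_plaintext: bytes, iterations: int) -> dict:
    """Everything that leaves the device. Note what is absent: master_key."""
    salt = os.urandom(16)
    master_key = derive_master_key(master_password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "auth_hash": derive_auth_hash(master_key, master_password),
        "vault": encrypt_vault(master_key, vault_plaintext),
    }


def offline_crack(server_record: dict, wordlist) -> Optional[str]:
    """What an attacker holding a stolen server copy can do: try master
    passwords offline, unthrottled by 2FA or login rate limits. Each guess
    costs one full PBKDF2 run, which is why the iteration count matters."""
    for guess in wordlist:
        key = derive_master_key(guess, server_record["salt"],
                                server_record["iterations"])
        if decrypt_vault(key, server_record["vault"]) is not None:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample vault contents and a tiny constructed wordlist.
    vault = b'{"example.com": {"user": "alice", "password": "s3cr3t"}}'
    wordlist = ["letmein", "qwerty", "password123", "Summer2024!"]
    weak = enroll("password123", vault, iterations=600_000)
    strong = enroll("basil-cobalt-dune-ember-fjord", vault, iterations=600_000)
    print("weak master password recovered:", offline_crack(weak, wordlist))
    print("strong master password recovered:", offline_crack(strong, wordlist))
```

Two things to take from running it: the server record contains nothing that decrypts the vault without the master password, and a weak master password is recovered from the stolen record without ever contacting the server, so 2FA never gets a chance to intervene. Raising the iteration count slows every guess equally for the attacker and for you, which is the trade-off behind the key-derivation settings providers expose.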
What are the main risks of using a password manager?
Password managers are meant to help you strengthen your digital security; however, you must keep in mind that certain risks exist. Even though the chances of facing security problems are very low if you apply password management best practices, they shouldn’t be ignored. Here are the main risks I’m always cautious about:
- Device vulnerabilities. You may be able to sync your password manager account across multiple devices, including your mobile phone, tablet, or stationary computer. If any of them is not protected appropriately, you run the risk of facing malware. Remember that your passwords, credit card information, and other sensitive details are most valuable to cybercriminals, so you must protect your devices accordingly. I always recommend using reliable antivirus protection.
- Data breaches. You should only trust a reliable password manager to store all of your passcodes and other private data in one place. If the provider experiences a data breach, even if your master password is strong, you could end up facing security issues. That’s why you want to choose a password manager that implements strong security practices and, ideally, has not experienced data breaches in the past.
- Faulty vault backups. If a password manager's server breaks down, your only hope is that your provider has a backup copy. This risk increases many times over if you decide to keep your vault offline on one of your devices. Naturally, keeping your own backup on an unprotected disk drive or poorly protected cloud service won't help either. Fortunately, there are providers, like NordPass and 1Password, that keep backup copies for you in case of a server breakdown.
- Unreliable password managers. Keep in mind that not all password managers are equal. Top providers have the necessary security measures and features in place. However, less reliable password managers may be more prone to successful hacking attacks. Unfortunately, you have to be particularly careful about free password managers. While not all of them are unreliable – especially those that offer paid versions alongside – some may simply not have the resources to guarantee optimal security.
What are the main benefits of using a password manager?
While there are some risks to using password managers, the benefits greatly outweigh them. Here are the main advantages I found to using a reliable password manager.
- Enhanced security. If you use a trustworthy password manager that employs reliable encryption, you get stronger protection for everything you store, including passwords, payment card numbers, social security numbers, identification data, birth dates, door codes, and so on. With a strong master password and 2FA or MFA in place, getting into your vault becomes very hard for anyone but you. You certainly cannot achieve that level of security with post-it notes, notes apps, or spreadsheets.
- Improved password habits. When you don't have to remember complex passwords, you can easily apply password best practices. You no longer need to reuse passwords, use memorable and, thus, easily guessable combinations, or store them in unsafe locations. Keep in mind that strong passwords are considered to be at least 12 characters long and randomly generated, with numbers, upper- and lower-case letters, and, ideally, symbols.
- Convenience. Yes, convenience is a huge benefit when it comes to passwords. If you sync your account across different devices, you can always access them, no matter where you are. Again, the fact you don’t need to remember your passwords and other sensitive data provides you with an opportunity to keep all of that data extra safe. Plus, when it comes to sharing passwords, many managers make the process quick, easy, and safe too.
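The "12 characters, random, mixed character classes" guidance above is really a statement about entropy. The Python block below is an added example, not code from the article: it generates passwords and passphrases with a cryptographically secure source, measures them in bits, and shows why a composition check alone is a poor measure of strength. The function names are illustrative, and the eight-word list is a constructed stand-in for a real passphrase word list of several thousand words.

```python
"""Added example (not from the article): secure generation of passwords and
passphrases, plus entropy arithmetic. The toy word list is constructed; a real
diceware-style list (e.g. the EFF long list) has 7776 words."""
import math
import secrets
import string

CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed stand-in for a real word list (3 bits per word instead of ~12.9).
TOY_WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "gecko", "harbor"]


def random_password(length=16, charset=CHARSET):
    """Uniformly random characters from charset, drawn with `secrets`
    (a CSPRNG), never with `random`, which is predictable."""
    return "".join(secrets.choice(charset) for _ in range(length))


def random_passphrase(words, count=5, sep="-"):
    """Diceware-style passphrase: words chosen uniformly, with replacement."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits, guesses_per_second):
    """Expected time to find a secret of the given entropy (half the space)."""
    return (2.0 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def meets_minimum(password):
    """Composition floor from the guidance above: 12+ chars with lower, upper,
    digit and symbol. A floor, not a strength measure: 'Password123!' passes
    and is still near the top of any attacker's wordlist."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= 12 and all(classes)


if __name__ == "__main__":
    pw = random_password(16)
    phrase = random_passphrase(TOY_WORDS, 5)
    print(pw, f"{entropy_bits(16, len(CHARSET)):.1f} bits")
    print(phrase, f"{entropy_bits(5, len(TOY_WORDS)):.1f} bits (toy list)")
    print("5 words from a 7776-word list:", f"{entropy_bits(5, 7776):.1f} bits")
    # Same 12-character random password against a fast unsalted hash
    # versus a key-derivation function that throttles guessing.
    bits12 = entropy_bits(12, len(CHARSET))
    print("12 random chars @1e10 guesses/s:", f"{years_to_crack(bits12, 1e10):.2e} years")
    print("12 random chars @1e4 guesses/s: ", f"{years_to_crack(bits12, 1e4):.2e} years")
    print("meets_minimum('Password123!') ->", meets_minimum("Password123!"))
```

The point of the last two prints is that the guessing rate, set by the password manager's key-derivation cost, matters as much as the password itself; the point of `meets_minimum` is that a complexity rule cannot tell a random 12-character string from a predictable one, which is why the generator, not the rule, is what makes a manager's passwords strong.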
Password manager hacks
The list of notable password managers that have been hacked is, fortunately, quite short. Otherwise, they wouldn't have the reputation they have today. Note that the list below also includes reported vulnerabilities that might not have resulted in any damage.
- In 2015, LastPass detected an intrusion on its servers. The attackers took users' email addresses, password reminders, per-user salts, and authentication hashes. No damage is known to have resulted: even if a user had a weak master password that the attackers cracked, they would still have had to pass LastPass's email verification for a login from a new device.
- In 2016, a researcher published a phishing technique that imitated LastPass's own login prompts to collect master passwords and 2FA codes. LastPass issued mitigations in response.
- In 2016, a number of security vulnerabilities were reported by white-hat hackers and security experts. Among the affected password managers were LastPass, Dashlane, 1Password, and Keeper. In most cases the attacker would still have had to phish the user into revealing some data or visiting a malicious page.
- In 2017, LastPass reported a serious vulnerability in its browser extensions and asked users to refrain from using them until it was patched; the fix shipped in less than 24 hours. Keeper and OneLogin also had issues that year that caused no known harm.
- In 2019, researchers found that Dashlane, LastPass, 1Password, and KeePass could leave the master password or vault secrets in memory on Windows 10, in some cases even after the vault was locked. Exploiting this required malware already running on the machine with access to process memory, and no users were reported to have been harmed.
- In August 2022, LastPass was breached again: an attacker compromised a developer account and exfiltrated portions of source code and internal technical documentation. No customer data was taken at this stage, but the material was later used to target an employee in the December 2022 breach.
- In December 2022, another breach at LastPass occurred. Despite initial claims that no user data was compromised, weeks later LastPass announced that the attackers had taken a backup of customer vaults containing encrypted data such as passwords, along with email addresses, billing information, and IP addresses. Because some vault fields such as website URLs were stored unencrypted and many older accounts still used low PBKDF2 iteration counts, the practical risk was offline guessing of weak master passwords against the stolen vaults, which nothing LastPass did afterwards could undo.
- In October 2023, 1Password disclosed a security incident linked to the breach of Okta's support system. A malicious actor used a session stolen in that breach to reach 1Password's Okta administrative environment; the activity was detected and no user data was affected.
Conclusion: Are password managers safe?
Password managers are safe if you choose a reliable provider and implement password management best practices. If you use password123 as your master password to unlock your entire vault, it could easily be guessed and breached even if you use a reliable manager, especially if you don’t add 2FA or MFA for added security.
Of course, even if your master password is strong and you take every precaution, no one can guarantee full security. Cloud-based password managers, for example, can suffer breaches, as the LastPass incidents show, so it's crucial to choose providers with a proven track record of avoiding security incidents, of encrypting as much of the vault as possible, and of taking users' security seriously.
Don’t forget that all types of password managers can also be affected by malware inside your devices. Therefore, if you have a password manager, I advise that you implement strong antivirus protection, too. Also, don’t forget to stay vigilant about phishing attacks that could be used to gain access to your vault.
FAQ
What is the main risk of using a password manager?
Poor encryption or weak key derivation could lead to significant vulnerabilities, and a weak or reused master password undermines even good encryption. Remember that not all password managers are equal: some implement stronger encryption and key-derivation settings than others. If data is not encrypted appropriately, an attacker who obtains it can read it without authorization.
Do security experts recommend password managers?
Yes, password managers are highly recommended by security experts because they can help increase the security of your passwords and other sensitive information that you store in a password manager vault. Plus, they encourage better password hygiene, which also increases your digital security.
Are free password managers safe?
Yes, reliable password managers are safe to use. Free versions may be less secure as they may not support 2FA or MFA and may not offer to generate strong passwords or warn you about weaknesses and data breaches. Premium password managers, however, can offer significant security benefits.