Are password managers safe to use in 2023?
Even though it’s not surprising to hear the question “are password managers safe to use?”, the vast majority of cyber-security specialists agree that password managers are indeed the most secure way to protect your passwords.
However, despite the reliability of the PMs, the industry as a whole always takes a hit after media the covers the latest vulnerability or security breach. Therefore, we will look at password managers without fear-mongering and also without idolizing them.
We will address all the important questions. How do password managers secure your passwords? What are the risks of using a password manager? And finally, should you use a password manager at all? Read on to learn more.
Safest password managers in 2023:
- Keeper – Most feature-rich security tool
- NordPass – Super secure and easy to use
- RoboForm – Time-tested security features
📢 LIMITED OFFER: Get 40% OFF Keeper Unlimited and Family plans!
How do password managers secure your passwords?
There are multiple ways that password managers secure your passwords – starting all the way with a secure encryption process that uses a specific cipher to protect the transfer of data online. AES 256-bit is the military-standard, while XChaCha20 is widely used by well-known companies, like Google. Both of them ensure that cracking passwords would take more than a lifetime.
The zero-knowledge architecture used by the top password managers encrypts passwords before they leave your device. When they’re on a server, even the provider has no way to decipher them. Some password managers will remind you to change passwords regularly and evaluate their strength. Others will scan the dark web to check if any of your logins appeared online.
The only password you’ll need to remember on your password manager is the master password – as long as it’s secure, there’s no way for anyone to access it. If you choose a memorable, yet completely unique password and combine it with two-factor authentication (2FA), you should be safe. It’s even better if you choose a more complex option that uses multiple ways to authenticate a login, known as a multi-factor authentication (MFA). Using biometric authentication, such as fingerprint or face scan, is also a good idea.
In our tests, one provider stood above the rest, offering all of these features in one simple package.
What are the risks of using a password manager?
There's no way to stay 100% safe online. Even if you use a reliable password manager, there are certain risks that you should know about:
- All sensitive data in one place. You've probably heard about keeping your eggs in one basket. That's exactly what you'll be doing with a password manager. That basket will likely include credit card details and secure notes too. In case of a breach, blocking all payment options and changing passwords for all accounts might take enough time for the attacker to do damage.
- Backup is not always possible. If the server breaks down, your only hope is that your provider has made a backup copy. This risk increases multi-fold if you decide to keep your vault offline on one of your devices. Naturally, keeping your own backup on an unprotected disk drive or poorly protected cloud service won't help either. Luckily, both NordPass and Keeper have your back – they keep backup copies for you in case of a server breakdown.
- Not all devices are secure enough. Hackers exploit the same vulnerability to get all of your logins in one attack. Password managers can be hacked if your device is infected with malware. In this case, typing the master password will get it recorded, and cybercriminals will gain full access to the data stored. That’s why password manager users should invest in a trustworthy antivirus that will secure all of their devices first and reduce the risks.
- Not using biometric authentication. Biometric authentication is a great way to add another level of security. If you configure your password manager to request either a fingerprint or face scan, the chances of someone hacking into your vault become as slim as Shady. It's also much easier for you to touch the fingerprint scanner than to enter a master password. NordPass, RoboForm, and Keeper – all three offer such methods on devices that support biometric authentication.
- Bad password manager. If it has weaker encryption, offers few features, and has poor reviews, you shouldn’t use it. When it comes to securing your vault, saving a few bucks a month shouldn’t be your main priority. That’s especially true for free password managers which often lack the necessary security features to effectively protect your credentials at all times.
- Forgetting your master password. Are you the only person who knew it, and your password manager doesn’t have a reset feature? In this case, you may already start recovering each login one-by-one. Alternatively, you may want to store your master password (or a hint) in some physically secure place, such as a safe.
As you can see, some of the risks stem from the password managers themselves, but others exist solely because of users' behavior. If we don't count the latter, we can see that there aren't that many risks of using a password manager, especially a reputable one.
Can password managers be trusted?
Despite all the concerns listed above, good password managers are extremely difficult to compromise. For example, Keeper and RoboForm use the AES-256 encryption to ensure your data is inaccessible for the outsiders. Alternatively, NordPass uses the modern XChaCha20 encryption for the same purpose.
In addition, all of our three recommended password managers operate under the “zero-knowledge” technique and give the possibility to use multi-factor authentication making them a much safer and easier option than basically anything else available at the moment.
When it comes to safety, the most important thing from your side is the master password, as you have to create one in order to access all the other passwords.
So, make sure it is a strong one. It has to be at least 12 characters long, contain various symbols, and be impossible to guess. For more tips, check out our guide on how to create a strong password.
| NordPass | Keeper | RoboForm | |
| Encryption | XChaCha20 | AES-256 | AES-256 |
| Zero-knowledge architecture | ✅ | ✅ | ✅ |
| MFA support | ✅ | ✅ | ✅ |
📢 LIMITED OFFER: Get NordPass - only now 52% OFF!
Which password manager type is the most secure?
Those familiar with password managers probably know about the three types. Each comes with its set of pros and cons, including nuances in security. Let's discuss all types one by one and find which is the most secure.
View the best password managers
Browser-based password managers
| Security | Safe |
| Examples | Built-in browser password managers (Chrome, Firefox, Safari) |
- Very easy to use
- Free
- No cross-browser sync
- Not all generate passwords
- Few measure password length
If we boil down safety to encryption and two-factor authentication, browser-based password managers are pretty safe. However, the more closely you look, the less secure browser password managers appear.
For starters, browser-based password managers work on one particular browser. If you decide to move from Safari to Chrome or Firefox, you might have trouble with export and import. Furthermore, there's no way you could synchronize your vault on different browsers. All this often leads to storing your passwords in an insecure location.
Secondly, not all browser-based password managers have a password generator. Without one, you will have to create them manually.
Lastly, browser password managers can't detect weak or reused passwords. Want to know if your logins aren't available on the dark web? You will have to check that manually on a separate tool.
Browser password managers can't detect weak or reused passwords. Want to know if your logins aren't available on the dark web? You will have to check that manually on a separate tool.
Try KeeperCloud-based password managers
- Very convenient
- Easy access from anywhere
- Cloud backup
- Internet-dependent
- No control over your vault security
- Third-party servers store your data
When compared to the browser-based ones, cloud-based password managers are safer, as they have more features that enhance security.
To begin with, most cloud-based password managers provide a backup for your vault. In case something happens to the server, you can recover a recent version of your database.
Furthermore, cloud-based password managers, like NordPass, allow you to store not only passwords but also secure notes and credit card details. This way you can protect all sensitive information.
Additionally, cloud-based password managers detect reused and weak passwords, generate strong ones, and check if your accounts haven't leaked. They also let you share your vault entries easily, even with those who don't use the same service.
Finally, cloud-based password managers will work on multiple browsers and operating systems. It means that you won't have to think about how to copy and paste something from your database securely.
Desktop-based password managers
- Safest option
- Doesn't require an internet connection
- No access from other devices
- Complicated password sharing
- Manual backups
You may have noticed an asterisk beside the security score. That's because desktop-based password managers can be the safest, but that depends solely on the user.
These password managers store your data locally, on one of your devices. That device doesn't have to be connected to the internet, so there might be nearly zero chances of hacking into it. The most likely (and still highly unlikely) scenario is you inadvertently installing a keylogger and typing in your master password. However, this can be avoided by using biometric authentication.
Obviously, such a setup has its cons, which stem from the desktop-based password manager's very nature. For starters, you'll have to take care of regular backups. If your device breaks down irreparably, you can kiss your vault goodbye. What's more, you won't be able to access your passwords from other devices, and sharing them won't be easy either.
What if your password manager gets hacked?
In most cases, getting hacked won't result in all your passwords falling into the wrong hands. However, even the most secure password manager may have a serious vulnerability that everyone overlooked.
Let's start with the fact that your passwords are encrypted locally. Password managers have no way to decipher your data because they implement a zero-knowledge policy. So if a hacker breaks into your vault, he will see only encrypted information.
There's a slim chance that the attacker could break into your physical device by stealing it, using malware, or logging keystrokes. Even then, he or she will need your master password. If you use biometric data, such as fingerprint or face ID, the chance of a successful attack becomes infinitesimally low.
If the attacker installs malware on your device, your best move is to reinstall the OS and change all passwords in your vault. Make sure to also turn on 2FA or MFA that require additional factors to authenticate a login. This way, you will notice when an unusual request comes to the authenticator app.
| Keeper | NordPass | Enpass | |
| 2FA authentication | ✅ | ✅ | ❌ |
| MFA authentication | ✅ | ✅ | ❌ |
| Pricing | From $1.75/month | From $1.43/month | From $1.99/month |
Password manager hacks
The list of notable password manager hacks is quite short. Otherwise, they wouldn't have the reputation they have today. That's why I'll be also adding reported vulnerabilities that might not have resulted in any damage.
- In 2015, LastPass detected an intrusion to its servers. Hackers took users' email addresses and password reminders, among other info. This resulted in no known damages because even if you used a weak master password and the attackers cracked it, they would still need to verify the access by email.
- In 2016, plenty of security vulnerabilities were reported by white-hat hackers and security experts. Among the affected password managers were LastPass, Dashlane, 1Password, and Keeper. In most cases, the attacker would still have to use phishing to trick the user into revealing some data.
- In 2017, LastPass reported a serious vulnerability in its browser add-ons and asked subscribers to refrain from using it. It was fixed in less than 24 hours. Keeper and OneLogin also had issues that didn't result in casualties.
- In 2019, serious vulnerabilities were found in the code of Dashlane, LastPass, 1Password, and KeePass. This applied to Windows 10 users and only if the right malware was installed. Once again, the users didn't suffer any reported casualties.
- In August 2022, LastPass was hacked once again. No user data was harmed, since the hacker only exfiltrated a portion of internal information.
- In December 2022, another breach at LastPass occurred. Despite initial claims that no user data was compromised, weeks later LastPass announced that the hackers took a backup of vaults containing encrypted user data such as passwords, as well as email addresses, billing information, and IP addresses.
Are premium password managers safe?
Most premium password managers are way safer than the majority of the free ones. The latter ones are often buggy, developed by shady companies, and sometimes even include malware. Despite that, there are quality free password managers that are as safe as the paid services. In fact, the former often include a free version. Therefore, it's a good idea to compare them and see what's lacking.
Usually, both free and premium password managers use military-grade encryption and zero-knowledge architecture. This means that there's no way to decipher your database even if someone breaks into it. The provider also doesn't have a key to unlock your data. That's why it all comes down to using a proper master password, 2FA, and keeping your devices malware-free.
Are password managers safe to use for business?
Yes, password managers are definitely safe to use for business. In fact, they aren’t only safe to use, but rather essential. The majority of data breaches inside of companies happen due to weak and re-used passwords.
The best password manager for business not only generates strong passwords but also detects data breaches, and allows sharing of encrypted passwords between employees. Moreover, our top business password manager NordPass offers company-wide settings. These allow the admin to set the boundaries on whether encrypted passwords can be shared outside of the company or not.
Having all that in mind, password managers help organisations to avoid huge leaks of data and loss of finances.
Are free password managers safe?
The added security of a premium password manager comes in the form of additional features. Free versions are usually stripped-down and lack options, some of which might be safety-related.
For example, some free password managers don't support biometric data, such as fingerprint or face ID. This means that you will have to enter your master password all the time.
Additionally, other free services don't have the option to audit your passwords. In case your vault dates back more than a few years, chances are those passwords aren't strong enough.
What's more, one would be hard-pressed to find a free password manager that integrates a dark web scanner. On the contrary, a premium password manager constantly checks the dark web to see if any of your accounts have leaked.
Should you use a password manager?
Yes, you should use a password manager. It will allow you to keep track of your passwords without having to memorize them. Some password vaults can also generate and change passwords for you in one click, as well as securely store other types of data like credit card information. A password manager also makes sharing your data with family and friends safer. It's a much better way than writing down your login details in an email or some unencrypted messenger.
No need to memorize a ton of information and forget important logins when you need them most. You can store not only passwords in a password manager, but also credit card information and other essential data.
Secure data with KeeperOf course, you have to put trust in the company behind your password manager. However, most of them have a flawless reputation. Also, they are way less risky than some dubious app or browser add-on that people install without much thinking.
Yes, they have their flaws and vulnerabilities. But in the end, it's not only the password manager that protects your most valuable information. You should also use a reliable antivirus to prevent malware from infecting your device. Keeping your software updated is no less important, just like double-checking the apps and extensions you're about to install.
Best password manager deals this week:
Comments
1. You decrypt your vault using a master password to share an item (which is essentially plain text, as all passwords are in the end)
2. The person you share the password with uses their private key to verify that the message is meant for them.
3. You then verify the specific item you want to share, not just the person.
4. A public key is used to encrypt the item.
5. An encrypted item is sent out to the recipient.
6. Additional proprietary syncing allows for up-to-date information (like changes)
False. That's what the companys that build the software say you can never know whether the company has access to your password. But that's not the case for open source PMs like keypass.
The right thing to say is that "The free software is harder to use than than the premium counter part" but saying they are buggy and less secure is wrong and misleading.
This is a pretty curious way to say that you prefer sponsored content, but as a statement is is highly misleading, borderline of false.
First, quality often does not correlate price as there were numerous highly dubious quality expensive code around while the most prominent free code is often more secure due to public scrutiny of their open source than the closed-source paid ones.
Then it’s misleading to suggest that “free” means “buggy” in contrast to the implied “paid” means “bug-free”: this is clearly false. In fact some free code is praised for security of their disk format (like passwordsafe), or their architecture (like bitwarden or keepass-xc).
For security reviewing it is not great to skip tech details; only nordpass has encryption method mentioned (xchacha20), nowhere are KDF, transport methods, client and server security or assurance mentioned. It is true that your article is not alone: I found almost no review which seemed to be knowledgeable enough to be trusted.
Sad.
Say, I install a desk top based password manager on my Macbook along with a Yubikey for 2FA and my computer either crashes beyond repair or is held hostage by a ransomware attack, what are the consequences with respect to my passwords? What remedy would I have? Thank you.
-Steve
Biometric passwords come with two risks that others don’t: You can’t change them and you have a finite supply – for example, we only have so many fingers. Once breached or hacked, you cannot easily change your fingerprints or any other biometric element one might use. There is no mitigation for a breach.
Biometrics are harder to break but, like everything else, that will get easier over time. That’s not to say they shouldn’t be used, but the risks should be understood.
Thanks,
##################
“The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.
Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.”
##################
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise
It seems the hacker has a copy of my vault prior to Oct 2 since it’s encrypted with the old password. In that case, I must change my master password and the passwords to all my sensitive sites.
I can agree with you to some extent. No password manager is 100% safe, but the same can be said about cars or other things that we use. Going open-source would also solve the problem only partially. In your case, I think that a self-hosted password manager should do the trick. Stay safe!
Yes, I do believe that. Using the same password for all accounts is extremely not safe. I don’t know about your encryption strength, but if it’s lower than the military-grade AES 256-bit, I’d suggest using a password manager instead.
While this is admittedly very convenient, it is a serious security risk. For example, if your computer is stolen, the thief will have access to all of those saved log-ins. You are the most vulnerable if you have auto-log-in for your user account enabled i.e. you don't need to log-in to your computer every time you boot your computer. Or if your computer is stolen when you are already logged-in to your user account and you don't have some form of auto log-out enabled. And even if you are logged-out, gaining access to user accounts can be relatively easy or basically impossible but the level of security depends on the strength of your user account password and how you have your access preferences configured.
At the very least, you should not have persistent log-ins for your financial accounts and other sensitive high-value accounts. Since we humans are creatures of habit, it's a better idea to have things set up so you must log-in whenever you visit a website where you have an account. Especially if you have personal and financial information saved on retail websites and others for the convenience it offers.
Personally, I only save credit card info at Amazon and only for credit cards. I do not save such information at any other website. I never use debit cards for any financial transactions online or in-person because the user protections are nothing like what credit cards provide and it is possible to be liable for a large amount of money should your financial account be compromised.
Ideally, such financial accounts should not allow long-in credentials to be saved via cookies or will have some type of 2 factor-authentication required. Unfortunately, in the U.S the vast majority of financial websites use SMS texts to send a simple numerical code to users. If the device you use to receive SMS texts is your computer, the thief may be able to respond to the texts and gain access. Or if your smartphone is also stolen or compromised by a SIM swap, the person who has possession will have access to your accounts.
It's important to remember that your email accounts are another potential gateway to your accounts. If someone can access your email because they have your computer or they know your email account username/password, they will also have the ability to gain control over your accounts. The password for your email accounts should be very strong and guarded as closely as financial accounts and 2FA authentication should be used when available.
Many of us use password managers because they make it very convenient to create extremely strong passwords and avoid the trap of reusing passwords for multiple accounts, which is a common practice and a very dangerous one at that. The best password managers have very strong encryption and various options for locking the password manager when it is not in use.
I had been keeping all my passwords in a file for probably 15 years. It’s amazing how many logins you accumulate with random purchases, etc. and how easy it use to use the same password/login combo. It was getting lengthy (close to 300, but many were old) and I was using one main (very difficult) password for a lot of sites, then started adding characters when I was forced to reset a password, so even remembering some was becoming a chore.
I started with a password manager about a year ago, but got lazy and didn’t take it too far. It’s surprising how many strange problems arose when simply changing a password! Then, a few weeks ago, that one password I used most of the time was breached, so I took the time and updated all sites with 16 to 24 character passwords. It took several hours a day for a few days, but it’s worth the peace of mind I have now and it’s a lot easier to log in! Also, I’m glad the one I chose was recommended as a good one.
-pm
Your email address will not be published. Required fields are marked