Even though it’s not surprising to hear the question “are password managers safe to use?”, the vast majority of cyber-security specialists agree that password managers are indeed the most secure way to protect your passwords.
However, despite the reliability of the PMs, the industry as a whole always takes a hit after media covers the latest vulnerability or security breach. Therefore, this article will look at password managers without fear-mongering but also without idolizing them.
All the important questions will be addressed below. How do password managers secure your passwords? What are the risks of using a password manager? And finally, should you use a password manager at all? Read on to learn more.
Using a password manager is completely safe. With them, you're getting a much better security level than reusing the same passwords for your accounts. We recommend NordPass – it has a free version and locks your credentials in an impenetrable vault.
Protect yourself with NordPass
How do password managers secure your passwords?
There are multiple ways that password managers secure your passwords – that’s why they are so safe to use. Even though they can be hacked, much like anything else, such a scenario is highly unlikely, provided you take the necessary precautions. It’s way easier for the attacker to use social engineering or phishing than to actually crack a strong password.
So, what makes password managers so secure?
First and foremost, password managers use encryption to protect your passwords. AES 256-bit is the industry standard that’s also used by the military because of its exceptional strength. It would take more than a lifetime to crack this cipher, so a brute-force attack has a near-zero chance of success.
Furthermore, password managers protect your data from themselves by using zero-knowledge architecture. It means that your passwords are encrypted before they leave your device. So when they end up on the company’s server, the provider has no tools to decipher them.
Most password managers will ask you to use a master password for accessing your vault. If it’s secure, you can be sure that the rest of your passwords are safe enough. Having said that, it’s recommended to also use two-factor authentication (2FA) to enhance your database safety. Using biometric authentication, such as fingerprint or face scan, is also a good idea.
Finally, password managers have multiple features aimed at securing your passwords. Some will remind you to change the passwords regularly and evaluate their strength. Others will scan the dark web to check if any of your logins appeared online. And some will do both, and then some.
If you want to learn more, check out our article on how do password managers work?
What are the risks of using a password manager?
There’s no way to stay 100% safe online. Even if you use a reliable password manager, there are certain risks that you should know about:
- All sensitive data in one place. You’ve probably heard about keeping your eggs in one basket. That’s exactly what you’ll be doing with a password manager. That basket will likely include credit card details and secure notes too. In case of a breach, blocking all payment options and changing passwords for all accounts might take enough time for the attacker to do damage.
- Backup is not always possible. If the server breaks down, your only hope is that your provider has made a backup copy. This risk increases multi-fold if you decide to keep your vault offline on one of your devices. Naturally, keeping your own backup on an unprotected disk drive or poorly protected cloud service won’t help either.
- Not all devices are secure enough. Hackers exploit the same vulnerability to get all of your logins in one attack. Password managers can be hacked if your device is infected with malware. In this case, typing the master password will get it recorded, and cybercriminals will gain full access to the data stored. That’s why password manager users should invest in securing all of their devices first to reduce the risks.
- Not using biometric authentication. Biometric authentication is a great way to add another level of security. If you configure your password manager to request either a fingerprint or face scan, the chances of someone hacking into your vault become as slim as Shady. It’s also much easier for you to touch the fingerprint scanner than to enter a master password.
- Bad password manager. If it has weaker encryption, offers few features, and has poor reviews, you shouldn’t use it. When it comes to securing your vault, saving a few bucks a month shouldn’t be your main priority.
- Forgetting your master password. Are you the only person who knew it, and your password manager doesn’t have a reset feature? In this case, you may already start recovering each login one-by-one. Alternatively, you may want to store your master password (or a hint) in some physically secure place, such as a safe.
As you can see, some of the risks stem from the password managers themselves, but others exist solely because of users’ behavior. If we don’t count the latter, we can see that there aren’t that many risks of using a password manager.
Can password managers be trusted?
Despite all the concerns listed above, good password managers are extremely difficult to compromise. The usage of AES-256 encryption, the “zero-knowledge” technique, and the possibility to use two-factor authentication make password managers a much safer and easier option than basically anything else available at the moment.
When it comes to safety, the most important thing from your side is the master password, as you have to create one in order to access all the other passwords.
So, make sure it is a strong one. It has to be at least 12 characters long, contain various symbols, and be impossible to guess. For more tips, check out our guide on how to create a strong password.
Which password manager type is the most secure?
Those familiar with password managers probably know about the three types. Each comes with its set of pros and cons, including nuances in security. Let’s discuss all types one by one and find which is the most secure.
Browser-based password managers
Security: safe
Pros: very easy to use, free
Cons: no cross-browser sync, not all generate passwords, few measure password strength
Examples: built-in browser password managers (Chrome, Firefox, Safari)
If we boil down safety to encryption and two-factor authentication, browser-based password managers are pretty safe. However, the more closely you look, the less secure browser password managers appear.
For starters, browser-based passwords work on one particular browser. If you decide to move from Safari to Chrome or Firefox, you might have trouble with export and import. Furthermore, there’s no way you could synchronize your vault on different browsers. All this often leads to storing your passwords in an insecure location.
Secondly, not all browser-based password managers have a password generator. Without one, you will have to create them manually.
Lastly, browser password managers can’t detect weak or reused passwords. Want to know if your logins aren’t available on the dark web? You will have to check that manually on a separate tool.
Cloud-based password managers
Security: high
Pros: very convenient, easy access from anywhere, cloud backup, internet-dependent
Cons: no control over your vault security, third-party servers store your data
Examples: Zoho Vault, LastPass
When compared to the browser-based ones, cloud-based password managers are safer, as they have more features that enhance security.
To begin with, most cloud-based password managers provide a backup for your vault. In case something happens to the server, you can recover a recent version of your database.
Furthermore, cloud-based password managers allow you to store not only passwords but also secure notes and credit card details. This way you can protect all sensitive information.
Additionally, cloud-based password managers detect reused and weak passwords, generate strong ones, and check if your accounts haven’t leaked. They also let you share your vault entries easily, even with those who don’t use the same service.
Finally, cloud-based password managers will work on multiple browsers and operating systems. It means that you won’t have to think about how to copy and paste something from your database securely.
Desktop-based password managers
Security: highest*
Pros: safest option, doesn’t require an internet connection
Cons: no access from other devices, complicated password sharing, manual backups
Examples: Bitwarden, KeePass, 1Password, Dashlane
You may have noticed an asterisk beside the security score. That’s because desktop-based password managers can be the safest, but that depends solely on the user.
These password managers store your data locally, on one of your devices. That device doesn’t have to be connected to the internet, so there might be nearly zero chances of hacking into it. The most likely (and still highly unlikely) scenario is you inadvertently installing a keylogger and typing in your master password. However, this can be avoided by using biometric authentication.
Obviously, such a setup has its cons, which stem from the desktop-based password manager’s very nature. For starters, you’ll have to take care of regular backups. If your device breaks down irreparably, you can kiss your vault goodbye. What’s more, you won’t be able to access your passwords from other devices, and sharing them won’t be easy either.
What if your password manager gets hacked?
In most cases, getting hacked won’t result in all your passwords falling into the wrong hands. However, even the most secure password manager may have a serious vulnerability that everyone overlooked.
Let’s start with the fact that your passwords are encrypted locally. Password managers have no way to decipher your data because they implement a zero-knowledge policy. So if a hacker breaks into your vault, he will see only encrypted information.
There’s a slim chance that the attacker could break into your physical device by stealing it, using malware, or logging keystrokes. Even then, he or she will need your master password. If you use biometric data, such as fingerprint or face ID, the chance of a successful attack becomes infinitesimally low.
If the attacker installs malware on your device, your best move is to reinstall the OS and change all passwords in your vault. Make sure to also turn on 2FA wherever you can. This way, you will notice when an unusual request comes to the authenticator app.
Password manager hacks
The list of notable password manager hacks is quite short. Otherwise, they wouldn’t have the reputation they have today. That’s why I’ll be also adding reported vulnerabilities that might not have resulted in any damage.
- In 2015, LastPass detected an intrusion to its servers. Hackers took users’ email addresses and password reminders, among other info. This resulted in no known damages because even if you used a weak master password and the attackers cracked it, they would still need to verify the access by email.
- In 2016, plenty of security vulnerabilities were reported by white-hat hackers and security experts. Among the affected password managers were LastPass, Dashlane, 1Password, and Keeper. In most cases, the attacker would still have to use phishing to trick the user into revealing some data.
- In 2017, LastPass reported a serious vulnerability in its browser add-ons and asked subscribers to refrain from using it. It was fixed in less than 24 hours. Keeper and OneLogin also had issues that didn’t result in casualties.
- In 2019, serious vulnerabilities were found in the code of Dashlane, LastPass, 1Password, and KeePass. This applied to Windows 10 users and only if the right malware was installed. Once again, the users didn’t suffer any reported casualties.
As you can see, none of these password manager hacks were that serious. Sure, vulnerabilities were exposed, but they were also fixed in a timely manner. And in most cases, the attacker would have to either get some more data from the user or overtake her device completely before accessing the vault. As a result, none of the issues mentioned above hurt the reputation of password managers.
Are premium password managers safe?
Most premium password managers are way safer than the majority of the free ones. The latter are often buggy, developed by shady companies, and sometimes even include malware. Despite that, there are quality free password managers that are as safe as the paid services. In fact, the former often include a free version. Therefore, it’s a good idea to compare them and see what’s lacking.
Usually, both free and premium password managers use military-grade encryption and zero-knowledge architecture. This means that there’s no way to decipher your database even if someone breaks into it. The provider also doesn’t have a key to unlock your data. That’s why it all comes down to using a proper master password, 2FA, and keeping your devices malware-free.
Security flaws of free password managers
The added security of a premium password manager comes in the form of additional features. Free versions are usually stripped-down and lack options, some of which might be safety-related.
For example, some free password managers don’t support biometric data, such as fingerprint or face ID. This means that you will have to enter your master password all the time.
Additionally, other free services don’t have the option to audit your passwords. In case your vault dates back more than a few years, chances are those passwords aren’t strong enough.
What’s more, one would be hard-pressed to find a free password manager that integrates a dark web scanner. On the contrary, a premium password manager constantly checks the dark web to see if any of your accounts have leaked.
What are the safest password managers?
The safest password managers are mostly the ones that are ranked at the top. After all, how can it be otherwise when the product gets the highest scores from multiple review sites? That’s why we invite you to check our guide to the best password managers in 2021.
Dashlane
| Cloud storage: | No |
| 2FA: | Yes |
| Platforms: | Windows, macOS, Android, iOS |
| Browser plugins: | Chrome, Firefox, Safari, Internet Explorer, Edge |
As our #1 password manager, Dashlane is very safe. It uses military-grade encryption and zero-knowledge architecture. What’s more, there are plenty of multi-factor authentication options. In addition to the 2FA, you can use universal two-factor authentication (U2FA). It comes in the form of an NFC or USB device that acts as a key.
When it comes to biometric data, both Face ID and Touch ID are available, depending on your device. Then there’s a dark web scanner that reports if your data is available online. Last but not least comes a built-in Virtual Private Network (VPN). It will encrypt your traffic and let you connect to servers in more than 20 countries. Please have a look at our Dashlane review to find out more about the service.
NordPass
| Cloud storage: | 3 GB (with NordLocker app) |
| 2FA: | Yes |
| Platforms: | Windows, macOS, Linux, Android, iOS |
| Browser plugins: | Chrome, Firefox, Safari, Opera, Brave, Vivaldi, and Edge |
As one of the credential managers on the market, NordPass is an invaluable tool for those who want an easy way to keep track of all their passwords. Aside from using the next-gen XChaCha20 encryption, NordPass also takes advantage of cloud storage, storing all of your passwords in the cloud so that you don’t lose them.
It also offers two-factor authentication, biometric authentication (that lets you use your face or fingerprints instead of your master password), a password generator, a data breach scanner, and lots of other features that will help you with your online security. Check out our in-depth NordPass review for more info on this password manager.
LastPass
| Cloud storage: | No |
| 2FA: | Yes |
| Platforms: | Windows, MacOS, Linux, Android, iOS |
| Browser plugins: | Chrome, Firefox, Safari, Opera, Edge, Edge Legacy |
Not only is LastPass safe, but it’s also arguably the safest password manager in 2021. We’re talking about AES 256-bit encryption and zero-knowledge architecture here. There are plenty of multi-factor authentication options available. You can also use third-party authenticators, such as Google, Microsoft, or YubiKey.
Unfortunately, we must point also point out that LastPass suffered a breach in 2019. As a result, an embedded malicious code exposed more than 16 million users’ data. The company fixed the issue in no time, but the reputation remains in question. For more information, please have a look at our LastPass review.
1Password
| Cloud storage: | 1 GB |
| 2FA: | Yes |
| Platforms: | Windows, macOS, Linux, Android, iOS |
| Browser plugins: | Chrome, Brave, Firefox, Edge |
As we mentioned previously, your password manager of choice should be the safe one. And 1Password definitely belongs on our toplist. It uses bank-grade encryption and offers “something that you are” (biometric) and “something that you have” (smartphone code) as 2FA options. There’s also a dark web scanner at your service.
1Password also checks whether a website that you want to log in to allows 2FA and uses HTTPS. This feature is unique among all premium password managers. Finally, a so-called Travel Mode hides important data on your phone while you’re abroad. In case you lose it, the information won’t fall into the wrong hands. For more features, please have a look at our 1Password review.
Should you use a password manager?
Yes, you should use a password manager. It will allow you to keep track of your passwords without having to memorize them. Some password vaults can also generate and change passwords for you in one click, as well as securely store other types of data like credit card information. A password manager also makes sharing your data with family and friends safer. It’s a much better way than writing down your login details in an email or some unencrypted messenger.
Of course, you have to put trust in the company behind your password manager. However, most of them have a flawless reputation. Also, they are way less risky than some dubious app or browser add-on that people install without much thinking.
Yes, they have their flaws and vulnerabilities. But in the end, it’s not only the password manager that protects your most valuable information. You should also use a reliable anti-virus to prevent malware from infecting your device. Keeping your software updated is no less important, just like double-checking the apps and extensions you’re about to install.
I have a Password Manager that came with TrendMicro security software and which I do not use. I felt that I would be giving away my passwords to another source. How would I know that they are encripted on leaving my device and that TrendMicro does not store them in the original form? Or if they are stored by TrendMicro in my device?
Hi, Lion Valley. I believe this is still a matter of trust. That’s why we recommend only well-known and reputable password managers. Of course, some of them have undergone security audits by third parties, but once again, that doesn’t give you a 100% guarantee they haven’t changed their ways after the audit.
How safe is it to have company log-on (e.g. log on to O365, which has multi-factor authentication), so that the password manager is immediately enabled (logged onto) by virtue of having logged into O365?
Hello, Zamboanga. What kind of password manager are you talking about? Is it a built-in O365 manager or a separate product? The former option is good if O365 is safe enough. However, for the best result, I recommend using a third-party password manager that requires a separate master password.
I think this article leaves out the best password manager out there, PasswordSafe (pwdsafe.org)
What happened if I what to change password manager company? will my access to my account will be lock?
Hello, Ty Burn. I shouldn’t worry too much. Most password managers have an export/import function that lets you quickly move to another provider. However, not all formats are supported by every password manager, so you should look at what options are available in your ex and your future provider.
“Most premium password managers are way safer than the majority of the free ones. The latter are often buggy, developed by shady companies, and sometimes even include malware.”
This is a pretty curious way to say that you prefer sponsored content, but as a statement is is highly misleading, borderline of false.
First, quality often does not correlate price as there were numerous highly dubious quality expensive code around while the most prominent free code is often more secure due to public scrutiny of their open source than the closed-source paid ones.
Then it’s misleading to suggest that “free” means “buggy” in contrast to the implied “paid” means “bug-free”: this is clearly false. In fact some free code is praised for security of their disk format (like passwordsafe), or their architecture (like bitwarden or keepass-xc).
For security reviewing it is not great to skip tech details; only nordpass has encryption method mentioned (xchacha20), nowhere are KDF, transport methods, client and server security or assurance mentioned. It is true that your article is not alone: I found almost no review which seemed to be knowledgeable enough to be trusted.
Sad.
Excellent article Mindaugas! There is one scenario that I am confused/concerned about, however…
Say, I install a desk top based password manager on my Macbook along with a Yubikey for 2FA and my computer either crashes beyond repair or is held hostage by a ransomware attack, what are the consequences with respect to my passwords? What remedy would I have? Thank you.
-Steve
A quick comment about using biometric security.
Biometric passwords come with two risks that others don’t: You can’t change them and you have a finite supply – for example, we only have so many fingers. Once breached or hacked, you cannot easily change your fingerprints or any other biometric element one might use. There is no mitigation for a breach.
Biometrics are harder to break but, like everything else, that will get easier over time. That’s not to say they shouldn’t be used, but the risks should be understood.
Thanks,
It is interesting to look at the technical details. Windows Hello does NOT use the raw biometric data, but an encrypted form and only stores it locally on the respective device.
##################
“The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.
Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.”
##################
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise
I use a password manager with U2F authentication and if it’s hacked on Oct 1, will I be safe if I change my master password on Oct 2?
It seems the hacker has a copy of my vault prior to Oct 2 since it’s encrypted with the old password. In that case, I must change my master password and the passwords to all my sensitive sites.
Hello Jonathan. That’s a good question. Technically, using U2F should prevent you from losing your data to the hacker. The only thing would be to change the master password. Of course, changing all the passwords would be a good idea, too, especially when there would be not much info about the hack itself.
Hello there. Are all password managers that sync to cloud safe? Because I somehow doubt that alll of them have a clear record. I’m not very good at investigating these things, but maybe you’ve found some services that have been faulty and not worth using? I like all the reviews that you write, but I would especially appreciate some insights into some apps that should be avoided at all costs.
Good day, Ace! In general, no password manager is 100% safe, including the cloud-based ones. I would recommend avoiding free password managers unless that’s a free version of a reputable premium service.
I’m not really a pc user so I’m wondering are phone password managers safe? I’m using Android OS most of the time. Perhaps there are other apps that could improve my security in conjunction with a password manager?
Hello! If you choose a good password manager, it should be enough to secure your Android device. Of course, you can always start using file encryption, a VPN, or an antivirus. Such internet security suites will only get more popular in the future.
I never thought about using one but are browser password managers safe? So far I can’t really think of some possible vulnerabilities or faults, but that could depend. For example if it’s some free extension then it could be riddled with some malicious code, but if it’s integrated into the browser out of the box then it could be more reliable.
Hi, ChicBriefing. While browser password managers are safe, they aren’t convenient. To start with, they don’t work on other browsers. Also, it might be difficult to share such passwords securely. Finally, you would probably need another tool to check whether your logins aren’t for sale on the dark web.
Why not keep all your passwords organized in a password-protected file on an encrypted thumb drive using AES-256 or higher?
Hey, Pat B. It’s one of the options, but the password manager is usually safer and more convenient. Imagine yourself scrolling a document with your passwords in a public place and opening it every time you have to log in somewhere. You should also have a backup in case you lose the USB drive. And if you have that password-protected file on your desktop, imagine a scenario where your computer is locked in by ransomware. Finally, this method fails to implement 2FA, which is a huge part of any type of security.
Since offline or local password managers exist I was wondering are cloud based password managers safe. I mean they are saved somewhere on a remote data center so potentially someone could gain access to them. Of course it all depends on the provider. But then how am I, as a regular customer, supposed to verify their security? Seems like I have to place a lot of trust into these tech companies.
Hi Alwin. Yes, trust is the key word here. I would probably even call it a “keyword.” When choosing between local and cloud storage, you have to decide who you trust more – the password manager company or yourself?
Why should I trust some companies with my personal passwords? How safe are online password managers anyway? They can brainwash us all they want with their fake policies and marketing jargon, but at the end of the day no company can be trusted without being verified by a third party. Or even better – they should go open source. With more eyes on the code it will be safer.
Dear Bigginno,
I can agree with you to some extent. No password manager is 100% safe, but the same can be said about cars or other things that we use. Going open-source would also solve the problem only partially. In your case, I think that a self-hosted password manager should do the trick. Stay safe!
Do you think password managers are really necessary? Cuz I don’t think that every user needs one. In your opinion what is the best app to save passwords? I’ve been using some encrypted text files to keep my most important notes and it’s good enough for me. I log in once to a service and it doesn’t ask for my passwords anymore. And I don’t need to share my passwords with anyone so the file is safely tucked away in a secret place.
Dear McKenna,
Yes, I do believe that. Using the same password for all accounts is extremely not safe. I don’t know about your encryption strength, but if it’s lower than the military-grade AES 256-bit, I’d suggest using a password manager instead.
are password managers safe from hacking if my device gets attacked? for example if I get hit with a ransomware attack can I be sure that my passwords will stay secure. I don’t really understand how these things work but it seems like a bad idea to keep everything in one place. Do I need more than one password manager then? Seems awfully expensive.
Hey, ComicExpert19! Thanks for the comment. If you use a cloud-based password manager, you’ll be able to access your passwords even if one of your devices gets locked during a ransomware attack. And without your master password, it’s contents won’t fall into the wrong hands.
I want to use my mobile phone as a notebook for all of my passwords but I’m not sure is it safe to keep passwords on your phone. Because at least I can be sure they won’t be leaked because of cloud storage failures or something like that. But on the other hand if my lose my phone I’m fucked. Can I save my passwords somewhere else in a non-readable format?
Hello, Johnny. Losing your phone with all your passwords is a big issue, but storing them in one place unencrypted is even bigger. The non-readable format you’re talking about is what all modern password managers offer. Without your master password, there’s virtually no way even for the password manager company to see them because of the zero-knowledge architecture.
Hey, great article, but there’s still one thing I don’t quite understand. Are open source password managers safe? I mean if anyone can take a look at the source code of the app doesn’t it make it less secure? Hackers could have a look at the vulnerabilities that the community is trying to fix and they could exploit it or even inject their own code into the program. Why would anyone trust their data to an open source app?
Hi, thanks! I can understand that trusting an open-source password manager might be difficult. To start with, hackers also check the closed-source apps and are pretty good at finding vulnerabilities without the source code – just take a look and Windows. Also, more people are working on open-source projects, so they can often fix the issues faster. But in the end, I can’t say that any open-source app is automatically more secure than a closed-one and vice versa.
Thanks for this summary!
I had been keeping all my passwords in a file for probably 15 years. It’s amazing how many logins you accumulate with random purchases, etc. and how easy it use to use the same password/login combo. It was getting lengthy (close to 300, but many were old) and I was using one main (very difficult) password for a lot of sites, then started adding characters when I was forced to reset a password, so even remembering some was becoming a chore.
I started with a password manager about a year ago, but got lazy and didn’t take it too far. It’s surprising how many strange problems arose when simply changing a password! Then, a few weeks ago, that one password I used most of the time was breached, so I took the time and updated all sites with 16 to 24 character passwords. It took several hours a day for a few days, but it’s worth the peace of mind I have now and it’s a lot easier to log in! Also, I’m glad the one I chose was recommended as a good one.
-pm
Give it a try to Passcal