Are password managers safe to use in 2022?
Even though it’s not surprising to hear the question “are password managers safe to use?”, the vast majority of cyber-security specialists agree that password managers are indeed the most secure way to protect your passwords.
However, despite the reliability of the PMs, the industry as a whole always takes a hit after media covers the latest vulnerability or security breach. Therefore, this article will look at password managers without fear-mongering but also without idolizing them.
All the important questions will be addressed below. How do password managers secure your passwords? What are the risks of using a password manager? And finally, should you use a password manager at all? Read on to learn more.
- Keeper – Security tool with the best features
- NordPass – Super secure and easy to use
- RoboForm – Time-tested security features
How do password managers secure your passwords?
There are multiple ways that password managers secure your passwords - that’s why they are so safe to use. Even though they can be hacked, much like anything else, such a scenario is highly unlikely, provided you take the necessary precautions. It’s way easier for the attacker to use social engineering or phishing than to actually crack a strong password.
So, what makes password managers so secure?
First and foremost, password managers use encryption to protect your passwords. AES 256-bit is the industry standard that’s also used by the military because of its exceptional strength. It would take more than a lifetime to crack this cipher, so a brute-force attack has a near-zero chance of success.
Furthermore, password managers protect your data from themselves by using zero-knowledge architecture. It means that your passwords are encrypted before they leave your device. So when they end up on the company’s server, the provider has no tools to decipher them.
Most password managers will ask you to use a master password for accessing your vault. If it’s secure, you can be sure that the rest of your passwords are safe enough. Having said that, it’s recommended to also use two-factor authentication (2FA) to enhance your database safety. Using biometric authentication, such as fingerprint or face scan, is also a good idea.
Finally, password managers have multiple features aimed at securing your passwords. Some will remind you to change the passwords regularly and evaluate their strength. Others will scan the dark web to check if any of your logins appeared online. And some will do both, and then some.
If you want to learn more, check out our article on how do password managers work?
What are the risks of using a password manager?
There's no way to stay 100% safe online. Even if you use a reliable password manager, there are certain risks that you should know about:
- All sensitive data in one place. You've probably heard about keeping your eggs in one basket. That's exactly what you'll be doing with a password manager. That basket will likely include credit card details and secure notes too. In case of a breach, blocking all payment options and changing passwords for all accounts might take enough time for the attacker to do damage.
- Backup is not always possible. If the server breaks down, your only hope is that your provider has made a backup copy. This risk increases multi-fold if you decide to keep your vault offline on one of your devices. Naturally, keeping your own backup on an unprotected disk drive or poorly protected cloud service won't help either.
- Not all devices are secure enough. Hackers exploit the same vulnerability to get all of your logins in one attack. Password managers can be hacked if your device is infected with malware. In this case, typing the master password will get it recorded, and cybercriminals will gain full access to the data stored. That’s why password manager users should invest in securing all of their devices first to reduce the risks.
- Not using biometric authentication. Biometric authentication is a great way to add another level of security. If you configure your password manager to request either a fingerprint or face scan, the chances of someone hacking into your vault become as slim as Shady. It's also much easier for you to touch the fingerprint scanner than to enter a master password.
- Bad password manager. If it has weaker encryption, offers few features, and has poor reviews, you shouldn’t use it. When it comes to securing your vault, saving a few bucks a month shouldn’t be your main priority.
- Forgetting your master password. Are you the only person who knew it, and your password manager doesn’t have a reset feature? In this case, you may already start recovering each login one-by-one. Alternatively, you may want to store your master password (or a hint) in some physically secure place, such as a safe.
As you can see, some of the risks stem from the password managers themselves, but others exist solely because of users' behavior. If we don't count the latter, we can see that there aren't that many risks of using a password manager.
Can password managers be trusted?
Despite all the concerns listed above, good password managers are extremely difficult to compromise. The usage of AES-256 encryption, the “zero-knowledge” technique, and the possibility to use two-factor authentication make password managers a much safer and easier option than basically anything else available at the moment.
When it comes to safety, the most important thing from your side is the master password, as you have to create one in order to access all the other passwords.
So, make sure it is a strong one. It has to be at least 12 characters long, contain various symbols, and be impossible to guess. For more tips, check out our guide on how to create a strong password.
Which password manager type is the most secure?
Those familiar with password managers probably know about the three types. Each comes with its set of pros and cons, including nuances in security. Let's discuss all types one by one and find which is the most secure.
View the best password managers
Browser-based password managers
Security: safe
Pros: very easy to use, free
Cons: no cross-browser sync, not all generate passwords, few measure password strength
Examples: built-in browser password managers (Chrome, Firefox, Safari)
If we boil down safety to encryption and two-factor authentication, browser-based password managers are pretty safe. However, the more closely you look, the less secure browser password managers appear.
For starters, browser-based password managers work on one particular browser. If you decide to move from Safari to Chrome or Firefox, you might have trouble with export and import. Furthermore, there's no way you could synchronize your vault on different browsers. All this often leads to storing your passwords in an insecure location.
Secondly, not all browser-based password managers have a password generator. Without one, you will have to create them manually.
Lastly, browser password managers can't detect weak or reused passwords. Want to know if your logins aren't available on the dark web? You will have to check that manually on a separate tool.
Cloud-based password managers
Security: high
Pros: very convenient, easy access from anywhere, cloud backup, internet-dependent
Cons: no control over your vault security, third-party servers store your data
Examples: Zoho Vault, LastPass
When compared to the browser-based ones, cloud-based password managers are safer, as they have more features that enhance security.
To begin with, most cloud-based password managers provide a backup for your vault. In case something happens to the server, you can recover a recent version of your database.
Furthermore, cloud-based password managers allow you to store not only passwords but also secure notes and credit card details. This way you can protect all sensitive information.
Additionally, cloud-based password managers detect reused and weak passwords, generate strong ones, and check if your accounts haven't leaked. They also let you share your vault entries easily, even with those who don't use the same service.
Finally, cloud-based password managers will work on multiple browsers and operating systems. It means that you won't have to think about how to copy and paste something from your database securely.
Desktop-based password managers
Security: highest*
Pros: safest option, doesn't require an internet connection
Cons: no access from other devices, complicated password sharing, manual backups
Examples: Bitwarden, KeePass, 1Password, Dashlane
You may have noticed an asterisk beside the security score. That's because desktop-based password managers can be the safest, but that depends solely on the user.
These password managers store your data locally, on one of your devices. That device doesn't have to be connected to the internet, so there might be nearly zero chances of hacking into it. The most likely (and still highly unlikely) scenario is you inadvertently installing a keylogger and typing in your master password. However, this can be avoided by using biometric authentication.
Obviously, such a setup has its cons, which stem from the desktop-based password manager's very nature. For starters, you'll have to take care of regular backups. If your device breaks down irreparably, you can kiss your vault goodbye. What's more, you won't be able to access your passwords from other devices, and sharing them won't be easy either.
What if your password manager gets hacked?
In most cases, getting hacked won't result in all your passwords falling into the wrong hands. However, even the most secure password manager may have a serious vulnerability that everyone overlooked.
Let's start with the fact that your passwords are encrypted locally. Password managers have no way to decipher your data because they implement a zero-knowledge policy. So if a hacker breaks into your vault, he will see only encrypted information.
There's a slim chance that the attacker could break into your physical device by stealing it, using malware, or logging keystrokes. Even then, he or she will need your master password. If you use biometric data, such as fingerprint or face ID, the chance of a successful attack becomes infinitesimally low.
If the attacker installs malware on your device, your best move is to reinstall the OS and change all passwords in your vault. Make sure to also turn on 2FA wherever you can. This way, you will notice when an unusual request comes to the authenticator app.
Password manager hacks
The list of notable password manager hacks is quite short. Otherwise, they wouldn't have the reputation they have today. That's why I'll be also adding reported vulnerabilities that might not have resulted in any damage.
- In 2015, LastPass detected an intrusion to its servers. Hackers took users' email addresses and password reminders, among other info. This resulted in no known damages because even if you used a weak master password and the attackers cracked it, they would still need to verify the access by email.
- In 2016, plenty of security vulnerabilities were reported by white-hat hackers and security experts. Among the affected password managers were LastPass, Dashlane, 1Password, and Keeper. In most cases, the attacker would still have to use phishing to trick the user into revealing some data.
- In 2017, LastPass reported a serious vulnerability in its browser add-ons and asked subscribers to refrain from using it. It was fixed in less than 24 hours. Keeper and OneLogin also had issues that didn't result in casualties.
- In 2019, serious vulnerabilities were found in the code of Dashlane, LastPass, 1Password, and KeePass. This applied to Windows 10 users and only if the right malware was installed. Once again, the users didn't suffer any reported casualties.
As you can see, none of these password manager hacks were that serious. Sure, vulnerabilities were exposed, but they were also fixed in a timely manner. And in most cases, the attacker would have to either get some more data from the user or overtake their device completely before accessing the vault. As a result, none of the issues mentioned above hurt the reputation of password managers.
Are premium password managers safe?
Most premium password managers are way safer than the majority of the free ones. The latter are often buggy, developed by shady companies, and sometimes even include malware. Despite that, there are quality free password managers that are as safe as the paid services. In fact, the former often include a free version. Therefore, it's a good idea to compare them and see what's lacking.
Usually, both free and premium password managers use military-grade encryption and zero-knowledge architecture. This means that there's no way to decipher your database even if someone breaks into it. The provider also doesn't have a key to unlock your data. That's why it all comes down to using a proper master password, 2FA, and keeping your devices malware-free.
Security flaws of free password managers
The added security of a premium password manager comes in the form of additional features. Free versions are usually stripped-down and lack options, some of which might be safety-related.
For example, some free password managers don't support biometric data, such as fingerprint or face ID. This means that you will have to enter your master password all the time.
Additionally, other free services don't have the option to audit your passwords. In case your vault dates back more than a few years, chances are those passwords aren't strong enough.
What's more, one would be hard-pressed to find a free password manager that integrates a dark web scanner. On the contrary, a premium password manager constantly checks the dark web to see if any of your accounts have leaked.
What are the safest password managers?
The safest password managers are mostly the ones that are ranked at the top. After all, how can it be otherwise when the product gets the highest scores from multiple review sites? That's why we invite you to check our guide to the best password managers in 2022.
Keeper
| Cloud storage: | No |
| 2FA: | Yes |
| Platforms: | Windows, macOS, Linux, Android, iOS |
| Browser plugins: | Chrome, Firefox, Safari, Opera, Internet Explorer |
Keeper is perhaps the safest password manager out there. It's all thanks to the zero-knowledge infrastructure, powerful AES 256-bit encryption, and numerous other security features. As for authentication, you’ll have plenty of choice here - be it biometrics, third-party authenticators, or Keepers signature KeeperDNA, you’ll have plenty of options to choose from.
The features of Keeper also leave no room for doubt about its dedication to securing your passwords and other data. There is the self-destructing KeeperChat for file sharing and Breach Watch that scours the dark web for your stolen passwords. And to keep you from compromising your own security, the Security Audit checks all of your passwords strength and suggests appropriate changes.
For more information, read our Keeper review.
NordPass
| Cloud storage: | 3 GB (with NordLocker app) |
| 2FA: | Yes |
| Platforms & Browser plugins: | Windows, macOS, Linux, Android, iOS, Chrome, Firefox, Safari, Opera, Brave, Vivaldi, and Edge |
| Current deal: | Get NordPass, now 52% OFF and 1 month FREE! |
As one of the credential managers on the market, NordPass is an invaluable tool for those who want an easy way to keep track of all their passwords. Aside from using the next-gen XChaCha20 encryption, NordPass also takes advantage of cloud storage, storing all of your passwords in the cloud so that you don’t lose them.
It also offers two-factor authentication, biometric authentication (that lets you use your face or fingerprints instead of your master password), a password generator, a data breach scanner, and lots of other features that will help you with your online security. Check out our in-depth NordPass review for more info on this password manager.
RoboForm
| Cloud storage: | No |
| 2FA: | Yes |
| Platforms: | Windows, macOS, Linux, Android, iOS |
| Browser plugins: | Chrome, Firefox, Edge, Opera |
As one of the oldest password managers, RoboForm primarily focuses on providing the service to businesses, which in turn requires the highest levels of security. The industry standard AES 256-bit encryption and the 2FA is just the surface of it.
RoboForm dedicates resources to keep your passwords healthy and secure at all times - reports on the strength of your credentials and a password generator with changeable variables.
There is the option of self-hosting, too, meaning that data is stored on your device only, and not in outer servers. But if you wish to sync up numerous devices, this is also a possibility.
For more details, take a look at our RoboForm review.
Top 5 password managers video review
Should you use a password manager?
Yes, you should use a password manager. It will allow you to keep track of your passwords without having to memorize them. Some password vaults can also generate and change passwords for you in one click, as well as securely store other types of data like credit card information. A password manager also makes sharing your data with family and friends safer. It's a much better way than writing down your login details in an email or some unencrypted messenger.
Of course, you have to put trust in the company behind your password manager. However, most of them have a flawless reputation. Also, they are way less risky than some dubious app or browser add-on that people install without much thinking.
Yes, they have their flaws and vulnerabilities. But in the end, it's not only the password manager that protects your most valuable information. You should also use a reliable anti-virus to prevent malware from infecting your device. Keeping your software updated is no less important, just like double-checking the apps and extensions you're about to install.
Comments
1. You decrypt your vault using a master password to share an item (which is essentially plain text, as all passwords are in the end)
2. The person you share the password with uses their private key to verify that the message is meant for them.
3. You then verify the specific item you want to share, not just the person.
4. A public key is used to encrypt the item.
5. An encrypted item is sent out to the recipient.
6. Additional proprietary syncing allows for up-to-date information (like changes)
False. That's what the companys that build the software say you can never know whether the company has access to your password. But that's not the case for open source PMs like keypass.
The right thing to say is that "The free software is harder to use than than the premium counter part" but saying they are buggy and less secure is wrong and misleading.
This is a pretty curious way to say that you prefer sponsored content, but as a statement is is highly misleading, borderline of false.
First, quality often does not correlate price as there were numerous highly dubious quality expensive code around while the most prominent free code is often more secure due to public scrutiny of their open source than the closed-source paid ones.
Then it’s misleading to suggest that “free” means “buggy” in contrast to the implied “paid” means “bug-free”: this is clearly false. In fact some free code is praised for security of their disk format (like passwordsafe), or their architecture (like bitwarden or keepass-xc).
For security reviewing it is not great to skip tech details; only nordpass has encryption method mentioned (xchacha20), nowhere are KDF, transport methods, client and server security or assurance mentioned. It is true that your article is not alone: I found almost no review which seemed to be knowledgeable enough to be trusted.
Sad.
Say, I install a desk top based password manager on my Macbook along with a Yubikey for 2FA and my computer either crashes beyond repair or is held hostage by a ransomware attack, what are the consequences with respect to my passwords? What remedy would I have? Thank you.
-Steve
Biometric passwords come with two risks that others don’t: You can’t change them and you have a finite supply – for example, we only have so many fingers. Once breached or hacked, you cannot easily change your fingerprints or any other biometric element one might use. There is no mitigation for a breach.
Biometrics are harder to break but, like everything else, that will get easier over time. That’s not to say they shouldn’t be used, but the risks should be understood.
Thanks,
##################
“The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.
Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.”
##################
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise
It seems the hacker has a copy of my vault prior to Oct 2 since it’s encrypted with the old password. In that case, I must change my master password and the passwords to all my sensitive sites.
I can agree with you to some extent. No password manager is 100% safe, but the same can be said about cars or other things that we use. Going open-source would also solve the problem only partially. In your case, I think that a self-hosted password manager should do the trick. Stay safe!
Yes, I do believe that. Using the same password for all accounts is extremely not safe. I don’t know about your encryption strength, but if it’s lower than the military-grade AES 256-bit, I’d suggest using a password manager instead.
While this is admittedly very convenient, it is a serious security risk. For example, if your computer is stolen, the thief will have access to all of those saved log-ins. You are the most vulnerable if you have auto-log-in for your user account enabled i.e. you don't need to log-in to your computer every time you boot your computer. Or if your computer is stolen when you are already logged-in to your user account and you don't have some form of auto log-out enabled. And even if you are logged-out, gaining access to user accounts can be relatively easy or basically impossible but the level of security depends on the strength of your user account password and how you have your access preferences configured.
At the very least, you should not have persistent log-ins for your financial accounts and other sensitive high-value accounts. Since we humans are creatures of habit, it's a better idea to have things set up so you must log-in whenever you visit a website where you have an account. Especially if you have personal and financial information saved on retail websites and others for the convenience it offers.
Personally, I only save credit card info at Amazon and only for credit cards. I do not save such information at any other website. I never use debit cards for any financial transactions online or in-person because the user protections are nothing like what credit cards provide and it is possible to be liable for a large amount of money should your financial account be compromised.
Ideally, such financial accounts should not allow long-in credentials to be saved via cookies or will have some type of 2 factor-authentication required. Unfortunately, in the U.S the vast majority of financial websites use SMS texts to send a simple numerical code to users. If the device you use to receive SMS texts is your computer, the thief may be able to respond to the texts and gain access. Or if your smartphone is also stolen or compromised by a SIM swap, the person who has possession will have access to your accounts.
It's important to remember that your email accounts are another potential gateway to your accounts. If someone can access your email because they have your computer or they know your email account username/password, they will also have the ability to gain control over your accounts. The password for your email accounts should be very strong and guarded as closely as financial accounts and 2FA authentication should be used when available.
Many of us use password managers because they make it very convenient to create extremely strong passwords and avoid the trap of reusing passwords for multiple accounts, which is a common practice and a very dangerous one at that. The best password managers have very strong encryption and various options for locking the password manager when it is not in use.
I had been keeping all my passwords in a file for probably 15 years. It’s amazing how many logins you accumulate with random purchases, etc. and how easy it use to use the same password/login combo. It was getting lengthy (close to 300, but many were old) and I was using one main (very difficult) password for a lot of sites, then started adding characters when I was forced to reset a password, so even remembering some was becoming a chore.
I started with a password manager about a year ago, but got lazy and didn’t take it too far. It’s surprising how many strange problems arose when simply changing a password! Then, a few weeks ago, that one password I used most of the time was breached, so I took the time and updated all sites with 16 to 24 character passwords. It took several hours a day for a few days, but it’s worth the peace of mind I have now and it’s a lot easier to log in! Also, I’m glad the one I chose was recommended as a good one.
-pm
Your email address will not be published. Required fields are marked