After a few security scandals in the past, it’s not surprising to hear the question “are password managers safe to use?” Even though most of the best password managers have kept their name untarnished, the industry as a whole always takes a hit after media covers the latest vulnerability or security breach. Therefore, this article will look at password managers without fear-mongering but also without idolizing them.
There are more questions that need an answer and will be addressed below. How do password managers secure your passwords? What are the risks of using a password manager? And finally, should you use a password manager at all? Read on to learn more.
How do password managers secure your passwords?
Generally speaking, password managers are safe to use and the best way to protect your passwords. Even though they can be hacked, much like anything else, such a scenario is highly unlikely, provided you take necessary precautions. It’s way easier for the attacker to use social engineering or phishing than to actually crack a strong password.
So, what makes password managers so secure?
First and foremost, password managers use encryption to protect your passwords. AES 256-bit is the industry standard that’s also used by the military because of its exceptional strength. It would take more than a lifetime to crack this cipher, so a brute-force attack has near-zero chance of success.
Furthermore, password managers protect your data from themselves by using zero-knowledge architecture. It means that your passwords are encrypted before they leave your device. So when they end up on the company’s server, the provider has no tools to decipher them.
Most password managers will ask you to use a master password for accessing your vault. If it’s secure, you can be sure that the rest of your passwords are safe enough. Having said that, it’s recommended also to use two-factor authentication (2FA) to enhance your database safety further. Using biometric authentication, such as fingerprint or face scan, is also a good idea.
Finally, password managers have multiple features aimed at securing your passwords. Some will remind you to change the passwords regularly and evaluate their strength. Others will scan the dark web to check if any of your logins appeared online. And some will do both, and then some.
As you can see, there are multiple ways that password managers secure your passwords. If you want to learn more, check out our article on how do password managers work?
However, you should also know about the risks that come with using a password manager. We’ll explain that in detail in the next chapter below.
What are the risks of using a password manager?
There’s no way to stay 100% safe online. Even if you use a reliable password manager, there are certain risks that you should know about:
- All sensitive data in one place. You’ve probably heard about keeping your eggs in one basket. That’s exactly what you’ll be doing with a password manager. That basket will likely include credit card details and secure notes too. In case of a breach, blocking all payment options and changing passwords for all accounts might take enough time for the attacker to do damage.
- Backup is not always possible. If the server breaks down, your only hope is that your provider has made a backup copy. This risk increases multi-fold if you decide to keep your vault offline on one of your devices. Naturally, keeping your own backup on an unprotected disk drive or poorly protected cloud service won’t help either.
- Not all devices are secure enough. Hackers exploit the same vulnerability to get all of your logins in one attack. If your device is infected with malware, typing the master password will give full access to the cybercriminals. That’s why password manager users should invest in securing all of their devices first to reduce the risks.
- Not using biometric authentication. Biometric authentication is a great way to add another level of security. If you configure your password manager to request either a fingerprint or face scan, the chances of someone hacking into your vault become as slim as Shady. It’s also much easier for you to touch the fingerprint scanner than to enter a master password.
- Bad password manager. If it has weaker encryption, offers few features, and has poor reviews, you shouldn’t use it. When it comes to securing your vault, saving a few bucks a month shouldn’t be your main priority. We recommend checking out some of the best password managers in 2020.
- Forgetting your master password. Are you the only person who knew it, and your password manager doesn’t have a reset feature? In this case, you may already start recovering each login one-by-one. Alternatively, you may want to store your master password (or a hint) in some physically secure place, such as a safe.
As you can see, some of the risks stem from the password managers themselves, but others exist solely because of users’ behavior. If we don’t count the latter, we can see that there aren’t that many risks of using a password manager.
Which password manager type is the most secure?
Those familiar with password managers probably know about the three types. Each comes with its set of pros and cons, including nuances in security. Let’s discuss all types one by one and find which is the most secure.
Browser-based password managers
Pros: very easy to use, free
Cons: no cross-browser sync, not all generate passwords, few measure password strength
Examples: built-in browser password managers (Chrome, Firefox, Safari)
If we boil down safety to encryption and two-factor authentication, browser-based password managers are pretty safe. However, the devil is in the detail. The more closely you look, the less secure browser password managers look.
For starters, browser-based passwords work on one particular browser. If you decide to move from Safari to Chrome or Firefox, you might have trouble with export and import. Furthermore, there’s no way you could synchronize your vault on different browsers. All this often leads to storing your passwords in an insecure location.
Secondly, not all browser-based password managers have a password generator. Without one, you will have to create them manually. And this means there’s a chance that one of those passwords will be less safe than it should.
More often than not, users share passwords insecurely, copying plain text on messaging services and emails. This concerns the users of browser-based password managers. If your friend uses Opera and you have Edge, there’s no easy way to share passwords securely.
Lastly, browser password managers can’t detect weak or reused passwords. Want to know if your logins aren’t available on the dark web? You will have to check that manually on a separate tool. Dedicated password managers have all these and other features integrated, making them safer than their browser-based counterparts.
Cloud-based password managers
Pros: very convenient, easy access from anywhere, cloud backup, internet-dependent
Cons: no control over your vault security, third-party servers store your data
Examples: Zoho Vault, LastPass, Dashlane
When compared to the browser-based ones, cloud-based password managers are safer. While both types use military-grade encryption and allow 2FA, cloud-based password managers have more features that enhance security. Even though browser password managers are catching up, they are still way behind the best overall services.
To begin with, most cloud-based password managers provide a backup for your vault. In case something happens to the server, you can recover a recent version of your database. That’s usually not the case with browser password managers.
Furthermore, cloud-based password managers allow you to store not only passwords but also secure notes and credit card details. This way you can protect all sensitive information. If you use a cloud-based password manager, you probably wouldn’t want to have your payment details available in autofill.
And then, there are arguments from the section above. Cloud-based password managers detect reused and weak passwords, generate strong ones, and check if your accounts haven’t leaked. They also let you share your vault entries easily, even with those who don’t use the same service.
Finally, cloud-based password managers will work on multiple browsers and operating systems. It means that you won’t have to think about how to copy and paste something from your database securely.
Desktop-based password managers
Pros: safest option, doesn’t require an internet connection
Cons: no access from other devices, complicated password sharing, manual backups
Examples: Bitwarden, KeePass, 1Password
You may have noticed an asterisk beside the security score. That’s because desktop-based password managers can be the safest, but that depends solely on the user.
As the name implies, these password managers store your data locally, on one of your devices. That device doesn’t have to be connected to the internet, so there might be nearly zero chances of hacking into it. The most likely (and still highly unlikely) scenario is you inadvertently installing a keylogger and typing in your master password. However, this can be avoided by using biometric authentication.
Obviously, such a setup has its cons, which stem from the desktop-based password manager’s very nature. For starters, you’ll have to take care of regular backups. If your device breaks down irreparably, you can kiss your vault goodbye. What’s more, you won’t be able to access your passwords from other devices, and sharing them won’t be easy either.
What if your password manager gets hacked?
In most cases, getting hacked won’t result in all your passwords falling into the wrong hands. Besides, there are many attack types that your password manager might endure. At the same time, not all services spend enough resources to prevent hacking. But even the most secure password manager may have a serious vulnerability that everyone overlooked.
Let’s start with the fact that your passwords are encrypted locally. Password managers have no way to decipher your data because they implement a zero-knowledge policy. So if a hacker breaks into your vault, he will see only encrypted information.
There’s a slim chance that the attacker could break into your physical device by stealing it, using malware, or logging keystrokes. Even then, he or she will need your master password. If you use biometric data, such as fingerprint or face ID, the chance of a successful attack becomes infinitesimally low.
If the attacker installs malware on your device, your best move is to reinstall the OS and change all passwords in your vault. Make sure to also turn on 2FA wherever you can. This way, you will notice when an unusual request comes to the authenticator app.
Password manager hacks
The list of notable password manager hacks is quite short. Otherwise, they wouldn’t have the reputation they have today. That’s why I’ll be also adding reported vulnerabilities that might not have resulted in any damage.
- In 2015, LastPass detected an intrusion to its servers. Hackers took users’ email addresses and password reminders, among other info. This resulted in no known damages because even if you used a weak master password and the attackers cracked it, they would still need to verify the access by email.
- In 2016, plenty of security vulnerabilities were reported by white-hat hackers and security experts. Among the affected password managers were LastPass, Dashlane, 1Password, and Keeper. In most cases, the attacker would still have to use phishing to trick the user into revealing some data.
- In 2017, LastPass reported a serious vulnerability in its browser add-ons and asked subscribers to refrain from using it. It was fixed in less than 24 hours. Keeper and OneLogin also had issues that didn’t result in casualties.
- In 2019, serious vulnerabilities were found in the code of Dashlane, LastPass, 1Password, and KeePass. This applied to Windows 10 users and only if the right malware was installed. Once again, the users didn’t suffer any reported casualties.
As you can see, none of these password manager hacks were that serious. Sure, vulnerabilities were exposed, but they were also fixed in a timely manner. And in most cases, the attacker would have to either get some more data from the user or overtake her device completely before accessing the vault. As a result, none of the issues mentioned above hurt the reputation of password managers.
Are premium password managers safe
Most premium password managers are way safer than the majority of the free ones. The latter are often buggy, developed by shady companies, and sometimes even include malware. Despite that, there are quality free password managers that are as safe as the paid services. In fact, the former often include a free version. Therefore, it’s a good idea to compare them and see what’s lacking.
Usually, both free and premium password managers use military-grade encryption and zero-knowledge architecture. This means that there’s no way to decipher your database even if someone breaks into it. The provider also doesn’t have a key to unlock your data. That’s why it all comes down to using a proper master password, 2FA, and keeping your devices malware-free.
Security flaws of free password managers
The added security of a premium password manager comes in the form of additional features. Free versions are usually stripped-down and lack options, some of which might be safety-related. For example, some free password managers don’t support biometric data, such as fingerprint or face ID. This means that you will have to enter your master password all the time. And one day, this might happen on a device that has a key logger.
Additionally, other free services don’t have the option to audit your passwords. In case your vault dates back more than a few years, chances are those passwords aren’t strong enough. Checking this manually is often a task that many users gladly postpone.
What’s more, one would be hard-pressed to find a free password manager that integrates a dark web scanner. Even though this can be done manually using a third-party tool, it might take quite some time and will have no benefit if done only occasionally. A premium password manager constantly checks the dark web to see if any of your accounts have leaked.
Safest password managers in 2020
Safest password manager services is a synonym to the best password managers. After all, how can one consider a less secure option to be better? That’s why we invite you to check our guide to the best password managers in 2020.
How safe is Dashlane?
As our #1 password manager, Dashlane is very safe. It uses military-grade encryption and zero-knowledge architecture. What’s more, there are plenty of multi-factor authentication options. In addition to the 2FA, you can use universal two-factor authentication (U2FA). It comes in the form of an NFC or USB device that acts as a key.
When it comes to biometric data, both Face ID and Touch ID are available, depending on your device. Then there’s a dark web scanner that reports if your data is available online. Last but not least comes a built-in Virtual Private Network (VPN). It will encrypt your traffic and let you connect to servers in more than 20 countries. Please have a look at our Dashlane review to find out more about the service.
Is LastPass safe?
Not only is LastPass safe, but it’s also arguably the safest password manager in 2020. We’re talking about AES 256-bit encryption and zero-knowledge architecture here. There are plenty of multi-factor authentication options available. You can also use third-party authenticators, such as Google, Microsoft, or YubiKey.
Unfortunately, we must point also point out that LastPass suffered a breach in 2019. As a result, an embedded malicious code exposed more than 16 million users’ data. The company fixed the issue in no time, but the reputation remains in question.
What about the safety of 1Password?
As we mentioned previously, the best password manager equals the safest one. And 1Password is in the Top 3. It uses bank-grade encryption and offers “something that you are” (biometric) and “something that you have” (smartphone code) as 2FA options. There’s also a dark web scanner at your service.
1Password also checks whether a website that you want to log in to allows 2FA and uses HTTPS. This feature is unique among all premium password managers. Finally, a so-called Travel Mode hides important data on your phone while you’re abroad. In case you lose it, the information won’t fall into the wrong hands.
The final verdict: should you use a password manager or not?
You really should use a password manager. Yes, they have their flaws and vulnerabilities. But it’s still better than re-using the same weak passwords and writing them down as a note on your smartphone that becomes a playground for your kids after work. This is especially dangerous if you still don’t use two-factor authentication.
Of course, you have to put trust in the company behind your password manager. However, that shouldn’t be a problem because most of them have a flawless reputation. Also, they are way less risky than some dubious app or browser add-on that people install without much thinking.
What’s more, a password manager makes your data safer by letting you share it with your family and friends. It’s a much better way than writing down your login details in an email or some unencrypted messenger.
In the end, it’s not only the password manager that protects your most valuable information. You should also use a reliable anti-virus to prevent malware from infecting your device. Keeping your software updated is no less important, just like double-checking the apps and extensions you’re about to install.