How Secure Are Password Managers?

The idea of a password manager can seem insecure initially, because it means that a single password will reveal the gleaming treasure of all your passwords. But using a password manager is the recommendation of experts.

And if you use the same password everywhere, like many folks do, all of your passwords would be exposed if even the weakest link was broken. (Note: the weakest links are broken with morbid regularity.)

I had some concerns when I first heard about using a password manager, but I have been using KeePass for years and rest easy at night. Let’s dig a little deeper so you can too.

Alternatives

  • Same password for everything – one site’s password is exposed and the jig is up
  • Try to memorize dozens of long, hard-to-remember passwords – nearly impossible
  • Writing passwords down – not bad, but tedious and less accessible
  • Saving passwords in your browser – not as secure, and doesn’t work for non-web passwords

None of these alternatives works as well as a password manager, or scales to hundreds of passwords. That’s not to say you should never use them, just that for the balance of convenience and security, a password manager wins out.

Attack vectors

  • A web site you use is hacked, revealing your password
  • Keylogger
  • Physical access to your machine

The first attack vector is depressingly common. LinkedIn, eHarmony, Gawker Media, Sony PlayStation Network and plenty more have all had their users’ passwords exposed. When this happens I can change my password to another random one quickly and easily. The longest part of the process is finding the option in the account settings.

A keylogger is pretty much game over if you’re typing your passwords in. But password managers make an effort to be resistant to keylogging. And if someone has physical access to your machine, a password manager keeps your passwords encrypted. If you use a relatively short inactivity timeout, your passwords would still be safe from prying eyes.

While no solution is perfect, a password manager gives you strong, random passwords for every login. I use KeePass, but there are plenty of options.

  • KeePass – Standalone application, free and open source
  • LastPass – Web site with browser extensions, free and paid plans
  • Bitwarden – Apps save encrypted passwords to the cloud, free and open source (can be self-hosted)
  • 1Password – Paid plans only