
How Secure are Password Managers? Here’s What to Keep in Mind

Password managers have grown in popularity over the years, but do they really keep your information safe? Let’s find out.

15 Oct 2019
SelfKey

In our digital world, passwords are a part of everyday life. However, most of us are not using strong and unique passwords for every website we use. As hacking technology has advanced, so has password technology. In a perfect scenario, you should have a unique password for every single website and application that you use. Experts say that your password should not be a word in the dictionary, and should contain symbols, numbers, and uppercase and lowercase letters. Sounds complicated, right?

Obviously the prospect of remembering dozens of completely unique, nonsensical passwords is daunting. However, there are now dozens of password managers available that are designed to remember your passwords so you do not have to. Some will even generate unique passwords for you so that you can be sure your accounts are extra safe.

But how secure are password managers? Can they be hacked? In this article, we’ll dive into how password managers work, just how safe password managers are, and the extra steps that you can take to protect yourself.


Password Managers 101

A password manager stores all of your passwords in one place. In some cases, the password manager has a browser extension that automatically enters your password for you. In others, you have to open the app or website each time to copy and paste your password.

Only 1 in 10 Americans use a password manager, and even fewer use one on a daily basis. Most people memorize their passwords (usually because they only have one or two passwords), write them down on a piece of paper, or keep them in a spreadsheet. A study done in 2017 and published in “Human-centric Computing and Information Services” found that most people use password managers for convenience and that security is less of a concern.

There are three different types of password managers:

  1. Offline Password Managers – This type of password manager is completely disconnected from the Internet. It is usually an app that runs on your computer and saves your passwords to a heavily encrypted file. While that file could still be hacked by a persistent hacker, the chances of that happening are pretty slim. To access an offline password manager, you need to provide a master password, which is not stored by the password manager.
  2. Online Password Managers – This is the more popular type of password manager because of its convenience. Online password managers store your passwords online, which means you can access them across different devices. This is particularly handy for people who spend a lot of time on their phone. The downside is that your passwords are more vulnerable when they are stored online. While there are a number of protective measures that password management services take to prevent attacks, you are more at risk.
  3. Stateless Password Managers – This type of password manager is one of the safest because it does not store encrypted copies of your passwords anywhere. Instead, a password is generated from variables. A common approach is to create a password using a combination of your master password and a website’s address. If a malicious actor tries to access your passwords, they need to know your master password, the website’s name, and the length of your password in order to replicate it, which is quite difficult. On the other hand, if the hacker can figure out your master password, they can piece together your other passwords pretty easily.
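To make the stateless approach concrete, here is an added example (not code from the original article or from SelfKey) of deriving a per-site password from nothing but a master password and a site name. The key derivation (PBKDF2-SHA256 with the site name as salt), the alphabet, the `counter` parameter and the `derive_site_password` function name are all assumptions of this example, not a description of any particular product.

```python
import hashlib
import hmac
import string
from typing import Iterator

# Characters the derived password is drawn from. Real tools let the user
# restrict this per site, since some sites reject certain symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"

# PBKDF2 work factor. In a stateless manager the master password is the only
# thing protecting every account, so the derivation is made deliberately slow.
ITERATIONS = 100_000


def _byte_stream(key: bytes) -> Iterator[int]:
    """Expand a key into an unbounded byte stream (HMAC-SHA256 in counter mode)."""
    block = 0
    while True:
        yield from hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1


def derive_site_password(master_password: str, site: str,
                         length: int = 20, counter: int = 1) -> str:
    """Deterministically derive a site password; nothing is stored anywhere.

    The same (master password, site, length, counter) always yields the same
    password. 'counter' lets one site's password be rotated without changing
    the master password.
    """
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    # The site name is the salt, so one master password gives an unrelated
    # password per site. Normalise it so "Example.com" and "example.com" agree.
    salt = f"{site.strip().lower()}:{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              salt, ITERATIONS, dklen=32)
    # Rejection sampling: discard bytes that would bias the choice of symbol.
    limit = 256 - (256 % len(ALPHABET))
    chars = []
    for b in _byte_stream(key):
        if b < limit:
            chars.append(ALPHABET[b % len(ALPHABET)])
            if len(chars) == length:
                break
    return "".join(chars)
```

The example also exposes the trade-off the article describes: anyone holding the master password can reproduce every site password by running the same function, and the `counter` needed to rotate a single site's password is a piece of state the user has to remember, which is the one thing a stateless design was trying to avoid.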

The type of password manager you use really depends on how much security you want and what you are willing to do for it. While all password managers are safer than not using anything at all, using one does put you at a different type of risk. It is important to do your due diligence about how to further protect yourself against data breaches and hacks. 

How secure are password managers?

Although password managers have a relatively small user base, they are targeted by hackers because they contain a lot of valuable information. Many people worry that if they use a password manager, then that is a surefire way to have all of their accounts compromised, but that is not necessarily true. If someone manages to hack into a password manager’s server, the data they can access is generally useless. The data does not make any sense unless the malicious actors also have the master password, and obtaining a master password is even more difficult.

However, that does not mean that hacks to password managers do not happen. LastPass was hacked in 2015, but no passwords were stolen. In 2017, OneLogin was hacked, but once again the hackers did not actually gain access to any passwords. Malicious actors seem to have realized it is easier to target major websites that have more data stored and far fewer protective measures in place.

A number of vulnerabilities in password managers have been exposed over the years, but hackers have yet to take advantage of them. The security community seems to be very committed to regularly auditing password managers for any potential weak points.

Earlier this year, an audit of five online password managers conducted by Independent Security Evaluators discovered some security flaws. The audit found that the Windows 10 apps for 1Password, LastPass, Dashlane, KeePass, and RoboForm left some passwords exposed in a computer’s memory even when the app was in “lock mode”, making them easily accessible to malicious actors. Critically, three of the apps left the master password used to unlock the app exposed.

Luckily, this security flaw is not that big of a problem. For now, we are ahead of hackers when it comes to password manager security. It is very unlikely that a malicious actor would target a single computer. Additionally, in order to access the exposed passwords, they would either have to have physical access to the computer or install some type of malware that gives them full control over the computer. That is a lot of work for only one set of passwords, which is why most hackers target large sites like Facebook or even your iPhone.
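The audit finding above (secrets still readable in memory while the app was "locked") and the earlier description of offline managers (an encrypted file, with the master password never stored) both come down to how a vault handles key material. The following is an added example, not code from the original article, from SelfKey, or from any of the audited products, of a minimal offline vault that keeps only a salt and a verifier, never the master password, and overwrites its keys in place when it locks. The HMAC-SHA256 keystream and tag are an assumption made to keep the example standard-library only; a real product would use a vetted AEAD such as AES-GCM. Python cannot guarantee that no copies of a secret linger, so the point is the discipline (mutable buffers, zeroed on lock), not a memory-safety guarantee.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; raise it on fast hardware


class VaultLocked(Exception):
    """Raised when a secret is requested from a locked vault."""


class OfflineVault:
    """Illustrative offline vault: key derived from the master password, only a
    random salt and a verifier kept on disk, key material zeroed on lock."""

    def __init__(self, master_password: str) -> None:
        self.salt = secrets.token_bytes(16)   # defeats precomputed guesses
        self._enc_key = None
        self._mac_key = None
        self._entries = {}                    # site -> nonce || ciphertext || tag
        root = self._derive_root(master_password)
        # The verifier lets unlock() reject a wrong master password; the
        # password itself is never stored, only this one-way value.
        self.verifier = hmac.new(root, b"verifier", hashlib.sha256).digest()
        self._install_keys(root)

    def _derive_root(self, master_password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   self.salt, ITERATIONS, dklen=32)

    def _install_keys(self, root: bytes) -> None:
        # Separate encryption and authentication keys, held in bytearrays so
        # lock() can overwrite them in place (immutable bytes cannot be wiped).
        self._enc_key = bytearray(hmac.new(root, b"enc", hashlib.sha256).digest())
        self._mac_key = bytearray(hmac.new(root, b"mac", hashlib.sha256).digest())

    @property
    def locked(self) -> bool:
        return self._enc_key is None

    def lock(self) -> None:
        """Zero the keys before dropping them: a locked vault should not leave
        usable key material readable in process memory."""
        for buf in (self._enc_key, self._mac_key):
            if buf is not None:
                for i in range(len(buf)):
                    buf[i] = 0
        self._enc_key = self._mac_key = None

    def unlock(self, master_password: str) -> None:
        root = self._derive_root(master_password)
        candidate = hmac.new(root, b"verifier", hashlib.sha256).digest()
        if not hmac.compare_digest(candidate, self.verifier):
            raise ValueError("wrong master password")
        self._install_keys(root)

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = b""
        block = 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + block.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            block += 1
        return out[:length]

    def store(self, site: str, password: str) -> None:
        if self.locked:
            raise VaultLocked(site)
        nonce = secrets.token_bytes(16)       # fresh per entry: never reuse a keystream
        plaintext = password.encode("utf-8")
        ciphertext = bytes(p ^ k for p, k in
                           zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        self._entries[site] = nonce + ciphertext + tag

    def fetch(self, site: str) -> str:
        if self.locked:
            raise VaultLocked(site)
        blob = self._entries[site]
        nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # verify before decrypting
            raise ValueError("vault entry failed integrity check")
        return bytes(c ^ k for c, k in
                     zip(ciphertext, self._keystream(nonce, len(ciphertext)))).decode("utf-8")

    def export_file(self) -> str:
        """What lands on disk: salt, verifier and encrypted entries, nothing else."""
        return json.dumps({
            "salt": self.salt.hex(),
            "verifier": self.verifier.hex(),
            "entries": {site: blob.hex() for site, blob in self._entries.items()},
        })
```

Two details carry the security argument. The exported file contains neither the master password nor any plaintext, so a copied vault file is only as weak as the master password and the PBKDF2 cost. And `lock()` zeroes both key buffers before dropping them, which is the behaviour the audit found missing: an app whose "lock mode" merely hides the window, while the derived key or the master password stays intact in memory, has not actually locked anything.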

All in all, password managers are quite secure. Our digital identity can never truly be safe, but we can take actions to protect ourselves, and using a password manager makes you far less vulnerable to having your information compromised. Using a password manager is certainly more secure than not using one.

Best practices for using password managers

There are a number of extra steps you can take to make your password manager even more secure, and most of them are quite simple.

  • Enable two-factor authentication: Using two-factor authentication puts an extra layer of protection between you and hackers, especially if you use your mobile phone a lot.
  • Do not leave your password manager running in the background: By closing your password manager and making sure it is locked immediately after you use it, you leave less of a window open to potentially have your data exposed. 
  • Turn off autofill: Autofill is tempting to use because it makes logging into accounts so much easier and faster. However, some third-party advertising scripts are starting to use that information to track you. Turning off autofill means you will have to copy and paste every password manually from your password manager, but it means your data will ultimately be safer.
  • Keep your software up to date: Password managers are regularly updating their apps to fix security issues, so it is important to make sure you are using the latest version. Most operating systems and mobile phones offer automatic updates so you don’t have to constantly check. We recommend turning automatic updates on for peace of mind.
  • Avoid using browser extensions: While browser extensions make logging into your accounts more convenient, they are more vulnerable to attacks. If security is crucial to you, do not use any password manager browser extensions.
  • Check your computer regularly for malware: There are several different types of software that offer malware detection and protection, which is more than your standard anti-virus program can offer. Here is a list of the top malware protection and removal software.
  • Use a password manager that does not allow master password recovery: If a malicious actor is able to get hold of your master password through account recovery tools, then all of your information is exposed.
  • Do not store sensitive information in your password manager: This one should seem pretty straightforward, but some people have been known to keep things like Bitcoin private keys in their password manager. Use your password manager for passwords only.

Conclusion

Using a password manager is certainly safer than the alternative, especially because it allows you to generate unique and strong passwords for all of your accounts. Although password managers can be vulnerable to attacks, they are the best option that is currently available. 

By doing your due diligence and following the extra steps we outlined above, your data will be more secure than ever. Although hackers will probably catch up to the technological advances of password managers eventually, for the time being they haven’t been able to steal any important information.