Self-Sovereign Identity for more Freedom and Privacy - SelfKey

In our digital world, passwords are a part of everyday life. However, most of us are not using strong and unique passwords for every website we use. As hacking technology has advanced, so has password technology. In a perfect scenario, you should have a unique password for every single website and application that you use. Experts say that your password should not be a word in the dictionary, and should contain symbols, numbers, and uppercase and lowercase letters. Sounds complicated, right?

Obviously the prospect of remembering dozens of completely unique, nonsensical passwords is daunting. However, there are now dozens of password managers available that are designed to remember your passwords so you do not have to. Some will even generate unique passwords for you so that you can be sure your accounts are extra safe.

But how secure are password managers? Can they be hacked? In this article, we’ll dive into how password managers work, just how safe password managers are, and the extra steps that you can take to protect yourself.

Password Managers 101

A password manager stores all of your passwords in one place. In some cases, the password manager may have a browser extension that automatically enters your password for you. In others, you have to open the app or website each time to copy and paste your password.

Only 1 in 10 Americans use a password manager, and even fewer use them on a daily basis. Most people memorize their passwords (usually because they only have one or two passwords), write them down on a piece of paper, or keep them on a spreadsheet. A study done in 2017 and published in “Human-centric Computing and Information Services” found that most people use password managers for convenience and that security is less of a concern.

There are three different types of password managers:

  1. Offline Password Managers - This type of password manager is completely disconnected from the Internet. It is usually an app that runs on your computer and saves your passwords to a heavily encrypted file. While that file could still be hacked by a persistent hacker, the chances of that happening are pretty slim. To access an offline password manager, you need to provide a master password, which is not stored on the password manager. 
  2. Online Password Managers - This is the more popular type of password manager because of its convenience. Online password managers store your passwords online, which means you can access them across different devices. This is particularly handy for people who spend a lot of time on their phone. The downside is that your passwords are more vulnerable when they are stored online. While there are a number of protective measures that password management services take to prevent attacks, you are more at risk.
  3. Stateless Password Managers - This type of password manager is one of the safest because it does not store encrypted copies of your passwords anywhere. Instead, a password is generated from variables. A common approach is to create a password using a combination of your master password and a website’s address. If a malicious actor tries to access your passwords, they need to know your master password, the website’s name, and the length of your password in order to replicate it, which is quite difficult. On the other hand, if the hacker can figure out your master password, they can piece together your other passwords pretty easily.

The type of password manager you use really depends on how much security you want and what you are willing to do for it. While all password managers are safer than not using anything at all, using one does put you at a different type of risk. It is important to do your due diligence about how to further protect yourself against data breaches and hacks. 

How secure are password managers?

Although password managers have a relatively small user base, they are targeted by hackers because they contain a lot of valuable information. Many people worry that if they use a password manager, then that is a surefire way to have all of their accounts compromised, but that is not necessarily true. If someone manages to hack into a password manager’s server, the data they can access is generally useless. The data does not make any sense unless the malicious actors also have the master password, and obtaining a master password is even more difficult.

However, that does not mean that hacks to password managers do not happen. LastPass was hacked in 2015, but no passwords were stolen. In 2017, OneLogin was hacked but once again, hackers did not actually gain access to any passwords. Malicious actors seem to have realized it is easier to target major websites that have more data stored and far fewer protective measures in place.

A number of vulnerabilities on password managers have been exposed over the years, but hackers have yet to take advantage of them. The security community seems to be very committed to regularly auditing password managers for any potential weak points.

Earlier this year, an audit of five online password managers conducted by Independent Security Evaluators discovered some security flaws. The audit found that the Windows 10 apps for 1Password, LastPass, Dashlane, KeePass, and RoboForm left some passwords exposed in a computer’s memory even when the app was in “lock mode”, making them easily accessible to malicious actors. Critically, three of the apps left the master password used to unlock the app exposed.

Luckily, this security flaw is not that big of a problem. For now, we are ahead of hackers when it comes to password manager security. It is very unlikely that a malicious actor would target a single computer. Additionally, in order to access the exposed passwords, they would either have to have physical access to the computer or install some type of malware that gives them full control over the computer. That is a lot of work for only one set of passwords, which is why most hackers target large sites like Facebook or even your iPhone.

All in all, password managers are quite secure. Our digital identity can never truly be safe, but we can take actions to protect ourselves, and using a password manager makes you far less vulnerable to having your information compromised. Using a password manager is certainly more secure than not using one.

Best practices for using password managers

There are a number of extra steps you can take to make your password manager even more secure, and most of them are quite simple.


Using a password manager is certainly safer than the alternative, especially because it allows you to generate unique and strong passwords for all of your accounts. Although password managers can be vulnerable to attacks, they are the best option that is currently available. 

By doing your due diligence and following the extra steps we outlined above, your data will be more secure than ever. Although hackers will probably catch up to the technological advances of password managers eventually, for the time being they haven’t been able to steal any important information.

SelfKey is a fast-growing DAO developing digital identity solutions. The DAO seeks to empower individuals and corporations to take back ownership of their identity data
