We’ve talked about people reusing the same passwords or just using hilariously unsafe ones so much that one is tempted to just shrug and let digital nature take its course. But this is one area where there is a technological solution to a human problem: password managers. Of course, before you entrust some app with all your login data, you might ask yourself: are password managers safe?

In short: Are password managers safe?

A good online password manager is safe to use due to the variety of security measures in use: encryption, zero-knowledge storage, two-factor authentication, biometric locks, and the fact that the user only needs to memorize a single password.

What is a password manager?

A password manager is an app or a browser plug-in that records usernames and passwords for the websites you visit on your device. It does so with your permission. It may also offer to generate a secure password for you. 

By using a password manager, you only need to remember a single secure password – for the manager – instead of coming up with and memorizing safe and unique passwords for every website you visit. 

How do password managers work? 

A password manager works in a reasonably straightforward manner. It’s an app or a browser add-on that detects you’re entering login data into a website or an app. It will prompt you to save it, and if you choose to do so, the data is then encrypted and stored in a password vault. The user can then effortlessly use that data to log in to their online accounts without memorizing a unique password for each one – as long as they remember how to log into the password manager.

Types of password managers (and their pros & cons)

Generally, there are two types of password managers: those that store your passwords locally and those that store them online. And as with most things, both approaches have their pros and cons.

Local password managers

Local password managers keep your passwords on your devices or browsers. This eliminates the chances of losing your credentials in a company-wide data breach. They’re also usually free.

However, a local solution is vulnerable to local device problems. For example, your password security might get compromised if your device gets infected with malware. And if a cat fries your laptop by spilling coffee over it, all your passwords will be gone.

Local storage password managers are also less convenient, as you’ll need to install them on every device you use. So if you try to log into Facebook on your friend’s phone, you’ll need to remember the password.

Local storage password managers

Pros:
  • Won’t lose your passwords to a data breach.
  • Usually free.

Cons:
  • Vulnerable to malware and viruses.
  • Only works after manual setup on each device.
  • If you lose your device, you’ll lose your passwords.

Cloud password managers

Cloud-based password managers store your passwords in cloud databases. They are more convenient because you can access them from anywhere. However, they can potentially be subjected to data breaches. That’s why it’s very important to find a trustworthy and secure password manager provider!

Unlike local password managers, their cloud-based counterparts are not tied to a single device. Essentially, you can use one from anywhere in the world as long as you have internet access.

Cloud password managers are also safer because they are not vulnerable to malware that might infect your devices. The only remaining threat to your sensitive data is a breach on the provider’s side.

Online password managers

Pros:
  • Can be accessed from anywhere.
  • Works across multiple devices and platforms.
  • Will tell you if your passwords were leaked.

Cons:
  • Data breaches can compromise your passwords.
  • Requires an internet connection.
  • Is a paid service.

What are the risks of using a password manager?

Only scammers talk about products that don’t have any drawbacks. So here are the main risks you run into as a password manager user:

  1. All the data in one place: hackers only need to break into your password manager to instantly gain access to all your accounts (except for the ones that require two-step verification). Moreover, some password managers also store your credit/debit card details, so that’s an additional risk.
  2. The manager may be unsecured: if you look for the cheapest password manager, you might get one with weak encryption, lax security practices, and so on. They may even forgo backing up your password vault, which would mean that their servers failing would make all your stored logins vanish. 
  3. Compromising your device can compromise the manager: if you’re using a password manager on, say, your PC and it gets infected by malware, all your data, including the password manager, may be at risk. While it won’t be as easy as just stealing your password vault (it’s encrypted), it can still provide access to the manager itself.
  4. Forgetting your master password: you still need a secure password for your password manager. This means you can’t use your birth date, your pet’s name or make any other password creation mistakes. But a secure password may be harder to remember, and if you forget that…

Password security mistakes to avoid 

To use a password manager safely and securely, you still need to follow the secure password rules:

  1. No repeating the same password: if you have used that password before, don’t use it as your password manager’s master password. 
  2. Use a secure password: the trick is to avoid dates and dictionary words. Adding at least one non-alphanumeric character also helps. Consider creating a mnemonic to remember this excellent password. 
  3. Don’t store the password nearby: I can’t tell you what a good physical place for storing your master password may be, but it certainly isn’t your wallet, a sticky note on your monitor, a note on your smartphone, or a .txt file on your desktop. The most secure spot is inside your head. 
  4. Don’t use browser password storage: this is more of a piece of meta-advice, but use a password manager instead of your browser’s password storage function. Also, don’t store your master password in your browser. 
  5. Enable 2FA: two-factor authentication may be annoying to you, but it’s even more annoying to hackers. So use that! Also, if it’s possible to use biometric scans – like your fingerprint or face photo – enable that as well.

How safe are password managers?

While nothing is 100% safe online, a good password manager (read: paid subscription, has good reviews) will have a lot of security measures in place to make sure that your data remains safe and secure. Here’s what they have to work with:

Encryption
Password managers encrypt your data with the AES-256 algorithm, which is as good as it gets these days, and no computer in existence could crack it within a lifetime.
Zero-knowledge
This means that your data is encrypted on your device, with a key derived from your master password, before it’s transmitted to the vault, so the provider never holds the key. Should the server be breached, the hackers would only find an unreadable mess. Meanwhile, some other services just store passwords on your device, making it a bit safer but a lot less convenient.
Only a single password
If you only ever needed to remember a single password, you’d probably be able to remember any random string of letters, numbers, and punctuation marks. This is the core safety idea of all password managers.
Good passwords
A computer can generate a stronger password than you could, and it can store an indefinite number of those passwords. So when it comes to logins, all of your accounts will be protected to the same level.
Two-Factor Authentication
2FA increases the security of your accounts by asking you to confirm your login on another device. This makes it harder for anyone who might get their hands on the password to your password manager to get in.
Biometrics
Why not make 2FA even harder to crack and manipulate by using your fingerprint as the second lock on your password manager?
Threat monitoring
Some password managers go as far as to notify users when their passwords have been leaked in a breach, prompting them to change them.

How to choose a reliable password manager

Ideally, you want to look for a password manager that comes with:

  • Strong encryption implementation;
  • Two-factor authentication;
  • Zero-knowledge storage;
  • Threat monitoring. 

The company’s reputation is also very important. Did they have any leaks or breaches in the past? Do they test their security often? Do security experts recommend this password manager?

You can find such information with a simple Google search, and I absolutely urge you to do the research yourself.

What are some safe password managers?

Doing my own research? In 2022 (if you’re reading this in 2023, use 2023 for the joke to still work)? I know it sounds tedious, but it’s definitely worth it because you’ll know what you’re getting!

In general, there are a few big players out there. We recommend you check out these services to get started:

  • LastPass
  • NordPass
  • 1Password
  • Dashlane
  • Bitwarden

Can a password manager be hacked? 

Technically, it is possible for a password manager to be hacked in some way. But, as I mentioned, encryption makes doing that essentially pointless.

Let’s look at some password manager hacks that have happened recently: 

2015: LastPass lost user emails and password reminders, but little harm was caused because any access to user accounts still had to be confirmed via email.

2016: white-hat hackers and security experts uncovered vulnerabilities in LastPass, Dashlane, 1Password, Keeper, and a few other managers.

2017: LastPass reported a serious browser add-on vulnerability. It was fixed within 24 hours.

2019: researchers uncovered code vulnerabilities that, when combined with Windows 10 and specific malware, could compromise Dashlane, LastPass, 1Password, and KeePass. No damages were reported.

2022: LastPass experienced a breach where some code and proprietary information was stolen. The hackers didn’t access any user data. 

So, the answer to the “what if someone hacks a password manager” question is “not much.” Even with all the mentioned hacks, LastPass remains among the top recommended password managers, which shows how resilient quality password managers can be. 

It is easier and much more common to compromise a password manager via phishing. For example, you can be tricked into downloading keylogger malware on your device through a malicious site or an email. This keylogger can record the master password for your password manager. 

Similarly, a hacker pretending to be a support specialist from your password manager developer might trick you into giving them your login credentials (once more for the people in the back: no real company will ever ask you for your login and password). 

Phishing is by far the biggest risk to your password manager. That’s why it’s wise to always use 2FA as a backup plan. And since phishing is something only you can protect yourself from by being diligent, I’d say that password managers are fairly hack-safe. 

In conclusion: The password manager is to be trusted

We’re not going to suddenly have fewer websites and apps to log into. That’s why maintaining strong passwords will remain important. So to do that, enlist the aid of a password manager to keep those logins safe and encrypted. In addition, we urge you to check out other security features. Surfshark Alert will notify you if any of your passwords or personal data are leaked. And when it comes to encrypting your online traffic, consider Surfshark VPN as well.


FAQ

Is it a good idea to use a password manager?

Yes, as it allows you to secure every account you have online with a strong, unique password without having to memorize them. 

Is it safe to use an online password manager?

Yes, it is safe to use an online password manager. One thing that puts it above local-storage password managers is that you can use it on any device, and you won’t lose your passwords if you ruin the device it’s installed on. 

When should you not use a password manager?

You shouldn’t use a password manager on an unsecured device. If there’s a chance that someone has installed malware – like a keylogger – on it, your password manager may be compromised.