We’ve talked about people reusing passwords or just using hilariously unsafe ones so much that one is tempted to shrug and let digital nature take its course. But this is one area where there’s a technological solution to a human problem: password managers. Of course, before you entrust some app with all your login data, you might ask yourself: are password managers secure?
What is a password manager?
A password manager is an app or a browser plug-in that records usernames and passwords for the websites you visit on your device. It does so with your permission. It may also offer to generate a secure password for you.
By using a password manager, you only need to remember a single secure password — for the manager — instead of coming up with and memorizing safe and unique passwords for every website you visit.
How do password managers work?
A password manager is relatively straightforward — an app or a browser add-on that detects you’re entering login data into a website or an app. It will prompt you to save it, and if you choose to do so, the data is then encrypted and stored in a password vault.
What is a password vault?
It’s secure digital storage, typically on a remote server protected by encryption, where online login details, documents, images, and other confidential information can be stored.
The user can then effortlessly use that data in the vault to log in to their online accounts without memorizing a unique password for each one — as long as they remember how to log into the password manager.
Password managers are safe
To those wondering, a good online password manager is safe to use due to a variety of security measures:
- Encryption;
- Zero-knowledge storage;
- Two-factor authentication;
- Biometric authentication.
It keeps your secrets locked up tighter than a pickle jar in the hands of a toddler.
Types of password managers (and their pros & cons)
Generally, there are two types of password managers: those that store your passwords locally and those that store them online. And as with most things, both approaches have their pros and cons.
Local password managers
Local password managers keep your passwords on your devices or browsers. This eliminates the chances of losing your credentials in a company-wide data breach. They’re also usually free.
However, a local-based solution is vulnerable to local device problems. For example, your password security might get compromised if your device gets infected with malware. And if a cat fries your laptop by spilling coffee over it, all your passwords will be gone.
Local storage password managers are also less convenient, as you’ll need to install them on every device you use. So if you try to log into Facebook on your friend’s phone, you’ll need to remember the password.
Local storage password managers
| Pros | Cons |
|---|---|
| Won’t lose your password to a data breach | Is vulnerable to malware and viruses |
| Usually free | Only work after manual setup on each device |
| | If you lose your device, you’ll lose your passwords |
Cloud password managers
Cloud-based password managers store your passwords in cloud databases. They are more convenient because you can access them from anywhere. However, they can potentially be subjected to data breaches. That’s why finding a trustworthy and secure password manager provider is very important!
Unlike local password managers, their cloud-based counterparts are not tied to a single device. Essentially, you can use one from anywhere in the world as long as you have internet access.
Cloud password managers are also safer in one respect: your vault doesn’t live only on a single device, so malware or physical damage on that device doesn’t wipe out your passwords. The main threat to the sensitive data they hold is a breach on the provider’s side.
Online password managers
| Pros | Cons |
|---|---|
| Can access from anywhere | Data breaches can compromise your passwords |
| Works across multiple devices and platforms | Requires an internet connection |
| Will tell you if your passwords were leaked | Is a paid service |
What are the risks of using a password manager?
Only scammers talk about products that don’t have any drawbacks. So here are the main risks you run into as a password manager user:
- All the data in one place: hackers only need to breach the access to your password manager to instantly gain access to all your accounts (except for the ones that require two-step verification). Moreover, most password managers also store your credit/debit card details, so that’s an additional risk;
- The manager may be unsecured: if you look for the cheapest password manager, you might get one with weak encryption, lacking security practices, etc. They may even forgo backing up your password vault, which would mean that their servers failing would vanish all your stored logins;
- Compromising your device can compromise the manager: if you’re using a password manager on, say, your PC and it gets infected by malware, all your data, including the password manager, may be at risk. While it won’t be as easy as just stealing your password vault (it’s encrypted), it can still provide access to the manager itself;
- Forgetting your master password: you still need a secure password for your password manager. This means you can’t use your birth date or pet’s name or make other password creation mistakes. But a secure password may be harder to remember, and if you forget that…
Password security mistakes to avoid
To use a password manager safely and securely, you still need to follow the secure password rules:
- Don’t repeat the same password: if you have used that password before, don’t use it as your password manager’s master password;
- Use a secure password: the trick is to avoid dates and dictionary words. Adding at least one non-alphanumeric character also helps. Consider creating a mnemonic to remember this excellent password;
- Don’t store the password nearby: I can’t tell you what a good physical place for storing your master password may be, but it certainly isn’t your wallet, a sticky note on your monitor, a note on your smartphone, or a .txt file on your desktop. The most secure spot is inside your head. Even Big Brother or the Thought Police can’t get in there;
- Don’t use browser password storage: this is more of a meta piece of advice, but use an encrypted password manager instead of your browser’s built-in password storage. Also, don’t save your master password in your browser;
- Enable 2FA: two-factor authentication may be annoying to you, but it’s even more annoying to hackers. So use that! Also, if it’s possible to use biometric authentication — like your fingerprint or face photo — enable that as well. Not convinced? Here’s what Aleksandr Valentij, the Cyber Security Lead at Surfshark, says about 2FA:
“The password is so vulnerable that it’s very easy to steal it if it’s your only form of protection; therefore, we should use two-factor authentication (2FA). However, even with 2FA, hacking is still possible, but it’s exponentially more difficult — about a hundred times harder — to hack someone who has 2FA.”
Watch our video with the Founder & Director of NetBlocks, Alp Toker, for more tips and examples on creating secure passwords.
How safe are password managers?
While nothing is 100% safe online, a good password manager (read: paid subscription, has good reviews) will have a lot of security measures in place to make sure that your data remains safe and secure. Here’s what they have to work with:
| Security measure | How it protects you |
|---|---|
| Encryption | Password managers encrypt your data with the AES-256 algorithm, which is as good as it gets these days; no computer currently in existence could crack it within a lifetime. |
| Zero-knowledge | This means your passwords are encrypted on your device before being transmitted to the vault, so hackers would only find an unreadable mess if the server was breached. Some other services just store passwords on your device, which is a bit safer but a lot less convenient. |
| Only a single password | If you only ever needed to remember a single password, you’d probably be able to remember any random string of letters, numbers, and punctuation marks. This is the core safety idea of all password managers. |
| Good passwords | A computer can generate stronger passwords than you could and store an indefinite number of them. So when it comes to logins, all of your accounts get the same level of security. |
| Two-factor authentication | 2FA increases the security of your accounts by asking you to confirm your login on another device. This makes it harder for anyone who gets their hands on the password to your password manager to get in. |
| Biometrics | Why not make 2FA even harder to crack and manipulate by using your fingerprint as the second lock on your password manager? |
| Threat monitoring | Some password managers go as far as to notify users when their passwords have been leaked in a breach, prompting them to change them. |
How to choose a reliable password manager
Ideally, you want to look for a password manager that comes with the following:
- Strong encryption implementation;
- Two-factor authentication;
- Zero-knowledge storage;
- Threat monitoring.
The company’s reputation is also very important. Did they have any leaks or breaches in the past? Do they test their security often? Do security experts recommend this password manager?
You can find such information with a simple Google search, and I absolutely urge you to do the research yourself.
What are some safe password managers?
Doing my own research? In 2024? It sounds tedious, but it’s worth it because you’ll know what you’re getting! In general, there are a few big players out there. For starters, we recommend you check out NordPass or Bitwarden. For companies, NordPass for Business is an ideal solution.
Can a password manager be hacked?
Technically, a password manager can be hacked. But, as I mentioned, encryption makes it pointless. Let’s look at some password manager hacks that have happened recently:
2015: LastPass lost user emails and password reminders, but little harm was caused because any access to user accounts still had to be confirmed via email.
2016: white-hat hackers and security experts uncovered vulnerabilities in LastPass, Dashlane, 1Password, Keeper, and a few other managers.
2017: LastPass reported a serious browser add-on vulnerability. It was fixed within 24 hours.
2019: researchers uncovered code vulnerabilities that, when combined with Windows 10 and specific malware, could compromise Dashlane, LastPass, 1Password, and KeePass. No damages were reported.
2022: in this security incident, LastPass experienced two separate (but linked) attacks in which some source code and proprietary information were stolen, along with basic customer account information such as end-user names, email addresses, telephone numbers, company names, billing addresses, and customers’ IP addresses.
With all the mentioned hacks, NordPass remains one of the most secure password managers.
Keep in mind, it is easier and much more common to compromise a password manager via phishing. For example, you can be tricked into downloading keylogger malware on your device through a malicious site or an email. This keylogger can record the master password for your password manager.
Similarly, a hacker pretending to be a support specialist from your password manager developer might trick you into giving them your login credentials (once more for the people in the back: no real company will ever ask you for your login and password).
Phishing is by far the biggest risk to your password manager. That’s why it’s wise to always use 2FA as a backup plan. And since phishing is something only you can protect yourself from by being diligent, I’d say that most password managers are fairly hack-safe.
In conclusion: the password manager is to be trusted
We won’t have fewer websites and apps to log into suddenly. That’s why it’s important to know how to protect your privacy online — enlist the aid of a password manager to keep those logins safe and encrypted.
In addition, we urge you to check out other security features. Surfshark Alert will notify you if any of your passwords or personal data are leaked. And when it comes to encrypting your online traffic, consider Surfshark VPN as well.
FAQ
Is it a good idea to use a password manager?
Yes, using a password manager is a good idea. It allows you to secure every online account with a strong, unique password without memorizing it.
Is it safe to use an online password manager?
Yes, it is safe to use an online password manager. One thing that puts it above local-storage password managers is that you can use it on any device, and you won’t lose your passwords if you ruin the device it’s installed on.
When should you not use a password manager?
You shouldn’t use a password manager on an unsecured device. If there’s a chance that someone has installed malware — like a keylogger — on it, your password manager may be compromised.
What if someone hacks a password manager?
Password managers are locally encrypted (on your device) — if a hacker breaches your password vault (the manager’s storage server), they can only see encrypted information, rendering it useless.
Even if unpleasant, getting your password manager hacked doesn’t mean the worst.
What is the main risk of using a password manager?
One potential drawback of using a password manager is that if a hacker gains access to it, they will have access to all your passwords stored in the vault. This is why it’s crucial to go for reputable password managers.
The security of password managers can be compromised if your device becomes infected with malware or the hacker knows your master password.