How Secure is Your Password Manager?
In the course of a day, how many times do you enter a password? With password requirements becoming increasingly complicated, it is recommended to use a secure password manager. But how safe and reliable are those services? In this edition, we explore the ups and downs of password managers and find out the best way to secure your passwords.
Online password managers
When it comes to online password managers, it is a common thought that they are riskier than offline ones. Password managers never store your passwords directly on their servers. In general, a password manager encrypts your passwords with your master password locally on your computer and then uploads only that encrypted file to its servers. So even if their servers get hacked or breached, the only data gained is the encrypted password data. Without your master password, it is impossible to decrypt. In the event of a breach, all you need to do is change the master password.
Offline password managers
As mentioned above, offline password managers are the ones that pose a slightly higher risk. The single point of failure, your computer, is the flaw in the whole arrangement. First of all, if your computer is infected with malware, the password manager is rendered useless, as one way or another the malware would eventually harvest all your passwords. It is not the security of the password manager that is weak, but that of the computer's operating system and the other software in play, which creates the point of vulnerability. Then again, there is also the possibility that the password manager itself is compromised, with a backdoor giving access to all of your passwords. The scary thing is that we would never know whether it even exists.
Should you be using a password manager?
I get it! I have confused you even more. Sorry for this, but the answer is yes and no. It really comes down to the level of security you need for the account.
You should use a password manager where the rewards outweigh the risks involved. Accepting such risks in online and offline password managers is far better than using the same damn password for every site you have an account with. Password manager extensions in your browser also bring additional benefits, such as passive protection from phishing attacks (the extension fills credentials only on the site they were saved for) and autofill for other details like credit card information and other private data.
But it is also wise not to use a password manager for your most critical and vital accounts. For example, your primary email could become the biggest point of failure if it is compromised. If an attacker gains access to your primary email account, everything else tumbles down into that whirlpool: for every other service that relies on your email for identity verification, it is just a ‘forgot password’ away. The same applies to banking accounts. In all these cases, it is recommended that you memorize the password rather than trusting a password manager with it.
Advantages and disadvantages of password managers
From what we have analysed so far, it is evident that opinions on password managers are mixed. Even if you are hell-bent on memorizing passwords, at some point you will end up using at least the default password manager in your browser. So it is worth analysing password managers a bit further, with their pros and cons, to fully understand the risks and rewards.
Pros
- Strong password generation that satisfies any password criteria — No more dictionary passwords, as most leading password managers generate effectively random passwords: a jumble of letters, digits and special characters with mixed capitalization. You also get a unique, strong password for every website.
- Autofill convenience — Users don’t have to remember any password except the master password.
- Secure online storage — Password managers store information in encrypted form, so it is highly unlikely to be exposed in an online breach.
- Extra-mile storage — Some password managers store not just passwords but also other sensitive information, like credit card data and other private details.
Cons
- Offline breaches may be catastrophic — An offline password manager is a single point of failure for all your passwords. If an attacker guesses your master password, retrieving all the rest of your passwords is effortless — more like a jackpot.
- Software flaws, vulnerabilities, and trust — Password managers, especially closed-source ones, can only be trusted to a degree. Be it a vulnerability or an intentional backdoor — you won’t really have any clue about it until something terrible happens. You are also blind to how your data is handled on the other side of the shore.
- Accessibility — With password managers, you have to keep your devices in sync with each other. Waiting around for a sync can be a hassle.
As you can see, the pros outweigh the cons here. Every piece of software has flaws. In practice, data breaches are very rare and don’t pose a risk, as the data is encrypted. It is also uncommon for an app to have sync issues. Altogether, these seem like necessary risks.
The best way to manage passwords
So for critical and sensitive accounts, go the good old way and memorize the passwords. It is the most secure way to manage them. For sites and accounts that are less important, use a password manager.
This post was first published on January 24, 2014.