Have you ever used ABCDE or 12345 as a website password? If so, you’re not alone. Too many people use weak or common passwords for their online accounts and often the same password for multiple sites.
That approach leaves your passwords wide open to hackers who can quickly figure them out. Password managers are one solution as they can create, store, and apply strong and complex passwords for all the websites you use.
Are password managers safe? Can a hacker gain access to the passwords stored in your password manager? The trick lies in not just protecting your passwords but in protecting the password manager itself. You’ll find a potpourri of password managers on the market; some are free, but most charge a monthly or annual subscription.
Some popular products include LastPass, 1Password, Dashlane, RoboForm, Keeper Security, KeePass, and Sticky Password. Most of these work similarly. You use the software to generate a secure password for specific websites. That password and your username are stored in the program’s vault or database on your computer and potentially in the cloud.
When you need to open a site, your username and password are automatically applied to sign you in. Most password managers offer versions for Windows, macOS, iOS, and Android so that you can use them across all your devices and all your browsers.
What if someone gains access to your computer or mobile device? Can they open the password manager and see all your passwords? Of course, your first step should always be to protect the computer or device itself with strong security: a password, PIN, fingerprint, or facial recognition.
To protect your password manager, you’ll also want to create a strong master password. The master password locks the door to the password manager so that only someone who knows it (or guesses it) can obtain your passwords.
Making your passwords more secure
Here’s where you need to follow those simple guidelines about creating a complex password.
Your master password needs to be much stronger than your average password, because it is the one secret that unlocks all the others. That means a long password of at least 12 characters, mixing lower-case and upper-case letters, numbers, and special symbols.
Alternatively, it could mean a passphrase: a series of randomly chosen words, which can be even stronger than a single complex password and is easier to remember. You also want a password manager that cannot recover or reset a forgotten master password for you. If the provider could do that, it would mean the provider holds enough information to open your vault without you.
Of course, don’t ever forget your master password.
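To put numbers on the guideline above (a 12-character random password versus a random passphrase), here is an added example that is not code from the original article or from any of the products it names. It generates both kinds of secret with Python’s `secrets` module, which draws from the operating system’s cryptographic random source, and works out the entropy of each. The 24-word list is constructed for the demonstration; `EFF_LONG_LIST_SIZE` assumes the 7,776-word EFF long list that a real passphrase generator would draw from.

```python
import math
import secrets
import string

# Constructed 24-word list, only for the demonstration. A real generator draws
# from a published list such as the EFF long list, and the entropy is always
# computed from the size of the list actually used.
SAMPLE_WORDS = [
    "anchor", "basil", "canyon", "dusty", "ember", "falcon", "gravel", "harbor",
    "ivory", "juniper", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
    "quartz", "ripple", "saddle", "thistle", "umber", "velvet", "walnut", "yonder",
]
EFF_LONG_LIST_SIZE = 7776  # 6**5 entries in the EFF long diceware list (assumed)
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(pool_size, length):
    """Entropy of a secret made of `length` independent, uniform picks from
    `pool_size` candidates: log2(pool_size ** length). Only valid when the
    picks really are uniform and independent, i.e. come from a CSPRNG."""
    return length * math.log2(pool_size)


def generate_password(length=12, alphabet=PRINTABLE):
    # secrets.choice uses the OS CSPRNG; random.choice is seeded and predictable.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, n_words=6, sep="-"):
    # Words are chosen independently, so repeats are allowed; that keeps the
    # entropy calculation exact: n_words * log2(len(words)).
    return sep.join(secrets.choice(words) for _ in range(n_words))


def words_needed(target_bits, list_size):
    """Fewest words from a list of `list_size` that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def compare(password_length=12, list_size=EFF_LONG_LIST_SIZE):
    """Bits of a random character password versus the word count that matches
    or beats it, and the bits that many words actually give."""
    pw_bits = entropy_bits(len(PRINTABLE), password_length)
    n = words_needed(pw_bits, list_size)
    return {
        "password_bits": round(pw_bits, 1),
        "words_to_match": n,
        "passphrase_bits": round(entropy_bits(list_size, n), 1),
    }


if __name__ == "__main__":
    print("random password  :", generate_password(12))
    print("random passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
    print("6 words from the 24-word sample list give only",
          round(entropy_bits(len(SAMPLE_WORDS), 6), 1), "bits")
    print("against a 7,776-word list:", compare())
```

Two points the numbers make: seven words drawn from a 7,776-word list exceed the 12-character random password (about 90 bits versus about 79), and the size of the list matters as much as the word count, since the tiny sample list would need 18 words to reach the same strength. A passphrase you make up yourself, or one built from words that are related to each other, has none of this entropy; the figures only hold for words picked at random.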
On your mobile device, the master password is usually guarded by the same built-in security you use to unlock the phone or tablet. Most password managers now support a PIN, fingerprint recognition, or facial recognition as a quicker way to open the vault after the master password has been entered once; if yours does, use it.
Okay, but is a master password, even a complex one, vulnerable to attack? In February, a study by researchers at Independent Security Evaluators (ISE) found that several password managers left the master password in computer memory in plain text even after the password manager was locked.
What this means is that someone with the necessary skills, tools, and administrative privileges who gained access to your computer, physically or remotely, could read the master password out of memory. The caveat is that an attacker with that level of access has already defeated the device’s own protections; the finding undermines the "locked" state of the manager, not the encryption of the vault itself.
LastPass has since fixed the issue, as has RoboForm, according to Adrian Bednarek, lead researcher on the study. Other password managers either were not affected, are working on a fix, or have no solution to the underlying problem. Bednarek said ISE is planning a follow-up study in the fall to see how password managers have addressed this shortcoming.
Whichever password manager you use, always guard against this type of unauthorized access to your computer in the first place with a strong password and good security software.
For additional protection, more password managers now offer two-factor authentication. With it enabled, you must supply a code from your phone, typically delivered by text message or generated by an authenticator app, whenever you sign in to your password manager on a new or different device. Even if someone somehow obtained your master password, that person could not view your account or data without the code. If your password manager offers this option, be sure to turn it on.
Fighting off hackers
Okay, you’ve protected your password manager as much as possible on your end. What about your password data in the cloud? Some password managers store your password information only locally, while others store your data online.
Despite the findings of the ISE study, storing the data only on your own device seems the safer bet, since your passwords never leave your computer or mobile device. However, that means you can’t easily share or sync your passwords across different devices. If you use multiple computers and mobile devices, storing your data in the cloud is a plus because it syncs your passwords across all of them.
What if someone hacks into the database of your password manager?
First, the advice about protecting your passwords with a complex master password applies both to your own devices and to your cloud-based account, because the same master password guards both. Make it as strong as you can.
Second, your password data is encrypted before it is stored in the cloud or synced across your devices, so what the provider holds is ciphertext rather than your plain passwords. Sure, there’s always a chance the database could be compromised. LastPass has been hit by some security flaws and vulnerabilities, and the identity provider OneLogin has also suffered a breach. However, no password manager provider has yet had a data breach that exposed users’ stored passwords in readable form.
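To see what "encrypted in the cloud" and "no master-password reset" mean in practice, here is an added example of a client-side design; it is not the code of any product named above. The key that protects the vault is derived from the master password on your device and never sent anywhere; the server receives only a separate login token, and even that is stored stretched and salted. The iteration counts, the attacker speed assumed in `expected_crack_seconds`, and the record layout are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed work factors for the illustration, not any vendor's real settings.
CLIENT_ITERATIONS = 600_000  # cost of deriving the vault key from the master password
SERVER_ITERATIONS = 100_000  # extra stretching of the stored login token, server side


def derive_vault_key(master_password, salt, iterations=CLIENT_ITERATIONS):
    """Slow, salted PBKDF2 on the client. This key encrypts the vault and is
    never sent anywhere; every offline guess must repeat this work."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def derive_login_token(vault_key):
    """One-way, domain-separated value sent to the server for authentication.
    The server can check it but cannot turn it back into the vault key."""
    return hmac.new(vault_key, b"login-token", hashlib.sha256).digest()


def server_store(token):
    """Server side: never store the token itself, only a salted, stretched hash,
    so a database dump does not hand an attacker a working login credential."""
    server_salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", token, server_salt,
                                 SERVER_ITERATIONS, dklen=32)
    return {"salt": server_salt, "digest": digest}


def server_verify(record, token):
    digest = hashlib.pbkdf2_hmac("sha256", token, record["salt"],
                                 SERVER_ITERATIONS, dklen=32)
    return hmac.compare_digest(digest, record["digest"])


def register(master_password, iterations=CLIENT_ITERATIONS):
    """Client enrolment: pick a salt, derive the key, send only the token.
    Returns what the client keeps (salt) and what the server keeps (record)."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt, iterations)
    return salt, server_store(derive_login_token(key))


def login(master_password, salt, record, iterations=CLIENT_ITERATIONS):
    """Returns (accepted, vault_key). A wrong password yields a different key,
    hence a different token, and the server rejects it without ever having
    seen the password; there is nothing the server could "reset" to help."""
    key = derive_vault_key(master_password, salt, iterations)
    if server_verify(record, derive_login_token(key)):
        return True, key
    return False, None


def expected_crack_seconds(entropy_bits, iterations=CLIENT_ITERATIONS,
                           hashes_per_second=1e10):
    """Expected offline guessing time for an attacker holding the salt and the
    encrypted vault: on average half the keyspace, each guess costing
    `iterations` PBKDF2 rounds. The throughput is an assumed figure."""
    return 2 ** (entropy_bits - 1) * iterations / hashes_per_second


if __name__ == "__main__":
    salt, record = register("correct horse battery staple")
    print("right password accepted:", login("correct horse battery staple", salt, record)[0])
    print("wrong password accepted:", login("correct horse battery stable", salt, record)[0])
    for bits in (28, 40, 78):
        years = expected_crack_seconds(bits) / (365 * 24 * 3600)
        print(f"{bits}-bit master password: about {years:.3g} years at the assumed rate")
```

The point of the split is that a breach of the provider yields salts, stretched token hashes, and encrypted vaults, none of which opens a vault without guessing the master password, and each guess is deliberately expensive. The time estimate also shows why the master-password advice above is not optional: at the assumed rate a 28-bit password (a short word plus a number) falls in hours, while 78 bits is out of reach. The same design is why a provider that really holds no copy of the key cannot reset a forgotten master password for you.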
Yes, there are pros and cons to using a password manager. Keep in mind there is no such thing as 100% security, only higher and lower degrees of protection. And the risks of using weak passwords, or the same weak password on all your accounts, far outweigh any potential risks of a password manager.
Until every website supports a better means of authentication, we’re stuck with passwords. For now, using a good password manager and securing it as tightly as possible is your best bet.