What is a Password Manager
A password manager will record the username and password you use when you first sign in to a website or service. Then the next time you visit the website, it will autofill forms with your stored user login information. For those websites and services that don't allow automatic filling, a password manager lets you copy the password to paste into the password field.
Why use a Password Manager
Remembering dozens of unique passwords is cumbersome and almost impossible for most of us, and entering each one manually quickly becomes a chore.
Because of that, many of us simply reuse the same password across websites. This is a very dangerous practice. If one of those websites gets hacked, every account where you have used the same password is also compromised.
This is where password managers can be extremely useful. Password managers save your login details, including the app or website name, your user ID and your password, so you don’t have to remember them yourself.
Additionally, password managers can suggest strong passwords, with a mix of numbers, letters and special characters. All you have to do to access dozens of your saved passwords is remember one password – which is the master password for your password manager.
1Password is perhaps one of the best password managers out there, offering robust password security. It can also check if any of your passwords have been compromised in case a website has been hacked.
It is also easy to use and comes with a polished interface. You can also use it on Windows, Mac, Android, iOS as well as major web browsers, so compatibility is not a concern.
1Password offers only paid options, starting at $2.99 per month.
LastPass is another user-friendly option to store and manage your passwords. It comes loaded with features and lets you store unlimited passwords for free, on one device-type (either desktop or mobile). You can also store details like your debit or credit card numbers, account numbers, addresses and more.
If you want to use LastPass on both mobile and desktop, you will have to pay $3 per month.
NordPass comes from the makers of the popular virtual private network (VPN) service NordVPN. It allows you to store unlimited passwords for free and to sync your passwords across multiple devices; however, only 1 device can be active at any given time.
One drawback of NordPass is that it cannot autofill forms with details like your name, address and email. But apart from that, it is a great option you can explore, especially if you want a free password manager.
Some reasons for/against using one
Many password managers keep the master password you use to unlock the manager locally and not on a remote server, or, if it is on a server, it is encrypted and not readable by the company. This ensures your account stays secure in case of a data breach. It also means that if you forget your master password, there may not be a way to recover your account through the company.
There’s no way to stay 100% safe online. Even if you use a reliable password manager, there are certain risks that you should know about:
- All sensitive data in one place. You’ve probably heard about keeping your eggs in one basket. That’s exactly what you’ll be doing with a password manager. That basket will likely include credit card details, not just credentials. In case of a breach, blocking all payment options and changing passwords for all accounts might take long enough for the attacker to do damage.
- Not all devices are secure enough. An attacker who exploits a single vulnerability on your device can get all of your logins in one attack. Password managers can be hacked if your device is infected with malware. In this case, the malware can record the master password as you type it, and cyber criminals will gain full access to the stored data.
- Not using biometric authentication. Biometric authentication is a great way to add another level of security. If you configure your password manager to request either a fingerprint or face scan, the chances of someone hacking into your vault become as slim as Shady. It’s also much easier for you to touch the fingerprint scanner than to enter a master password.
- Backup is not always possible. If the server breaks down, your only hope is that your provider has made a backup copy. This risk increases multi-fold if you decide to keep your vault offline on one of your devices. Naturally, keeping your own backup on an unprotected disk drive or poorly protected cloud service won’t help either.
- Bad password manager. If it has weaker encryption, offers few features, and has poor reviews, you shouldn’t use it. When it comes to securing your vault, saving a few bucks a month shouldn’t be your main priority.
- Forgetting your master password. Are you the only person who knew it, and your password manager doesn’t have a reset feature? In this case, you may as well start recovering each login one by one. Alternatively, you may want to store your master password (or a hint) in some physically secure place, such as a safe.
As you can see, some of the risks stem from the password managers themselves, but others exist solely because of users’ behavior. If we don’t count the latter, we can see that there aren’t that many risks of using a password manager.
Despite all the concerns listed above, good password managers are extremely difficult to compromise. The use of AES-256 encryption, the “zero-knowledge” technique, and the option of two-factor authentication make password managers a much safer and easier option than basically anything else available at the moment.
When it comes to safety, the most important thing from your side is the master password, as you have to create one in order to access all the other passwords.
So, make sure it is a strong one. It often has to be at least 12 characters long, contain various symbols, and be impossible to guess.
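The “zero-knowledge” arrangement and AES-256 encryption mentioned above, and the reason a forgotten master password cannot be recovered through the company, shown as an added Node.js example. It is not code from any product named on this page; the function names, the record layout and the scrypt cost values are assumptions chosen for illustration.

```javascript
// Added example: the vault is sealed on the device; the provider stores only `record`.
const nodeCrypto = require('node:crypto');

// Stretch the master password into a 256-bit key. The scrypt cost values are
// illustrative assumptions, not any vendor's real settings.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.scryptSync(masterPassword, salt, 32, { N: 2 ** 14, r: 8, p: 1 });
}

// Encrypt the vault with AES-256-GCM. Neither the password nor the key is in the result.
function sealVault(masterPassword, entries) {
  const salt = nodeCrypto.randomBytes(16); // per-vault salt, not secret
  const iv = nodeCrypto.randomBytes(12);   // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(entries), 'utf8'),
    cipher.final(),
  ]);
  return { salt, iv, tag: cipher.getAuthTag(), ciphertext };
}

// Decrypt on the device. Returns null when the password is wrong or the record
// was modified, because the GCM authentication tag no longer verifies.
function openVault(masterPassword, record) {
  const key = deriveKey(masterPassword, record.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAuthTag(record.tag);
  try {
    const plain = Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch {
    return null;
  }
}

// Constructed sample data, not real credentials.
const SAMPLE_ENTRIES = [
  { site: 'https://mail.example', username: 'alice', password: 'Tr0ub4dor&3' },
];
```

Because the key exists only while the master password is being typed on the device, anyone holding just the stored record, the provider included, has nothing to decrypt it with. A weak master password is the remaining way in.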
The list of notable password manager hacks is quite short. Otherwise, they wouldn’t have the reputation they have today.
- In 2015, LastPass detected an intrusion into its servers. Hackers took users’ email addresses and password reminders, among other info. This resulted in no known damages because even if you used a weak master password and the attackers cracked it, they would still need to verify the access by email.
- In 2016, plenty of security vulnerabilities were reported by white-hat hackers and security experts. Among the affected password managers were LastPass, Dashlane, 1Password, and Keeper. In most cases, the attacker would still have to use phishing to trick the user into revealing some data.
- In 2017, LastPass reported a serious vulnerability in its browser add-ons and asked subscribers to refrain from using them. It was fixed in less than 24 hours. Keeper and OneLogin also had issues that didn’t result in casualties.
- In 2019, serious vulnerabilities were found in the code of Dashlane, LastPass, 1Password, and KeePass. This applied to Windows 10 users and only if the right malware was installed. Once again, the users didn’t suffer any reported casualties.
As you can see, none of these password manager hacks were that serious. Sure, vulnerabilities were exposed, but they were also fixed in a timely manner. And in most cases, the attacker would have to either get some more data from the user or take over the device completely before accessing the vault. As a result, none of the issues mentioned above hurt the reputation of password managers.
Password managers can even help against phishing, as they fill account information into websites based on their web address (URL). If you think you’re on your bank’s website and your password manager doesn’t automatically fill your login information, it’s possible that you’re on a phishing website with a different URL.
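The URL check described above, written out as an added JavaScript example rather than any product's own code. It assumes the strictest rule, an exact match on HTTPS origin (scheme, host and port); the entry, the URLs and the function names are constructed for illustration.

```javascript
// Added example: origin-bound autofill. All URLs below are constructed samples.
const SAVED_ENTRY = { site: 'https://login.bank.example/signin', username: 'alice' };

// Reduce a URL to its origin (scheme + host + port), or null if it must never be filled.
function fillableOrigin(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // unparseable address
  }
  if (url.protocol !== 'https:') return null; // plain HTTP can be read or altered in transit
  // The URL parser lowercases the host, keeps any "user@" prefix out of the host,
  // and converts Unicode labels to punycode (xn--...), so a look-alike host
  // does not compare equal to the saved ASCII host.
  return url.origin;
}

// Decide whether a saved login may be filled into the page the user is on.
function autofillDecision(entry, pageUrl) {
  const saved = fillableOrigin(entry.site);
  const page = fillableOrigin(pageUrl);
  if (saved === null) return { fill: false, reason: 'saved entry has no HTTPS origin' };
  if (page === null) return { fill: false, reason: 'page is not a valid HTTPS URL' };
  if (saved !== page) {
    return { fill: false, reason: `origin mismatch: saved ${saved}, page ${page}` };
  }
  return { fill: true, reason: 'origin matches saved entry' };
}
```

The comparison is on the parsed origin, not on what the address looks like to the eye, which is why a missing autofill is a useful warning sign.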
As with all software, vulnerabilities and weaknesses in any password manager can put your data at risk. But so long as you keep your password manager up to date (most browser extensions are updated automatically), your risk is significantly reduced.