Are Password Managers Safe?

Password management utilities are great tools not only for managing your passwords, but for being more secure about how you use them.

Recently I tried to use RoboForm for an account at a large financial institution, but I couldn’t get it to work. In response to my inquiry, this institution said they do not permit log in using credentials that are stored on software because the security of the password could become jeopardized if my computer were hacked, invaded, etc. Is this true? Am I safer not to use RoboForm?

There are people who believe that using password managers represents a single point of failure. Technically, they are mostly correct: if someone gains access to your password manager they have access to everything within it.

But not-so-technically I believe – strongly – that they are seriously misguided.

Using a password manager is, in my opinion, significantly safer than the alternatives most people choose.

Ideal security

Without a password manager, the idea is that you:

  • Have good, strong passwords (complex)
  • Keep them nowhere but in your head (memorable)
  • Use a different password on every site or service that requires one (unique)

Yes, that would be ideal.

It’s also totally impractical for most people.

As far as I’m concerned, those requirements cannot all be met at the same time. In practice, at least one of them will be compromised.

Without a password manager

When not using a password manager, most people will compromise their security in some other way.

  • They’ll choose a less secure password that’s easy for them to remember (not complex)
  • They’ll use the same password at multiple sites (not unique)
  • They’ll save the password on their computer using some other, less secure technology, or even write the password on a sticky note kept close to the computer (not memorable)

Any one of those decreases your security significantly.

I believe avoiding technology specifically designed to keep passwords secure doesn’t increase your security. When you factor in human nature, it actually significantly decreases overall security.


With a password manager

Password managers make best practices easier; trivial even. Using a password manager allows you to:

  • generate and use secure, completely random, and appropriately long passwords (they’re complex)
  • never need to type or remember passwords (they’re memorable, in that the password manager remembers them)
  • use different passwords on different sites (they’re unique)

These are things that people typically don’t do unless they have a tool in place to help them.
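As an added illustration of the first item (example code written for this article, not LastPass’s or RoboForm’s generator), the Python below shows what “completely random and appropriately long” means in practice: draw every character from the operating system’s CSPRNG, and pick the length from the entropy you want rather than from habit. The alphabet, the 128-bit target and the “one of each class” rule are this example’s own choices.

```python
import math
import secrets
import string

# Characters a generated password is drawn from: letters, digits and the
# punctuation most sites accept. Pass a smaller alphabet for sites with
# narrower rules; entropy_bits() tells you what that costs.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Password of `length` characters, each chosen uniformly at random.

    `secrets.choice` draws from the OS CSPRNG. The `random` module (Mersenne
    Twister) is not a secure generator: its state is recoverable from a few
    outputs, so it must never be used for this.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_password_with_classes(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Same, but only returns a password containing a lower-case letter, an
    upper-case letter and a digit (a rule many sites impose). Rejection
    sampling keeps the output uniform over the accepted passwords; forcing a
    digit into a fixed position would not, and would cost entropy."""
    chars = set(alphabet)
    if not (any(c.islower() for c in chars) and any(c.isupper() for c in chars)
            and any(c.isdigit() for c in chars)):
        raise ValueError("alphabet lacks one of the required character classes")
    if length < 3:
        raise ValueError("length must be at least 3")
    while True:
        pw = generate_password(length, alphabet)
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def entropy_bits(length: int, alphabet: str = DEFAULT_ALPHABET) -> float:
    """Entropy of a uniformly random password: log2(alphabet size) per
    character. A human-chosen password of the same length has far less,
    because its characters are neither independent nor uniform."""
    return length * math.log2(len(set(alphabet)))


def length_for_bits(target_bits: float, alphabet: str = DEFAULT_ALPHABET) -> int:
    """Shortest length that reaches `target_bits` with this alphabet."""
    return math.ceil(target_bits / math.log2(len(set(alphabet))))


if __name__ == "__main__":
    # 85 symbols give ~6.4 bits per character, so 20 characters pass 128 bits;
    # digits alone need 39 characters for the same strength.
    print(generate_password_with_classes(length_for_bits(128)))
    print(round(entropy_bits(20), 1), length_for_bits(128, string.digits))
```

The point of `length_for_bits` is that “appropriately long” is a property of the alphabet as much as of the count: a 20-character password from the default alphabet and a 39-digit PIN are equally hard to guess, and a site that forbids punctuation has quietly asked you for a longer password.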

On top of that, most password managers add several features that make improved security even more convenient. They:

  • synchronize your information across multiple computers
  • work on mobile devices
  • automatically fill in not just passwords but common web forms
  • store arbitrary notes

All with more security than almost all alternatives.

If you’re compromised, you’re compromised

It is true that if your computer is compromised, all bets are off. Malware could gain access to whatever it is you have stored on the computer.

For example, while I’m logged into LastPass, or while a TrueCrypt volume is mounted, all the information in each is technically available to software running on my machine – good software or bad.

That’s a serious concern and not to be taken lightly.

But it’s a concern that exists regardless of whether you use a password manager or not. If you somehow manage to meet the three criteria (complex, memorable and unique) with your passwords, then all bets are still off if a keylogger captures what you enter when you log in to your bank account.

Avoiding a password manager didn’t increase your security one whit. In fact, I’d wager that there’s more malicious software out there waiting to see what you type in than there is targeted at stealing the contents of your password manager.

There’s just no substitute for keeping your machine secure to begin with.

But are password managers safe?

Used properly, yes. In fact, I’ll go so far as to say that they are safer than any practical alternative that you might think of.

Of course, there are no absolutes – that, too, is a practical reality. There is no such thing as absolute security. As I said earlier, if you fall victim to malware then all bets are off, no matter what technique you use to keep your password information.

In fact, I’ll put it this way: password managers are the safest way to keep a record of your online account information, but they are no safer than:

  • the master password you use to access the password manager
  • your own ability to use your computer safely

The last one scares most people, but my claim is that using password managers is, in fact, one way to use your computer more safely.
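To make the first of those two limits concrete, here is an added example (written for this article; not code from LastPass or any other product) of why the master password is the ceiling. The vault’s encryption key is derived from the master password with a password-based KDF, and a thief who copies the vault file can try guesses offline with nothing to slow them down but the cost of that KDF: no lockout, no rate limit, no server in the way. The vault layout, the key-check value, the iteration count and the word list are this example’s assumptions; real products differ in detail, but the shape is the same.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

KEY_LEN = 32              # bytes of key material derived from the master password
DEMO_ITERATIONS = 20_000  # kept low so the demo runs fast; products use far more


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256. The master password is the only secret input;
    the salt and iteration count sit in the clear next to the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def make_vault_header(master_password: str, iterations: int = DEMO_ITERATIONS) -> dict:
    """Everything a thief gets from a copied vault file in this model: the
    salt, the iteration count and a key-check value (hypothetical design),
    but not the master password itself."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    check = hmac.new(key, b"vault-key-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlock(header: dict, candidate: str) -> bool:
    """True if `candidate` derives the key the vault was sealed with."""
    key = derive_vault_key(candidate, header["salt"], header["iterations"])
    probe = hmac.new(key, b"vault-key-check", "sha256").digest()
    return hmac.compare_digest(probe, header["check"])


def offline_guess(header: dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """The attacker's loop against a stolen header. Returns the recovered
    password and the number of guesses it took, or (None, guesses) on failure."""
    for n, guess in enumerate(wordlist, 1):
        if unlock(header, guess):
            return guess, n
    return None, len(wordlist)


def expected_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Mean time to find a uniformly random password of the given entropy.
    This is what the master password's strength actually buys you."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def demo() -> tuple:
    # Constructed word list for this example, not a real breach corpus.
    wordlist = ["123456", "qwerty", "letmein", "iloveyou",
                "Summer2012", "password123", "correcthorse"]
    weak = make_vault_header("password123")
    strong = make_vault_header("7yX$pq2!Lw9#bRt4Vz@1")   # 20 random characters
    return offline_guess(weak, wordlist), offline_guess(strong, wordlist)


if __name__ == "__main__":
    print(demo())
    # 20 random characters from an 85-symbol alphabet is about 128 bits; even
    # at a wildly generous 10**9 KDF guesses per second that is ~10**29 seconds.
    print(expected_seconds(128, 1e9))
```

A dictionary master password falls to the thief on the sixth guess; the random one is not in any list, and `expected_seconds` shows why a list is the only thing that could have found it. Raising the iteration count multiplies the attacker’s cost per guess, but only linearly; adding entropy to the master password multiplies it exponentially.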

What I do

I keep my machine(s) secure by doing the traditional things that you hear over and over: keeping software up-to-date, running up-to-date scans, avoiding malicious websites and downloads, not falling for phishing, and so on and so on.

I use LastPass as my password manager to manage my passwords and additional security information.

I use Google Authenticator, a form of two-factor authentication, to access my LastPass vault. (LastPass supports several forms of two-factor authentication.) What two-factor authentication boils down to is that if I’m not already logged into my LastPass account, you can’t get in even if you know my master password. To get access to my LastPass vault, you would need both my master password and my cellphone.

I have LastPass automatically log out after some amount of time on any device which I’m not 100% certain won’t get stolen or accessed without my permission.

Even with two-factor authentication, I keep my master password secure and complex.

I’m not going to claim it’s impossible for anything to happen – that’d be a foolish claim. I am, however, very satisfied with the risks and trade-offs.

Let’s face it, even doing business off-line has risks and trade-offs.

This is an update to an article originally posted: June 6, 2012

There are 55 comments:

  1. PC Resolver Reply

    I totally agree! I used Roboform but I find LastPass to be superior in many ways. Not least of which is that it is easily available to me on any platform.
    I am so reliant on it that it now contains all the info required In Case of Emergency (ICE). My dependants have half the password each so that should anything happen to me they can gain access to my LastPass account in which they will see not only my passwords but instructions on how to deal with other matters.
    I highly recommend this. The free version of LastPass is all you really need but please consider supporting them by upgrading to the Pro version for $1 a month. I do.

    • Howard Miller Reply

      Computers are supposed to be fast but when it comes to security, well, it comes first.
      I use an old program from PC Mag called Password Prompter. It stores your data encoded.
      I never let my browser “Remember Me”
      I can copy my User name and password from Prompter and paste them into the site page to log in.
      No password data is stored where it can be hacked easily. Takes a little more time but it’s worth it.
      You must log into Prompter to open it. It stores any special instructions or notes you care to remember for each site along with the site url.

  2. Dave Smithson Reply

    I have used KeePass for the last few years – free, easy, convenient and safe. I can strongly recommend it.

  3. Rachael Morris Reply

    The reason banks don’t allow password managers is not technical – they can and do hire top tech brains – but legal – they can and do hire top legal brains too. If they take certain preventive measures they shift the responsibilities to the customer. The customer is supposed to keep the password safe, isn’t it?

    Basically they want only customer entered inputs at the website (or the app); not any software accessed. Having deep pockets, they can be deemed responsible if they don’t have such usage restrictions.

    Technology may solve our problems but the legal system can and will prevent it from being used. You will be surprised how much of our life is governed by the legal system lurking hidden behind us.

  4. Billy Bob Reply

    Leo, you sound like a candidate to join my one-man crusade against expiring passwords. No computer security measure could be more irritating. Password expiration policies only reduce security for many of the same reasons as not allowing password managers.

  5. Salvador Reply

    I have been watching the debate concerning password managers. I know the idea is nice because it makes it easier to manage 30 different passwords. I also agree somewhat with the bank.
    But ultimately the fact is strong passwords do not replace the need for other effective security control. These banks need to add additional layers of authentication for access and transaction verification without unreasonable complexity and this will help their customers by implementing some form of 2FA where you can telesign into your account and have the security knowing you are protected if your password were to be stolen. This should be a prerequisite to any system that wants to promote itself as being secure. With this if they were to try to use the “stolen” password and don’t have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account. This is one of the biggest problems with internet security, people are still encouraged to rely on their password as if they were all that is needed.

  6. Mark Jacobs Reply

    In many, if not all European countries, Banks use a 2 factor authentication system called the PIN and TAN system. A TAN is a Transaction Authorization Number, a one time password to complete a transaction. Under the older PIN/TAN system, the bank would send you a list of 100 TANs and upon entering the information, the website asks for a specific random TAN from the list. In order to do away with a printed list which could be a weak link in the operation, many banks are switching to sending a text to your phone or using a TAN calculator. This calculates your TAN when you insert your bank card and enter a challenge code and your card PIN.

  7. Jeff Niemuth Reply

    So if our wonderful “copy-me” litigation avoidance system is behind this “conspiracy” how long will it be before all major web destinations adopt the “no robo login manager” policy? (I wonder if somebody has a patent on the technology to make robo-managers not work…)

    But the thing that absolutely infuriates me is when I forget a password and the site (some, not all) helpfully sends it back to me – in plaintext email! Have they not heard of (decades old) one way encryption? This is even worse than robo-managers because the user has no control over security management on the other end of the wire to these sites. How many times have major breaches happened to large companies/websites? I would love to publish a list of these sites and embarrass the heck out of them but then that would be compromising security too. This factor alone makes using the same password at more than one site an absolute no-no. So, Leo, I am all for best security practices by everyone but there are some outfits that are a few brains short of a full kindergarten, tech, legal or otherwise, and there is not much we can do about that.

  8. Tom R. Reply

    I happen to use KeePassX as my password manager. I simply copy-and-paste my passphrase into the login form field. My bank is none-the-wiser.

  9. bob price Reply

    I have set my bank [B of A] online banking features to NEVER allow a withdrawal, transfer, or check unless I have previously approved it. So, a hacker could send a check to my previously approved list, like the phone company or PG&E. I doubt they would do that.

    If I want to send money elsewhere, a new place, I have to create a new payee or transfer, and then I must use my SafeKey card that generates a new code number via algorithm. I enter that number into the bank info and the money moves.

    I keep that SafeKey at home.

    I also use a jumbled up set of letters for my user name, a 16 number/symbol/letter password. All my credit cards are set to notify me if used for over $100.

    Am I perfectly safe? Of course not, but no key logger could enter my bank info without the SafeKey card that is kept at home.

    And passwords are encrypted with TrueCrypt.

  10. Neil Copeland Reply

    I am an expert in bank regulations and security. All banks must comply with a significant set of internet banking security regulations. Included in them are mandatory specific multi-factor authentication procedures which are designed to ensure that only a real person sitting at a pre-authorized computer can access customer accounts. These specifications require that the authentication procedure eliminates the possibility of automatic sign-ons to the furthest extent of current technological means. Because of this and other specific Ebanking regulations, the banks have no choice but to inconvenience their customers in order to make the government happy. Can you imagine how much it costs the bank just to have customer service staff available 24/7 to deal with these kinds of problems? And if someone does get in and steal your money the bank is usually liable. There is simply no legal way to make it easier for the customers. We bank operations professionals sure wish there was. Investment banks may not be appropriately regulated, but bank operations and security have been and still are. If you don’t like it, remember November 6!

  11. Al Kubeluis Reply

    A big problem with pw managers is that you have all of your eggs in one basket. If your pw manager pw is compromised, then all of your assets are compromised.

    • Jim Bedford Reply

      A great idea. But rather than using symbols for the columns, I have found it easier simply to use alpha characters from A to Z, splitting them into groups of three – ABC DEF HIJ … etc. and using a Courier font.

  12. don rees Reply

    Re RoboForm and the safety issues using it: a couple of years ago I was using RoboForm. I had the passwords for 4 bank accounts and maybe 40 online sportsbooks (all with money in them) stored there.
    One morning I opened up my inbox and there was a message from a guy named {removed} (@yahoo7.com). He said to me, “I am a security expert, your master password at RoboForm is {removed},” and it was.
    He claimed it and all of the P/Ws at RoboForm were “in the background” and anyone could see them.
    I immediately closed my RoboForm account. This guy, a very honest man, did not touch one cent of my money nor did he ever try and sell me anything.
    RoboForm told me “he is a keylogger”, apparently either one who is only practicing or an honest one, because he did not touch any of my money, so why bother being a keylogger, and he had access to everything I had.
    No more RoboForm for me, thank you. Regards, Don Rees

  13. Siegfried Reply

    Don Rees, you somehow got infected with a keylogger; it is not the fault of RoboForm. As soon as you typed your password into RoboForm he could read it. Run several free anti-malware programs to get rid of it.

  14. Rosie Perera Reply

    I use what I think is an even more secure method. I use strong passwords, different ones for each account, and keep cryptic notes to myself that will help me (and me alone) to reconstruct what my passwords are if I forget them, which I do often. Yes, it’s a bit of a pain having to go look up my hints to remind myself of what my password is every time I want to log onto a bank account or other online account, but I’d rather have to go through that than have it easily hackable. I *never* write my passwords down in plain text anywhere. Also, I always open a brand new browser window (not just a new tab) whenever I want to log onto a financial account, and I log off immediately and close the window afterwards, so that no other websites I happen to be connected to at the time could know what my bank URL is. I also practice all the safe computing practices Leo mentioned, so I’m pretty much not vulnerable to key loggers. I also reconcile all my financial accounts regularly against my own records (I don’t trust downloading the transactions from the bank website) so I’ll catch any fraudulent activity (or bank error) and be able to report it.

  15. John Butler Reply

    Leo is right that it is better to have a password manager like Roboform than rely on common sense!
    Roboform does not in my environment let me into online banking; it lets me access the entry to the account but I still have to enter the password for my account, which changes every day.
    Moreover, a big added facility with Roboform is that you can carry access to your passwords with you on a memory stick and you have only to remember the master password, which can be sixteen characters long.

  16. Don Bell Reply

    I use KeePassX to generate my various passwords. How does KeePassX compare to Roboform and/or LastPass? Should I consider dropping KeePassX and move over to either of the alternatives, or am I in good shape with what I have? Up to the present I’ve had no problem with KeePassX. Thanks for your anticipated response.

    I’m not familiar enough with KeePass to give a compare/contrast evaluation. I’ve heard good things about it, though. If it’s working for you I don’t know of a reason to change.

    Leo
    10-Jul-2012
  17. Charles Reply

    AOL has just offered its “Premium” paying members a bunch of free services. One is a password protecting software like Roboform and Lastpass. It is called “AOL OnePoint”. AOL has been hacked before, so I don’t know if I can be confident about this service. They don’t give info as to who is behind the software … and what experience they have. Help on this?

  18. Lou Maule-Cole Reply

    I have been using RoboForm for many years and have never had a problem. RoboForm generates very secure passwords and also enables one-click logging in to all your secure web sites. It’s invaluable, especially if you have a memory like mine. I recommend it to all my friends.

  19. Pete Miles Reply

    In the UK banks have a variety of methods of logging on. My bank uses a client number as the first part, then a variation on a password, and last, a variation on a really long user invented word.

    So every time a user logs on they are asked for entirely different variations of parts 2 and 3.

    So using LastPass doesn’t work because we have no idea what we will be asked when we log on.

    For everything else I use LastPass based on Steve Gibson’s recommendations and Leo’s suggestions.

  20. donotreadonme Reply

    In conjunction with Speed Dial this is a cool way to automate and manage accounts. Speed Dial allows you to set up unlimited webpages listing sites anyway you want to categorize them. You click on the pointer and Last Pass logs you in. Roboform ticked me off after they tried charging me more money to upgrade to their Windows 7 version. I had paid for a lifetime subscription.

  21. bob Reply

    Most banks or financial institutions use an electronic key, without which you cannot access your bank account.

    I’m afraid it’s not “most” banks. Those that do offer two-factor authentication are few and far between here in the US.

    Leo
    11-Jul-2012
  22. Gord Campbell Reply

    Horse Puckey! I have a file folder which contains my (more than 50) passwords. I keep it physically secure. When I log on to a site, I type my password. Oh, I also use Linux, so I’m safe these days.

    • C. B. Reply

      “Oh, I also use Linux, so I’m safe these days.”
      LOL. Good luck with that. I don’t know why you Linux users think your systems are not subject to malware attacks. It’s an ignorant assumption and it’s a false assumption.

  23. Kenny Driver Reply

    Norton now has a password toolbar that works very well. Identity Safe. It’s less buggy than Lastpass.

  24. James Reply

    Work requires that I have different passwords for the various things that I access (Windows logon, mainframe logon, Compensation website, encryption software, etc.). And work forces you to change your passwords every 90 days and repeating previous passwords does not work, nor does it work if the password is too similar. Passwords must be strong passwords. And writing down your passwords is a no-no.

    A couple years ago, I came up with a “formula” that fit the password requirements. Every 90 days I can use the “formula” again to come up with the new set of passwords for the various systems. All I really have to remember is the “formula.” I can always figure out my password if I forget what it is.

  25. ThomasGC Reply

    I and the rest of my household use LastPass, each with our own YubiKey second-factor security. Works like a dream. Very impressed with the service and there’s an Android app too, as well as an add-on for the Dolphin browser.

  26. Tregonsee Reply

    Roboform is slowly finding ways around those institutions which try to prevent its use. I only have one problem account, and it works with IE, but not Firefox. No problem, since I only access it once or twice a month.

    I have one user name and password which I have been using since 1978 when I had a Department of Energy network account. It exists on literally hundreds of places, but all are in the “Don’t Care” category. The simplicity of always knowing what it is far outweighs the possible problems of compromise. The few accounts which matter, such as banks, email accounts, and a few professional sites, are all long, complicated, and different.

  27. Byron Reply

    I’ve used Roboform for years. Main reason I began using it was to protect against KEYLOGGERS. I use Viper Anti-virus. Great combination!

  28. John Butler Reply

    I strongly support Leo’s recommendation to use Roboform as a password manager. I just add that as it is so secure, make sure you back up the Roboform data on an external disk in case you have a crash. If you do not do this a crash may cause loss of all password information, which can be a serious problem.

  29. Jerome Bush Reply

    I have to agree with Tregonsee . I got the idea from the book, Lord of the Rings. In the fortress, there were “lesser passwords” that were taught to everyone. Then, there were stronger passwords for more important stuff and more important people.

  30. Ed Boyd Reply

    Regarding banks and security… FIRST: When the banks get THEIR act together, then I might heed their messages! They are not much better than the Feds when it comes to IT geniuses! I had a young friend who told me that they would practice on government accounts, then see how they could do with banks…he just smiled! Many have little old ladies in combat boots that have been around since WWII. I belong to Boeing Credit Union, I use Last Pass and have since they started. When I go to the BECU site, another pop-up window shows and Last Pass just jumps right in and posts the info…no hassles, no problems! It drives me crazy when service organizations (banks??) always “TELL YOU WHAT YOU CAN’T DO BUT NOT WHAT YOU CAN DO!”

  31. HARVEY MELTZER Reply

    I have had RoboForm 6 for several years. It is about 95% efficient. Sometimes it drops the password entry box for a site. When using it, always use the “Virtual” keypad for the master password and not your regular keyboard. This adds another layer of protection.

  32. Joseph Schiavone Reply

    I have used Dashlane as my password manager for the past 2 years and I love the way it works and its features. By using a password manager it trained me to use a different password for each site and also to be more creative in forming passwords.

  33. Gil Reply

    How does one extend the generated passwords to beyond eight characters in LastPass? I would like to have some be 16 characters and my bank accounts be 24 characters. I’ve searched in LastPass and just not finding the answer to my question. Thanks Leo!

    • Mark Jacobs Reply

      Tick the ‘Show advanced options’ check box. An option to set the length will appear.

  34. FBTOOL Reply

    I have been using “Last Pass” for a few months. I haven’t allowed it to re-generate all of my old passwords yet though. I am concerned that if, in the future, I should decide to stop using it or they go out of business, how would I gain access to all the sites that it auto-generated passwords for?

      • duane Reply

        I didn’t know that the Lastpass passwords were on my hard drive. Where would I find them?

        • Mark Jacobs Reply

          To download them and print them, click on the LastPass icon and select Tools from the pulldown. In the next pulldown choose Advanced Tools. Then in the next pulldown choose Export, where you can choose the format you want to save it to. (The original Ask Leo! article on backing up LastPass skipped the step of choosing Advanced Options. It appears LastPass changed the menu since the article was written.)

          • duane

            I think I found my problem. I only have the free version of Lastpass and haven’t upgraded to the premium. With what I have, when I sign into the Lastpass site I get my vault and there are no tool bars like you are describing to download anything. Thanks for your help.

        • Mark Jacobs Reply

          It’s not found in a tool bar. If you click the LastPass icon in your browser, the Tools option should appear in the pulldown menu. As I understand it, the only difference in the free version is that it doesn’t synchronize your passwords with your phone and tablets. See this article for screenshots showing how to access this feature. http://askleo.com/how-do-i-back-up-lastpass/

  35. Daniel Ullman Reply

    A way to add security to a password manager is to store only partial passwords. For example, say you have a password of 25 random characters and the word rough. Have the password manager save the 25 random characters and add the word rough to the end once the password manager has filled out the password field. The last characters are easy to remember and you will not have recorded your entire password anywhere.

    • SGKris Reply

      This is cute. Simple to execute for an added security. Thanks Daniel.

  36. Reid Reply

    I’d just like to stress Leo’s point “I have LastPass automatically log out after some amount of time…” I highly suggest all LastPass users configure that setting (Preferences, General, Security). I use LastPass at work, as well as home. I don’t want some sysadmin remote connecting to my PC when I’m not around and finding LastPass wide open. I have it log off after 30 minutes of non-use.

    Here is a good page listing several LastPass security measures you may want to consider, including those mentioned by Leo above: http://www.howtogeek.com/121267/11-ways-to-make-your-lastpass-account-even-more-secure/

  37. Steven Reply

    Worried about some ‘sysadmin’ finding your LastPass passwords or some other file while you’re away for a period of time?

    DISCONNECT THE LINE. You won’t forget about it.

  38. Clairvaux Reply

    I’m irritated by the few sites which don’t allow entering passwords by copying and pasting. I suppose this is done to prevent automated hacking attempts, but in my opinion, it has the opposite effect: in practice, forcing users to enter passwords manually limits their length and complexity. Therefore it decreases security.

    Besides, I’m sure most sites are programmed to reject log-in attempts if a single user makes too many of them in a short while. At least, I hope so…

    I use KeePass, which is supposed to protect you even against keyloggers, since it can scramble the password before entering it. It is also very useful to store any amounts of various identification data, such as social security numbers, software licence numbers, etc.

    All you have to do, then, is make sure that you have multiple, up-to-date backups of your password database in various places.

    • Leo Reply

      I would simply caution you that no password manager can protect you against all keyloggers. The simple ones, sure, but a relatively sophisticated one can capture the password as it’s passed to the web site.

  39. L L E Reply

    After reading all of the above I have a question: When a password is generated by a password manager, can I see what the password is after it has been generated?

    • Leo Reply

      Depends on the password manager. Most have a “reveal” option, or a way to see it. LastPass’s is displayed for you so you can even copy/paste it if you like.
