Password vaults are the most secure solution.

Some people believe using password managers presents a single point of failure. Very technically, they are correct: if someone gains access to your password manager, they have access to everything in it.
Not so technically, I believe they are misguided.
Using a good password manager is significantly safer than any alternative.

Password managers
Good security demands a strong, unique password for every site or service, ideally kept only in your head. Without a password manager to aid you, you are likely to compromise your security by making tradeoffs. There’s no such thing as perfect security, but using a password manager ensures you’re as secure as possible without needing to make those tradeoffs.
Security best practices
Password security demands that you:
- Have good, strong passwords (long and complex).
- Keep them nowhere but in your head (memorable).
- Use a different password on every site or service (unique).
Yes, indeed, that would be ideal.
Without using a password manager, it’s also completely impractical.
A human brain cannot meet all those requirements for the many, many passwords most of us have. At least one of those requirements, if not two, will be compromised without the aid of a password vault.
Without a password manager
Without a password manager, you’ll compromise your security in some way.
- You’ll choose a less secure, easy-to-remember password (short and/or not complex).
- You’ll use the same password at multiple sites (not unique).
- You’ll save the password using technology that is not secure (not memorable).
Any one of those can significantly compromise your security.
With a password manager
Password managers make best practices trivially easy. Using a password manager allows you to:
- Generate and use secure, complex, and appropriately long passwords.
- Avoid the need to remember passwords yourself.
- Use different passwords on different sites.
These are things people don’t do unless they have a tool in place to help them. Password managers are specifically designed to securely do exactly that.
Most password managers add several features that make improved security even more convenient. They can:
- Synchronize your information across multiple devices.
- Be used on mobile devices.
- Automatically fill in not just passwords, but common web forms.
- Securely store other types of information.
And they do all of it with more security than almost all alternatives.
If you’re compromised, you’re compromised
It is true that if your computer is compromised, all bets are off. Malware could gain access to whatever you have stored on the computer. For example, while I’m logged into my password manager, all the information could technically be available to software running on my machine — good software or bad.
That’s a serious concern, and not to be taken lightly.
But it’s a concern that exists regardless of whether you use a password manager or not. All bets are off if a keylogger captures what you enter when you log in to your bank account.
Avoiding a password manager doesn’t increase your security one bit.
But are password managers safe?
Yes. Password managers are safer than any practical alternative.
There are no absolutes — that, too, is a practical reality. There is no such thing as absolute security. As I said earlier, if you fall victim to malware, all bets are off, no matter what technique(s) you use.
Password managers are the safest way to keep a record of your online account information, but they are no safer than:
- The master password you use to access the password manager.
- Your own ability to use your computer safely.
The last one scares people, but my claim is that using password managers is, in fact, one way to use your computer more safely.
What I do
I keep my machines secure by doing the basic security measures you hear over and over: keeping software up to date, running scans regularly, avoiding malicious websites and downloads, not falling for phishing, and so on.
I use 1Password to manage all my passwords and additional security information.
I use two-factor authentication to access my 1Password vault. You can’t get into my 1Password account even if you know my master password. To get access, you need both my master password and my mobile phone.
On any device I’m not 100% certain won’t get stolen or accessed without my permission, I have 1Password automatically log out after some amount of time.
I keep my master password secure and complex.
I back up my 1Password vault regularly.
I’m not going to claim something bad can’t happen — that would be foolish. I am, however, very satisfied with the risks and trade-offs, and absolutely convinced that using 1Password (or any reputable password manager) keeps me as safe as possible and much safer than not using one at all.
Let’s face it: even doing business offline has risks and trade-offs.
Do this
Use a password manager. Please.
