Some believe using password managers represents a single point of failure. Very technically, they are correct: if someone gains access to your password manager, they have access to everything in it.
Not-so-technically, I strongly believe they are seriously misguided.
Using a password manager is significantly safer than the alternatives.
Security best practices
Without using a password manager, the idea is that you:
Yes, that would be ideal.
It’s also impractical for most.
Those requirements cannot all be met at the same time. At least one of them will be compromised.
Without a password manager
Without a password manager, most people compromise their security somehow.
- They’ll choose a less secure, easy to remember password (short and/or not complex).
- They’ll use the same password at multiple sites (not unique).
- They’ll save the password using insecure technology, such as a text file or a sticky note (not memorable).
Any one of those decreases your security significantly.
Avoiding technology specifically designed to keep passwords secure doesn’t make you safer. Factor in human nature and it decreases security significantly.
With a password manager
Password managers make best practices trivial. Using a password manager allows you to:
- Generate and use secure, complex, and appropriately long passwords.
- Never need to remember passwords yourself.
- Use different passwords on different sites.
These are things people don’t do unless they have a tool in place to help them.
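To make "secure, complex, and appropriately long" concrete, here is an added example (not code from Ask Leo! or from any password manager) of how a generator produces such passwords and how much guessing work each length represents. The character set, the 20-character default and the helper names are choices made for this example; a real manager's generator will differ in detail but not in principle: draw every character from the operating system's cryptographic random source, never from a predictable generator.

```python
import math
import secrets
import string

# Character classes the generated password draws from (chosen for this example).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Return a random password with at least one character from each class.

    `secrets` uses the OS cryptographic RNG; the `random` module must not be
    used for this, because its output is predictable from a small sample.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    # Guarantee one character from each class ...
    chars = [secrets.choice(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)]
    # ... then fill the rest uniformly from the whole alphabet.
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Shuffle so the guaranteed characters do not always sit at the front.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random password of `length` characters.

    Each extra character multiplies the number of candidates an attacker must
    try by the alphabet size; 20 characters from this 86-symbol alphabet is
    about 128 bits, a short 8-character one only about 51.
    """
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True if the password contains a lower, upper, digit and symbol character."""
    return all(any(c in cls for c in password)
               for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw)):.1f} bits")
```

The entropy figure is the point a practitioner should take away: a password you could memorise for dozens of sites is necessarily short, and each character you drop cuts the attacker's work by a factor of 86, which is exactly the trade-off a manager removes.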
Most password managers add several features that make improved security even more convenient. They can:
- Synchronize your information across multiple computers.
- Be used on mobile devices.
- Automatically fill in not just passwords, but common web forms.
- Store arbitrary notes.
All with more security than almost all alternatives.
If you’re compromised, you’re compromised
It is true that if your computer is compromised, all bets are off. Malware could gain access to whatever it is you have stored on the computer.
For example, while I’m logged into LastPass, all the information is technically available to software running on my machine – good software or bad.
That’s a serious concern, and not to be taken lightly.
But it’s a concern that exists regardless of whether you use a password manager or not. All bets are off if a keylogger captures what you enter when you log in to your bank account.
Avoiding a password manager doesn’t increase your security one whit. In fact, I’d wager there’s more malicious software out there waiting to see what you type in than there is targeted at stealing the contents of your password manager.
There’s just no substitute for keeping your machine secure to begin with.
But are password managers safe?
Yes. Password managers are safer than any practical alternative.
There are no absolutes – that, too, is a practical reality. There is no such thing as absolute security. As I said earlier, if you fall victim to malware, all bets are off, no matter what technique you use.
Password managers are the safest way to keep a record of your online account information, but they are no safer than:
- The master password you use to access the password manager.
- Your own ability to use your computer safely.
The last one scares most people, but my claim is that using password managers is, in fact, one way to use your computer more safely.
What I do
I keep my machine(s) secure by doing the traditional things that you hear over and over: keeping software up-to-date, running up-to-date scans, avoiding malicious websites and downloads, not falling for phishing, and so on and so on.
I use LastPass as my password manager to manage all my passwords and additional security information.
I use Google Authenticator, a form of two-factor authentication, to access my LastPass vault. You can’t get into my LastPass account even if you know my master password. To get access you need both my master password and my mobile phone.
I have LastPass automatically log out after some amount of time on any device which I’m not 100% certain won’t get stolen or accessed without my permission.
I keep my master password secure and complex.
I’m not going to claim it’s impossible for anything to happen – that’d be a foolish claim. I am, however, very satisfied with the risks and trade-offs.
Let’s face it, even doing business off-line has risks and trade-offs.