
Are Password Managers Safe?

Recently I tried to use RoboForm for an account at a large financial institution, but I couldn’t get it to work. In response to my inquiry, this institution said they do not permit log in using credentials that are stored on software because the security of the password could become jeopardized if my computer were hacked, invaded, etc. Is this true? Am I safer not to use tools like RoboForm?

Some believe using password managers represents a single point of failure. Very technically, they are correct: if someone gains access to your password manager, they have access to everything in it.

Not-so-technically, I strongly believe they are seriously misguided.

Using a password manager is significantly safer than the alternatives.


Security best practices

Without using a password manager, the idea is that you:

  • Have good, strong passwords (long and complex).
  • Keep them nowhere but in your head (memorable).
  • Use a different password on every site or service (unique).

Yes, that would be ideal.

It’s also impractical for most.

Those requirements cannot all be met at the same time. At least one of them will be compromised.

Without a password manager

Without a password manager, most people compromise their security somehow.

  • They’ll choose a less secure, easy to remember password (short and/or not complex).
  • They’ll use the same password at multiple sites (not unique).
  • They’ll save the password using insecure technology (not memorable).

Any one of those decreases your security significantly.

Avoiding technology specifically designed to keep passwords secure doesn’t make you safer. Factor in human nature and it decreases security significantly.


With a password manager

Password managers make best practices trivial. Using a password manager allows you to:

  • Generate and use secure, complex, and appropriately long passwords.
  • Never need to remember passwords yourself.
  • Use different passwords on different sites.

These are things people don’t do unless they have a tool in place to help them.

Most password managers add several features that make improved security even more convenient. They can:

  • Synchronize your information across multiple computers.
  • Be used on mobile devices.
  • Automatically fill in not just passwords, but common web forms.
  • Store arbitrary notes.

All with more security than almost all alternatives.

If you’re compromised, you’re compromised

It is true that if your computer is compromised, all bets are off. Malware could gain access to whatever it is you have stored on the computer.

For example, while I’m logged into LastPass, all the information is technically available to software running on my machine – good software or bad.

That’s a serious concern, and not to be taken lightly.

But it’s a concern that exists regardless of whether you use a password manager or not. All bets are off if a keylogger captures what you enter when you log in to your bank account.

Avoiding a password manager doesn’t increase your security one whit. In fact, I’d wager there’s more malicious software out there waiting to see what you type in than there is targeted at stealing the contents of your password manager.

There’s just no substitute for keeping your machine secure to begin with.

But are password managers safe?

Yes. Password managers are safer than any practical alternative.

There are no absolutes – that, too, is a practical reality. There is no such thing as absolute security. As I said earlier, if you fall victim to malware, all bets are off, no matter what technique you use.

Password managers are the safest way to keep a record of your online account information, but they are no safer than:

  • The master password you use to access the password manager.
  • Your own ability to use your computer safely.

The last one scares most people, but my claim is that using password managers is, in fact, one way to use your computer more safely.
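As an added illustration (not code from Leo or from any password manager vendor) of why the vault is only as safe as the master password: the vault is encrypted on your own computer with keys stretched from that password, so a synced or stolen copy is nothing but ciphertext, and a wrong master password or an altered copy is refused rather than decrypted into garbage. It also generates 16- and 24-character passwords from the OS CSPRNG. The KDF parameters and the HMAC counter-mode stream cipher are my own illustrative choices, not any product's.

```python
import hashlib
import hmac
import json
import os
import secrets
import string
from typing import Dict, Optional, Tuple

# Illustrative parameters (assumed, not a specific product's): a slow KDF makes every
# guess at the master password expensive, which is the only thing standing between a
# stolen copy of the vault and its contents.
KDF_ITERATIONS = 200_000
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG (secrets), e.g. 16 or 24 characters."""
    if length < 8:
        raise ValueError("refusing to generate a password shorter than 8 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                             KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: an illustrative stream cipher for this example."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def lock_vault(master_password: str, entries: Dict[str, str]) -> bytes:
    """Encrypt-then-MAC the vault locally; this blob is all a sync server ever sees."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unlock_vault(master_password: str, blob: bytes) -> Optional[Dict[str, str]]:
    """Return the entries, or None if the master password is wrong or the blob was altered."""
    if len(blob) < 16 + 16 + 32:
        return None
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time check before decrypting
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)).decode("utf-8"))


def blob_leaks_password(blob: bytes, entries: Dict[str, str]) -> bool:
    """True if any stored password is visible in the clear in the synced blob."""
    return any(pw.encode("utf-8") in blob for pw in entries.values())


if __name__ == "__main__":
    vault = {"bank": generate_password(24), "email": generate_password(16)}
    master = "correct horse battery staple"  # constructed sample master password
    blob = lock_vault(master, vault)
    print("unlocked with right master password:", unlock_vault(master, blob) == vault)
    print("unlocked with wrong master password:", unlock_vault("hunter2", blob))
    print("blob leaks any password in the clear:", blob_leaks_password(blob, vault))
```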

What I do

I keep my machine(s) secure by doing the traditional things that you hear over and over: keeping software up-to-date, running up-to-date scans, avoiding malicious websites and downloads, not falling for phishing, and so on and so on.

I use LastPass as my password manager to manage all my passwords and additional security information.

I use Google Authenticator, a form of two-factor authentication, to access my LastPass vault. You can’t get into my LastPass account even if you know my master password. To get access you need both my master password and my mobile phone.

I have LastPass automatically log out after some amount of time on any device which I’m not 100% certain won’t get stolen or accessed without my permission.

I keep my master password secure and complex.

I’m not going to claim it’s impossible for anything to happen – that’d be a foolish claim. I am, however, very satisfied with the risks and trade-offs.

Let’s face it, even doing business off-line has risks and trade-offs.


108 comments on “Are Password Managers Safe?”

  1. I totally agree! I used Roboform but I find LastPass to be superior in many ways. Not least of which is that it is easily available to me on any platform.
    I am so reliant on it that it now contains all the info required In Case of Emergency (ICE). My dependants have half the password each so that should anything happen to me they can gain access to my LastPass account in which they will see not only my passwords but instructions on how to deal with other matters.
    I highly recommend this. The free version of LastPass is all you really need but please consider supporting them by upgrading to the Pro version for $1 a month. I do.

    • Computers are supposed to be fast but when it comes to security, well, it comes first.
      I use an old program from PC Mag called Password Prompter. It stores your data encoded.
      I never let my browser “Remember Me”
      I can copy my User name and password from Prompter and paste them into the site page to log in.
      No password data is stored where it can be hacked easily. Takes a little more time but it’s worth it.
      You must log into Prompter to open it. It stores any special instructions or notes you care to remember for each site along with the site url.

  2. I have used KeePass for the last few years – free, easy, convenient and safe. I can strongly recommend it.

  3. The reason banks don’t allow password managers is not technical – they can and do hire top tech brains – but legal – they can and do hire top legal brains too. If they take certain preventive measures they shift the responsibilities to the customer. The customer is supposed to keep the password safe, isn’t it?

    Basically they want only customer entered inputs at the website (or the app); not any software accessed. Having deep pockets, they can be deemed responsible if they don’t have such usage restrictions.

    Technology may solve our problems but the legal system can and will prevent it from being used. You will be surprised how much of our life is governed by the legal system lurking hidden behind us.

  4. Leo, you sound like a candidate to join my one-man crusade against expiring passwords. No computer security measure could be more irritating. Password expiration policies only reduce security for many of the same reasons as not allowing password managers.

    • I agree 100%! Nothing annoys me more in the whole “password realm” than a website’s demand that I change my password every “x” number of days.

      • I’ll add my vote. I have one on-line acct that requires periodic password changes, and it’s annoying as all get out. I wonder if this doesn’t have some relation to Rachael’s post (above) about legal vs. technical. We’re told that changing passwords regularly is more secure, so perhaps sites cover their -um- behinds by requiring it.

      • Demands for frequent password changes are a real pain but they are also a defense against your credentials being used against you. There are several scenarios.
        1) You have no control (& generally no knowledge) of how a site saves your credentials. There are numerous cases where sites have been hacked and large volumes of credentials accessed. Over time these become more widely available (the hackers use them, then they sell them). Even where there is good encryption on the site, secure passwords can be recreated from their hashed & salted forms. A strong password in 2012 no longer looks quite as strong 4 years later.
        3) Increasing prevalence of surveillance cameras at work & in public locations make it easier for someone to shoulder surf & capture your password.
        4) Similarly the odds of someone who spends a lot of time in your company working out what password you are using increase over time with repeated use.
        All of these can be mitigated (but not eliminated) by not using the same password over multiple sites.

        • 1. That is more an argument for having a different password for each login. A careless website where you need to change your password frequently would be almost as dangerous if you regularly change passwords.
          3. That’s an argument never to type a non-work related password at work as they might use a key logger. If they don’t use your password before you change it, it might give some protection.
          4. I don’t understand what you mean by “working out what password you use.”

    • Can I join too? Social Security demands changing your account password every six months. So irritating. I only go to the site once a year to check my balance. I couldn’t even get in this year so just said to heck with it.

      Thanks, Leo, for mentioning that Google Authenticator works on Last Pass. Off to add two-factor to my Last Pass account.

      • Me too. (Not the # version) Soc Sec Admin requiring password chg every 6 months when *lots* of folks log on once per year is just silly. Not too long ago, SSA required users have a cell phone to receive a text in order to log on . That didn’t last long.

  5. I have been watching the debate concerning password managers. I know the idea is nice because it make it easier to manage 30 different passwords. I also agree somewhat with the bank.
    But ultimately the fact is strong passwords do not replace the need for other effective security control. These banks need to add additional layers of authentication for access and transaction verification without unreasonable complexity, and this will help their customers by implementing some form of 2FA where you can telesign into your account and have the security of knowing you are protected if your password were to be stolen. This should be a prerequisite to any system that wants to promote itself as being secure. With this, if they were to try to use the “stolen” password and don’t have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account. This is one of the biggest problems with internet security: people are still encouraged to rely on their password as if it were all that is needed.

  6. In many, if not all European countries, Banks use a 2 factor authentication system called the PIN and TAN system. A TAN is a Transaction Authorization Number, a one time password to complete a transaction. Under the older PIN/TAN system, the bank would send you a list of 100 TANs and upon entering the information, the website asks for a specific random TAN from the list. In order to do away with a printed list which could be a weak link in the operation, many banks are switching to sending a text to your phone or using a TAN calculator. This calculates your TAN when you insert your bank card and enter a challenge code and your card PIN.

  7. So if our wonderful “copy-me” litigation avoidance system is behind this “conspiracy” how long will it be before all major web destinations adopt the “no robo login manager” policy? (I wonder if somebody has a patent on the technology to make robo-managers not work…)

    But the thing that absolutely infuriates me is when I forget a password and the site (some, not all) helpfully sends it back to me – in plaintext email! Have they not heard of (decades old) one way encryption? This is even worse than robo-managers because the user has no control over security management on the other end of the wire to these sites. How many times have major breaches happened to large companies/websites? I would love to publish a list of these sites and embarrass the heck out of them but then that would be compromising security too. This factor alone makes using the same password at more than one site an absolute no-no. So, Leo, I am all for best security practices by everyone but some outfits are a few brains short of a full kindergarten, tech, legal or otherwise, and there is not much we can do about that.

  8. I happen to use KeePassX as my password manager. I simply copy-and-paste my passphrase into the login form field. My bank is none-the-wiser.

  9. I have set my bank [B of A] online banking features to NEVER allow a withdrawal, transfer, or check unless I have previously approved it. So, a hacker could send a check to my previously approved list, like the phone company or PG&E. I doubt they would do that.

    If I want to send money elsewhere, a new place, I have to create a new payee or transfer, and then I must use my SafeKey card that generates a new code number via algorithm. I enter that number into the bank info and the money moves.

    I keep that SafeKey at home.

    I also use a jumbled up set of letters for my user name, a 16 numbersymbolletter password. All my credit cards are set to notify me if used for over $100.

    Am I perfectly safe? Of course not, but no key logger could enter my bank info without the SafeKey card that is kept at home.

    And passwords are encrypted with TrueCrypt.

  10. I am an expert in bank regulations and security. All banks must comply with a significant set of internet banking security regulations. Included in them are mandatory specific multi-factor authentication procedures which are designed to ensure that only a real person sitting at a pre-authorized computer can access customer accounts. These specifications require that the authentication procedure eliminates the possibility of automatic sign-ons to the furthest extent of current technological means. Because of this and other specific Ebanking regulations, the banks have no choice but to inconvenience their customers in order to make the government happy. Can you imagine how much it costs the bank just to have customer service staff available 24/7 to deal with this kind of problem? And if someone does get in and steal your money the bank is usually liable. There is simply no legal way to make it easier for the customers. We bank operations professionals sure wish there was. Investment banks may not be appropriately regulated, but bank operations and security have been and still are. If you don’t like it, remember November 6!

  11. A big problem with pw managers is that you have all of your eggs in one basket. If your pw manager pw is compromised, then all of your assets are compromised.

    • A great idea. But rather than using symbols for the columns, I have found it easier simply to use alpha characters from A to Z, splitting them into groups of three – ABC DEF HIJ … etc. and using a Courier font.

  12. Re RoboForm and the safety issues using it: a couple of years ago I was using RoboForm. I had the passwords for 4 bank accounts and maybe 40 online sportsbooks (all with money in them) stored there.
    One morning I opened up my inbox and there was a message from a guy named {removed} (@yahoo7.com). He said to me, “I am a security expert, your master password at RoboForm is {removed},” and it was.
    He claimed it and all of the P/W’s at RoboForm were “in the background” and anyone could see them.
    I immediately closed my RoboForm account. This guy, a very honest man, did not touch one cent of my money nor did he ever try and sell me anything.
    RoboForm told me “he is a keylogger”, apparently either one who is only practicing or an honest one, because he did not touch any of my money, so why bother being a keylogger, and he had access to everything I had.
    No more RoboForm for me, thank you. Regards, Don Rees

  13. Don Rees, you somehow got infected with a keylogger; it is not the fault of RoboForm. As soon as you typed your password into RoboForm he could read it. Run several free anti-malware programs to get rid of it.

  14. I use what I think is an even more secure method. I use strong passwords, different ones for each account, and keep cryptic notes to myself that will help me (and me alone) to reconstruct what my passwords are if I forget them, which I do often. Yes, it’s a bit of a pain having to go look up my hints to remind myself of what my password is every time I want to log onto a bank account or other online account, but I’d rather have to go through that than have it easily hackable. I *never* write my passwords down in plain text anywhere. Also, I always open a brand new browser window (not just a new tab) whenever I want to log onto a financial account, and I log off immediately and close the window afterwards, so that no other websites I happen to be connected to at the time could know what my bank URL is. I also practice all the safe computing practices Leo mentioned, so I’m pretty much not vulnerable to key loggers. I also reconcile all my financial accounts regularly against my own records (I don’t trust downloading the transactions from the bank website) so I’ll catch any fraudulent activity (or bank error) and be able to report it.

  15. Leo is right that it is better to have a password manager like RoboForm than rely on common sense!
    RoboForm does not, in my environment, let me into online banking; it lets me access the entry to the account but I still have to enter the password for my account, which changes every day.
    Moreover, a big added facility with RoboForm is that you can carry access to your passwords with you on a memory stick, and you have only to remember the master password, which can be sixteen characters long.

  16. I use KeePassX to generate my various passwords. How does KeePassX compare to RoboForm and/or LastPass? Should I consider dropping KeePassX and move over to either of the alternatives, or am I in good shape with what I have? Up to the present I’ve had no problem with KeePassX. Thanks for your anticipated response.

    I’m not familiar enough with KeePass to give a compare/contrast evaluation. I’ve heard good things about it, though. If it’s working for you I don’t know of a reason to change.

    Leo
    10-Jul-2012
  17. AOL has just offered its “Premium” paying members a bunch of free services. One is a password protecting software like RoboForm and LastPass. It is called “AOL OnePoint”. AOL has been hacked before, so I don’t know if I can be confident about this service. They don’t give info as to who is behind the software … and what experience they have. Help on this?

  18. I have been using RoboForm for many years and have never had a problem. RoboForm generates very secure passwords and also enables one-click logging in to all your secure web sites. It’s invaluable, especially if you have a memory like mine. I recommend it to all my friends.

  19. In the UK banks have a variety of methods of logging on. My bank uses a client number as the first part, then a variation on a password, and last, a variation on a really long user invented word.

    So every time a user logs on they are asked for entirely different variations of parts 2 and 3.

    So using LastPass doesn’t work because we have no idea what we will be asked when we log on.

    For everything else I use LastPass based on Steve Gibson’s recommendations and Leo’s suggestions.

  20. In conjunction with Speed Dial this is a cool way to automate and manage accounts. Speed Dial allows you to set up unlimited webpages listing sites anyway you want to categorize them. You click on the pointer and Last Pass logs you in. Roboform ticked me off after they tried charging me more money to upgrade to their Windows 7 version. I had paid for a lifetime subscription.

  21. Most banks or financial institutions use an electronic key, without which you cannot access your bank account.

    I’m afraid it’s not “most” banks. Those that do offer two-factor authentication are few and far between here in the US.

    Leo
    11-Jul-2012
  22. Horse Puckey! I have a file folder which contains my (more than 50) passwords. I keep it physically secure. When I log on to a site, I type my password. Oh, I also use Linux, so I’m safe these days.

    • “Oh, I also use Linux, so I’m safe these days.”
      LOL. Good luck with that. I don’t know why you Linux users think your systems are not subject to malware attacks. It’s an ignorant assumption and it’s a false assumption.

  23. Work requires that I have different passwords for the various things that I access (Windows logon, mainframe logon, Compensation website, encryption software, etc.). And work forces you to change your passwords every 90 days and repeating previous passwords does not work, nor does it work if the password is too similar. Passwords must be strong passwords. And writing down your passwords is a no-no.

    A couple years ago, I came up with a “formula” that fit the password requirements. Every 90 days I can use the “formula” again to come up with the new set of passwords for the various systems. All I really have to remember is the “formula.” I can always figure out my password if I forget what it is.

  24. I and the rest of my household use LastPass, each with our own YubiKey second-factor security. Works like a dream. Very impressed with the service and there’s an Android app too, as well as an add-on for the Dolphin browser.

  25. Roboform is slowly finding ways around those institutions which try to prevent its use. I only have one problem account, and it works with IE, but not Firefox. No problem, since I only access it once or twice a month.

    I have one user name and password which I have been using since 1978 when I had a Department of Energy network account. It exists on literally hundreds of places, but all are in the “Don’t Care” category. The simplicity of always knowing what it is far outweighs the possible problems of compromise. The few accounts which matter, such as banks, email accounts, and a few professional sites, are all long, complicated, and different.

  26. I’ve used Roboform for years. Main reason I began using it was to protect against KEYLOGGERS. I use Viper Anti-virus. Great combination!

  27. I strongly support Leo’s recommendation to use RoboForm as a password manager. I just add that, as it is so secure, make sure you back up the RoboForm data on an external disk in case you have a crash. If you do not do this a crash may cause loss of all password information, which can be a serious problem.

  28. I have to agree with Tregonsee. I got the idea from the book, Lord of the Rings. In the fortress, there were “lesser passwords” that were taught to everyone. Then, there were stronger passwords for more important stuff and more important people.

  29. Regarding banks and security… FIRST: When the banks get THEIR act together, then I might heed their messages! They are not much better than the Feds when it comes to IT geniuses! I had a young friend who told me that they would practice on government accounts, then see how they could do with banks…he just smiled! Many have little old ladies in combat boots that have been around since WWII. I belong to Boeing Credit Union, I use LastPass and have since they started. When I go to the BECU site, another pop-up window shows and LastPass just jumps right in and posts the info…no hassles, no problems! It drives me crazy when service organizations (banks??) always “TELL YOU WHAT YOU CAN’T DO BUT NOT WHAT YOU CAN DO!”

  30. I have had RoboForm 6 for several years. It is about 95% efficient. Sometimes it drops the password entry box for a site. When using it, always use the “Virtual” keypad for the Master password and not your regular keyboard. This adds another layer of protection.

  31. I have used Dashlane as my password manager for the past 2 years and I love the way it works and its features. Using a password manager trained me to use a different password for each site and also to be more creative in forming passwords.

  32. How does one extend the generated passwords to beyond eight characters in LastPass? I would like to have some be 16 characters and my bank accounts be 24 characters. I’ve searched in LastPass and just not finding the answer to my question. Thanks Leo!

  33. I have been using “LastPass” for a few months. I haven’t allowed it to re-generate all of my old passwords yet though. I am concerned that if in the future I should decide to stop using it, or they go out of business, how would I gain access to all the sites that it auto-generated passwords for?

  34. A way to add security to a password manager is to store only partial passwords. For example, say you have a password of 25 random characters and the word rough. Have the password manager save the 25 random characters and add the word rough to the end once the password manager has filled out the password field. The last characters are easy to remember and you will not have recorded your entire password anywhere.

  35. I’d just like to stress Leo’s point “I have LastPass automatically log out after some amount of time…” I highly suggest all LastPass users configure that setting (Preferences, General, Security). I use LastPass at work, as well as home. I don’t want some sysadmin remote connecting to my PC when I’m not around and finding LastPass wide open. I have it log off after 30 minutes of non-use.

    Here is a good page listing several LastPass security measures you may want to consider, including those mentioned by Leo above: http://www.howtogeek.com/121267/11-ways-to-make-your-lastpass-account-even-more-secure/

  36. Worried about some ‘sysadmin’ finding your LastPass passwords or some other file while you’re away for a period of time?

    DISCONNECT THE LINE. You won’t forget about it.

  37. I’m irritated by the few sites which don’t allow entering passwords by copying and pasting. I suppose this is done to prevent automated hacking attempts, but in my opinion, it has the opposite effect : in practice, forcing users to enter passwords manually limits their length and complexity. Therefore it decreases security.

    Besides, I’m sure most sites are programmed to reject log-in attempts if a single user makes too many of them in a short while. At least, I hope so…

    I use KeePass, which is supposed to protect you even against keyloggers, since it can scramble the password before entering it. It is also very useful to store any amount of various identification data, such as social security numbers, software licence numbers, etc.

    All you have to do, then, is make sure that you have multiple, up-to-date backups of your password database in various places.

    • I would simply caution you that no password manager can protect you against all keyloggers. The simple ones, sure, but a relatively sophisticated one can capture the password as it’s passed to the web site.

      • Leo, maybe I missed something, but are you saying that a keylogger could capture a complete password even if it’s entered to a site’s login page via a keystroke or two entered into the pw manager? That seems to go way beyond the scope of keylogger to me.

        • The only safe way to think about any type of malware, keylogger included, is that once a hacker has control of your computer they can do anything. What we want to do is everything in our power to prevent malware and hackers. There is not much value in devising strategies to manage malware and hackers who have control of your machine.

        • EXACTLY. Calling something a “key logger” doesn’t restrict what it can do. A keylogger is MALWARE and once on your system malware can do anything.

  38. After reading all of the above I have a question: When a password is generated by a password manager, can I see what the password is after it has been generated?

    • Depends on the password manager. Most have a “reveal” option, or a way to see it. LastPass’s is displayed for you so you can even copy/paste it if you like.

  39. It’s worth mentioning, what LastPass (or indeed any PW manager) calls “2FA” actually isn’t 2FA at all.

    Two-factor authentication is simply not possible in this context. If your data/backups & master keys are stolen, “2FA” won’t help you.

  40. So, what happens when your hard disk develops bad sectors over the password data or your password manager itself? Can you still access your “more than 30 accounts all over the internet” after the manager is dead?

  41. Since I discovered password managers as a more secure anti-crack protection of my accounts (not so long ago), I used to use RoboForm.

    But yesterday, after thinking about differences between proprietary password managers and open-source ones, a question entered my mind:

    “How do I know that proprietary software doesn’t see all the data I entrust to it without having to use any master password or such?”

    Truly, it is a fact – there is NO way to know if proprietary software (such as RoboForm, LastPass and others) doesn’t see your passwords/data (it certainly can), no way to say if it doesn’t just copy all your database to their server, maybe even in open view – without any master password or such, and therefore you just cannot know if your data is actually safe from crackers (the ones people usually call “hackers”), from the RoboForm guys themselves, the NSA and so on.

    On the other hand, open-source software shows you exactly what that software is doing with your data and therefore, through a community of people who are able to read the code and determine that it doesn’t do any hidden/strange activity with your data, you can be more confident that your data is in fact safe. Therefore solutions like KeePass are the most reliable and trustworthy, although maybe (I don’t know for sure, as I have yet to start using it) KeePass is less convenient to use, indeed has a somewhat “uglier” design/user interface and, again maybe, is less integrated into different operating systems/computing devices/web browsers.

    • LastPass data is encrypted on your computer using LastPass, and only the encrypted passwords are uploaded to LastPass servers. Steve Gibson, a trusted friend of Leo Notenboom, has extensively tested the security features of LastPass. This video is very long, but you can skip to about minute 53 where he reviews the security of LastPass.
      http://twit.tv/show/security-now/256

      • While Steve and I have crossed paths ever so slightly, I’m not sure “friend” is the right word. But I do trust his analysis of LastPass, and it factored heavily into my adopting it.

  42. I have a small Truecrypt volume that has a *.txt file with all my info. It’s almost always unmounted. When I need access to my info. I mount it, use the info and then unmount it again. Isn’t this safer than using a password manager?

    Also, if Truecrypt fails, my volume is still accessible by reinstalling Truecrypt but, if a password manager fails, won’t you lose all your data?

    • It’s as safe, but in my opinion no safer and somewhat more inconvenient.

      Depends on what you mean by “fail”, but I don’t see a likely scenario where a simple failure would cause you to lose everything. I do recommend backing up the contents of your password manager periodically – just as I recommend backing up the contents of TrueCrypt volumes. 🙂

  43. If you are really looking for a password manager that works on all browsers running on any device (including mobile phones, tablets, computers, etc.), take a look at “Intuitive Password”. I use it all the time and it’s very convenient.

  44. As far as “security” goes, how can you tell (or how do you know) that the author of the software does not use any hidden tactics to secretly collect the data you enter into the password manager, thereby having access to all of your passwords?

      • Actually Steve Gibson of Security Now did a breakdown of LastPass a few years ago and confirmed the quality of the encryption and the code that’s running on your PC. That gives me a very high degree of confidence.

  45. What makes me nervous about the likes of LastPass is the increasingly frequent reports that some very well known and, you would think, very secure sites are hacked these days. How certain are you that these sites are immune to attack? Reading through your earlier comments, the big weakness of us users is our habit of using very easy to breach simple passwords or the same one many times. For this reason, I can see the argument that a password manager would be a whole lot safer. In my case I am at home, no one sits at my desktop but me and I have a book full of such information to which no one else has access. Admittedly, a burglar might. There are no duplicates and I am slowly making existing passwords more complex. At present, I can look up or share a password if I wish with a trusted person and if my desktop goes down (and they do), I can still get to my sites using another machine.

    At heart I suppose I do not trust the storage of information in the hands of others. This is all about the expansion of “Cloud” computing. Free it may be now but I simply do not see such facilities remaining free for long before a fee will be demanded for keeping our data “safe”.

    • If someone manages to break into the LastPass server, all they could get is a massive block of encrypted data.
      LastPass doesn’t know your master pass phrase. Only encrypted data ever travels between your device and the server; it is encrypted and decrypted only locally.

      • Yeah, but…..

        While LastPass has never actually exposed (unencrypted) user passwords, the company’s systems have been compromised more than once, with email addresses, cryptographic salts and hashed passwords being stolen. Next time – and there *will* be a next time: these databases are the Holy Grail for cybercriminals – it could be much worse.

        The simple fact is that nothing is 100% secure. Remember the bookmarklet bug that would have enabled a malicious site to extract logins for other sites from LastPass without the users’ knowledge? Or how about the OTP bug, which could have had absolutely devastating consequences had it been exploited in conjunction with the user details extracted in the previously mentioned breaches? And it’s pretty much a given that other bugs will be discovered down the road. How critical will those bugs be? Your guess is as good as mine…..

        As an aside, it’s also worth noting that using a password manager could possibly be in contravention of your bank’s terms of service – meaning that, were somebody to gain unauthorized access to your account and misappropriate funds, you could experience problems getting those funds reimbursed.
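    Two claims in this thread can be made concrete: the earlier comment that the vault is encrypted on your own computer and only ciphertext is uploaded, and the reply just above that a server breach yields email addresses, salts, hashed passwords and an encrypted blob rather than passwords. The sketch below is an added example written for this page; it is not LastPass’s code or any product’s, and its iteration counts, the way it splits the master password into a vault key and a separate login credential, and the HMAC-based stream cipher standing in for AES are all assumptions chosen so it runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Assumed parameters for this sketch, not any product's real values.
CLIENT_ITERATIONS = 100_000   # master password -> vault key, on the device
SERVER_ITERATIONS = 100_000   # server re-hashes the credential it receives
KEY_LEN = 32

def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side. Encrypts the vault; never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ITERATIONS, KEY_LEN)

def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side. One extra one-way step turns the key into a login credential
    the server can store; the server cannot reverse it to recover the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, KEY_LEN)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for AES so this runs anywhere.
    A real product would use AES-GCM or another vetted AEAD."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _subkeys(vault_key: bytes):
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())

def encrypt_vault(vault_key: bytes, entries: dict) -> dict:
    """Encrypt-then-MAC with separate keystream and tag keys."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, plaintext = secrets.token_bytes(16), json.dumps(entries).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def decrypt_vault(vault_key: bytes, blob: dict) -> dict:
    """Verify the tag before decrypting; a wrong key or a tampered blob raises."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("vault authentication failed: wrong master password or tampered data")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))))

class VaultServer:
    """Per user the service holds a salt, a server-side hash of the auth hash and
    the opaque blob: exactly the three things a database breach would yield."""
    def __init__(self):
        self.users = {}

    def register(self, email: str, auth_hash: bytes, blob: dict) -> None:
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, KEY_LEN)
        self.users[email] = {"salt": salt, "auth": stored, "blob": blob}

    def fetch(self, email: str, auth_hash: bytes):
        rec = self.users.get(email)
        if rec is None:
            return None
        cand = hashlib.pbkdf2_hmac("sha256", auth_hash, rec["salt"], SERVER_ITERATIONS, KEY_LEN)
        return rec["blob"] if hmac.compare_digest(cand, rec["auth"]) else None

def client_store(server, email, master_password, entries):
    vk = derive_vault_key(master_password, email)
    server.register(email, derive_auth_hash(vk, master_password), encrypt_vault(vk, entries))

def client_open(server, email, master_password):
    vk = derive_vault_key(master_password, email)
    blob = server.fetch(email, derive_auth_hash(vk, master_password))
    return None if blob is None else decrypt_vault(vk, blob)

def demo() -> dict:
    server = VaultServer()
    email, master = "alice@example.com", "Tr0ub4dor&3"   # constructed sample data
    entries = {"bank.example": {"user": "alice", "password": "correct horse battery staple"}}
    client_store(server, email, master, entries)
    rec = server.users[email]                            # what a breach exposes
    leaked = json.dumps({"salt": rec["salt"].hex(), "auth": rec["auth"].hex(), "blob": rec["blob"]})
    tampered = dict(rec["blob"])
    ct = bytearray(bytes.fromhex(tampered["ct"]))
    ct[0] ^= 1
    tampered["ct"] = ct.hex()
    try:
        decrypt_vault(derive_vault_key(master, email), tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"roundtrip": client_open(server, email, master),
            "wrong_password": client_open(server, email, "guess"),
            "plaintext_in_dump": "correct horse" in leaked or master in leaked,
            "tamper_detected": tamper_detected}
```

    Running `demo()` shows the three properties the thread argues about: the server record contains no plaintext password and no master password, a wrong master password is refused, and a modified blob fails authentication instead of decrypting to garbage. The caveat that goes with the breach comment is also visible in the code: an attacker holding the salt and the server-side hash can guess master passwords offline, limited only by the PBKDF2 cost and the strength of the master password, which is why a weak master password is the one thing this design cannot protect you from.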

  46. Nearly all of these password managers state that they cannot decrypt or view your passwords or other data. However, I don’t know of any way to verify that. Might they indeed have a master key or backdoor that would allow them to do so? With all of the international cyber espionage and hacking, couldn’t these tools be used as a great Trojan horse to collect valuable data? All of the online credentials could be used to create a great deal of chaos in another country when desired.
    Has anyone researched, pursued or reported on this potential risk?

  47. Agreed 100%. I either have to write-down all my passwords to have unique passwords or use the same or similar password. There are just too many to remember unique passwords. A password manager, if it is properly used, is safer than the alternatives.

    Of course it would also be easier to remember unique passwords, if there was a standard password protocol. I have some passwords that must be 8 characters. I have some passwords that can be as long as I want. I have some passwords that only allow letters and numbers. I have some passwords that require a special character.

  48. Thank you for a very interesting article.
    It made me wonder if I could not add to the security by simply adding a few easily remembered characters to the password stored in LastPass each time I need to enter a password?
    These characters would then not need to be unique as such, but could, to a certain degree, be varied a little, based on the site logging into?

    Comments would be very much appreciated.

    • I use a password manager simply for its form-filling capabilities and convenience, but do not permit it to store sensitive passwords for sensitive accounts such as banking (see my comment above for reasons). For sensitive accounts, I simply use an easily remembered passphrase ($tupidOldRay99, say) and then modify it on a per-site basis ($tupidOldRay99Bank, for example).

  49. I use a password manager that is capable of storing the encrypted passwords on a stick drive. If the stick drive is not attached to my PC, no access to passwords is possible, even if a hacker obtains the 16-character pass phrase that is needed to open the password manager. Of course, always backup your encrypted password file–somewhere other than on your computer!

  50. Any chance that a password manager is in fact spyware capable of stealing stored passwords
    whenever there is an internet connection?

    • Of course. That’s why you only download and install trusted password managers with good reputation, and only download them from their official sources.

  51. My suggestion is to use a good password manager but store only half of every password in it, so by seeing the half password from the password manager you should be able to recollect the other half from your memory and then enter it in the website to log in. By doing this, even if your password manager is compromised you will lose nothing but incomplete passwords which won’t work. I follow the same thing.

    • That is stifling your password manager’s ability to be secure and useful. A good password manager, like LastPass, makes it very easy to store and change passwords over time. When you are logged in to LastPass it will autofill password fields, and even help generate secure passwords. It can also be used across multiple devices so you always have secure access to your difficult passwords. Since it’s important to have different passwords on different accounts it’s far better to allow your password manager to do the job it is well suited to do.

    • LastPass automatically saves your passwords. I don’t believe there’s any practical way to make it store a partial password. If there is any workaround to do it by editing the password field, it seems it would be easier to have an encrypted list you can copy and paste from.

  52. Where do I ask a simple question? Such as: If I give permission for a supposed friend to assist me in correcting a supposed problem with my computer, what is the access that I have given him/her in accessing data on/from my computer? Can he/she go into my personal files and access personal data, or is the clearance I gave them restricted to repairs to my computer? On a general basis.

    Thank you from a late computer bloomer?

    Rae

    • You can ask a question by subscribing to the Ask Leo! newsletter. There is a place to sign up on the home page.

      And yes, if you have a friend or a technician help you with your computer you need to be able to trust them. There are many problems that they cannot fix unless they have full access. Trying to limit their access will limit their ability to help. Never allow a stranger over the phone to remote access your computer. My personal recommendation is to find a real-live, local person whom you can look in the eye!

      Here is a good article with some possible solutions: https://askleo.com/how_do_i_secure_a_hard_drive_before_sending_it_in_for_repair/

  53. My LastPass seems to log out after a certain amount of time. Not sure at the moment if that is something I set or can control. When it is logged out, it cannot automatically sign in to any website, and needs the Master Password to be entered again. I’m thinking of improving my “best practice” by deliberately logging out of LastPass if I will be away from my computer.

    Further to that, there are options for how LastPass accesses different sites. The more sensitive sites such as those relating to finance can be set to require a Password Re-prompt even though LastPass was already switched on. Attempting to access my bank I get “Your current settings require you to enter your LastPass password to complete this action.” My other bank previously did not allow me to use LastPass but now with their website upgrade I can.

    • LastPass allows you to change that setting:
      Click on the LastPass icon, select preferences on the next screen, you’ll see:

      Automatically Log out when all browsers are closed and Chrome has been closed for (mins)
      Automatically Log out after idle (mins)

      Uncheck the second box, and it will stop that from happening.

      The setting for re-entering your password before logging on is also something you can change. Click on the LastPass icon and select Show Matching Sites, click on the account name in the flyout menu (there may be more than one if you have alternate logins for that website). Next click Edit. Uncheck Require password reprompt. In Chrome, instead of clicking on the account name from the first flyout menu, click the wrench (spanner for those across the puddle) icon next to the account name.

      • Thanks Mark, but I wasn’t wanting to undo those restrictions. I was suggesting they can be used even more for blocking access if someone else somehow gets on to my computer.

        • I didn’t catch that when I read your comment, but they can also be used in reverse to protect your passwords by automatically logging off. I have a short idle time before logging off on my work laptop, and a longer idle time on my home computer.

  54. I am looking for an answer to this question. Suppose there is a keylogger which gets installed on my machine (which is not a remote possibility). Now, if I am getting this right, it can deduce my master password for the password manager I am using. If that happens, am I vulnerable? If yes, then I think it is more unsafe to use a password manager, rather than writing down something from which you can deduce your password (partial information, in codes, which only you can decipher).

    • It would be helpful to change your thinking around a bit. The best strategy is to avoid the keylogger rather than plan for the keylogger as if it is inevitable. Writing passwords on paper can be a good solution if your computer is in a safe location, if you are very organized, and if you never travel. I’ve seen lots of people who write down passwords in such a way that it is completely useless. Often a password is not changed for years, and the paper lost or forgotten. Or it can be changed online and the change not noted. Or any number of things.

      Here’s Leo’s best article on being safe on the internet: https://askleo.com/internet_safety_7_steps_to_keeping_your_computer_safe_on_the_internet/

    • A keylogger would capture your passwords when typed in. All your passwords. So avoiding a password manager is kinda silly, since the keylogger would instead capture all the other passwords you type in. The thing to avoid is the keylogger. My position remains that a password manager is far safer, as it allows you to use more different, stronger passwords that protect you from a variety of other threats. Avoid malware, avoid the keyloggers.

  55. Hi

    Is LastPass easy to use and user-friendly? What is your opinion on Roboform 8?

    I tried using KeePass so as not to have to store my passwords online (I am absolutely terrified at the idea of storing passwords online, especially bank accounts and credit cards) but I found it to be a pain to use. Not user-friendly at all (my opinion only).

    Thanks

  56. Hey Leo, do you use LastPass to enter your email as well? Since Google Authenticator is connected to Gmail, right, and if we use LastPass to log in to Gmail, isn’t that a loop?

    For example: if I already use LastPass and Google Authenticator, and somehow I got both logged out. When I want to log in to my LastPass, it asks me for the Google Authenticator code. When I want to check my Google Authenticator, I already set that LastPass will auto-fill it, which in this case it will not, because it has not logged in to LastPass, and I can’t possibly tell those scrambled gibberish words that LastPass made for my Gmail password.

    • I’m a little confused by the scenario you describe. I DO use the Google Authenticator (in the form of Authy, but same thing) for both Gmail and LastPass. Works fine. No loops that I’ve encountered.

      Login to LastPass: need password, prompted for second factor, which I enter after looking at the authenticator app.

      Login to Gmail: LastPass enters email and password, I’m then prompted for second factor, which I enter after looking at the authenticator app.
