Password vaults really are your most secure solution
Some believe using password managers presents a single point of failure. Very technically, they are correct: if someone gains access to your password manager, they have access to everything in it.
Not so technically, I strongly believe they are misguided.
Using a good password manager is significantly safer than any other alternative.
Good security demands that you have a unique and strong password for every site or service, ideally kept only in your head. Without a password manager to aid you, you’ll likely need to make a tradeoff that compromises your security. There’s no such thing as perfect security, but using a password manager ensures you’re as secure as possible without needing to make those tradeoffs.
Security best practices
Password security demands that you:
- Have good, strong passwords (long and complex).
- Keep them nowhere but in your head (memorable).
- Use a different password on every site or service (unique).
Yes, indeed, that would be ideal.
Without using a password manager, it’s also completely impractical.
Those requirements simply can’t all be met at the same time. At least one, if not two, will be compromised without the aid of a password vault.
Without a password manager
Without a password manager, you’ll compromise your security in some way.
- You’ll choose a less secure, easy-to-remember password (short and/or not complex).
- You’ll use the same password at multiple sites (not unique).
- You’ll save the password using technology that is not secure (not memorable).
Any one of those can significantly compromise your security.
With a password manager
Password managers make best practices trivially easy. Using a password manager allows you to:
- Generate and use secure, complex, and appropriately long passwords.
- Avoid the need to remember passwords yourself.
- Use different passwords on different sites.
These are things people don’t do unless they have a tool in place to help them. Password managers are specifically designed to securely do exactly that.
Most password managers add several features that make improved security even more convenient. They can:
- Synchronize your information across multiple devices.
- Be used on mobile devices.
- Automatically fill in not just passwords, but common web forms.
- Securely store other information of many types.
And they do all of that with more security than almost all alternatives.
If you’re compromised, you’re compromised
It is true that if your computer is compromised, all bets are off. Malware could gain access to whatever it is you have stored on the computer. For example, while I’m logged into LastPass, all the information could technically be available to software running on my machine — good software or bad.
That’s a serious concern, and not to be taken lightly.
But it’s a concern that exists regardless of whether you use a password manager or not. All bets are off if a keylogger captures what you enter when you log in to your bank account.
Avoiding a password manager doesn’t increase your security one whit.
But are password managers safe?
Yes. Password managers are safer than any practical alternative.
There are no absolutes — that, too, is a practical reality. There is no such thing as absolute security. As I said earlier, if you fall victim to malware, all bets are off, no matter what technique(s) you use.
Password managers are the safest way to keep a record of your online account information, but they are no safer than:
- The master password you use to access the password manager.
- Your own ability to use your computer safely.
The last one scares most people, but my claim is that using password managers is, in fact, one way to use your computer more safely.
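To make the two points above concrete (strong, unique, generated passwords for every site, and a vault that is only as safe as its master password), here is a small added example that is not part of the original article and not LastPass code. It models what a vault does with standard-library Python only: generate a fresh random password per site, estimate its guess-resistance in bits, and derive the vault key from the master password with PBKDF2 so that nothing stored on disk reveals the master password. The iteration count and the verifier label are my own assumptions, not any product's settings.

```python
import hashlib
import hmac
import math
import secrets
import string

# Characters a generator may draw from: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumption: a deliberately slow PBKDF2 work factor, so guessing the
# master password offline is expensive even if the vault file is stolen.
PBKDF2_ITERATIONS = 600_000
VERIFIER_LABEL = b"vault-verifier"  # constructed label, not a product value


def generate_password(length: int = 20) -> str:
    """Strong and unique: a fresh password per site from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of guess-resistance for a uniformly random password."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """The key that protects every entry; it exists only while the
    master password is known, which is why the vault is no safer than it."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt,
        PBKDF2_ITERATIONS, dklen=32,
    )


def make_verifier(master_password: str) -> tuple[bytes, bytes]:
    """Store a random salt and an HMAC over a fixed label instead of the
    master password itself; this is enough to check later unlock attempts."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt)
    return salt, hmac.new(key, VERIFIER_LABEL, "sha256").digest()


def check_master_password(candidate: str, salt: bytes, verifier: bytes) -> bool:
    """Unlock check: recompute the verifier and compare in constant time."""
    key = derive_vault_key(candidate, salt)
    tag = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return hmac.compare_digest(tag, verifier)
```

A 20-character generated password comes out near 131 bits, which is why the vault can hold hundreds of such passwords while you memorize only one: the master password, whose strength and the slow KDF are what the whole vault rests on.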
What I do
I keep my machines secure by doing the things you hear over and over: keeping software up to date, running scans regularly, avoiding malicious websites and downloads, not falling for phishing, and so on.
I use LastPass to manage all my passwords and additional security information.
I use Google Authenticator, a form of two-factor authentication, to access my LastPass vault. You can’t get into my LastPass account even if you know my master password. To get access, you need both my master password and my mobile phone.
I have LastPass automatically log out after some amount of time on any device which I’m not 100% certain won’t get stolen or accessed without my permission.
I keep my master password secure and complex.
I back up my LastPass vault regularly.
I’m not going to claim it’s impossible for anything bad to happen — that’d be a foolish claim. I am, however, very satisfied with the risks and trade-offs, and absolutely convinced that using LastPass (or any reputable password manager) keeps me as safe as possible, and safer than not using one at all.
Let’s face it: even doing business offline has risks and trade-offs.