There are people who believe that using password managers represents a single point of failure. Technically, they are mostly correct: if someone gains access to your password manager they have access to everything within it.
But not-so-technically I believe – strongly – that they are seriously misguided.
Using a password manager is, in my opinion, significantly safer than the alternatives most people choose.
Without using a password manager the idea is that you:
- choose a complex password for every account, long and random enough that it can't be guessed or cracked
- remember every one of those passwords yourself (memorable)
- never reuse a password across accounts (unique)
Yes, that would be ideal.
It’s also totally impractical for most people.
As far as I’m concerned, those requirements cannot all be met at the same time. In practice, at least one of them will be compromised.
Without a password manager
When not using a password manager, most people will compromise their security in some other way.
- They’ll choose a less secure password that’s easy for them to remember (not complex)
- They’ll use the same password at multiple sites (not unique)
- They’ll save the password on their computer using some other, less secure technology, or even write the password on a sticky note kept close to the computer (not memorable)
Any one of those decreases your security significantly.
I believe avoiding technology specifically designed to keep passwords secure doesn’t increase your security. When you factor in human nature, it actually significantly decreases overall security.
With a password manager
Password managers make best practices easier; trivial even. Using a password manager allows you to:
- generate and use secure, completely random, and appropriately long passwords (they’re complex)
- never need to type or remember passwords (they’re memorable in that the password manager remembers them)
- use different passwords on different sites (they’re unique)
These are things that people typically don’t do unless they have a tool in place to help them.
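To make the "complex" criterion concrete, here is an added example (not code from the original page or from any password manager) of what a generator does behind the scenes: it draws every character or word as an independent uniform choice from a cryptographically secure random source, so the strength of the result can be stated exactly in bits. The 94-symbol alphabet is Python's printable ASCII minus whitespace; the 16-word list is constructed for illustration only and stands in for a real passphrase list such as the 7776-word EFF list.

```python
import math
import secrets
import string

# Full printable ASCII minus whitespace: 94 symbols, the kind of alphabet a
# password manager's generator draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed 16-word list for illustration only. A real passphrase list
# (for example the EFF long list) has 7776 words; with 16 words each pick
# contributes only 4 bits, so this list is a stand-in, not for real use.
DEMO_WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orchid", "pebble",
]


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from `choices` symbols."""
    return picks * math.log2(choices)


def length_for_bits(target_bits: float, choices: int) -> int:
    """Smallest number of uniform picks from `choices` symbols that reaches target_bits."""
    return math.ceil(target_bits / math.log2(choices))


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password from the CSPRNG behind `secrets` (never the `random`
    module, whose output is predictable). Each character is an independent
    uniform choice, so the entropy is exactly entropy_bits(len(alphabet), length)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=DEMO_WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: independent uniform picks from a word list."""
    if words < 1:
        raise ValueError("words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(len(ALPHABET), 20):.1f} bits)")
    print("characters needed for 128 bits from 94 symbols:", length_for_bits(128, 94))
    print("words needed for 128 bits from a 7776-word list:", length_for_bits(128, 7776))
    print(generate_passphrase(6))
```

Twenty characters from 94 symbols give about 131 bits; ten words from a 7776-word list give about 129 bits, which is why a long passphrase can serve as a master password that is both strong and rememberable, while the per-site passwords can be the unreadable 20-character kind because the manager remembers them for you.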
On top of that, most password managers add several features that make improved security even more convenient. They
- synchronize your information across multiple computers
- let you use them on mobile devices
- automatically fill in not just passwords but common web forms
- store arbitrary notes
All with more security than almost all alternatives.
If you’re compromised, you’re compromised
It is true that if your computer is compromised, all bets are off. Malware could gain access to whatever it is you have stored on the computer.
For example, while I’m logged into LastPass, or while a TrueCrypt volume is mounted, all the information in each is technically available to software running on my machine – good software or bad.
That’s a serious concern and not to be taken lightly.
But it’s a concern that exists regardless of whether you use a password manager or not. If you somehow manage to meet the three criteria (complex, memorable and unique) with your passwords, then all bets are still off if a keylogger captures what you enter when you log in to your bank account.
Avoiding a password manager didn’t increase your security one whit. In fact, I’d wager that there’s more malicious software out there waiting to see what you type in than there is targeted at stealing the contents of your password manager.
There’s just no substitute for keeping your machine secure to begin with.
But are password managers safe?
Used properly, yes. In fact, I’ll go so far as to say that they are safer than any practical alternative that you might think of.
Of course, there are no absolutes – that, too, is a practical reality. There is no such thing as absolute security. As I said earlier, if you fall victim to malware then all bets are off, no matter what technique you use to keep your password information.
In fact, I’ll put it this way: password managers are the safest way to keep a record of your online account information, but they are no safer than:
- the master password you use to access the password manager
- your own ability to use your computer safely
The last one scares most people, but my claim is that using password managers is, in fact, one way to use your computer more safely.
What I do
I keep my machine(s) secure by doing the traditional things that you hear over and over: keeping software up-to-date, running up-to-date scans, avoiding malicious websites and downloads, not falling for phishing, and so on and so on.
I use LastPass as my password manager to manage my passwords and additional security information.
I use Google Authenticator, a form of two-factor authentication, to access my LastPass vault. (There are several forms of two-factor authentication available in LastPass.) What two-factor authentication boils down to is that if I’m not logged into my LastPass account, then you can’t get in even if you know my master password. To get access to my LastPass vault, you would need both my master password and my cellphone.
I have LastPass automatically log out after some amount of time on any device that I’m not 100% certain won’t be stolen or accessed without my permission.
Even with two-factor authentication, I keep my master password secure and complex.
I’m not going to claim it’s impossible for anything to happen – that’d be a foolish claim. I am, however, very satisfied with the risks and trade-offs.
Let’s face it, even doing business off-line has risks and trade-offs.
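The "master password plus cellphone" requirement above is an instance of TOTP (RFC 6238), the algorithm Google Authenticator implements: the phone and the service share a secret, and the six-digit code is an HMAC of the current 30-second time slot under that secret. The following is an added example, not LastPass's code or anything from the original page; it implements HOTP/TOTP from the RFCs and wraps them in a constructed account store and `login` routine that only succeeds when both factors check out. The base32 secret is the reference secret from RFC 6238 Appendix B, and the master password is a placeholder.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Reference secret from RFC 6238 Appendix B ("12345678901234567890" as bytes),
# shown base32-encoded the way authenticator apps receive it. Test data only.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30  # seconds per code, the Google Authenticator default


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return hotp(base64.b32decode(padded), at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift.
    Compares in constant time; a real server must also reject reuse of a code."""
    if not (code.isascii() and code.isdigit() and len(code) == 6):
        return False
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at + drift * STEP)
        ok |= hmac.compare_digest(expected, code)
    return ok


def derive_verifier(master_password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the master password so offline guessing is expensive."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000)


def enroll(master_password: str, secret_b32: str) -> dict:
    """Constructed model of what the service stores: salt, password verifier
    and the shared TOTP secret. Never the master password itself."""
    salt = os.urandom(16)
    return {"salt": salt,
            "verifier": derive_verifier(master_password, salt),
            "totp_secret": secret_b32}


def login(account: dict, master_password: str, code: str, now: int) -> bool:
    """Both factors are always evaluated, so a failure does not reveal which
    one was wrong. Knowing the master password alone is not enough."""
    password_ok = hmac.compare_digest(
        derive_verifier(master_password, account["salt"]), account["verifier"])
    code_ok = verify_totp(account["totp_secret"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    acct = enroll("correct horse battery staple", RFC6238_SECRET_B32)  # placeholder password
    now = int(time.time())
    phone_code = totp(RFC6238_SECRET_B32, now)
    print("code the phone would show now:", phone_code)
    print("master password only:", login(acct, "correct horse battery staple", "000000", now))
    print("both factors:", login(acct, "correct horse battery staple", phone_code, now))
```

The caveat that matters for the keylogger scenario discussed earlier: a captured master password is useless on its own, and a captured six-digit code is only valid for the current time window (plus the drift tolerance) and should be rejected if replayed, so an attacker needs to act within that window on a device the service will accept. That narrows the attack considerably, but it is still why keeping the machine itself clean comes first.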