There are people who believe that using password managers represents a single point of failure. Very technically, they are mostly correct: if someone gains access to your password manager, they have access to everything within it.
But not-so-technically, I strongly believe they are seriously misguided.
Using a password manager is, in my opinion, significantly safer than the alternatives.
Security best practices
Without using a password manager, the idea is that you:
- Use complex passwords (long, and not guessable).
- Use passwords you can remember, so they never need to be written down.
- Use a unique password for every site.
Yes, that would be ideal.
It’s also impractical for most people.
As far as I’m concerned, those requirements cannot all be met at the same time. At least one of them will be compromised.
Without a password manager
Without a password manager, most people will compromise their security in one way or another.
- They’ll choose a less secure password that’s easy to remember (short and/or not complex).
- They’ll use the same password at multiple sites (not unique).
- They’ll save the password using insecure technology, or write the password on a note kept nearby (not memorable).
Any one of those decreases your security significantly.
I believe avoiding technology specifically designed to keep passwords secure doesn’t make you safer. When you factor in human nature, it decreases overall security significantly.
With a password manager
Password managers make best practices easy – even trivial. Using a password manager allows you to:
- Generate and use secure, complex, and appropriately long passwords.
- Never need to type or remember passwords – the password manager remembers them for you.
- Use different passwords on different sites.
These are things that people don’t do unless they have a tool in place to help them.
On top of that, most password managers add several features that make improved security even more convenient. They can:
- Synchronize your information across multiple computers.
- Be used on mobile devices.
- Automatically fill in not just passwords, but common web forms.
- Store arbitrary notes.
All with more security than almost all alternatives.
If you’re compromised, you’re compromised
It is true that if your computer is compromised, all bets are off. Malware could gain access to whatever it is you have stored on the computer.
For example, while I’m logged into LastPass, all the information is technically available to software running on my machine – good software or bad.
That’s a serious concern, and not to be taken lightly.
But it’s a concern that exists regardless of whether you use a password manager or not. If you somehow manage to meet the three criteria (complex, memorable, and unique) with your passwords, then all bets are still off if a keylogger captures what you enter when you log in to your bank account.
Avoiding a password manager doesn’t increase your security one whit. In fact, I’d wager there’s more malicious software out there waiting to see what you type in than there is targeted at stealing the contents of your password manager.
There’s just no substitute for keeping your machine secure to begin with.
But are password managers safe?
Used properly, yes. In fact, I’ll go so far as to say that they are safer than any practical alternative that you might think of.
Of course, there are no absolutes – that, too, is a practical reality. There is no such thing as absolute security. As I said earlier, if you fall victim to malware, all bets are off, no matter what technique you use to keep your password information.
In fact, I’ll put it this way: password managers are the safest way to keep a record of your online account information, but they are no safer than:
- The master password you use to access the password manager.
- Your own ability to use your computer safely.
The last one scares most people, but my claim is that using password managers is, in fact, one way to use your computer more safely.
What I do
I keep my machine(s) secure by doing the traditional things that you hear over and over: keeping software up-to-date, running up-to-date scans, avoiding malicious websites and downloads, not falling for phishing, and so on and so on.
I use LastPass as my password manager to manage my passwords and additional security information.
I use Google Authenticator, a form of two-factor authentication, to access my LastPass vault. (There are several forms of two-factor authentication available in LastPass.) What two-factor authentication boils down to is that if I’m not logged into my LastPass account, then you can’t get in even if you know my master password. To get access to my LastPass vault, you need both my master password and my cellphone.
I have LastPass automatically log out after some amount of time on any device which I’m not 100% certain won’t get stolen or accessed without my permission.
Even with two-factor authentication, I keep my master password secure and complex.
I’m not going to claim it’s impossible for anything to happen – that’d be a foolish claim. I am, however, very satisfied with the risks and trade-offs.
Let’s face it, even doing business off-line has risks and trade-offs.