Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Isn’t Storing Your Passwords In One Place a Security Risk?

It depends on the place.

All the eggs - One basket.
(Image: canva.com)
Yes, password managers put all your information in one place. It better be a very good place.
Question: Isn’t it a security issue of using password managers that all passwords are stored in the same place?

Yes. Yes it is.

But an additional question might be: what’s the alternative?

Ultimately, password managers are the “least worst” solution to having to deal with passwords at all.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

There is no perfect solution to security or password management. Reputable password managers store your information securely and enable you to make better decisions when you’re choosing what kinds of passwords to use where.

No perfect solution

Every approach to managing lots of passwords has pros and cons. Each has things going for it and arguments against it.

Using a password manager is by far the best approach, even though it is not perfect.

All your eggs in one basket

The concern everyone raises is exactly what you’ve asked here: using a password manager puts all of your eggs in one basket.

So the issue boils down to: how secure is that basket?

This is why I keep recommending trusted and reputable password managers, like LastPass, among others. They make very good baskets.

When passwords are stored in their database — be it only on your machine, or in the service’s cloud — a good password manager encrypts the database in such a way that

  1. Even they cannot open it if no one provides the master password.
  2. The encryption would take decades to “crack” (assuming you use a properly secure master password).

Security is never absolute

No solution will be perfect.

For example, with a malicious keylogger on your machine, any or all of your passwords could be compromised, no matter how complex they are or what technology you use to keep track of them.

Password managers enable you to use the gold standard for passwords: long, strong passwords that are different for every site or service, without needing to remember them all yourself.

I call this “least worst” solution to the problem of needing to use passwords at all: the best of all the bad alternatives.

But it doesn’t alleviate you from being responsible for your overall security.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

12 comments on “Isn’t Storing Your Passwords In One Place a Security Risk?”

  1. I agree with the article (naturally). because with a password manager your basically doing your part to make yourself secure online (without too much effort to do so even though initial setup can take a while) as if someone does get a keylogger etc onto your computer you got bigger things to worry about at that point like securing your own computer. so if you fail here, I would just assume just about anything you do on it is compromised until a clean install of the operating system is done (i.e. wipe one hard drive and reinstall from scratch).

    but it’s easy enough to secure ones computer by just being more on the cautious side in general. so don’t install anything you don’t trust and any websites asking to install browser extensions (or claiming your computer is infected etc) are almost certainly shady. so if your pretty good there and as long as you don’t get Phished, the website your using would pretty much have to somehow become compromised for anything bad to potentially happen to you (like say someone stealing your credit card info etc) at which point this is really out of your control (and at which point using a password manager would increase your security quite a bit since it won’t be using the same password on multiple websites. so even if someone managed to get a hold of your really secure password for one site, the damage will be limited to that site since you won’t be using that same password on other websites. so it will stop those hacker types from potentially taking over other accounts you might have and you definitely don’t want someone taking over your email since it can be used to potentially reset password for many other websites you got).

    also, while probably not a option for most people, if a person can, run Linux (I suggest Linux Mint (linuxmint dot com ; it’s completely free) since it’s a simple enough OS for those who are used to Windows) instead of Windows as that will further lower ones risk online since it’s off the radar of shady people in general, unlike Windows and other popular operating systems. hell, with Linux, short of someone falling for say a Phishing scam, their chances of getting hit with a virus and the like is slim right from the start. so the average person browsing the internet is generally more secure on a Linux machine than Windows. NOTE: but those using Linux Mint for example, it does not do automatic updates like Windows does, so you need to manually allow updates to install occasionally to keep your computer secure since your browser updates (and other system updates etc) run through it’s ‘Update Manager’ which it automatically checks for updates but will never install them without your say so. so for someone who never updates, would be running a outdated version of Firefox for example which could be a potential security risk, especially if you go too long without updating.

    but with all of that said… I think sadly, those who need this security info the most, probably are not even aware of it, or if they are somewhat aware, they probably don’t care enough to do anything about it and think they will probably be okay using their same so-so password across multiple websites since many just want maximum convenience and many are willing to sacrifice security even though it’s a bad idea after a certain point as these people are rolling-the-dice as they are basically hoping no one gets a hold of their so-so password and we just got to hope that the password they are using is not too easy to guess (like above the low hanging fruit standard. or if not, that their sign-in name is not easy to guess). they might get away with it for a long time, but all it takes is one slip up and some shady person could potentially take over many other accounts they got, especially if their user name is pretty much the same across multiple websites.

    Sadly, I would imagine most people I know probably have so-so security online in general as, while I don’t know for certain, I am confident either all or nearly all of them don’t use a password manager which I suspect comes back to the inconvenience of the initial setup being too time consuming (some probably are not even aware of the risks either). I suspect for them, their best security probably is mainly betting on not being hit by anything shady to begin with. hell, I am sure I brought this stuff up a little with my sister a while ago but it pretty much goes in one ear and out the other (especially since she’s always focused on her kids etc) as she’s probably like most who don’t take this stuff seriously until they get burned. but like I mentioned above, hopefully their passwords are at least a little above the low-hanging-fruit standard especially more serious accounts like their email/banking etc.

    Reply
    • I don’t find installing and setting up a password manager at ail inconvenient. Just go to the LastPass (or other password manager) website, download, install it, and fill in the blanks when asked. It takes around three minutes.

      Reply
      • Mark Jacobs ; It’s not quite that simple for someone who’s currently using weak passwords on their websites (of which many people have many websites they sign into) and then wants to start using a password manager. because first one needs to install a password manager (which is simple enough as you mentioned), then needs to generate secure passwords with their password manager and apply it to the database file, which is simple enough, but then, and here is the time consuming part, apply those securely generated passwords from the password manager to each website so that your no longer using the weak passwords to sign-in prior to using the password manager, but using the ones the password manager generated for you to sign-in.

        that’s what’s inconvenient as it’s time consuming, at least initially, and that’s why I think it turns some people away from using them in the first place and they opt for the less secure route many default to which is using the same password, or maybe a handful of passwords, across all of their accounts (which as you know is a bad idea since if one is compromised, others could potentially be to).

        for the record… I have been using Password Safe (the one by Bruce Schneier that Rony Shapiro currently maintains ( pwsafe dot org (for Windows version even though I am using Linux version) ) since I want to say around 2005-2007.

        Reply
        • That can be done gradually as you log on to each website. Whenever you go to a website that LastPass doesn’t have an entry for, you can have LastPass generate a new password fo rthat site. Doing it all at once would be daunting.

          Reply
        • They are both very similar in features, especially the paid versions. The advantage of the free LastPass is that you can access your passwords on the web. The paid version of RoboForm is cheaper than LastPass. I haven’t used RoboForm in years and the reason I switched to LastPass was because at the time, the free version of RoboForm limited the number of stored logins. Now they allow unlimited logins. I can’t make a real recommendation as RoboForm has changed sin I’ve used it.

          Reply
  2. I think that the biggest problem with passwords is that now every site, even those that are not important or sensitive, financially, commercially or socially, are requiring passwords. My solution is using a generic password for most of the sites I visit and to have very strong individual password for around a dozen sites important to me or paid subscription places. I use Roboform for keeping those passwords.

    Reply
    • Unfortunately, in my experience, many sites people consider unimportant are anything but. If hacked they can be used to impersonate you, or even as a foothold into more serious hacking of more important accounts. It’s not just the information IN the account that you need to worry about, it’s the fact that a hacker could begin impersonating you and causing all sorts of grief. In my opinion, NO account is unimportant.

      Reply
  3. My problem is “What happens when I want out of LastPass?” LastPass has been generating passwords for all my sites and now I want to do it myself? What happens?

    Reply
    • I’m not sure what you’re asking. Nothing happens. Generate your own passwords. Or do you mean ENTERING your own passwords? Export your LastPass database so you have the passwords, and then enter them manually when needed when logging in.

      Reply
    • Just stop using it and manage those passwords yourself. You can export your LastPass vault to a .csv file which is compatible with Excel or Libre Office. You can then encrypt the spreadsheet by, for example, zip encrypting it. .

      Reply
  4. Great article Leo, couldn’t agree more. I really like Bitwarden password manager, the free edition is more than adequate. Best of the bunch imho.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.