Password managers are a great way to generate secure passwords, keep them in encrypted storage together with your credit card details, and improve your online security across the board. But you might be worried about keeping so much sensitive data in one place. Are password managers safe to use?
The answer is that it depends on which password manager you use. Some have known security issues, others may have ulterior motives (like profiting off your data), but the very best password managers are as safe as can be. We’ve analyzed several password managers and identified common issues and how these can be mitigated. Let’s go over some details to see how we came to our conclusion.
- What does a password manager do?
- What makes a password manager safe?
- Password manager vulnerabilities
- Is using a password manager safe?
What does a password manager do?
A password manager(new window) is a program that stores your passwords for you and generates new ones. Then, as you browse the web and access the login pages of services where you have an account, a pop up will offer to fill out these passwords for you with one click.
Password managers have a few benefits. For one, you no longer need to rely on your memory, meaning you can’t lose passwords. Second, because you don’t have to remember passwords anymore, you can create more complicated ones, increasing your security. Add to that how much easier a good password manager makes your browsing (see our article on password fatigue), and they’re a must-have.
What makes a password manager safe?
Password managers are designed to keep your passwords secure, but of course that raises the question of how safe they are themselves. After all, there’s a lot at stake. Generally speaking, a good password manager is designed to keep out intruders while keeping your data private. How well they do this, though, depends very much on the individual service.
There are a few things that the best password managers all have in common. The first of these is smart use of encryption(new window). A good password manager encrypts the vaults where you store your passwords with a state-of-the-art encryption algorithm like AES-256.
However, if a service is truly focused on users’ privacy, it will also use something called end-to-end encryption(new window). In regular encryption, when you send data from your computer to the password manager’s servers the encryption key is shared by both you and the service you’re using.
In contrast, when using end-to-end encryption, only you have the key. This eliminates the possibility of snooping by the service you’re using, both in transit and while stored. However, due to it being hard to implement on a technical level, not all password managers offer end-to-end encryption.
When services don’t use end-to-end encryption, the results can be catastrophic. The largest cloud storage breach to date, the 2012 Dropbox breach, happened because a Dropbox employee had been reusing their passwords(new window), which gave hackers a way into the system. The hackers decrypted the database and stole passwords of 70 million people. If Dropbox had used end-to-end encryption, this would not have been possible.
Using precautions like end-to-end encryption minimizes the chance of human error, and with it the chances of a breach. However, there are still some vulnerabilities you need to be aware of.
Password manager vulnerabilities
Even the best password manager isn’t perfect. No matter how well it has been designed, there’s no such thing as 100% security so you should focus on minimizing the risks.
One of the biggest flaws in a password manager’s security architecture is you, the user. This is because even the best security is useless if your password is, say, “password”. Many password managers enforce stronger security by using a master password, the password that lets you access your vault.
It’s very important that this password is strong(new window), so it can’t be cracked too easily, but also easy to remember so that you can’t forget it. After all, your password manager can’t remember it for you. The best solution for this is to use a passphrase rather than a password(new window), but whatever you do, make sure it’ll be hard to crack, and not a variation of your name or the street you grew up on.
Another important security measure is two-factor authentication(new window), or 2FA. This requires you to have a second device when accessing a service, usually your phone. This adds a layer of security and makes it harder for any hacker to gain control of your accounts.
Another problem is any malware that may infect your computer. In an extreme case, malware could be used to take over your system while you leave it unlocked, so it could access your vaults that way. Currently, the only real cure is prevention so make sure you regularly run firewalls and malware scans to make sure none of that ends up on your hard drive.
Finally, there’s social engineering and other confidence games, where a cybercriminal somehow persuades you to disclose your master password. Phishing(new window), where a criminal sends you an email, text message, or even a phone call pretending to be somebody else, is the most common example. The only good defense against con games like this is awareness, so know to never part with sensitive data unless you’re sure you know who you’re talking to.
Is using a password manager safe?
The dangers are real, but if you use a good password manager and remain vigilant yourself, you can minimize any risks. With that in mind, yes, password managers are perfectly safe to use, and will also upgrade your overall online security.
That said, not all password managers are created equal, with some, like LastPass(new window), prone to breaches, while others are hard to use or have potential flaws in the way security is set up.
This is why we developed Proton Pass, a password manager that incorporates all the lessons we learned from operating our other secure services, like Proton Mail, Proton VPN(new window), and Proton Drive.
Proton Pass security consists of several layers. On our side, we use end-to-end encryption for all the usernames, passwords, bank cards, secure notes, and other data you keep with us. Proton Pass also encrypts your metadata, like the websites each password is used to log in to. Proton cannot see any of your sensitive data.
View the Proton Pass security model(new window) for an in-depth explanation of our encryption.
As a company founded by scientists, we also believe in the importance of transparency and peer review for maintaining high security standards. So while some password managers hide their code from scrutiny, Proton Pass is independently audited and open source, so anyone can inspect our code.
On the client side, we protect you in several ways. We make use of 2FA, meaning it’s much harder to impersonate you to gain access to your account. We also offer Proton Sentinel, our unique AI-assisted security program that tracks and thwarts suspicious login attempts.
For us, privacy and security aren’t marketing slogans, they’re in our DNA. Unlike most of our competitors, we’re funded by our community meaning we don’t have ad revenue to worry about and can focus on what matters, your security. If that sounds like something you’d like to be a part of, create a free Proton Pass account today.
