Cybercriminals are as relentless as ever, and passwords remain among their favorite loot. Annual breach statistics keep climbing: the AT&T data breach, for example, affected over 70 million former and current customers. Even if you’re taking extra measures to keep your credentials protected, you might still have a nagging question: are password managers safe enough?
So, let’s clear up some misconceptions and concerns. Today, we’ll look into the different types of password managers out there, the technology they use to protect your data, and what you should keep in mind when choosing the right one for you.
What is a password manager?
Simply put, a password manager is digital storage for passwords and other credentials. It’s a secure way to store sensitive information, as password managers are developed with end-to-end encryption and zero-knowledge architecture. This ensures that only the account owner can access and use their passwords, typically with a custom master password or biometric identification.
Types of password managers
From a technical standpoint, password managers are classified as browser-based, cloud-based, or local. While all serve the same purpose—providing secure storage for credentials—the extent of services they provide and how they are accessed varies.
Browser-based
Browser-based password managers might be considered the most accessible. In fact, it’s likely you’ve encountered a browser-based password manager, even if you think you’ve never used one. Any time you log in to a website and the browser—say, Chrome, Firefox, or Edge—prompts you to remember your credentials in the future, this data is saved in such a password manager.
Built-in browser password managers are usually free. Like other types of password storage software, they use some form of encryption to protect your sensitive data from unauthorized access. They’re available for both desktop and mobile browsers, but credentials only sync within the same browser’s ecosystem, which means once you’ve committed to a browser, you have to stick to it on every platform.
Cloud-based
Cloud-based password managers are the most popular of the bunch. They’re multi-platform software, meaning they can be installed on both desktop and mobile devices. The core technical aspect is that they use encrypted cloud storage to protect sensitive data. NordPass falls under the cloud category.
Cloud-based password managers are lauded for their efficiency and convenience. Synchronization is a core feature, ensuring access to sensitive data on the go. However, while the vault may be accessed even without an internet connection, other security functions may be inactive when you’re offline.
Local
Local or offline password managers are accessible without an internet connection. They’re the polar opposite of cloud-based managers—all sensitive data is stored on the device itself. Users may opt for local password managers for easier access if they don’t have a stable internet connection. Operating systems on desktops can offer both local and cloud-based storage, depending on whether you use synchronization or not.
Local password storage is lauded for its relative hardware security—if all credentials are kept in a static desktop computer that never leaves the desk, it’s less likely to be stolen than a phone or a laptop with a synced password manager. However, this also means you must have access to this device anytime you need to log in to an account, which can be pretty limiting.
How do password managers secure your data?
Encryption is the magic word when discussing how secure password managers are. It protects the user’s sensitive data from unauthorized access. Unlike passwords written in a readable format, such as spreadsheets or docs, all data stored in encrypted vaults is scrambled and cannot be read without a designated key to unlock it—usually a passcode, master password, or biometric protection. For security reasons, the key isn’t stored in the same databases as the encrypted data.
Password managers use either AES or XChaCha20 encryption. AES-256 is the most common encryption algorithm used by password managers, but other numbers, like 128 or 192, can be seen. The number reflects how many blocks your data is broken into during the encryption; the higher the number, the stronger the encryption. XChaCha20 is, likewise, a 256-bit encryption method. However, it runs faster than AES-256 and is easier to implement.
Another term that’s vital to data security in password managers is zero-knowledge architecture. Any time you log in to your vault, you must prove that you have the aforementioned verification key. However, to prevent unauthorized parties from imitating your access key, zero-knowledge architecture lets you prove you have it without revealing it.
By combining zero-knowledge architecture and encryption technology, password managers let you securely access your credentials and lower the chances that a malicious party will take over your vault. NordPass uses XChaCha20 to encrypt your data directly on your device so that by the time it reaches cloud servers, it cannot be read without your Master Password.
Pros and cons of using a password manager
As you can see, password managers are all about security. They’re built in a way that makes secure technology easy to handle. Take browser-based password managers, for example. You can access your credentials within your preferred browser’s settings.
The same goes for cloud-based password managers, which are increasingly available as browser extensions and a more reliable alternative to built-in managers. Browser and cloud password managers come equipped with synchronization, making sure your credentials are up-to-date and accessible on both desktop and mobile devices.
Adding to the convenience, password managers let you generate and store unique and secure passwords. They often offer autofill, meaning that you don’t have to manually search the password vault to find the correct credentials, and instead can use the password manager to input them for you. Autosave works similarly—each time a password manager detects you entering new credentials, it prompts you to save them.
In addition to the storage itself, password managers may offer additional security services. This is particularly common among cloud-based managers. They might offer extended security features to protect other information, such as your ID documents, banking information, or personal address.
We’ve already covered some of the cons related to specific types of password managers—local managers tie you down to a single device to access your credentials, while cloud-based services are limited without an internet connection. Browser-based managers come with a unique set of issues. Unlike other types, built-in browser password managers rarely adhere to a no-logs policy, meaning that your passwords could be exposed without your consent.
But can a password manager be hacked? Unfortunately, yes—not even password managers are completely breach-proof, as evidenced by the LastPass breach in 2022. According to the company, the breach occurred due to an exploited vulnerability in third-party software, allowing the attackers to access encrypted and unencrypted customer data.
While the risk of a cloud-based password manager getting breached is real, they employ defense mechanisms to minimize the damage of a potential data breach. The key here is the master password. As a user, you can only decrypt your sensitive information by unlocking your vault with the master password. Cloud-based password managers do not store master passwords on the same servers as other sensitive information, which means they cannot be stolen all at once. Without acquiring the master passwords, cybercriminals cannot decipher the data.
How to choose a secure password manager
First, determine which type of password manager would be the most convenient for you. While offline password managers are robust, their access can feel limited. So, if you want something easily available on the go, you should consider either a cloud-based or a browser-based password manager.
In general, a cloud-based password manager is built with a security-first approach, while the built-in browser feature is more of an add-on to a different product with a lesser focus on privacy protection. This means that free browser-based password managers may not be as safe as their alternatives. You can also download a cloud-based password manager as a browser extension, saving you time and ensuring you’re using a tool based on zero-knowledge architecture.
Check the type of encryption algorithm the password manager uses. While AES-256 remains the most widely used algorithm, XChaCha20 is gaining popularity not just in cybersecurity but among some of the best-known names in tech in general—and is the algorithm of choice for the NordPass password manager.
Then, consider what you need the password manager for—personal use, business needs, or perhaps both. NordPass is tailored to suit your needs, whether you’re looking for an individual solution or a business-ready product. With this come the perks of extra features to improve your overall cybersecurity. For instance, NordPass offers features like Data Breach Scanner, Password Health, and Email Masking for all-rounded online safety.
Best password security practices
Setting up a password manager is just step one to keeping your accounts safe. If all you do is store credentials, you’re covering your basics. Password managers are safe, but it’s always good to take an extra step to ensure that they’re fully equipped to protect your sensitive data.
Set up strong, unique passwords for your accounts. Use a Password Generator to ensure your accounts are sufficiently protected. Don’t worry about remembering them all—NordPass’ autofill will handle it for you.
Refresh your credentials frequently. The longer you use a password, the more likely it is to be breached. Password Health lets you check if you’ve saved any old, weak, or reused passwords.
Keep an eye on breaches. The time between a data breach and your learning of it may be critical. Use Data Breach Scanner to receive live alerts as soon as your passwords, email addresses, or credit card numbers show up on the darknet.
Protect your email from spam. Let’s say you need to set up an account for a quick purchase, but you’re worried about third parties acquiring your data. Set up a decoy email address with Email Masking and protect your real information from being used in social engineering attacks.
Switch on multi-factor authentication (MFA). If any of your account passwords get breached, MFA helps ensure that they remain inaccessible.
Swap passwords for passkeys. Make account handling even simpler by setting up passwordless login with biometric identification. Store and manage passkeys directly in your NordPass vault.
FAQ
Although password managers offer resilient protection, there have been cases of password manager breaches. However, any breached encrypted data usually cannot be deciphered without the user’s master password.
Cloud-based password managers are generally safe. They use encryption algorithms such as XChaCha20 or AES-256 to protect access to sensitive data. Unlike browser-based password managers, they must also adhere to no-logs policies and are based on zero-knowledge architecture.