Are password managers safe?

2019-04-09 - 6 min read

Recently we've heard many stories about the vulnerabilities among the most popular password managers. Also, there were some security breaches in the past too where over two million users were exposed. And there are just a few recent examples, sadly. So naturally, before committing to any password managers, especially freemium services, users seek information about the safety.

What is a password manager?

In case you are not familiar, a password manager is a software that stores your passwords and other credentials in an encrypted vault. You can access this encrypted vault with your master password. And this is the point when people start questioning the password manager safety.

What happens if someone gets hold of my master password? What happens if I forget my key password? Does the password manager provider hold my decryption key? There may be more questions depending on how tech-savvy user is.

So why safety matters?

The safety of your credentials stored in the vault depends on the answers to the above questions. If your master password is exposed or encrypted unprofessionally, all the other usernames and passwords get compromised too. And this is why the safety of a password manager matters. Check the below key security factors, which you need to take in consideration before you sign up to any password manager. Of course, there could be more factors that can affect your credentials safety. But the below points are a good starting point.

The key security factors

Security needs to be balanced against usability and all the variety of features different password managers have to offer. More features, depending on what they are, could mean more vulnerabilities. However, when in doubt of safety, make sure you take the below points in consideration.

  • Client-side encryption.Client-side encryption ensures the maximal level of security as information is already encrypted before it leaves users devices. Sensitive data is encrypted locally in a 'vault' that is stored on the end user's device and on password manager’s servers. In this case, the password manager has zero-knowledge about the information you store in their servers. Information is meaningful just to you as a user, as the decryption key is with you. No one else could decrypt the data and check the content, even if your password manager gets compromised.

  • Master password and its recovery.A master password generates the encryption keys and authenticates the access to your secure vault. In other words, it's a gateway to your password storage. And this is why it's important that your password manager doesn't have any knowledge about it. This, indeed, complicates your password recovery. As the provider would not be able to look up for your master password, reset it, or create a new one. But it does increase a level of security and reassurance that service is taking your data security seriously. Recovery is still possible, but not the usual 'type your email address and we'll email you the reminder' way. So make sure you have done your homework and check the master password recovery process. If a password manager can send you your master password reminders, then it's a big chance that your data is not safe.

  • Multi-factor authentication.It's a method of confirming users' claimed identities by using a combination of two different factors: something you know, something you have, or something you are. It requires a second piece of information that only you have access to, such as a digital code, to verify your identity every time you log in. In some cases, instead of 2FA providers use your device or/and location authentication. This solution provides an additional layer of security. Providers that encourage their users to enable multi-factor authentication is a great sign. Meaning, that the company follows the best security practices. And if an attacker somehow discovers your master password, it's unlikely that he would also have access to a valid 2fa token. Multifactor authentication minimizes the chance of unauthorized access to a password manager account.

  • Encryption algorithms.It's the most important thing users should pay attention to – password managers use encryption to protect their users' vaults. There are a lot of different algorithms out there. However, most password managers tend to stick to the golden standard – the AES. AES is a symmetric algorithm, most often used with the 128-bit and 256-bit keys. For example, the US government uses AES-128 for secret (unclassified) information and AES-256 for top-secret (classified) information. Therefore, it's popular to call it “military-grade encryption.” It is one of the most widely used algorithms in encrypted services. However, tech giants lately started swapping the AES for a never algorithm – the ChaCha20. It also offers 256-bit keys, so it's just as safe as AES, but since ChaCha20 is software-based, it's reasonably faster. You can read more about encryption algorithms in our blog post.

Why NordPass?

A safe password manager is one that doesn't know anything about you. Our zero-knowledge policy is a guarantee that only you will know what's inside your vault. NordPass also offers optional two-factor authentication, which adds an additional layer of security. And you won't be able to access your vault if you don't have either your master password or the recovery code.

It's essential to consider all these features when choosing a password manager. But the most important thing users should pay attention to is encryption. The majority of password managers use AES-256, and while it's a reliable and virtually unbreakable algorithm, we think that ChaCha20 is the future. It's fast, safe, and immune to timing attacks, unlike the AES.

There is no fool-proof way to ensure that you will never get hacked. But if you choose a trusted password manager, your online accounts will always be secure.

Chad Hammond
Chad Hammond
Verified author
Chad loves traveling and technology. His global view and open-mindedness add interesting angles to various security topics. He has already traveled to over 80 countries and is not planning to stop any time soon.
Subscribe to NordPass news