Are password managers safe?

Tue Apr 09 2019 - 6 min read

Recently we've heard many stories about vulnerabilities in the most popular password managers. There have also been security breaches in the past in which over two million users were exposed. And these are just a few recent examples, sadly. So naturally, before committing to any password manager, especially a freemium service, users seek information about its safety.

What is a password manager?

In case you are not familiar, a password manager is software that stores your passwords and other credentials in an encrypted vault. You can access this encrypted vault with your master password. And this is the point where people start questioning a password manager's safety.

What happens if someone gets hold of my master password? What happens if I forget my master password? Does the password manager provider hold my decryption key? There may be more questions depending on how tech-savvy the user is.

So why does safety matter?

The safety of the credentials stored in the vault depends on the answers to the above questions. If your master password is exposed, or the vault is encrypted poorly, all the other usernames and passwords get compromised too. And this is why the safety of a password manager matters. Check the key security factors below, which you need to take into consideration before you sign up to any password manager. Of course, there could be more factors that affect the safety of your credentials, but the points below are a good starting point.

The key security factors

Security needs to be balanced against usability and the variety of features different password managers have to offer. More features, depending on what they are, could mean more vulnerabilities. However, when in doubt about safety, make sure you take the points below into consideration.

  • Client-side encryption. Client-side encryption ensures the maximal level of security, as information is already encrypted before it leaves the user's device. Sensitive data is encrypted locally in a 'vault' that is stored on the end user's device and on the password manager's servers. In this case, the password manager has zero knowledge of the information you store on its servers. The information is meaningful only to you as the user, because the decryption key stays with you. No one else could decrypt the data and read its contents, even if your password manager gets compromised.

  • Master password and its recovery. The master password generates the encryption keys and authenticates access to your secure vault. In other words, it's the gateway to your password storage. And this is why it's important that your password manager has no knowledge of it. This, indeed, complicates password recovery, as the provider would not be able to look up your master password, reset it, or create a new one. But it does increase the level of security and the reassurance that the service is taking your data security seriously. Recovery is still possible, but not in the usual 'type your email address and we'll email you a reminder' way. So make sure you have done your homework and checked the master password recovery process. If a password manager can send you your master password as a reminder, there is a good chance that your data is not safe.

  • Multi-factor authentication. It's a method of confirming a user's claimed identity by combining two different factors: something you know, something you have, or something you are. It requires a second piece of information that only you have access to, such as a digital code, to verify your identity every time you log in. In some cases, instead of 2FA, providers authenticate your device and/or location. This solution provides an additional layer of security. A provider that encourages its users to enable multi-factor authentication is a great sign, meaning that the company follows best security practices. And if an attacker somehow discovers your master password, it's unlikely that they would also have access to a valid 2FA token. Multi-factor authentication minimizes the chance of unauthorized access to a password manager account.
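As an added example (not code from the original article or from any particular product), here is a Python sketch of the client-side encryption and master-password design described in the first two points above: the master password is stretched and split into separate keys, and only a one-way verifier of the authentication key plus the encrypted vault are ever uploaded, so the provider holds nothing it could decrypt or send back as a reminder. The scrypt cost parameters and the HMAC-based stream cipher are assumptions chosen so the sketch runs on the standard library alone; a real product would use a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # demo cost (assumption; real products go higher)


def derive_keys(master_password, salt):
    """Stretch the master password once, then split it into independent keys; only 'auth' ever leaves the device."""
    root = hashlib.scrypt(master_password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {label: hmac.new(root, label.encode(), hashlib.sha256).digest()
            for label in ("enc", "mac", "auth")}


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stand-in for a real cipher such as AES-GCM."""
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def encrypt_vault(keys, plaintext):
    """Encrypt-then-MAC with separate keys. Output layout: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(keys["enc"], nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(keys["mac"], nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(keys, blob):
    """Verify the tag before touching the ciphertext; a wrong key or tampering fails here."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(keys["mac"], nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault tampered with or wrong master password")
    stream = _keystream(keys["enc"], nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def enroll(master_password, vault_plaintext):
    """Everything the client uploads; none of it reverses into the master password or the vault contents."""
    salt = os.urandom(16)
    keys = derive_keys(master_password, salt)
    return {"salt": salt,
            "auth_verifier": hashlib.sha256(keys["auth"]).digest(),
            "vault_blob": encrypt_vault(keys, vault_plaintext)}


def login_and_open(server_record, master_password):
    """Client re-derives the keys from the stored salt; the server only compares a verifier."""
    keys = derive_keys(master_password, server_record["salt"])
    if not hmac.compare_digest(hashlib.sha256(keys["auth"]).digest(), server_record["auth_verifier"]):
        return None  # rejected without the server ever learning the password or 'enc'
    return decrypt_vault(keys, server_record["vault_blob"])
```

Note that the server record contains a salt, a hash and a ciphertext and nothing else, which is why a provider built this way can neither read your vault nor "remind" you of your master password.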

Conclusion

The combination of the above key factors and a strong master password makes password managers the safest way to keep and manage your passwords. While there's no foolproof solution that ensures you don't get hacked, a password manager can help keep your online accounts secure, especially if you choose a trusted provider. We hope that this article helps you narrow the search.

Chad Hammond
Chad loves traveling and technology. His global view and open-mindedness add interesting angles to various security topics. He has already traveled to over 80 countries and is not planning to stop any time soon.