Who Manages the Password Managers?

February 26th · 7 min read

Guardio Research Team

In 2021 the Federal Trade Commission issued its Password Checklist Guidelines; one of those guidelines reads: “consider [the use of] a reputable Password Manager” to store passwords. Millions of Americans and hundreds of millions of users worldwide already use Password Managers to protect their credentials, and the popularity of these tools was rising long before the FTC took notice of them.

But how do you deem a Password Manager reputable? And what are the things to consider when choosing one?

These are the very subjects of the following article.

Despite their usefulness and popularity, Password Managers are no strangers to security concerns and questions surrounding their contribution to the Cyber Security cause.

On one side, keeping all your passwords complex but still organized and properly encrypted in one vault sounds like a great way to avoid breaches and wasted time. On the other side, the same practice constitutes a single point of failure and exposes multiple, if not all, of your credentials to attackers.

As a matter of fact, any hacker would prefer aiming at one big pot containing hundreds of thousands of credentials at once, rather than chasing the same information one end user at a time. For this reason, Password Managers can be considered a big bull’s eye for malicious actors rather than a safe for the common user.

The next sections list the vulnerabilities that increase the risk of using a Password Manager as a solution, together with the remediations that companies apply to these products.

Guardio is a Chrome extension that monitors suspicious activity and blocks hackers from stealing your data.

Verified by Google Chrome.

Instant Results.

4.6/5 based on 3,127+ Trustpilot reviews

Master Password Leak

The master password is the password used to access a Password Manager’s vault. Having one password to access hundreds eases the process of creating and storing credentials; however, if the master password is leaked, the thief has access to all of a user’s stored passwords.

As a way to mitigate this risk, Password Manager companies make use of strong encryption and multi-factor authentication. Consider that, even if a Password Manager company’s database containing all the master password records leaks, thanks to strong encryption it would take decades if not centuries for an attacker to crack all the passwords. Also, if multi-factor authentication is active on an account, the attacker would be unable to access any password unless a second device is also stolen.

If users do not implement these security measures, or if the password is handed to the attacker by the user directly (due to phishing or other reasons), none of the above measures would be effective.

Finally, Password Manager companies often suggest, through notifications or other forms of communication, changing passwords periodically so that users’ data are kept safe even if a password is leaked without anyone noticing.
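To make concrete what “strong encryption” buys when a provider’s database leaks, here is an added example (not Guardio’s code, nor any real vendor’s implementation) that stretches a master password into a vault key with salted PBKDF2-HMAC-SHA256, stores only a verifier, and estimates how long exhausting a password space would take at the measured per-guess cost. The iteration count, salt size and the search-space figures are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for illustration only; real products tune these differently.
PBKDF2_ITERATIONS = 600_000   # work factor that makes each offline guess expensive
SALT_BYTES = 16               # random per user, so one rainbow table cannot serve all users

def derive_vault_key(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key that would encrypt the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)

def make_verifier(vault_key: bytes) -> bytes:
    """What a server keeps to check logins: a hash of the key, never the password or key itself."""
    return hashlib.sha256(b"vault-verifier|" + vault_key).digest()

def enroll(master_password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Create the per-user record; this is all an attacker would obtain from a database breach."""
    salt = os.urandom(SALT_BYTES)
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": make_verifier(key)}

def check_master_password(record: dict, candidate: str) -> bool:
    """Re-derive from the candidate and compare in constant time, as a login check would."""
    key = derive_vault_key(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(make_verifier(key), record["verifier"])

def seconds_per_guess(record: dict, samples: int = 3) -> float:
    """Measure the cost of one offline guess against a leaked record on this machine."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("wrong-guess", record["salt"], record["iterations"])
    return (time.perf_counter() - start) / samples

def years_to_exhaust(search_space: int, sec_per_guess: float, parallel_guessers: int = 1) -> float:
    """Worst-case years for an attacker with N parallel guessers to try every password in the space."""
    return search_space * sec_per_guess / parallel_guessers / (365 * 24 * 3600)

if __name__ == "__main__":
    record = enroll("correct horse battery staple")        # constructed sample master password
    cost = seconds_per_guess(record)
    # Assumed space: four words from a 7776-word diceware list, versus eight lowercase letters.
    for label, space in (("4-word passphrase", 7776 ** 4), ("8 lowercase letters", 26 ** 8)):
        print(f"{label}: {years_to_exhaust(space, cost, parallel_guessers=1_000_000):,.1f} years "
              f"with a million guessers at {cost:.3f}s/guess")
```

The record itself contains nothing reusable: a breach hands the attacker only the salt, the iteration count and the verifier, and every guess must pay the full derivation cost.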


Social Engineering

As just said, users can be prone to social engineering attacks, through which attackers gain the password by having a user simply hand it to them. This can occur through various forms of phishing or by simply shoulder surfing the user.

In order to address this issue, some Password Manager companies try to inform and educate their users as much as possible by keeping articles, blog posts and reports updated. Informative campaigns are also run through mailing lists so that even users. However, users who are not subscribed to these communications, or who simply do not check the Password Manager’s webpage, are not reached by these actions.

Device theft

If a user's device is lost or stolen, an attacker may be able to gain access to their Password Manager data by attempting to view the data directly from the stolen machine. Password Manager companies try to avert this situation by implementing features such as session control and auto-lock.

The former allows a user to terminate any active session on any owned device, and the latter automatically locks (and encrypts) the information inside the vault after a specific amount of time or specific action.

However, if a user is unaware of a possible breach, chose not to activate auto-lock, or simply set too lax conditions for auto-lock (e.g. 1 year, or only after the PC is turned off), the effectiveness of these remediations is severely reduced.


Master Password Loss

Last but not least, you might simply lose the master password, for the same reason you could have lost any other password, and find yourself locked out from all accounts at once.

To prevent this from being a major issue, Password Manager providers offer you recovery codes and recovery mail accounts that you can use to get access to your Password Manager again.

However, this very recovery measure poses another risk of its own, as you would have to find a way to store those recovery codes somewhere where you would not lose them if you were locked out of your account, and where they could not be easily leaked, allowing a malicious actor to impersonate you.

Verdict on Password Managers

All these risks and remediations seem to balance each other out, yet, ultimately, it is evident that, unless users enforce all of them at all times, no remediation offers full cover over the risk of using a Password Manager.

So are Password Managers safe?

The question you should ask yourself in the first place is: how safe are my passwords currently?

If you use a single, non-complex password for most of your profiles and you store that password in a file on your desktop; if you use passwords that differ little from each other and very often find yourself locked out of your accounts; if you often share your passwords with friends and collaborators so that they can access the same work profile, and you rely on SMS or mail to manage those credentials:

In all these cases you are exposed even more to the same risks, without having any of the benefits of using a Password Manager, nor would you benefit from any of the quite good mitigations that Password Manager companies offer.

A Password Manager would definitely improve your safety in such cases, and you should not hesitate to avail yourself of even a basic one.

Also, if you have difficulties storing secure information such as passwords and recovery codes, then you must upskill yourself, and not just in order to use a Password Manager. Smart banking services, digital wallets and many other crucial services rely on these techniques to help you manage your assets remotely, and if you want to stay up to date you will have to train yourself to keep this information as secure as possible while still available when needed, regardless of your need for a Password Manager.

Conclusions

Password Managers can expose you to many known risks and, despite all the countermeasures taken by Password Manager companies to mitigate those risks, you would still end up suffering the consequences of a data breach, phishing or any other malicious attack carefully aimed at you. However, the fact that you could be more secure does not mean that a Password Manager would make you less secure than you currently are.

If you are not taking any measures to protect your passwords at the moment and you are exposed to many more risks than the ones associated with Password Managers, then, rather than focus on the possible downsides, you should immediately try to correct your current Cyber Security posture.


FAQ

What are Password Managers?

Password Managers are handy programs that allow you to securely store encrypted passwords in one location, where you can access them by signing in with one credential. They also help you create and manage credentials better than you would on your own, through auto-fill, password and credential generators, and other premium features.

What are the most realistic risks of using Password Managers?

As all your passwords are in one location, an attacker would only need to gain access to your vault to potentially access all the data stored in it. For this reason, Password Managers encrypt your credentials with strong encryption and allow you to take additional steps to secure all your data. Still, if by any means an attacker manages to guess or obtain the master password, all these security measures are rendered ineffective, so you need to be careful and aware of this.

Which Password Managers protect my information best?

All of the most commonly used Password Managers take security with the utmost seriousness, so you can rely on them as long as you are aware of the limitations of the security they implement and you change default settings responsibly.

What do I do if my Password Manager company is breached?

Verify that you still have access to your account. Change as many credentials as possible and enable multi-factor authentication if you had not done so before.
