Are Password Managers Really Safe?

Password managers – are they trustworthy? Can they be hacked? Should you use one – why or why not? We’re here to set the record straight.

Let’s talk about password managers.

Ask any IT professional or cybersecurity specialist and they’ll tell you: password managers are a great tool and should be used by businesses of all sizes.

Presumably, if they’re endorsed by the experts, password managers must be good – safe, secure, cost-effective, all that jazz. And yet …

65% of Americans don’t trust password managers (source).

There’s clearly a disconnect, which raises the question: what the heck is going on? Why is there such widespread distrust of a tool designed to help us stay safe online and protect our privacy?

Here’s what we think is going on. People like to think for themselves and understand the ‘why’ behind the ‘what.’ Experts telling individuals and organizations to use a password manager isn’t enough. We need to address your concerns, and help you understand why password managers offer a secure way of dealing with your online credentials and those of your employees. Instead of simply telling you to use a password manager, we need to explain why they’re safe and secure – and in plain English, too.

We need to, and we will – right now!

What is a Password Manager?

Before we delve into the nitty-gritty, let’s talk about what a password manager is on the most basic level.

A password manager is an app that both creates and stores your passwords. It also uses autofill to enter your passwords so you don’t have to do so manually (this isn’t just convenient; it also offers protection against keylogging).

What’s the Point of a Password Manager?

In today’s world, where practically every online service requires a distinct sign-in, most of us have a lot of passwords to keep track of – ten, twenty, even 100+.

And unless you’ve been blessed with a memory that’d put an elephant’s to shame, it’s impossible to simply memorize all of those credentials. So what do you do?

Well, some of us just give up on having unique passwords for our numerous accounts. A survey by Google found that 52% of us reuse passwords, and a shudder-inducing 13% use a single password for everything.

This is a terrible idea because if one of your accounts is breached, you’d better believe hackers will try that password on all your other accounts. A password is essentially a key to a lock, so if you have just one (or several) and you get hacked, it’s like handing a thief the key to your house, your car, your office, and your personal diary all in one shot.

Trying to memorize a plethora of different (not to mention sufficiently long and complex) passwords is virtually impossible. But using a single password or a small set of passwords is extremely risky and makes it drastically easier for hackers to wreak havoc on your life – identity theft, blackmail, you name it.

The fact that neither of the above two options is viable is why password managers exist. A password manager creates and stores unique passwords for all your accounts, relieving you of the burden of remembering them yourself. Moreover, the passwords it stores are long and random (often 50+ characters), which means they’re almost impossible to guess, even using the most advanced computing technology in the world. And if you’re wondering just how important password length is, here’s an eye-opening stat for you:

A 12-character password takes 62,000,000,000,000 times longer to crack than a 6-character password. That’s 62 trillion (source).

OK, but what if your password manager gets hacked? Isn’t it unwise to keep all your credentials in one place – all your eggs in one basket? If a hacker gets into that basket, you’re in big trouble, right?

The Eggs-in-One-Basket Objection

The above worry – the Eggs-in-One-Basket Objection – is understandable. Intuitively, putting all of your credentials in one place does seem like a recipe for disaster. This is, we suspect, the main reason behind the widespread distrust of password managers.

So let’s consider the Eggs-in-One-Basket Objection carefully – does it hold weight?

To understand the relative security of a password manager (note the word “relative” here – there is no such thing as absolute security in the cyber realm as everything is, in principle, hackable), you’ve got to understand the importance of your ‘master password’…

One Key to Rule Them All

If you’re going to put your eggs in one basket, you’d better make sure it’s one secure basket! So how secure is the basket – or ‘vault’ as it’s often called – provided by a reputable password management company?

The answer to this question is “it depends”; not all password managers are created equal, with paid versions typically outperforming their free counterparts. But, generally speaking, your basket is as secure as your “master password”: the password to your password manager.

If a hacker gets hold of your master password, they could, in theory, thereby gain access to every single one of your online credentials (which is why using additional security measures like MFA is crucial – more on this later).

So, MAKE SURE YOUR MASTER PASSWORD IS AWESOME – this cannot be overstated.

Here, “awesome” means long and random. Don’t even think about making it less than 10 characters, and ideally, make it a lot longer than that – 20, 30, even 50 characters. Remember, if you’re using a password manager, you don’t have to keep track of multiple passwords, as the manager does that for you. You only need to remember the one: your master password.

You can write your master password down and keep it somewhere safe (like an actual safe), but this obviously carries its own risk. Simply memorizing it is generally considered best practice, so here are some tips for creating a password that’s super long, fairly random, and still memorizable…

Become a Master of Master Passwords:

  1. Use a phrase/sentence: e.g., Tallpeoplehittheirheadsondoorsoften
  2. Choose a phrase that evokes a strong image or ‘narrative’: e.g., Bobstoleanappleandwenttojail
  3. Add a misspelling to avoid “dictionary hacks”: e.g., Bobstoleanapleandwenttojale
  4. Add special characters to further increase complexity/randomness: e.g., Tall%peoplehit!theirheadsondoors#often

Of course, there is a tradeoff between complexity and ‘memorizability.’ So be careful implementing some of these tips. Adding too many special characters might result in a failure to remember your master password, which can be a massive inconvenience as most password management companies don’t allow you to reset your master password easily.
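To make the two ideas above concrete (a manager generating long random site passwords, and a master password that is long, random and still memorable), here is an added example in Go. It is not code from the original post or from any password manager product; the alphabet, the toy word list and the phrase it measures are constructed for the example. It also shows why tip 3 matters: a phrase made of common words is far weaker than its character count suggests, because an attacker guesses whole words rather than letters.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Alphabet a manager might draw from for generated site passwords
// (constructed for this example: 62 alphanumerics plus 14 symbols).
const siteAlphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@^_~"

// Toy word list, constructed for the example. A real passphrase generator
// uses a list of several thousand words (the common "diceware" lists have 7776).
var wordList = []string{
	"apple", "bob", "door", "elephant", "heads", "jail", "key", "lock",
	"often", "people", "safe", "stole", "tall", "vault", "went", "zero",
}

// randomIndex returns a uniform index in [0, n) from the OS CSPRNG.
// math/rand would be the wrong tool here: its output is predictable.
func randomIndex(n int) int {
	i, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err) // the OS entropy source failed; nothing sensible to do
	}
	return int(i.Int64())
}

// GenerateSitePassword builds the kind of long random password a manager
// stores for each account; nobody ever has to remember it.
func GenerateSitePassword(length int) string {
	out := make([]byte, length)
	for i := range out {
		out[i] = siteAlphabet[randomIndex(len(siteAlphabet))]
	}
	return string(out)
}

// GeneratePassphrase builds a master-password candidate from random words:
// long and memorable, with its strength coming from the word choice being
// random rather than from misspellings or sprinkled symbols.
func GeneratePassphrase(words int, sep string) string {
	parts := make([]string, words)
	for i := range parts {
		parts[i] = wordList[randomIndex(len(wordList))]
	}
	return strings.Join(parts, sep)
}

// EntropyBits is log2(alphabetSize^picks): the guessing work an attacker
// faces when every pick is uniformly random and the alphabet is known.
func EntropyBits(alphabetSize, picks int) float64 {
	return float64(picks) * math.Log2(float64(alphabetSize))
}

func main() {
	fmt.Println("site password:", GenerateSitePassword(50))
	fmt.Printf("  %.0f bits if guessed character by character\n", EntropyBits(len(siteAlphabet), 50))

	fmt.Println("master passphrase:", GeneratePassphrase(6, "-"))
	fmt.Printf("  %.0f bits from this toy %d-word list; %.0f bits from a 7776-word list\n",
		EntropyBits(len(wordList), 6), len(wordList), EntropyBits(7776, 6))

	// Why "dictionary hacks" matter: the 35-letter phrase from tip 1 looks like
	// 26^35 possibilities, but it is 8 common words, so an attacker guessing
	// whole words from a 10,000-word dictionary faces only about 10000^8.
	phrase := "Tallpeoplehittheirheadsondoorsoften"
	fmt.Printf("%q: %.0f bits by letters, ~%.0f bits by words\n",
		phrase, EntropyBits(26, len(phrase)), EntropyBits(10000, 8))
}
```

Run it and the "by words" figure is the one to believe: a misspelling (tip 3) or a symbol in the middle of a word (tip 4) pushes the phrase out of the word-by-word search space, which is exactly what the tips are for.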

But why can’t a password management company just tell you your master password if you happen to forget it?

Because if they’re a password management company worth their salt, they don’t know what your master password is – only you do! A reputable password management company will follow a “zero knowledge” policy, meaning they don’t have access to any of your passwords. How can that be?

Encryption – that’s how. Your actual passwords aren’t stored by your password manager; instead, what’s stored are encrypted versions of your passwords that can only be decrypted (decoded) using – you guessed it – your all-powerful master password.

Layers, Layers, and More Layers

We’ve seen that your master password is as important as it sounds. It’s not only the key that unlocks the vault where your passwords are stored, it’s also the key that unlocks the code used to encrypt your passwords.

But couldn’t a hacker get into the vault without a key? Using, say, brute force? Actually, yes. In fact, ‘brute force’ is the name of a specific type of cyberattack: trying every possible password or key, one after another, until one works.

The point is, password managers are human-made and therefore not infallible. They can, like anything else, be hacked.

That said, even a successful hack can run into a wall on account of encryption. Your passwords are gold, but when they’re encrypted, they’re garbage. Without your master password, changing that garbage into gold (i.e., decrypting your passwords) is extremely difficult, which is why, when choosing a password management solution, it’s imperative that you partner with a company that enlists state-of-the-art encryption methods.

You also want your password manager to incorporate some kind of multi-factor authentication.

Let’s say a hacker gets their hands on your master password, the gleaming key to your digital vault. But when they insert the key (enter your password), it doesn’t work. The key doesn’t turn; the vault remains closed. That’s when they notice a thumbpad. Without providing a fingerprint, they can’t unlock the vault!

This is an example of multi-factor authentication (MFA). In this case, the additional ‘factor’ required to gain access is a fingerprint. But it can also be a code sent to your cell phone.

What matters is that it’s something – something in addition to a password. MFA makes it immeasurably more difficult for hackers to gain unauthorized access to your accounts – your email, your social media, your bank, etc. Actually, the benefit of MFA isn’t immeasurable…

A peer-reviewed study found that MFA reduces the risk of commercial account compromise by 99.22%.
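The post mentions a code sent to your phone as a second factor; the closely related variant below is the time-based one-time code (TOTP, RFC 6238) that authenticator apps display. This is an added example in Go of how the vault’s server side would check such a code, not code from the original post or from any password manager product. The shared secret is the RFC 6238 reference secret, used here as a constructed value; the accepted clock-skew window of one step either side is an assumption for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	totpStep    = 30      // seconds each code stays valid
	totpModulus = 1000000 // 10^6: six-digit codes
)

// hotp computes an RFC 4226 one-time code for a counter value.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects 4 bytes.
	offset := sum[len(sum)-1] & 0x0f
	bin := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	return fmt.Sprintf("%06d", bin%totpModulus)
}

// TOTPAt is the RFC 6238 code for a given Unix time: the counter is the
// number of 30-second steps since the epoch.
func TOTPAt(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/totpStep))
}

// VerifyTOTP checks a submitted code against the current step and one step
// either side (to tolerate clock skew), comparing in constant time so the
// comparison itself leaks nothing about the expected code.
func VerifyTOTP(secret []byte, submitted string, unixTime int64) bool {
	ok := false
	for delta := int64(-1); delta <= 1; delta++ {
		expected := TOTPAt(secret, unixTime+delta*totpStep)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// Shared secret enrolled when the user scanned the QR code. This is the
	// RFC 6238 reference secret, used as a constructed value, not a real one.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := TOTPAt(secret, now)
	fmt.Println("code the phone shows right now:", code)
	fmt.Println("server accepts it:", VerifyTOTP(secret, code, now))
	fmt.Println("server accepts the RFC vector for 1970:", VerifyTOTP(secret, "287082", now))
}
```

The point the story above makes is visible in the code: a stolen master password alone never produces a valid code, because the code depends on a second secret that lives on the phone and changes every 30 seconds. A production check also refuses to accept the same code twice within its window and rate-limits attempts, since a six-digit code leaves only a million possibilities.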

Finally, you want to supplement your password manager with other fundamental security tools and best practices, like regular software patching and a robust anti-virus.

Imagine you’ve invested in a premium password manager to bolster your cybersecurity. You come up with a master password that you’re proud of – it has a ton of characters, it’s very random, and you and only you know it by heart. But none of that matters because what you don’t realize is that you’re using a computer infected with malware that records your keystrokes and reports them to some hacker on the other side of the world.

Regular patching and robust anti-virus software could have prevented the malware’s intrusion. Security patches close vulnerabilities while vigilant anti-virus software detects and neutralizes threats, keeping your master password – and your other sensitive data – safe and secure.

A Message to Business Owners and Decision-Makers

Maybe, even after reading this blog post, you still believe that you have a superior method for handling your online credentials – some clever system you’ve devised to elude hackers and protect your privacy. While we’d be skeptical about the actual efficacy of your personal method, that’s not really the point. The point is this:

It’s not about you!

Using a password manager at your organization is a good idea because it protects not only your credentials but also those of your team. While you might practice good password hygiene, you can’t guarantee the same from every single one of your employees. And when one weak link can lead to a breach, password managers are invaluable for enforcing consistent and secure password practices company-wide. Without a password manager, the risk of poor password hygiene skyrockets – and with it, the chances of a data breach.

Are password managers infallible? No. But they’re the best option going. So until we enter the sometimes-promised ‘passwordless future,’ using a password manager at your organization – and in your personal life – is best practice.

Don’t Go it Alone!

Feeling overwhelmed by all this cybersecurity stuff, or even IT in general? A lot of small and medium-sized businesses feel this way. The truth is, modern IT is simply too complicated and multifaceted to handle on your own. This explains why more and more organizations are turning to managed service providers (MSPs) to take care of their IT needs.

If you’re looking for an experienced, reputable, and always-friendly MSP, look no further than The 20 MSP. We can help you bring your cybersecurity up to speed and under budget – and optimize your entire IT infrastructure to drive business forward.

Get in touch today to learn how we can help your business reach new heights.

Thanks for reading – and stay tuned for more security-focused blog posts as we celebrate the 20th annual Cybersecurity Awareness Month.

Stay safe out there, everyone!