
If you’ve painstakingly gone through the hassle of setting up a password manager, you might think you’re safe from the prying eyes of hackers and cyber-criminals.

You’re wrong.

Yes, password managers are a valuable tool in the ongoing battle to keep yourself secure, but they aren’t failsafe or idiot-proof, nor do they offer sufficient protection on their own.

Here are four reasons why password managers aren’t enough to keep your passwords safe by themselves.

1. Password Managers Are the Holy Grail for Hackers

Are password managers very secure? Yes. Do they deploy rigorous encryption and cryptography systems? Yes. Can you categorically state no hacker will ever be able to crack the system and gain access to the millions of users’ passwords within it?

No.

Think about it: password manager services are a hugely alluring prospect for hackers. If they could breach the outer walls of the password vaults, they’d have access to an untold amount of treasure. They’re going to keep trying to break in. It’s inevitable.

Let’s use LastPass as an example. Cyber-criminals have attacked the servers twice in the last five years. Each time, the company was adamant that its users only needed to change the master password for their accounts and the password vaults were still secure.

But the hacks prove security holes exist. Is it only a matter of time until an unauthorized person gains access? Probably.

2. Experts Say Password Managers Have Serious Flaws

In 2014, security researchers discovered LastPass, RoboForm, My1login, PasswordBox, and NeedMyPassword all had several dangerous security flaws.

The most worrisome of the flaws allowed hackers to steal plaintext passwords directly from LastPass users using the bookmarklet, without either the user or the company being aware that anything was wrong.

LastPass also had a flaw whereby malicious code on a website could steal a user’s entire encrypted password vault, as long as the hacker knew the user’s email address.

RoboForm, My1login, PasswordBox, and NeedMyPassword all had equally severe defects, including a loophole which allowed attackers to steal a user’s full name, username, and any URL on which a password was entered.

Thankfully, the service providers have fixed these bugs, but it would be folly to believe they’re now perfect. There are almost certainly still undiscovered bugs, waiting for someone to find them.

Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the Web authentication ecosystem.

— Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song, authors of The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers

Ultimately, you’re trusting the password manager with some of your most important details. Putting all your eggs in the same basket is unwise.

3. Cloud Databases vs. Local Databases

You will have noticed the five services I discussed above are all web-based. If you use a locally-based password manager (such as KeePass or 1Password), please don’t be lulled into a false sense of security; the study only looked at web-based options.

There’s an argument to suggest local managers are inherently safer than cloud-based managers. It’s harder for a hacker to gain entry and more difficult to steal the database.

But they’re not fool-proof. We all know about the security threats facing desktop users: keyloggers, hackers lurking on public Wi-Fi networks, endless malware, and more. If you’re unlucky enough to find yourself under attack, your locally-saved password database might be one of the first things the hackers steal.

And what about if your database is saved on your mobile device? If you lose your device, it could easily end up in the wrong hands. Yes, it’s encrypted, but if you’ve set up your app to only need a master password or a fingerprint to access the database, the encryption won’t be worth a great deal.

4. Your Settings Might Leave You Vulnerable

I just touched on this briefly. Password managers have lots of settings you can tweak; some of them make the service more secure. However, lots of them are designed for convenience — enabling them will make you more vulnerable.

For example, LastPass will not automatically prompt you for your master password when you try to access the credentials of an individual in your vault (Settings > Advanced Settings > Re-prompt for Master Password).

Furthermore, most of the services’ mobile apps allow you to disable fingerprint and/or password authentication for up to 24 hours after each successful login. Don’t do it. Would you leave your online banking logged in for 24 hours to save a few clicks?

And of course, be careful who you share passwords with when you use the services’ built-in sharing service — perhaps their settings will leave your accounts exposed? Make sure your friends and family are aware of the security implications.

Don’t take shortcuts. Instead, spend time working through your services’ advanced settings, and make them all as robust as possible.

Password Managers: To Use or Avoid?

Are password managers better than storing all your details on an Excel sheet, or using the same credentials for each site? Unquestionably. But whether they’re as secure as you might like to believe is debatable.

Most people use the services for convenience as much as for security. But by doing so, you’re potentially compromising yourself. I’m not going to tell you to stop using them, but proceed with caution. For example, perhaps you should split your passwords across multiple managers?

And remember, the bottom line is there’s no replacement for your own brain. If you can create a strong code that you slightly adjust for each individual login, you’ll have more security than any password manager could offer.

Do you trust password managers? Let us know in the comments below.


  1. Tom
    July 1, 2017 at 9:45 pm

    Sensationalism. There's a balance between convenience and security. I used to use an Excel spreadsheet with literally hundreds of passwords, kept on a secure drive. Every time I needed to log into a site, I'd have to dredge through my system, connect the drive, unlock it (memorize frequently changed secure drive PW), manage the versions of the spreadsheet being collected over the years, back up the system on another secure drive, remember to update backups any time a field in the mammoth spreadsheet changed--the system was a nightmare and began to consume far too much time. Just as bad, exhausted, I started reusing PWs or using weaker PWs.

    If the author is so confident web-based password managers are seriously flawed, how about offering a viable alternative or intervention? These articles spread fear without providing reasonable solutions. Reminder to self: skip the doom-and-gloom articles in the future.

  2. Nancy E Jones
    March 21, 2017 at 2:41 pm

    Steve Gibson still uses LastPass, and that's good enough for me.

  3. ReadandShare
    March 17, 2017 at 7:47 pm

    "Are password managers better than storing all your details on an Excel sheet, or using the same credentials for each site? Unquestionably."

    Unquestionably? Not necessarily. A password-protected Excel spreadsheet can be safe too -- after all, Excel also uses AES encryption.

    Mine is a listing with four columns: (1) website name with address embedded, (2) user name, (3) user password and (4) notes (like answers to challenge questions, etc.). And "cloud" backup means the list is accessible wherever there is internet connection - although all cautions about using public computers and Wifi also apply.

    Finally, I also agree that the article title is misleading click-bait.

  4. Tim
    March 17, 2017 at 2:24 pm

    I understand the point of the article, but I think it could have been stated in a more reasonable, less click-bait manner. Is any system foolproof? No, of course not. The point of password managers isn't to make you 100% safe, but simply to make it harder for your passwords to be stolen. It's the same as a lock on the front door of your house--any thief who wants in bad enough can get in, provided he is adequately prepared and has enough time. Given enough processing power and enough time, anyone can brute force any password.

    Does that mean using a password manager is a bad idea? No, of course not. Merely using a password manager won't automatically make you more secure any more than just installing an extra lock on your front door will make you more secure. Like any tool, a password manager must be used correctly to be of any benefit. If your master password is "password," you're no better off than not using a password manager.

  5. TedAug1
    March 17, 2017 at 1:59 pm

    And what about good backup? Do you know maybe Xoperos solutions? I started to use their product. Actually I am satisfied, but tell me if you know more backup solutions (for small company) or maybe you have some experience with Xopero too?

  6. Murteza
    March 17, 2017 at 1:50 pm

    I have 1 pattern and unique password for each service. I use neither web based nor local password manager nor Excel spreadsheets nor whatsoever but my own memory. It isn't difficult to remember a single pattern. By using same born I can produce longer than 20 character passwords for some services, all containing both capital and lower case letters, special characters (such as . , ! ?) and numbers.

  7. Rudy
    March 17, 2017 at 12:57 pm

    I have used LastPass safely for about 5 years with no breaches. I have 566 passwords saved. Are you suggesting I use 566 variations of one password? Good luck with that. What alternative is there to using one of the password managers? I also use NordVpn which I trust helps with my security.

    • Jacek
      March 18, 2017 at 4:43 pm

      I think the problem would be if someone hacks LastPass servers, not your PC / mobile or your passwords.
      I also have over 500 passwords and recently (1/2 half year) I have started using LastPass. Just for convenience. I hope I'm secure with 2 step verification but who knows what will happen when LastPass servers will be hacked. They say that even they can't see my password. Hopefully that's true. ;)