4 Reasons Password Managers Aren’t Enough to Keep Your Passwords Safe
If you’ve painstakingly gone through the hassle of setting up a password manager, you might think you’re safe from the prying eyes of hackers and cyber-criminals.
Yes, password managers are a valuable tool in the ongoing battle to keep yourself secure, but they aren’t failsafe or idiot-proof, nor do they offer sufficient protection on their own.
Here are four reasons why password managers aren’t enough to keep your passwords safe by themselves.
1. Password Managers Are the Holy Grail for Hackers
Are password managers very secure? Yes. Do they deploy rigorous encryption and cryptography systems? Yes. Can you categorically state no hacker will ever be able to crack the system and gain access to the millions of users’ passwords within it?
Think about it: password manager services are a hugely alluring prospect for hackers. If they could breach the outer walls of the password vaults, they’d have access to an untold amount of treasure. They’re going to keep trying to break in. It’s inevitable.
Let’s use LastPass as an example. Cyber-criminals have attacked the servers twice in the last five years. Each time, the company was adamant that its users only needed to change the master password for their accounts and the password vaults were still secure.
But the hacks prove security holes exist. Is it only a matter of time until an unauthorized person gains access? Probably.
2. Experts Say Password Managers Have Serious Flaws
In 2014, security researchers discovered LastPass, RoboForm, My1login, PasswordBox, and NeedMyPassword all had several dangerous security flaws.
The most worrisome of the flaws allowed hackers to steal plaintext passwords directly from LastPass users using the bookmarklet, without either the user or the company being aware that anything was wrong.
LastPass also had a flaw whereby malicious code on a website could steal a user’s entire encrypted password vault, as long as the hacker knew the user’s email address.
RoboForm, My1login, PasswordBox, and NeedMyPassword all had equally severe defects, including a loophole which allowed attackers to steal a user’s full name, username, and any URL on which a password was entered.
Thankfully, the service providers have fixed these bugs, but it would be folly to believe they’re now perfect. There are almost certainly still undiscovered bugs, waiting for someone to find them.
“Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the Web authentication ecosystem.”
— Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song, authors of The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers
Ultimately, you’re trusting the password manager with some of your most important details. Putting all your eggs in the same basket is unwise.
3. Cloud Databases vs. Local Databases
You will have noticed the five services I discussed above are all web-based. If you use a locally-based password manager (such as KeePass or 1Password), please don’t be lulled into a false sense of security; the study only looked at web-based options.
There’s an argument to suggest local managers are inherently safer than cloud-based managers. It’s harder for a hacker to gain entry and more difficult to steal the database.
But they’re not fool-proof. We all know about the security threats facing desktop users: keyloggers, hackers lurking on public Wi-Fi networks, endless malware, and more. If you’re unlucky enough to find yourself under attack, your locally-saved password database might be one of the first things the hackers steal.
And what about if your database is saved on your mobile device? If you lose your device, it could easily end up in the wrong hands. Yes, it’s encrypted, but if you’ve set up your app to only need a master password or a fingerprint to access the database, the encryption won’t be worth a great deal.
4. Your Settings Might Leave You Vulnerable
I just touched on this briefly. Password managers have lots of settings you can tweak; some of them make the service more secure. However, lots of them are designed for convenience — enabling them will make you more vulnerable.
For example, LastPass will not automatically prompt you for your master password when you try to access the credentials of an individual entry in your vault (Settings > Advanced Settings > Re-prompt for Master Password).
Furthermore, most of the services’ mobile apps allow you to disable fingerprint and/or password authentication for up to 24 hours after each successful login. Don’t do it. Would you leave your online banking logged in for 24 hours to save a few clicks?
And of course, be careful who you share passwords with when you use the services’ built-in sharing feature — perhaps their settings will leave your accounts exposed? Make sure your friends and family are aware of the security implications.
Don’t take shortcuts. Instead, spend time working through your services’ advanced settings and making them all as robust as possible.
Password Managers: To Use or Avoid?
Are password managers better than storing all your details on an Excel sheet, or using the same credentials for each site? Unquestionably. But whether they’re as secure as you might like to believe is debatable.
Most people use the services for convenience as much as for security. But by doing so, you’re potentially compromising yourself. I’m not going to tell you to stop using them, but proceed with caution. For example, perhaps you should split your passwords across multiple managers?
And remember, the bottom line is there’s no replacement for your own brain. If you can create a strong code that you slightly adjust for each individual login, you’ll have more security than any password manager could offer.