4 Reasons Password Managers Aren’t Enough to Keep Your Passwords Safe

Dan Price 16-03-2017

If you’ve painstakingly gone through the hassle of setting up a password manager, you might think you’re safe from the prying eyes of hackers and cyber-criminals.

You’re wrong.

Yes, password managers are a valuable tool in the ongoing battle to keep yourself secure, but they aren’t failsafe or idiot-proof, nor do they offer sufficient protection on their own.

Here are four reasons why password managers aren’t enough to keep your passwords safe by themselves.

1. Password Managers Are the Holy Grail for Hackers

Are password managers very secure? Yes. Do they deploy rigorous encryption and cryptography systems? Yes. Can you categorically state no hacker will ever be able to crack the system and gain access to the millions of users’ passwords within it?

Think about it: password manager services are a hugely alluring prospect for hackers. If they could breach the outer walls of the password vaults, they’d have access to an untold amount of treasure. They’re going to keep trying to break in. It’s inevitable.

Let’s use LastPass as an example. Cyber-criminals have attacked its servers twice in the last five years. Each time, the company was adamant that its users only needed to change the master password for their accounts and that the password vaults were still secure.

But the hacks prove security holes exist. Is it only a matter of time until an unauthorized person gains access? Probably.

2. Experts Say Password Managers Have Serious Flaws

In 2014, security researchers discovered LastPass, RoboForm, My1login, PasswordBox, and NeedMyPassword all had several dangerous security flaws.

The most worrisome of the flaws allowed hackers to steal plaintext passwords directly from LastPass users using the bookmarklet, without either the user or the company being aware that anything was wrong.


LastPass also had a flaw whereby malicious code on a website could steal a user’s entire encrypted password vault, as long as the hacker knew the user’s email address.

RoboForm, My1login, PasswordBox, and NeedMyPassword all had equally severe defects, including a loophole which allowed attackers to steal a user’s full name, username, and any URL on which a password was entered.

Thankfully, the service providers have fixed these bugs, but it would be folly to believe they’re now perfect. There are almost certainly still undiscovered bugs, waiting for someone to find them.

Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the Web authentication ecosystem.

— Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song, authors of The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers

Ultimately, you’re trusting the password manager with some of your most important details. Putting all your eggs in the same basket is unwise.

3. Cloud Databases vs. Local Databases

You will have noticed the five services I discussed above are all web-based. If you use a locally-based password manager (such as KeePass or 1Password), please don’t be lulled into a false sense of security; the study only looked at web-based options.

There’s an argument to suggest local managers are inherently safer than cloud-based managers. It’s harder for a hacker to gain entry and more difficult to steal the database.

But they’re not fool-proof. We all know about the security threats facing desktop users: keyloggers, hackers lurking on public Wi-Fi networks, endless malware, and more. If you’re unlucky enough to find yourself under attack, your locally-saved password database might be one of the first things the hackers steal.

And what about if your database is saved on your mobile device? If you lose your device, it could easily end up in the wrong hands. Yes, it’s encrypted, but if you’ve set up your app to only need a master password or a fingerprint to access the database, the encryption won’t be worth a great deal.

4. Your Settings Might Leave You Vulnerable

I just touched on this briefly. Password managers have lots of settings you can tweak; some of them make the service more secure. However, lots of them are designed for convenience — enabling them will make you more vulnerable.

For example, LastPass will not automatically prompt you for your master password again when you open an individual entry in your vault unless you enable the option yourself (Settings > Advanced Settings > Re-prompt for Master Password).


Furthermore, most of the services’ mobile apps allow you to disable fingerprint and/or password authentication for up to 24 hours after each successful login. Don’t do it. Would you leave your online banking logged in for 24 hours to save a few clicks?

And of course, be careful who you share passwords with if you use the services’ built-in sharing feature; their settings may leave your accounts exposed. Make sure your friends and family are aware of the security implications.

Don’t take shortcuts. Instead, spend time working through your services’ advanced settings, and making them all as robust as possible.

Password Managers: To Use or Avoid?

Are password managers better than storing all your details on an Excel sheet, or using the same credentials for each site? Unquestionably. But whether they’re as secure as you might like to believe is debatable.

Most people use the services for convenience as much as for security. But by doing so, you’re potentially compromising yourself. I’m not going to tell you to stop using them, but proceed with caution. For example, perhaps you should split your passwords across multiple managers?

And remember, the bottom line is there’s no replacement for your own brain. If you can create a strong code that you slightly adjust for each individual login, you’ll have more security than any password manager could offer.

Do you trust password managers? Let us know in the comments below.


  1. Bob
    June 10, 2020 at 8:16 pm

    Please update this article, because your points against offline password managers are incredibly weak. You even admitted yourself that they were unsubstantiated, yet continued anyway. So, here's my counterargument.

    What's more profitable as a hacker? Making/spreading a malware that specifically targets the small demographic of offline password manager users, or a keylogger that affects everybody regardless? And if I'm dealing with an adversary that specifically wants to hack me to the point of looking through my computer's files, do you really think they won't also be patient enough to sit there with a keylogger until I inevitably give them all the info they want? You still have to type them in at some point unless you never use your accounts. Sure, that'll take longer than simply stealing a password manager file, but if they gained control of my PC without me knowing in the first place, "more time to react" is an incredibly thin layer of protection. And why the hell would someone security conscious enough to use a password manager log in anywhere on public WiFi?

    And your point about a stolen phone. So instead of factory resetting and selling my phone, the random asshole that steals my phone is gonna bypass my lock screen, ignore my already logged in email and my 2fa app, and go "AES-256 bit with a 30 character master password that I don't know? LMAO piece of cake, weak encryption". (I don't know the exact length of my master password, just making a reference).

    My point is, everything you mentioned is a risk to everybody whether they use a password manager or not. While offline password managers aren't perfect, you shouldn't imply that it's the offline password manager's fault that your passwords are at risk. Someone who gets control of your device can do basically whatever they want to get into your accounts. The "flaws" you're referring to are the jobs of your antivirus and your VPN, not your offline password manager. The security benefit to your accounts far outweighs the added risk.

  2. Jim
    August 15, 2017 at 8:23 pm

    I use a local/cloud manager called SplashID. Has anyone reviewed it and compared it to some of the others? I usually don't see it as part of any review.

  3. Tom
    July 1, 2017 at 9:45 pm

    Sensationalism. There's a balance between convenience and security. I used to use an Excel spreadsheet with literally hundreds of passwords, kept on a secure drive. Every time I needed to log into a site, I'd have to dredge through my system, connect the drive, unlock it (memorize frequently changed secure drive PW), manage the versions of the spreadsheet being collected over the years, back up the system on another secure drive, remember to update back ups any time a field in the mammoth spreadsheet changed--the system was a nightmare and began to consume far too much time. Just as bad, exhausted, I started reusing PWs or using weaker PWs.

    If the author is so confident web-based password managers are seriously flawed, how about offering a viable alternative or intervention? These articles spread fear without providing reasonable solutions. Reminder to self: skip the doom-and-gloom articles in the future.

    • Me
      July 14, 2019 at 8:15 pm

      There is no viable alternative. Online anyway.
      I would NEVER, EVER use an online password manager! NEVER!

      It's foolishness to do so.

      The only way password managers are going to be foolproof is when quantum computers are perfected and have gone mainstream. It will be impossible for hackers to hack passwords once they are implemented.

  4. Nancy E Jones
    March 21, 2017 at 2:41 pm

    Steve Gibson still uses LastPass, and that's good enough for me.

  5. ReadandShare
    March 17, 2017 at 7:47 pm

    "Are password managers better than storing all your details on an Excel sheet, or using the same credentials for each site? Unquestionably."

    Unquestionably? Not necessarily. A password-protected Excel spreadsheet can be safe too -- after all, Excel also uses AES encryption.

    Mine is a listing with four columns: (1) website name with address embedded, (2) user name, (3) user password and (4) notes (like answers to challenge questions, etc.). And "cloud" backup means the list is accessible wherever there is internet connection - although all cautions about using public computers and Wifi also apply.

    Finally, I also agree that the article title is misleading click-bait.

  6. Tim
    March 17, 2017 at 2:24 pm

    I understand the point of the article, but I think it could have been stated in a more reasonable, less click-bait manner. Is any system foolproof? No, of course not. The point of password managers isn't to make you 100% safe, but simply to make it harder for your passwords to be stolen. It's the same as a lock on the front door of your house--any thief who wants in bad enough can get in, provided he is adequately prepared and has enough time. Given enough processing power and enough time, anyone can brute force any password.

    Does that mean using a password manager is a bad idea? No, of course not. Merely using a password manager won't automatically make you more secure anymore than just installing an extra lock on your front door will make you more secure. Like any tool, a password manager must be used correctly to be of any benefit. If your master password is "password," you're no better off than not using a password manager.

  7. TedAug1
    March 17, 2017 at 1:59 pm

    And what about good backup? Do u know maybe Xoperos solutions? I started use their product. Actually i am satisfied , but tell me if u know more backup solutions (for small company) or maybe you have some experience with Xopero too?

  8. Murteza
    March 17, 2017 at 1:50 pm

    I have 1 pattern and unique password for each service. I use neither web based nor local password manager nor excel spread sheets nor whatsoever but my own memory. It isn't difficult to remember a single pattern. By using same born I can produce longer than 20 character passwords for some services, all containing both capital and lower case letters, special characters (such as . , ! ?) and numbers.

  9. Rudy
    March 17, 2017 at 12:57 pm

    I have used LastPass safely for about 5 years with no breaches. I have 566 passwords saved. Are you suggesting I use 566 variations of one password? Good luck with that. What alternative is there to using one of the password managers? I also use NordVpn which I trust helps with my security.

    • Jacek
      March 18, 2017 at 4:43 pm

      I think the problem would be if someone hacked LastPass servers, not your PC / mobile or your passwords.
      I also have over 500 passwords and recently (half a year ago) I started using LastPass. Just for convenience. I hope I'm secure with 2 step verification but who knows what will happen when LastPass servers are hacked. They say that even they can't see my passwords. Hopefully that's true. ;)