Most of us know the rules for good password hygiene – make them complicated, don’t reuse them and change them every so often. But with nearly every site and app requiring users to sign up for an account, remembering an ever-growing stable of fiendishly complex passwords becomes a herculean task.
Enter password managers, which not only do the remembering but can also generate the random strings of lowercase and uppercase letters, numbers and symbols required to protect your online accounts from hackers and scammers. Passwords are saved to a ‘vault’ that is itself protected by a user-devised master password.
But what happens when the account that’s hacked is the password manager itself – as has occurred with popular password managers such as LastPass and 1Login? Can it really be safe to save all your passwords into a single online place?
Security experts agree that using a password manager is far safer than reusing passwords or writing them down, but there are security vulnerabilities to be aware of.
Password managers 101
Just one in ten Americans use a password manager, and only three percent count it as their most frequent means of password entry. In a recent study published in Human-centric Computing and Information Sciences, researchers found that users of password managers mostly did so for convenience, while those who did not use them highlighted security issues.
“The typical alternatives to a password manager are using the same password everywhere or storing them in a spreadsheet,” says Sandor Palfy, LastPass CTO. “Some people may be hesitant to use a password manager because they’re afraid of ‘putting all their eggs in one basket’, but it is a very, very safe basket.”
Popular cloud-based password managers such as Dashlane, LastPass and Sticky Password use zero-knowledge security protocols: the encryption key that unlocks the vault is derived from the master password and is stored only on users’ devices, so the companies have ‘zero knowledge’ of users’ passwords. That derivation includes thousands of rounds of authentication hashing, where a one-way algorithm converts the master password into a scrambled string that cannot be reversed, and repeating it thousands of times makes every guess expensive for a hacker trying to crack the hashed text.
Strong encryption means that in the event of a breach, even if the hashed master passwords are exposed, they should not be recoverable – but other sensitive information that would allow attackers to breach users’ other accounts could still be exposed.
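As an added illustration of the zero-knowledge split described above (this is example code, not any of the named products’ own implementation), the sketch below derives the vault key from the master password on the client with many PBKDF2 rounds, sends only a separate login token to the server, and shows that the server record contains neither the key nor the password. The iteration count, salt sizes and function names are assumptions.

```python
import hashlib
import hmac
import os

# Work factor and sizes are assumptions for illustration, not any product's settings.
ITERATIONS = 100_000
KEY_LEN = 32

def derive_vault_key(master_password: str, user_salt: bytes) -> bytes:
    """Runs only on the user's device: stretch the master password into the
    key that encrypts the vault. Thousands of PBKDF2 rounds make each guess
    costly, which is what "rounds of hashing" buys against cracking."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               user_salt, ITERATIONS, dklen=KEY_LEN)

def derive_auth_token(vault_key: bytes, user_salt: bytes) -> bytes:
    """Also client side: one more one-way step over the vault key. This token,
    not the password or the key, is what the client presents to log in."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, user_salt, 1, dklen=KEY_LEN)

def server_enroll(auth_token: bytes) -> dict:
    """The server stores only a salted hash of the token, so a stolen database
    contains neither the vault key nor anything that logs in directly."""
    server_salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_token, server_salt, ITERATIONS, dklen=KEY_LEN)
    return {"server_salt": server_salt, "stored_hash": stored}

def server_verify(record: dict, auth_token: bytes) -> bool:
    """Constant-time comparison of the presented token against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_token, record["server_salt"],
                                    ITERATIONS, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, record["stored_hash"])

def demo(master_password: str = "correct horse battery staple") -> dict:
    """Enrol once, then attempt logins with the right and a wrong master password."""
    user_salt = os.urandom(16)              # constructed per-user salt
    vault_key = derive_vault_key(master_password, user_salt)
    token = derive_auth_token(vault_key, user_salt)
    record = server_enroll(token)
    wrong_key = derive_vault_key(master_password + "!", user_salt)
    wrong_token = derive_auth_token(wrong_key, user_salt)
    return {
        "login_ok": server_verify(record, token),
        "wrong_password_rejected": not server_verify(record, wrong_token),
        # The server never holds the vault key; only the client can derive it.
        "server_has_vault_key": vault_key in record.values(),
        "token_differs_from_key": token != vault_key,
    }
```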
For example, when LastPass was breached in 2015, there was no evidence that users’ master passwords and encrypted password vaults had been compromised – but user email addresses and password reminders were stolen. These details could allow for targeted attacks such as phishing, where attackers might be able to send a spoof login screen to a user’s email address, using the password reminder to lure users into inputting their master password. Access to users’ email addresses can also open the door for hackers to breach users’ accounts at other sites.
Password managers can be hacker targets
Because password managers contain so much data that is valuable to cyber criminals – along with passwords, managers such as Dashlane and LastPass can also save personal info for autofill forms, credit cards and frequent flyer details – they are often the target of hackers.
“Password manager vulnerabilities that have been exploited in the past have included full design flaws, spoofing attacks, faulty browser extension input validation, and more,” says Kurt Baumgartner, a principal security researcher at Kaspersky Lab.
The most convenient feature of a password manager is also one of the weakest links in its security.
Nearly all password managers include a browser extension that can autofill logins and generate passwords at new sites – but the feature also offers another, less secure “in” for attackers to take a swipe at your password vault. Security researchers have uncovered several major bugs in popular password managers that leave them vulnerable to such attacks.
Visiting a website that contains malware while using a password manager browser extension could, therefore, result in your passwords being stolen without you knowing about it.
Are browser password managers safe?
Many browsers can also save your passwords and automatically log you in. Though browser password managers don’t have a reputation for strong security, the level of security has ramped up in recent years.
On Chrome, passwords are encrypted by default and to view them, users must be logged in to their Google account and additionally authenticate themselves to their device – for example, the user password for a computer, or PIN for a smartphone.
Safari and Edge also encrypt passwords, which can only be viewed after an additional authentication – at least if you have set a password login for your computer and/or PIN on your smartphone!
The Firefox browser is the only one that protects its encrypted password vault with a master password, which adds an extra layer of protection that has to be cracked. However, Google posted that the reason Chrome doesn’t have a master password is that it offers a false sense of security, stating that it does not protect from risks such as someone with access to the computer – or installing a keylogger – cracking that master password to access the vault.
However, despite these safety measures, browser password managers are vulnerable to more security risks than a third-party password manager.
For one, while browser password managers are a hassle-free way for you to save existing logins, they do not offer a means to generate random, unique passwords for each account. This includes the Edge, Firefox, Safari and Chrome browsers. “Some of the most common ways people are leaving themselves vulnerable online are by using weak, easy to guess passwords, and then re-using those passwords on multiple other online accounts,” notes Palfy.
Saved passwords may also be all too easily accessed via browser attacks. Though each of the four major browsers encrypts its saved passwords and asks for a login before displaying these passwords, passwords are not protected by the same level of encryption as dedicated password managers – and as such, could potentially be more easily breached.
That other ultra-convenient feature – auto-fill – is also one of the biggest vulnerabilities of a browser password manager.
Research by Proofpoint, a cybersecurity company, recently found that the autofill feature in browser password managers has been exploited by digital ad companies to scrape users’ data, including email addresses. The same technique could be used to expose saved passwords.
“What makes that scenario tricky is that site owners add these third-party ad scripts to their web pages, making them part of the web site’s own code. The web browsers’ built-in protections that isolate external, third-party scripts from the site’s code don’t work in that case, which makes protecting against these attacks very tricky,” says Palfy.
7 tips for using a password manager safely
So far, the picture may be looking pretty grim for password security. However, the benefits of a good password manager – generating and saving complex, unique passwords you can easily update – mean that most experts recommend using one. “While it’s impossible to be completely immune from the most advanced threats, selecting the right third-party password manager can help users to protect their credentials from the majority of attacks that they may face,” says Baumgartner.
You can also take the following seven steps to ensure you're protecting your accounts:
1. Choose a password manager without master password recovery
Whatever you do, choose a password manager that does not allow for recovery of the master password. “If a malicious actor is able to get ahold of the master password through account recovery tools, this renders even the most secure password management programs useless,” says Baumgartner.
2. Use two-factor authentication
Any online account has a risk of being hacked. One way to reduce this risk is to use two-factor authentication to protect your password manager. Chrome supports two-factor authentication with your smartphone, and, along with Firefox and Edge, also works with hardware security keys such as those made by Yubico. Third-party password managers including Dashlane, LastPass and Sticky Password support two-factor authentication with your smartphone. “While two-factor authentication may still have some risks due to threats like SIM hijacking, at a minimum it puts one more layer of defense between the cybercriminal and your full arsenal of login information,” says Baumgartner.
3. Turn off autofill
You may want to consider turning off autofill. This means logging in to your password manager, then copying and pasting your passwords into the login screen.
4. Use strong passwords
When composing your master password, make it strong. “By today’s standards this means 20 characters or more, randomly generated passwords that contain lower and uppercase letters, digits and symbols,” says Palfy. You might be proud of how devilishly uncrackable it is – but don’t reuse your master password.
5. Make sure all of your passwords are unique
Make sure all your other passwords are unique. Dashlane Premium is one of the options that can automatically check for weak or repeated passwords, then automatically replace them with a random, complex password.
6. Keep your software up to date
Download security updates for your password manager as soon as available – often, they will be patching newly discovered vulnerabilities.
7. Be wary of downloads and browser extensions
In general, be wary of your downloads, especially browser extensions – unwittingly installed malware could end up logging keystrokes or copying logins.
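As an added example for tip 4 above (not code from any password manager named here), the generator below draws a 20-character password from all four character classes Palfy lists, using the operating system’s cryptographic random source, and puts a number on why that length is recommended: the entropy of a uniformly random password and the expected time to guess it at an assumed guess rate. The guess rate and helper names are assumptions.

```python
import math
import secrets
import string

# The four classes the quoted advice calls for: lower, upper, digits, symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)          # 94 printable characters

def has_all_classes(password: str) -> bool:
    """True only if at least one character from every class is present."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)

def generate_password(length: int = 20) -> str:
    """Draw from the CSPRNG (secrets, never random) and reject any draw that
    misses a class, so every returned password really contains all four."""
    if length < len(CLASSES):
        raise ValueError("need at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    The rejection step above discards a negligible fraction of the space."""
    return length * math.log2(alphabet_size)

def years_to_guess(bits: float, guesses_per_second: float = 1e12) -> float:
    """Expected time to search half the space at an assumed offline guess rate
    (1e12/s is a constructed figure for a well-resourced attacker)."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, has_all_classes(pw))
    print(f"{entropy_bits(20):.1f} bits, ~{years_to_guess(entropy_bits(20)):.2e} years")
```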
Choosing the right password manager
The best password managers do not allow you to recover your master password, they let you use two-factor authentication, they monitor your accounts for password breaches and weak passwords, they generate strong passwords for you, they back up your passwords securely online and they let you use a fingerprint or face ID to log in on your smartphone. Our favorite password manager, Dashlane Premium ($60 per year), has all of the aforementioned features and more. It also fills out forms, including your credit card information, syncs across all of your devices, scans the Dark Web for personal data and account information and provides VPN service for your computer and smartphone to encrypt all of your data when using internet-based services over public WiFi.