Tech Made Simple

Hot Topics: How to Fix Bluetooth Pairing Problems | Complete Guide to Facebook Privacy | How to Block Spam Calls | Snapchat Symbol Meaning

We may earn commissions when you buy from links on our site. Why you can trust us.

author photo

Is it Safe to Use a Password Manager?

by Natasha Stokes on July 30, 2018

Most of us know the rules for good password hygiene – make them complicated, don’t reuse them and change them every so often. But with nearly every site and app requiring users to sign up for an account, remembering an ever-growing stable of fiendishly complex passwords becomes a herculean task.

Enter password managers, which not only do the remembering but can also generate the random strings of lowercase and uppercase letters, numbers and symbols required to protect your online accounts from hackers and scammers. Passwords are saved to a ‘vault’ that is itself protected by a user-devised master password.

But what happens when the account that’s hacked is the password manager itself – as has occurred with popular password managers such as LastPass and 1Login? Can it really be safe to save all your passwords into a single online place?

Security experts agree that using a password manager is far safer than reusing passwords or writing them down, but there are security vulnerabilities to be aware of.  

Password managers 101

Just one in ten Americans use a password manager, and only three percent count it as their most frequent means of password entry. In a recent study published in Human-centric Computing and Information Sciences, researchers found that users of password managers mostly did so for convenience, while those who did not use them highlighted security issues.

“The typical alternatives to a password manager are using the same password everywhere or storing them in a spreadsheet,” says Sandor Palfy, LastPass CTO. “Some people may be hesitant to use a password manager because they’re afraid of ‘putting all their eggs in one basket’, but it is a very, very safe basket.”

Popular cloud-based password managers such as Dashlane, LastPass and Sticky Password use zero-knowledge security protocols that encrypt users’ master passwords with an encryption key that is stored only on users’ devices (so that the companies have ‘zero knowledge’ of users’ passwords). This encryption includes thousands of rounds of authentication hashing, where an algorithm converts a string of text into a longer string, making it more difficult for hackers to crack the hashed text.

Strong encryption means that in the event of a breach, even exposed master passwords shouldn’t be compromised – but other sensitive information that would allow attackers to breach users’ other accounts could be exposed.

For example, when LastPass was breached in 2015, there was no evidence that users’ master passwords and encrypted password vaults had been compromised - but user email addresses and password reminders were stolen. These details could allow for targeted attacks such as phishing, where attackers might be able to send a spoof login screen to a user’s email address, using the password reminder to lure users into inputting their master password. Access to users’ email address can also open the door for hackers to breach users’ accounts at other sites.

Password managers can be hacker targets

Because password managers contain so much data that is valuable to cyber criminals – along with passwords, managers such as Dashlane and LastPass can also save personal info for autofill forms, credit cards and frequent flyer details – they are often the target of hackers.

“Password manager vulnerabilities that have been exploited in the past have included full design flaws, spoofing attacks, faulty browser extension input validation, and more,” says Kurt Baumgartner, a principal security researcher at Kaspersky Lab.

The most convenient feature of a password manager is also one of the weakest links in its security.

Nearly all password managers include a browser extension that can autofill logins and generate passwords at new sites – but the feature also offers another, less secure “in” for attackers to take a swipe at your password vault. Security researchers have uncovered several major bugs in popular password managers that leave them vulnerable to such attacks.

Visiting a website that contains malware while using a password manager browser extension could, therefore, result in your passwords being stolen without you knowing about it.

Are browser password managers safe?                                                        

Many browsers can also save your passwords and automatically log you in. Though browser password managers don’t have a reputation for strong security, the level of security has ramped up in recent years.

On Chrome, passwords are encrypted by default and to view them, users must be logged in to their Google account and additionally authenticate themselves to their device – for example, the user password for a computer, or PIN for a smartphone.

Safari and Edge also encrypt passwords, which can only be viewed after an additional authentication – at least if you have set a password login for your computer and/or PIN on your smartphone!

The Firefox browser is the only one that protects its encrypted password vault with a master password, which adds an extra layer of protection that has to be cracked. However, Google posted that the reason Chrome doesn’t have a master password is that it offers a false sense of security, stating that it does not protect from risks such as someone with access to the computer – or installing a keylogger – cracking that master password to access the vault.

However, despite these safety measures, browser password managers are vulnerable to more security risks than a third-party password manager.

For one, while browser password managers are a hassle-free way for you to save existing logins, they do not offer a means to generate random, unique passwords for each account. This includes the Edge, Firefox, Safari and Chrome browsers. “Some of the most common ways people are leaving themselves vulnerable online are by using weak, easy to guess passwords, and then re-using those passwords on multiple other online accounts,” notes Palfy.

Saved passwords may also be all too easily accessed via browser attacks. Though each of the four major browsers encrypts its saved passwords and asks for a login before displaying these passwords, passwords are not protected by the same level of encryption as dedicated password managers – and as such, could potentially be more easily breached.

That other ultra-convenient feature – auto-fill – is also one of the biggest vulnerabilities of a browser password manager.

Research by Proofpoint, a cybersecurity company, recently found that the autofill feature in browser password managers has been exploited by digital ad companies to scrape users’ data, including email address. The same technique could be used to expose saved passwords.

“What makes that scenario tricky is that site owners add these third-party ad scripts to their web pages, making them part of the web site’s own code. The web browsers’ built-in protections that isolate external, third-party scripts from the site’s code don’t work in that case, which makes protecting against these attacks very tricky,” says Palfy.

7 tips to using a password manager safely

So far, the picture may be looking pretty grim for password security. However, the benefits of a good password manager - generating and saving complex, unique passwords you can easily update – mean that most experts recommend using one. “While it’s impossible to be completely immune from the most advanced threats, selecting the right third-party password manager can help users to protect their credentials from the majority of attacks that they may face,” says Baumgartner.

You can also take the following seven steps to ensure you're protecting your accounts:

1. Choose a password manager without master password recovery

Whatever you do, choose a password manager that does not allow for recovery of the master password. “If a malicious actor is able to get ahold of the master password through account recovery tools, this renders even the most secure password management programs useless,” says Baumgartner.

2. Use Two-factor authentication

Any online account has a risk of being hacked. One way to circumvent this risk is to use two-factor authentication to protect your password manager. Chrome supports two-factor authentication with your smartphone, and, along with Firefox and Edge, also works with authentication hardware keys such as Yubico. Third-party password managers including Dashlane, LastPass and Sticky Password supports two-factor authentication with your smartphone. “While two-factor authentication may still have some risks due to threats like SIM hijacking, at a minimum it puts one more layer of defense between the cybercriminal and your full arsenal of login information,” says Baumgartner.

3. Turn off autofill

You may want to consider turning off autofill. This also means logging into your password manager, then copying and pasting your passwords into the login screen.

4. Use strong passwords

When composing your master password, make it strong. “By today’s standards this means 20 characters or more, randomly generated passwords that contain lower and uppercase letters, digits and symbols,” says Palfy.  You might be proud of how devilishly uncrackable it is – but don’t reuse your master password.

5. Make sure all of your passwords are unique

Make sure all your other passwords are unique. Dashlane Premium is one of the options that can automatically check for weak or repeated passwords then automatically replace them with a random, complex password.

6. Keep your software up to date

Download security updates for your password manager as soon as available – often, they will be patching newly discovered vulnerabilities.

7. Be wary of downloads and browser extensions

In general, be wary of your downloads especially browser extensions – unwittingly installed malware could end up logging keystrokes or copying logins.

Choosing the right password manager

The best password managers do not allow you to recover your master password, they let you use two-factor authentication, they monitor your accounts for password breaches and weak passwords, they generate strong passwords for you, they back up your passwords securely online and they let you use a fingerprint or face ID to log in on your smartphone. Our favorite password manager, Dashlane Premium ($60 per year), has all of the aforementioned features and more. It also fills out forms, including your credit card information, syncs across all of your devices, scans the Dark Web for personal data and account information and provides VPN service for your computer and smartphone to encrypt all of your data when using internet-based services over public WiFi.

[Image credit: computer login concept via BigStockPhoto]


Topics

Computer Safety & Support, Computers and Software, Internet & Networking, Phones and Mobile, Mobile Apps, Tips & How-Tos, Privacy


Discussion loading

gravatar

From Tony on July 31, 2018 :: 6:33 pm


I get the reservations, but LastPass has been a lifesaver. That combined with ExpressVPN has made an entire online network much safer.

Reply

gravatar

From Riley King on July 22, 2019 :: 6:32 am


Even though password managers are super convenient, they’re still vulnerable to attacks—at the end of the day, they’re still only a single password defending your account. My friend wrote a great article about their vulnerabilities: https://doubleoctopus.com/blog/password-mangers-vs-passwordless-authentication/

Hope this is helpful!

Reply

gravatar

From David Serfass on August 10, 2018 :: 9:39 am


I use Roboform To Go,which is a thumbdrive based manager, storing everything on the drive. Sadly they have discontinued support for this, opting instead for cloud based version. It has many of the features you recommend.Comments please!

Reply

gravatar

From Josh Kirschner on August 10, 2018 :: 3:02 pm


It’s always a good idea to stop using security products when they’re no longer supported by the company because issues can go unpatched. So upgrade to the new version of Roboform or use one of our other best password manager picks.

Reply

gravatar

From Bruno on September 27, 2018 :: 5:36 pm


I´m not an computer expert, so please help me:

I believe that if I turn off the auto-fill I´ll be more exposed to phishing sites and keyloggers, is it correct?

So, what is more dangerous, the risk of phishing by copy and paste the login information from the password manager on a false webpage or the risk of having the password manager content hacked by entering a website with a script the hacks its content?

Thanks!

Reply

gravatar

From DASR on December 04, 2018 :: 4:33 am


If you turn off autofill, you will have to copy and paste the password, and the keylogger will only capture CTRL+C and CTRL+V, not the password itself.
I think that for phishing you have to user other measures to not be caught, that is pay attention to the browser bar (lock symbol and https, and if the address is correct, don’t click on links that looks like fake and, of course, be informed about what can be fake).

Reply

gravatar

From Bruno on February 16, 2019 :: 7:03 pm


Thank you!

Reply

gravatar

From Antony Kidless on February 06, 2019 :: 3:41 pm


I don’t trust third-party password managers, so I use my own password generator + Excel. If someone wants to try it https://randompasswordgenerator.org/

Reply

gravatar

From Michael on February 21, 2019 :: 5:37 pm


You know that every password generated by the random password generator gets added to someone’s dictionary so the attack using that password is much faster

Reply

gravatar

From Josh Kirschner on March 05, 2019 :: 9:22 am


Using an unknown party to generate your passwords for you is a bad idea. They may have the best intentions, but they may not, and there’s no way to know how “random” the generated passwords really are. Stick with our recommendations to use a well-regarded password manager to do your password generation for you.

Reply

gravatar

From Brian T on March 06, 2019 :: 6:34 am


I have always been wary of two factor ID for two practical reasons:  My wife and I use the same home laptop at home and if my phone is the recipient of the 2 factor code and I’m away, how can she access the computer?  Second, I take that laptop with me while I am in America for 4-6 months a year, and change my phone access/contract to a different SIM card/ #.  So that 2 factor ID is not available to me.
Any suggestions, aside from re-inserting the SIM card, rebooting the phone to get the ID code each time? ((Not practical)

Reply

gravatar

From Josh Kirschner on March 06, 2019 :: 9:24 am


There are trade-offs to the extra security of two-factor authentication, so it may not work in all circumstances. But you can always turn it on and off, depending on the circumstances.

At home, you can leave two-factor authentication off so your wife can access the computer. Or, better, you should have two user logins on your computer - one for you and one for your wife - and she should have her own password manager on that computer under her account, and each of you has your own two-factor authentication setup. There are many other benefits to setting things up that way, including personalized bookmark and browsing history, separate file/document management, program settings, etc.

When you’re on the road, it’s easy to change your two-factor authentication settings to use a different phone number. So that shouldn’t be an impediment to using it. Also, many password managers use an authenticator app, not a phone number for two-factor authentication. These apps, like Authy, Microsoft Authenticator and Google Auth, aren’t SIM card-based.

Reply

gravatar

From Brian T on March 11, 2019 :: 5:18 am


Danke, Josh.  Will look at those suggestions.

Reply

gravatar

From PW on June 11, 2019 :: 9:36 am


Hello,  I do use a password manager.  Have used it for several years.  Needless to say, all of my passwords are in the vault.  I tried to get into my manager today.  I was unable to access using biometrics.  I inputted my password.  I received a message to “return iPhone to .....” then I was locked out.  The only contact information for the manager I am using is an e-mail.  I have started canceling and reordering credit cards. What else should I do?  Thank you!

Reply

gravatar

From Josh Kirschner on June 12, 2019 :: 9:53 am


What password manager are you using? Can’t imagine why you would be getting a message about returning your iPhone from a password manager. And why do you think your password manager was hacked vs broken for some other reason?

If your password manager was breached, the accounts I would be most worried about are your bank account, brokerage accounts, email accounts and cellphone accounts. Those would be the first ones I would change the passwords to because they would allow a hacker to take out real money and regain access to every one of your other accounts, even if you had already changed the password.

Reply

gravatar

From Neil on November 19, 2019 :: 11:43 am


The irony of an article talking about the unsafe nature of javascript ads and site protection from a website that 24 ‘necessary’ cookies over 200 tracking and other advert cookies, as well as a dozen external javascript libraries.

In addition to this, a site where you can’t even ‘reject all’, in fact you can’t even ‘reject’ cookies, which as far as I can tell is illegal under the terms of the GDPR (or written in such a way as to obfuscate how to disable them).

Reply

gravatar

From Josh Kirschner on November 19, 2019 :: 3:13 pm


First of all, the exploit we discuss above could only be done on a site that has both login and unsafe scripts operating on the same site. Techlicious doesn’t have any type of native login, so there is nothing to capture.

As far as the external javascript, we are in the same boat as pretty much every other content website, in that we rely on third parties to provide ads and other underlying technology services. However, we only use well-known ad partners to supply our services, each of whom has their own security screening processes and standards to prevent malevolent advertising for getting into the network. Not perfect, but it’s the same standard used by reputable sites across the internet.

Finally, to comply with GDPR, we have code on site (served by Cookiebot) that blocks all “non-necessary” cookies for residents of the EU unless they agree to “accept” cookies. If you are visiting from a country covered by GDPR, you will see the cookie popup clearly and conspicuously appear when you visit our site. I just went back to check the settings and everything appears to be working correctly on our end. Please notify us if you see something different.

Reply

gravatar

From Neil on November 19, 2019 :: 3:29 pm


Uk.

200 cookies listed in the cookie section. No ability to disable them.

But besides, if you valued customer privacy you would allow disabling cookies regardless of location.

Reply

gravatar

From Josh Kirschner on November 19, 2019 :: 5:43 pm


For GDPR countries, the cookies listed in the cookie section are disabled unless you enable them by clicking “accept” (except for “necessary” cookies) or continuing to use the site.

gravatar

From Neil on November 20, 2019 :: 3:51 am


If you can make do with the slight inconvenience, use an offline password manager like password safe. Which is secure, recommended by security specialists for its algorithms, and completely free and open source.

Backed up to a nas, I’ve been using mine for years and never felt the need to have it any other way.

Reply

gravatar

From Robbie on January 06, 2020 :: 10:16 am


What is a nas?

Reply

gravatar

From Neil on January 06, 2020 :: 10:19 am


Would you like me to Google Nas for you, or can you do that yourself 😉

Reply

gravatar

From Josh Kirschner on January 13, 2020 :: 1:47 pm


NAS is short for “Network Accessed Storage”, that is, a storage device (hard drive/SSD) attached to your network. You could also use a HD/SSD connected directly to your computer.

The flipside of offline solutions solutions is that if you were to lose your computer and backup due to fire/theft/flood etc., you would be out of luck. Offline solutions typically offer far fewer features than the password managers we recommend, such as autofill, use across devices (PC/mobile) and access when traveling.

Reply

gravatar

From Clark on July 10, 2020 :: 10:51 pm


It boggles the mind how anyone these days can write an article about password management and fail to mention Keeper in the discussion when the article is citing other solutions as recommendations.  Keeper verifiably has the best security of any SAAS solutions, it is rated #1 by G2 and PC Mag, and has more downloads than any of the others. 

In any case, good on you for trying to help people realize life is easier and safer with a good and trusted password manager.  (Avoid Paulie Pete’s Password Pack)

Reply

Home | About | Meet the Team | Contact Us
Media Kit | Newsletter Sponsorships | Licensing & Permissions
Accessibility Statement
Terms of Use | Privacy & Cookie Policy

Techlicious participates in affiliate programs, including the Amazon Services LLC Associates Program, which provide a small commission from some, but not all, of the "click-thru to buy" links contained in our articles. These click-thru links are determined after the article has been written, based on price and product availability — the commissions do not impact our choice of recommended product, nor the price you pay. When you use these links, you help support our ongoing editorial mission to provide you with the best product recommendations.

© Techlicious LLC.