Password managers provide secure alternatives for storing and organizing login credentials. They increase the use of strong, complex passwords and diminish the stress of remembering them.
If you’re like most of us, you have accounts for many online services ranging from banking to social media. Most of these companies and services strictly require users to maintain accounts that are password-protected. Furthermore, these companies usually require passwords to be “strong”; the definition of “strong” may change from company to company as each typically has different criteria. Either way, the point still stands: Companies are beefing up account security via passwords to deter break-ins. With many people having a large collection of online accounts, juggling multiple passwords can be a hassle, especially when considering that different accounts should each have a unique, long password.
To diminish the stress involved in balancing strong password protection and remembrance, people have turned to password managers. Fittingly, a password manager is a vault that manages and organizes a user’s passwords. The only way to access the vault is by entering a very secure master password. As an added benefit, some modern password managers can automatically fill forms and generate strong passwords to increase the ease of maintaining strong account security.
Types of Password Managers
There are quite a few password managers that users can choose from. When deciding which one to use, users can go in two general directions: using browser-based password managers, like those built into Chrome and Safari, or downloading/installing special applications/extensions. Both store your passwords in their own ways.
Browser-based password managers are probably what Web users are most familiar with. As a standard feature on most browsers, when you first create an online account, say a new Facebook profile, your browser will prompt you with an option to save your login credentials (i.e., username and password). The next time you try to log in, your credentials are prepopulated, thus eliminating your need to remember.
Browser-based password managers may seem like the obvious choice since they don’t require any additional installs. They just work. That being said, they don’t offer the same level of security provided by password manager applications/extensions, especially when considering that in many cases they require a system password to authenticate users and reveal account passwords. This authentication method could become a problem on a shared device, as multiple people may know the system password and thereby your account passwords.
Password manager applications/extensions try to bridge the gap between security and accessibility. Once installed, they prepopulate login fields just like their browser-based cousins. Installing these applications/extensions takes a little time, though, since after creating an account and master password, the credentials for every website stored in the vault need to be added one by one. However, after this initial setup, the added security benefits derived from regularly using them are invaluable.
One argument in favor of browser-based password managers is that they offer more portability than password manager applications/extensions since the former essentially require only an installed Web browser. This may be true, but many password manager applications/extensions are also very portable due to their multiplatform strategy that encompasses desktops, Web browser extensions, and mobile systems; additionally, these applications can sync across platforms. Compared to browser-based password managers, password manager applications/extensions offer a better balance of security and portability.
Many password managers are considered “online password managers,” meaning that they store your information on their servers. On the other hand, “offline password managers” store information on a user’s device. Online password managers often offer more accessibility than offline password managers, as the former remain accessible even when you are away from your personal device. However, online password managers need to have an Internet connection to communicate with the cloud. Both online and offline password managers do a good job at protecting your login credentials, but the added benefit of portability offered by online password managers makes them a better option for most people.
Security Considerations
Most password managers work by storing all your credentials in a vault with only one way in or out. The only key to open and close this vault is the correct master password. If a user clicks submit after signing up for a new online account, their password manager will prompt the user to add these credentials to the vault. If approved, the credentials will be encrypted and stored in the vault for safekeeping.
But what happens if government entities have warrants that try to force password managers to share vault information? To uphold user privacy and security, some password managers have implemented a “no knowledge” stance, meaning that the company will not store your master password on their servers. And furthermore, they will encrypt data inside the vault.
Each password manager takes a unique approach to arrive at their objective of increased user security and password protection. For example, let’s look at LastPass. For simplicity, LastPass breaks down their “How It Works” process into three steps:
- Installing the browser extension
- Creating an account with a strong master password
- Managing your LastPass vault
On the surface, the functionality of LastPass seems straightforward, but the mechanics behind the application are more complex. LastPass operates in an online and offline environment as passwords can be decrypted locally and/or encrypted into the cloud using the AES cipher with the SHA hash function. As an added benefit, users have the option to add an extra layer of security via two-factor authentication that requires another login step before gaining vault access. After entering your master password and clicking the submit button, LastPass authenticates you through an encrypted SSL connection that secures the link between the Web server and Web browser. If successful, access into your vault is granted.
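The “no knowledge” stance and the local AES/SHA encryption described above can be sketched as follows. This is an added example, not LastPass's or any other vendor's code; the PBKDF2 key derivation, the iteration count, the AES-256-GCM mode, the login-hash construction and every function name are assumptions made for illustration.

```javascript
// Generic "no knowledge" vault sketch (illustrative; not any vendor's code).
const crypto = require("crypto");

const ITERATIONS = 100000; // assumed work factor; real deployments tune this

// Vault key: derived on the client from the master password, never uploaded.
function deriveVaultKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, 32, "sha256");
}

// Login hash: one-way step over the vault key; the only derived value sent to the server.
function deriveLoginHash(vaultKey, masterPassword) {
  return crypto.pbkdf2Sync(vaultKey, masterPassword, 1, 32, "sha256").toString("hex");
}

// Encrypt one credential on the client with AES-256-GCM.
function encryptEntry(vaultKey, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce per entry
  const cipher = crypto.createCipheriv("aes-256-gcm", vaultKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt on the client; null means wrong master password or a tampered blob.
function decryptEntry(vaultKey, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", vaultKey, iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch { return null; }
}

// Constructed walk-through: what the server stores versus what the client can do.
function demo() {
  const master = "correct horse battery staple"; // constructed sample
  const salt = crypto.randomBytes(16);           // per-user, not secret
  const key = deriveVaultKey(master, salt);
  const serverRecord = {                         // everything the provider holds
    salt,
    loginHash: deriveLoginHash(key, master),
    blob: encryptEntry(key, "example.com|alice|constructed-password"),
  };
  return {
    serverRecord,
    unlocked: decryptEntry(deriveVaultKey(master, salt), serverRecord.blob),
    wrongGuess: decryptEntry(deriveVaultKey("password123", salt), serverRecord.blob),
  };
}
console.log(demo());
```

In this sketch the server record holds only the salt, the login hash and ciphertext, so a provider built this way has no plaintext vault to hand over, and a forgotten master password cannot be recovered by the provider either.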
As mentioned before, password managers require users to create a very strong master password to limit the possibility of a break-in. Considering that this password is the main line of defense against an intruder and all of your other login credentials, taking time to create and store a strong password is critical. You may believe that you can remember your master password since it gives you access to your other accounts, but think twice about not making a digital or physical copy of it. If you were to lose this password, you would be permanently locked out of your account. If that were to happen, you would have to recover login information for each account in the vault, which may turn into a very time-consuming ordeal. Creating, remembering, and backing up a master password helps to increase the usefulness and functionality of password managers.
With all these benefits, password managers must sound like a surefire way to maintain strong passwords and protect your data. Generally, this is true, but password managers are not perfect as some have experienced cyberattacks. For example, in 2015, LastPass was the victim of a cyberattack that gave intruders access to user data. Wired reported that the data accessed by the hackers included “users’ email addresses, encrypted master passwords, and the reminder words and phrases that the service asks users to create for those master passwords.” Furthermore, LastPass had an earlier breach in 2011. Password managers do a great job of empowering users to maintain effective security via strong, complex passwords; however, they are susceptible to the same attacks that threaten other entities and individuals.
Password managers are a great way to avoid using simple, crackable passwords that may put sensitive data and accounts at risk. Without password managers, users may be stuck in the same conundrum that’s existed since the beginning of digital passwords: Trying to balance ease of remembrance with length and complexity. This may become tiresome very fast when considering the increasing number of accounts created and maintained by users.
Password managers help solve this problem, but they are not the complete answer, especially since security breaches have impacted some password managers. As another level of security, users should consider backing up their passwords to have an emergency copy. Also, regularly changing account passwords will help to increase the level of account security. Password managers are a great tool to increase security, but as with many other tools, they are only one piece of a larger security scheme.