How safe are online password managers?

Friday, 12 April, 2019

In today’s tech-dominated world, passwords are literally and metaphorically key to our daily lives.

Can you remember the last time you passed a day without entering a password into a web browser?

Equally, can you imagine what would happen if you lost all your passwords, or if someone else got hold of them?

Passwords are stolen and sold on the dark web every day. As a result, password security is as important as the steps we take to protect our homes and cars.

Yet the very nature of passwords makes them insecure.

We tend to use the same memorable password for multiple sites, for fear of forgetting the complex individual strings that would be safer for each platform.

That’s a problem, because even a standard brute-force password cracker can attempt 8,000,000 passwords per second.

Are password managers the answer?

Password managers are programs that generate, encrypt and remember credentials for users’ online accounts.

They can create a strong, unique password for each website, or store the passwords a user already has.

Most password managers use a master password to let users access secure websites through a browser extension or app.

But while this gets around the problems of creating and remembering safe passwords, the idea of keeping sensitive data in one location online may seem counter-intuitive.

After all, one of the biggest threats to a password manager’s security is the master password being compromised.

For security reasons, most programs of this type don’t allow retrieval of the master password, so the user must keep it safe.

If they don’t, anyone who gets hold of it may gain access to all of their logins at once.

This danger is higher in password managers that don’t use two-factor authentication and/or biometrics to complete logins.

Also, criminals want personal data and logins to sell, making password managers a magnet for hackers.

Some password managers don’t encrypt passwords while the user is logged in, and may fail to clear them from the computer’s memory when the user logs out, unless the program is closed down completely.

That links password security to the protection and safeguards applied to the entire computer.

How can we guarantee password security?

The simple answer is that we can’t.

Passwords are inherently unsafe, and human nature means they always will be.

The only way to make passwords 100 per cent safe is to stop using them, and as biometrics become more affordable and practical, that will probably happen.

(Apple and Samsung handsets have been offering biometric logins to websites and apps for years, and many modern devices now provide this as an option instead of password entry.)

Meanwhile, another approach to password security is to make login credentials more secure by creating bespoke passwords and writing them down in a safe place offline.

For most people, using a password manager program will be much safer than not using one.

Yes, there are theoretical risks, but you can mitigate these by choosing an option with solid security features like two-factor authentication, biometrics and strong encryption protocols.

A strong master password will also reduce the risk – and at least you’ll only have one obscure alphanumeric character string to remember, instead of dozens.

In short, while storing all of your sensitive data in one place online might seem unsafe, it’s probably preferable to any of the current alternatives.

Neil Cumins


Neil is our resident tech expert. He's written guides on loads of broadband head-scratchers and is determined to solve all your technology problems!