How Safe Are Password Managers?
A password manager stores all your passwords and automatically fills them in your web browser and mobile apps. But is trusting an app with your passwords and storing them all in one place a smart idea?
Yes, yes, it is. We recommend everyone use a password manager, which is far superior to other ways of keeping track of your passwords. Here's why they're a safe choice.
Password Managers Are Safer Than the Alternative
A password manager stores your passwords in a secure vault, which you can unlock with a single master password and, optionally, an extra two-factor authentication method to help keep everything extra secure.
Password managers let you use strong, unique passwords everywhere. This typically isn't possible for most people: can you really remember unique, strong passwords for every website you use? Password managers can generate and remember passwords like E.wei3-uaF7TaW.vuJ_w.
If you don't use a password manager to store your passwords, you probably can't remember all the unique, strong passwords you would need to use. Most people end up reusing passwords on multiple websites. That's the most dangerous thing, as a password database leak at one website means your accounts on another site are wide open. Someone just has to try signing in with the same email address and password combination from the breach.
You could try creating "unique" passwords yourself based on a pattern. For example, maybe your base password is p@ssw0rd. You could modify it based on the domain. For example, when signing into facebook, you could take the "f" and the "a" and make it fp@ssw0rda. Repeat this for each account you use, and you have unique passwords you can remember yourself, right? Well, not really: your passwords are now predictable. And what happens when a website doesn't allow special characters or limits you to a specific number of digits and your method doesn't work?
With a password manager, you just have to create one strong password and remember it.
While you do have to place some trust in whatever password manager you choose, using a password manager is more secure than the alternatives. The password managers we recommend have never had their passwords compromised, but many people have gotten in trouble through reusing passwords. Exploiting those reused passwords is often how attackers "hack" accounts these days.
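As an added illustration (not code from the original article), the Python sketch below audits a vault for the two habits described above, exact reuse and pattern-built passwords, and generates random replacements that can be adapted to a site's length or symbol rules. The function names, the `min_core` threshold, and the sample vault are assumptions made for this example.

```python
import secrets
import string
from difflib import SequenceMatcher
from itertools import combinations

def pattern_password(base, domain):
    # The hand-made scheme from the text: the domain's first two letters
    # wrap a fixed base ("facebook" -> "f" + base + "a").
    return domain[0] + base + domain[1]

def shared_core(a, b):
    # Longest run of characters that appears in both passwords.
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(
        0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]

def audit(vault, min_core=6):
    # Flag every pair of sites whose passwords are identical or built
    # around the same core. min_core is an assumed threshold.
    flagged = []
    for (s1, p1), (s2, p2) in combinations(sorted(vault.items()), 2):
        core = shared_core(p1, p2)
        if len(core) >= min_core:
            flagged.append((s1, s2, core))
    return flagged

def generate(length=20, symbols="._-"):
    # Random password from the OS CSPRNG. Pass symbols="" and a shorter
    # length for sites that reject special characters or cap the length.
    if length < 3:
        raise ValueError("length must be at least 3")
    alphabet = string.ascii_letters + string.digits + symbols
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw

# Constructed sample vault: two pattern passwords and one exact reuse.
SAMPLE = {site: pattern_password("p@ssw0rd", site) for site in ("facebook", "twitter")}
SAMPLE["forum"] = SAMPLE["facebook"]

if __name__ == "__main__":
    for s1, s2, core in audit(SAMPLE):
        print(f"{s1} and {s2} share {core!r}")
    print(audit({site: generate() for site in SAMPLE}))
```

Every pair in the pattern-built vault is flagged because the base survives in each password, while independently generated passwords share no meaningful core.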
How Password Managers Secure Your Passwords
We, and many other sites, recommend 1Password and LastPass as our top picks. Both protect your password vault with strong encryption (AES-256, specifically), even while it's stored in the cloud. While the passwords are on your PC, phone, or tablet, they're protected with a "master password" that you know, which makes them unreadable to anyone without that password. On modern devices, you can also unlock your vault with biometric authentication, like Face ID or Touch ID on iPhones.
Both services say the master password never leaves your device, and they couldn't access your passwords if they wanted to: they have "zero knowledge" of your passwords. They've undergone third-party audits and code reviews. Neither has ever suffered a serious breach, and both are up-front and transparent about how they protect your data. See the 1Password and LastPass websites for more details.
Prefer doing it yourself? Open-source password managers like Bitwarden and KeePass also exist. You can use these open-source applications to store your passwords on your own devices or servers. For example, you could set up your own sync server for Bitwarden or manually sync a KeePass database between your devices. It will likely be more complex and more work, and the apps aren't as user-friendly, but if you prefer open-source software, options are available.
Can You Trust Password Manager Companies?
Ultimately, you are placing some trust in the password-manager companies here. Sure, the companies promise to keep your passwords safe, but they could update their software to capture your passwords, or a massive security hole could open your passwords to attack. The companies are audited for security, but what if they turned bad?
Sure, that's a risk. You trust your password manager like any other application you use. The same is true for any application on your PC or most browser extensions: They could spy on you and phone home, reporting your passwords, credit card numbers, and communications to someone else.
But that hasn't happened yet. These are reputable companies in the business of security. It's probably more dangerous to install random browser extensions (many of which get full access to everything that happens in your browser and could phone home with those details) than store your passwords in a password manager.
We Use Password Managers and Recommend Them
We follow our own advice and use password managers like 1Password and LastPass here at How-To Geek, too. The password managers built into browsers like Chrome and Apple's Safari are getting better, but they just aren't as powerful or fully featured yet.
On top of the safety, password managers offer many convenience benefits. You can easily share your passwords with a friend, family member, or coworker. You can automatically fill those passwords on mobile without typing them in, even on an iPhone or iPad. Password managers like 1Password and LastPass provide alerts if any of the passwords you're using have been breached in an attack and recommend passwords you should change. It's a big improvement over trying to keep track of all your passwords without any help.