Amer Owaida, Security Writer at ESET explains that a password manager can make your digital life both simpler and more secure. Are there any downsides to relying on software to create and store your passwords?
Recently we commemorated World Password Day with an article that dealt with five common mistakes to avoid when it comes to passwords. And although password protection can be considered a cornerstone of our digital existence, we rarely give it deep thought. Nothing drives that point home more than the annually compiled lists of the most-used passwords, which have ranked 12345 and password among the most-common choices year after year.
Our preference for flimsy passwords can be partly attributed to our use of a gazillion different services, which – unless you connect everything to your Google or Facebook account – often implies creating a new account. On the other hand, if you do have multiple complex passwords, they may prove difficult to remember. So, you opt to recycle the same simple password, since you’re thinking: where is the harm? Well, if a hacker breaks a recycled password, then your accounts may become an all-you-can-eat breakfast buffet for the attackers.
This is what a password manager – an application specifically designed to store your login details in an encrypted vault and to generate complex passwords for you – can help you avoid. By making it supremely easy to create, save and autofill a unique and strong password for each of your online accounts, this ‘digital safe’ can be an effective solution to your conundrum. All you need to remember is a single password called ‘master password.’
Types of password managers
Most popular password vaults function as cloud applications that can be accessed through a browser. Regardless of your password manager of choice, you’ll have to create one strong master password that will protect all your stored credentials used to access the different services you use; so be very careful about your choice. In the case of a cloud-based manager, this is part of creating an account.
The manager will then take it from here. You can add all your existing accounts to it and when you sign up for new services, you can either use your own passphrases or it will use a built-in generator to create randomized, long, and secure passwords. Once you want to sign into any of the services that you use, the password manager automatically fills in your credentials and you’re all set.
If you have an issue with trusting cloud-based applications with your passwords, you can opt for a locally hosted vault, which will store everything on your device. In fact, you can choose from a number of open-source options, which provide a lot of the functionality of their cloud competitors, albeit often in a more modest design package. But what these apps may lack in aesthetics, they make up for in features.
Another option that you can go for besides cloud-based and open-source solutions are the managers that are included in reputable endpoint security suites and represent a suitable option to help you manage and secure your login credentials.
The pros and cons of using a password manager
There are various types of password managers to choose from, with cloud-based options being among the most popular. The added benefit of them using the cloud is having access to your passwords from anywhere. Most of the popular brands (1Password, Dashlane, LastPass, etc.) offer apps for your smartphone, so if you use multiple devices (which most of us do), then cloud-based services will sync all your passwords across all devices. Some even have desktop options and browser plug-ins, so they have all of the bases covered.
When it comes to subscriptions, the basic set of options is offered for free. If you find those lacking, you can always pay for one of the more premium tiers, which usually include more settings and added security features.
As convenient as all of this sounds, it comes with one caveat. You’re putting all your eggs in one basket, as it were; and some online password managers have faced their share of problems in the past. A few months ago for example, researchers found security flaws in a number of popular password managers: some Android versions of their apps were found to be susceptible to phishing attacks, while others allowed endless attempts at entering the master PIN.
It is important to keep in mind that since your data is stored on a server, in case of a breach or a successful hack, cybercriminals can download the information in bulk and your account may end up in that data trove. Should this happen, you are dependent on the operators of your chosen service having properly implemented strong encryption and on the strength of your master password; keep in mind that it guards the gate to most of your digital life.
As with any service, do your due diligence and read through the cybersecurity blogs and reviews from reputable independent testing organizations to see if the password manager of your choice has had any reported vulnerabilities recently. You should also thoroughly read through and understand and act upon all the security measures that the service has put in place to secure your passwords and accounts.
When it comes to the locally installed open-source applications, some are able to generate passwords that cater to the specific requirements a site has for their creation. KeePass, for example, also has the nifty option of running straight from a USB. With open-source applications such as KeePass, you can also search for professional security audits of the core encryption and security function code.
Some things that might seem like drawbacks in password managers that store everything locally may actually add security. Since the codes are stored on a specific device, you may not have the option to sync them across all your other devices, but for a cybercriminal to gain access to them, they would have to target you specifically; this makes their job all the more difficult to perform. One of the ways they can access your passwords is by compromising your device by installing a keystroke logger. That makes the case for password managers included in endpoint security solutions, which are specifically designed to protect you from such threats.
On the other hand, you have to keep in mind that if you lose the device or it malfunctions, you may lose access to all your passwords that were stored on it. So, always keep a backup at hand, you never know when you’ll need it. That applies to locally installed open-source solutions as well; losing a device should be less of a problem with a cloud-based solution since you can still access your passwords from another device.
Final thoughts
Although most of us have similar needs when it comes to managing our digital lives, there may be minute differences in our preferences. So, you need to be aware of which option suits your requirements the best. There are at least a few questions you should answer for yourself when choosing a password manager:
- How does the service you’ve chosen store your data?
- If something happens to your device, is the data recoverable?
- Are there any additional security options you can activate to boost protection?
Be sure to choose your password manager carefully and avoid the common mistakes we mentioned at the beginning of the article when you’re creating your master password. For extra security, you can also add an extra authentication factor for all your valuable online accounts, or even for the password manager itself.