Are password managers safe? Security is a concern whenever you’re dealing with sensitive data, especially when all of that data is going to one place, with one company. Sure, you could go crazy and split your passwords among different password manager apps or just write them all down by hand…but there is a better way. You can have confidence that password managers are safe, and this is how.
As we become more digitally engaged, we have tons of passwords to remember. And since it’s almost impossible to follow all the best practices for passwords, people have started using good password manager apps to secure themselves.
Password managers are your digital gatekeepers. They are convenient little apps that help you create stronger passwords and then securely store them for you to use.
But isn’t that just putting all your eggs in one basket? If one app stores all your important passwords, what if that app gets hacked? How can you trust the company?
These are valid concerns. So how can we confidently answer the question Are password managers safe? Let’s take a look.
Fact: No Security Measure is Foolproof
Let me be blunt: if you’re relying on a single piece of software or a single strategy to secure yourself online, you’re setting yourself up to be disappointed and possibly hacked. No single security software is foolproof…and that includes password managers.
But as security researcher Troy Hunt has noted, “Password managers don’t have to be perfect, they just have to be better than not having one.”
If you visit a construction site, you’re advised to wear a safety helmet. It won’t protect you from ALL accidents but it is still better than not wearing a safety helmet at all.
There are still hundreds of thousands of people online who secure their accounts with the word “password” as their password. Having a strong password, even if you’re using software that could potentially be exploited, is still better than nothing.
Password Managers Can and Have Been Hacked
In February of this year, a security report by independent consulting firm ISE disclosed flaws in the security of major password manager apps. Alarming, right?
All the password manager apps studied by the researchers have the same basic functionality. They are meant to:
- Help create strong passwords,
- Store those passwords (often in the cloud on their servers),
- Lock the passwords behind a vault that can only be opened by a master password, and
- Auto-complete online forms.
The report evaluated how Dashlane, 1Password, LastPass, and KeePass behave on Windows 10. The findings suggest that some passwords were left exposed in memory even when the password manager app was in locked mode.
In some cases, even the master password stayed in the computer’s memory, and in plaintext at that. The master password is the key to the password vault, which means that if it’s stolen, all passwords are stolen.
Unfortunately, these haven’t been isolated incidents. Consider the following:
- In 2015, LastPass faced an attack that exposed email addresses and security information of users.
- In 2017, OneLogin was attacked and customer data was leaked. The user data stored in their US datacenters was affected.
- That same year, a vulnerability in the Keeper browser plugin was disclosed. This vulnerability allowed attackers to steal any password from the vault. Keeper sued the reporter for publishing the report. While they fixed the bug before it affected any customer, suing the reporter did not help their reputation.
I’m not going to sugarcoat it…this looks bad. And it looks bad because it is bad.
But as I’ve mentioned earlier, the fact that password managers aren’t perfect is not a reason to stop using them altogether.
You Should Still Use a Manager App…Here’s Why
Even though there are some security flaws in password managers, as in all technologies, using them is often better than not using them. It’s good to ask whether password managers are safe, but it’s also good to understand their advantages.
Password managers do a number of things to improve your password hygiene. For example, they:
- Force you to create new passwords: Instead of reusing all your old passwords, you have to create new ones. Any good password manager app will alert you if you’ve used the same password too many times.
- Force you to create stronger passwords: This means long passwords (12+ characters) that include letters, numbers, symbols, etc. Usually, we don’t do this on our own.
- Remind you to use 2-factor authentication: Good password manager apps can tell you which online logins offer 2-factor authentication (2FA) and give gentle reminders to make use of the 2FA feature.
These reasons alone are often worth the price of a password manager (even though you can do both for free).
However, there is one method I use that allows me to use my password manager app with complete confidence. It’s one of my favorite security hacks that I’d like to share with you.
#1 Ultimate Password Manager Hack to Secure Against Hacking!!
What I’m about to share with you is a hack known as the double-blind password hack. I go into more detail at that link, but I’ll quickly walk through it here.
Trust me – it’s worth sticking around and reading this, especially if you’ve been asking yourself, Are password managers safe?
But first, as with any life hack, it only works if you’re already covered on the basics. What I mean is this:
- You’re already using a good password manager: I use and have already published a review of 1Password, which has been my favorite among many. They offer a 30-day money back guarantee, so you can try them risk-free yourself.
- You already use 2-factor authentication: This is a no-brainer, but it bears repeating. If your password manager offers 2FA, use it. If any important online login (i.e. bank, social media, investment accounts, etc.) offers 2FA, use it.
- You already have a strong master password: Please don’t negate the power of a password manager by securing it with a dumb master password. If you need help, take a cue from my guide on creating a super-secure password.
Ok, with that out of the way, here’s an explanation of the double-blind password strategy:
I’m going to use my bank as an example. When I set up the password for my online banking, I asked my password manager to create a complex password that was 12 characters long.
I copied that into the password creation box, but I didn’t stop there. I added 4 more characters (my “unique key”) that only I know to the end of the password, making it a total of 16 characters long.
Password Manager (12 characters) + Personal Touch (4 characters) = True Password (16 characters)
Hopefully I haven’t lost you here. Basically, what I’m doing is adding a personal password that only I know to the end of the password my manager app gave me.
In the end, when I log in to my account I ask my password manager to auto-fill the stored password and then I add my 4 characters to the end.
Here’s why this is genius: It doesn’t matter if somebody hacks into my password manager app and steals all my passwords. Unless they know these extra four characters that I always type in to the end of my stored passwords, the data in my password manager app is worthless!
In the end, I get the benefits of a password manager app as well as the confidence that I’m really secure. It doesn’t matter if you’re using Dashlane or 1Password, it works either way.
This takes a little time to implement, but if you’re truly worried about the security of your password manager, this hack is the way to go.
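The following is an added illustration of the double-blind scheme described above (it is not code from the original post or from any password manager). It models three parties: the manager, which generates and stores only the 12-character part; the user, who appends a constructed 4-character unique key; and the site, which stores a salted hash of the full 16-character password. The names and the PBKDF2 parameters are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed stand-in for a manager's generator: what the vault would store.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate_vault_password(length: int = 12) -> str:
    """Generate the part of the password that lives in the vault."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def true_password(vault_part: str, unique_key: str) -> str:
    """Password actually submitted to the site: vault part + user-held suffix."""
    return vault_part + unique_key


def site_register(password: str) -> tuple[bytes, bytes]:
    """Site side: store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def site_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Site side: constant-time comparison against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def demo(unique_key: str = "q7!Z") -> dict:
    """Show what a stolen vault entry is worth on its own (constructed run)."""
    vault_part = generate_vault_password(12)      # the only thing the vault holds
    full = true_password(vault_part, unique_key)  # what the user really types
    salt, digest = site_register(full)
    return {
        # An attacker holding the vault entry tries it as-is: rejected.
        "vault_only_works": site_verify(vault_part, salt, digest),
        # The legitimate user appends the unique key: accepted.
        "full_password_works": site_verify(full, salt, digest),
        "true_length": len(full),
    }
```

Because the same 4-character key is appended to every stored password, this protects against a stolen vault, not against a single site leaking the full password in the clear. Treat the key like a second master secret and never store it alongside the vault.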
Final Thoughts | Are Password Managers Safe?
Overall, I recommend using a password manager such as 1Password. For most people, it’s a huge improvement over their current password strategy and forces them to think harder about how they secure themselves online.
Are password managers hack-proof? No.
Are password managers safe? The answer is invariably yes.
Better yet, if you use 2-Factor Authentication on top of the awesome hack I shared with you above, you’ll set yourself up to be more secure than probably 95% of the online population right now. Trust me – hackers would rather grab the low-hanging fruit than deal with someone like you.
What do you think? Would you still use a password manager after hearing about the potential security flaws?