Do Password Managers Help or Hurt Security?
There has been some publicity lately about risks in password managers. A report by Independent Security Evaluators noted some cases where they leave passwords in memory. Malware in a computer could find and steal them.
Does this mean a password manager makes passwords less safe? Not for most users. If you can devise really strong passwords and remember them without storing them or writing them down anywhere, that's the safest approach. For most users, though, the benefits far outweigh the risk.
Why a password manager helps
A good password is long and hard to guess. Unfortunately, that generally means it's also hard to remember. Memorizing a lot of good passwords is still harder. Most people will respond by re-using their passwords, creating easy ones, or writing them down. All of these approaches are risky. If you use a password for multiple sites and it's stolen, the thief will try it on other sites which you may use. People can see or grab written copies, and simple, short passwords are vulnerable to guessing.
A password manager requires you to memorize just one long and difficult phrase. That's something most people can do. A good one stores passwords securely, so that even someone who breaks into your computer can't easily discover them. With a cloud-based service, you have access to your passwords from anywhere.
You don't have to memorize them, so you can make them as complicated as you like. You should keep a copy of them somewhere, just in case the password manager fails, but you won't need it often. The list can go in a locked box.
The risks in context
This approach does involve some risk. It's an "eggs in one basket" solution; someone who gets the master password gets access to all your passwords. You need to make it extremely hard to guess and guard it carefully. Use two-factor authentication if it's available, so you'll have some safety even if someone steals the password.
The flaws mentioned by the ISE report aren't easy to exploit. They don't affect a computer which isn't already infected. Even if there's malware present, it has to know what to look for. There don't seem to be any actual exploits of these weaknesses so far. As the creators of the tools discover problems, they'll fix them.
It's important to choose a reliable password manager. One from a no-name publisher is apt to be riddled with security problems. It could even be spyware, stealing your passwords as you enter them. Make sure to use a tool with a top reputation.
The very safest way?
The surest way to keep risks to a minimum is to devise a long, complicated password for each account, memorize it, and never enter it except when logging in. If you can do that, congratulations. Most people can't manage it. The next best answer is to write down complicated passwords and guard the list carefully. This has its own risks, especially in an office where strangers may pass through. The worst approach is to use easy passwords or use the same one everywhere. Those are easy targets for thieves.
It can be a good idea to withhold the very most important accounts from the password manager and rely on memory for them. That means just a handful of passwords to memorize and a bit more peace of mind about critical accounts.
For most users, a good password manager improves security significantly. Everything has some risks, and the point is to weigh them all and choose an approach that keeps them low. We can help you with managed networks and security, so you can make the best choices. Give us a call to learn more.