Are Password Managers Safe?

• in categories: advice • by: Michelle Balestrat

With a recent hack compromising the cloud password manager service LastPass, and vulnerabilities discovered in AgileBits’ popular iOS/OS X manager 1Password, it’s natural to wonder: can I trust them?

And when it comes to storing your passwords, how much risk is too great?

(Image: a security guard travels down an elevator; from behind, the back of his shirt reads ‘Security’ in big bold letters.)

While it’s easy to cry “Duh, any risk at all!”, remember that the use of any app requires a certain level of trust in the developers (yes, even ‘Hay Day’… we’re sorry folks).

This risk hinges on a number of factors, including the origin of the app, how it sends and receives information, and many other key ingredients.

With the major password managers, the first of these criteria (where the app comes from) is far less of a concern than the second: what happens to your data?

It’s of course in a password manager development team’s best interest to ensure the safety of their users’ data – a serious compromise (think: a mass spillage of crackable passwords) in this arena would undoubtedly spell the end of the company.

Motives aside, it helps to know how these major players in the password manager game are actually conducting business. For the most part, they’re fairly happy to spell out what they do (and don’t) keep on their servers.

Here’s what they have to say for themselves:

AgileBits

“We’ve worked hard to make sure 1Password is incredibly secure. Your data file is encrypted with an exceedingly secure encryption algorithm called AES-256. Even if someone were to break into your cloud service and acquire a copy of your data file, it would be extremely difficult (approaching impossible in a human lifetime) for them to actually gain access to your passwords without knowing your Master Password. And here’s the catch: your Master Password isn’t actually stored in your vault where an attacker can find it. In fact, it’s not stored anywhere at all. That’s the reason why we can’t recover it for you if you ever forget it.”

(Source)

LastPass

“We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database. In layman’s terms: Cracking our algorithms is extremely difficult, even for the strongest of computers.”

(Source)

This sounds reasonable, and (hopefully) a lot more promising than many other apps you make use of daily.
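To make the LastPass description above concrete, here is an added Python sketch of the split it describes (my illustration, not LastPass’s code): the client derives both a vault key and a separate authentication hash from the master password, and the server keeps only a salted, slow re-hash of the latter, so a stolen server record contains neither the vault key nor the value the client sends. The username-as-salt detail, the exact form of the extra round, and the user and password are assumptions or constructed values, marked in the code.

```python
import hashlib
import hmac
import os

# Iteration counts as quoted from LastPass above; key length matches AES-256.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000
KEY_LEN = 32

def client_derive(username, master_password):
    """Client side: master password -> (vault_key, auth_hash).

    Assumed (the quote does not say): the lower-cased username is the salt of
    the first stage, and the 'another round of hashing' is one PBKDF2 round
    keyed by vault_key with the master password as salt.  vault_key stays local.
    """
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    username.lower().encode(), CLIENT_ROUNDS, KEY_LEN)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key,
                                    master_password.encode(), 1, KEY_LEN)
    return vault_key, auth_hash

def server_enroll(auth_hash):
    """Server side: store only a per-user random salt and a slow hash of auth_hash."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS, KEY_LEN)
    return {"salt": salt, "hash": stored, "rounds": SERVER_ROUNDS}

def server_verify(record, auth_hash):
    """Re-derive from the presented auth_hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"],
                                    record["rounds"], KEY_LEN)
    return hmac.compare_digest(candidate, record["hash"])

def demo():
    """Constructed user: what a stolen server record does and does not contain."""
    vault_key, auth_hash = client_derive("alice@example.com", "correct horse battery staple")
    record = server_enroll(auth_hash)
    _, wrong_auth = client_derive("alice@example.com", "correct horse battery stapler")
    return {
        "login_ok": server_verify(record, auth_hash),
        "wrong_password_rejected": not server_verify(record, wrong_auth),
        # Neither client-side secret appears anywhere in the stored record.
        "server_lacks_vault_key": vault_key not in record.values(),
        "server_lacks_auth_hash": auth_hash not in record.values(),
    }
```

Because the server never sees `vault_key`, even a full copy of its database leaves an attacker with a 100,000-round hash of a 5,000-round hash to grind through per guess, which is the “useless without a house full of mining rigs” point the article makes below.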

So, while your passwords themselves might be really tough to crack, isn’t a password manager just creating a single point of failure? Just hack it, and you’ve got the keys to an entire online identity! (Right?)

Well, it’s the first part of that sentence that’s much easier said than done. And what if the keys you’ve stolen are essentially useless without a house full of Bitcoin-mining rigs to brute-force them?

That’s exactly the situation when hackers steal information from password manager apps.

There are certain situations that are a disaster for your security, whether or not you use a password manager. If you’re infected by malware with the ability to record your keystrokes, your passwords are in big danger, full stop.

Whether you’re a World Memory Champion and keep unique, random passwords for every single website stored in your mind alone, or you simply let a manager like LastPass do it for you, your passwords will be captured regardless. In this case, you haven’t increased your security by refusing to use a password manager!

What can you do?

Isn’t a “single point of weakness”, if it’s highly secured, preferable to multiple points of weakness – sticky notes on your desk, weak passwords, the same password for everything – that make it dead easy to get hacked?

However, there are steps you can take if you want to further strengthen the security of your password manager. Here are some tips that can help you optimize your usage habits for maximum security.

1) Don’t store all your passwords inside your vault.

Now that the pressure is off and you can dole out most of your passwords to your manager software, try to keep just a handful of the most important ones in your head.

Good candidates for memorisation are the passwords that might be cumbersome to place in a password manager, such as your Internet Banking login, Dropbox account (if you use it to sync your password vault), and computer login password.

2) Backups are key.

If your password manager isn’t the cloud-enabled type and your vault lives on your hard drive, it’s very wise to back it up somewhere secure.

Preferably, you’ll have more than one backup, but aim to have at least one reliable second copy, either on an external hard drive or on a cloud backup account.
