Starting from recent data breach cases, this article examines the pros and cons of using Password Managers: data storage and encryption, productivity features and added security features. It closes with a security practitioner's view of the risks and benefits, recommending good cyber hygiene and looking at alternatives that reduce the impact of a data leak.
On December 22, 2022, the LastPass CEO published a notification of a security incident.
According to the notice, the threat actor could “target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts” if it managed to make use of the exfiltrated data.
LastPass is not alone: Dashlane, 1Password and other Password Managers have also had security incidents of their own. Are these companies not taking sufficient security measures? Or is the managed-password lifestyle inherently insecure? And what are the alternatives for keeping so many passwords safe without losing them?
These questions are the focus of this article, which aims to help you make an informed choice before adopting any Password Manager.
One Password to Rule Them All
The demand for password management is growing, and it is legitimate. As companies build more complex online offerings and more diverse content, they want closer contact with their customers, and the way to get it is to have them sign up for an account. Access to apps, games, discounts and every tailor-made service imaginable therefore requires a username and a password, and the number of credentials a person has to keep grows quickly.
The promise of one password keeping hundreds or thousands (or hundreds of thousands) of others safe sounds too good to be true; yet it is the promise on which Password Managers built a market worth, depending on the source, approximately 1 billion or more.
Yet the regular cadence at which data breaches occur among Password Managers should have raised scepticism among users by now. Scepticism and distrust are indeed present among both users and reviewers, yet the product category proves resilient.
In order to understand the features and limitations of Password Managers, we must first summarize their mechanics. The average Password Manager offers three main groups of features:
- Data Storage and Encryption: whether for credentials or files, Password Managers offer, first and foremost, encryption of data. Usernames and passwords are encrypted and stored in a database that the user unlocks with a single credential, the master password. In the usual design the master password is not stored anywhere; it is stretched by a key derivation function into the key that encrypts the database, typically on the user's own device, so whoever obtains the database without the master password obtains only ciphertext. This way, in theory, remembering the master password is sufficient to reach every other password stored. As Password Managers mature, so does their ability to organize entries by website, by user-defined labels or even by AI-defined categories, reducing friction and speeding up the process of saving or retrieving the intended credential.
- Productivity Features: mainly auto-fill and cloud backup/synchronization. Auto-fill lets the Password Manager enter credentials automatically once a website or app asks for a login; cloud sync/backup keeps the password database up to date on every device the user owns. Both features significantly reduce the time and friction of using passwords. Still, they are the main security concern for users: sync means a copy of the encrypted database lives on the provider's servers rather than only on the device, and auto-fill needs extra permissions for the Password Manager (clipboard access, visibility into web activity and so on) and must decide on its own whether the page in front of it is really the one the credential was saved for.
- Added Security Features: multi-factor authentication and dark-web leak monitoring are just two of the features the best-known vendors layer on top of the Password Manager itself. They usually round out the offering and target premium subscribers.
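The decision auto-fill has to make before releasing a credential, as an added example that is not code from the original article or from any vendor: the `should_autofill` helper and the `*.example` URLs are constructed for illustration. The check is deliberately strict, same scheme, same port and the same host the credential was saved for, and rejects the lookalike hosts, userinfo tricks and HTTP downgrades that phishing pages rely on.

```python
from urllib.parse import urlsplit


def should_autofill(saved_url, current_url, allow_subdomains=False):
    """Decide whether a credential saved for saved_url may be filled on current_url.

    Strict by design: same scheme, same port and the same host, or a subdomain
    of it only when the vault entry explicitly opts in.
    """
    saved, current = urlsplit(saved_url), urlsplit(current_url)

    # Never release a credential to a plain-HTTP page; anyone on the path could read it.
    if current.scheme != "https":
        return False
    # "https://shop.example@evil.example/" parses with hostname evil.example, but any
    # userinfo in a page URL is itself a red flag, so refuse it outright.
    if current.username is not None or current.password is not None:
        return False
    if saved.port != current.port:
        return False

    saved_host, current_host = saved.hostname, current.hostname
    if not saved_host or not current_host:
        return False
    if current_host == saved_host:
        return True
    # "shop.example.evil.example" does not end with ".shop.example", so the
    # suffix test rejects it even when subdomains are allowed.
    return bool(allow_subdomains and current_host.endswith("." + saved_host))


if __name__ == "__main__":
    saved = "https://shop.example/login"  # constructed, not a real site
    for url in ["https://shop.example/account",
                "http://shop.example/login",
                "https://shop.example.evil.example/login",
                "https://shop.example@evil.example/login",
                "https://login.shop.example/"]:
        print(url, should_autofill(saved, url))
```

Real products decide subdomain matching with a public suffix list so that a credential for `user.github.io` is not offered to every other `*.github.io` site; here subdomain matching is simply opt-in per entry, which is the safe default when no such list is available.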
Now that we have a clear picture of how Password Managers work, we can look more closely at the stronger and weaker aspects of their offering.
Bright and Dark Sides of Password Managers
The features above can bring a lot of value or a lot of trouble depending on how you use them. When evaluating the usefulness of a Password Manager, start from the tasks they get right:
- They generate stronger, unique passwords that you could never produce on your own, and they store them more securely and more accessibly than you could. It is fair to say that a Password Manager saves you time on an unavoidable task.
- They increase productivity. Saving a few seconds every time you enter a password adds up over a day, especially now that most users own at least two devices and need the same passwords on both of them seamlessly.
- They improve your security posture by letting you remember one password instead of hundreds. Less chance of forgetting a password means less chance of being locked out of a platform at a critical moment. Unless you have a dedicated plan for storing your passwords securely in a file, keeping them in the cloud also adds a layer of separation, as your passwords are stored apart from your other data.
This last statement, in particular, cannot be taken as an absolute truth; in fact, the risks you should consider when relying on a Password Manager include the following.
Cons of using Password Managers:
- Password Managers can become your single point of failure. If the Password Manager suffers a breach or you forget the master password, all the stored passwords and other sensitive information become inaccessible or, worse, stolen. Note what a provider breach actually exposes: the encrypted database, which an attacker can then attack offline at leisure, so the only things standing between the attacker and your passwords are the strength of your master password and the work factor of the key derivation. Putting all your eggs in one basket was never anyone's best security practice.
- Password Managers raise privacy concerns. As with many other web services, you are relying on a third party to handle some of your data: the websites you have accounts with, your payment details, your login data and device information. You are, in essence, depending on a third party for more than one aspect of your web activity, which leads to the next point:
- Password Managers do get breached, as they sit in the bullseye of many malicious actors. Relying on them as a third party can be a considerable concern, particularly if you handle special categories of data or if security is your main focus.
So how do you weigh these pros and cons, and what is a security expert's opinion on this very debate? The answer follows in the next section.
A Security Expert's Verdict on Password Managers
At the beginning of this article, I quoted LastPass' notification of the security incident. In the same notification, the CEO stated that it would take “millions of years to guess your master password”, as long as users had followed the default master password requirements.
This statement is accurate with one condition attached. The encryption Password Managers apply renders the stolen data gibberish that would take enormous computing budgets over centuries to decode, provided the master password is strong: a stolen database can be attacked offline, with no lockout and no rate limit, at whatever rate the attacker's hardware and the key derivation work factor allow, so a short or guessable master password turns “millions of years” into minutes. Furthermore, prompt breach notification lets you re-secure your data and rotate passwords long before they are used. A data breach is a cause for concern mainly when it is not properly addressed, and providers in this area are doing their best to be transparent.
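The storage-and-encryption mechanics summarized earlier and the “millions of years” claim above, shown in one added example that is not code from the original article or from LastPass or any other vendor. The vault is encrypted client-side with a key stretched from the master password, and the attacker is then simulated holding only the stolen blob. Assumptions: the iteration count `KDF_ITERATIONS` is a demo value (the article gives none), HMAC-SHA256 in counter mode stands in for a real authenticated cipher such as AES-GCM so that the example runs on the standard library alone, and the entries and wordlist are constructed.

```python
import hashlib
import hmac
import json
import os

# Assumed work factor for the demo; vendors choose their own and the article gives none.
KDF_ITERATIONS = 100_000


def derive_keys(master_password, salt, iterations):
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key.
    The slow KDF is what makes each offline guess against a stolen vault cost something."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a standard-library stand-in for a real cipher
    such as AES-GCM, used only so the example runs without third-party packages."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password, entries, iterations=KDF_ITERATIONS):
    """Client-side encryption of the vault. Only this blob ever leaves the device;
    the master password does not, so a server breach yields ciphertext plus the KDF salt."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt, "nonce": nonce, "iterations": iterations,
            "ciphertext": ciphertext, "tag": tag}


def open_vault(master_password, blob):
    """Return the entries, or None when the password is wrong or the blob was tampered with.
    The MAC is checked first, so a wrong guess never yields garbage plaintext."""
    enc_key, mac_key = derive_keys(master_password, blob["salt"], blob["iterations"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    keystream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return json.loads(bytes(c ^ k for c, k in zip(blob["ciphertext"], keystream)))


def offline_guess(blob, wordlist):
    """What an attacker holding a stolen blob does: try candidates locally, with no
    server, no lockout and no rate limit. Only the KDF cost and the strength of the
    master password limit how far down the wordlist the attacker gets."""
    for guess in wordlist:
        if open_vault(guess, blob) is not None:
            return guess
    return None


def years_to_exhaust(charset_size, length, guesses_per_second):
    """Time to try every password of the given length drawn from charset_size symbols."""
    return charset_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    entries = {"shop.example": ["alice", "correct horse battery"]}  # constructed, not real
    wordlist = ["password", "123456", "qwerty", "letmein"]  # constructed stand-in for a real list
    weak = seal_vault("letmein", entries)
    strong = seal_vault("Tq9#vLm2!zRp8wXe", entries)
    print("weak master password recovered:", offline_guess(weak, wordlist))
    print("strong master password recovered:", offline_guess(strong, wordlist))
    # 8 lowercase letters vs 12 printable-ASCII characters, 100k guesses/s
    print(years_to_exhaust(26, 8, 1e5), years_to_exhaust(95, 12, 1e5))
```

The iteration count is the dial behind the guesses-per-second figure: every guess costs the attacker one full KDF run, so lowering it lets the same hardware try proportionally more candidates per second, while the `years_to_exhaust` figure for a long random master password stays out of reach at any realistic rate.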
Nothing prevents you, on the other hand, from using more than one Password Manager. Locally handled ones, such as KeePass, lack many of the advanced features that premium services offer, but they are an inexpensive and secure way to split the risk and keep your most confidential credentials closer to the chest.
As a general habit, generating secure passwords, keeping them updated, and keeping an eye on expired credentials and unused subscriptions leads to better cyber hygiene. You must always be aware of the potential impact of a data breach on your security posture and legal compliance, but these factors may weigh less heavily than they first appear.
Conversely, how would your productivity suffer if you had to use unmanaged passwords? And what would your security posture be if, to avoid losing them, you ended up using similar, if not identical, passwords everywhere?
Single Sign On and Managed Sign On can address this, but the “single point of failure” issue remains with those options too.
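The hygiene check the previous paragraphs call for, as an added example that is not code from the original article or from any vendor: an audit of a vault for identical passwords, near-identical ones (the `Winter2021!` to `Winter2022!` pattern that simple mutation rules in a credential-stuffing run will catch) and entries that have not been rotated. The `SAMPLE_VAULT` entries are constructed, the helper names are mine, and the 0.8 similarity threshold and 365-day age limit are assumptions to tune.

```python
from datetime import date
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample vault; these are not real accounts or passwords.
SAMPLE_VAULT = [
    {"site": "shop.example",  "user": "alice", "password": "Winter2021!",    "updated": date(2021, 1, 10)},
    {"site": "forum.example", "user": "alice", "password": "Winter2021!",    "updated": date(2021, 3, 2)},
    {"site": "bank.example",  "user": "alice", "password": "Winter2022!",    "updated": date(2022, 1, 5)},
    {"site": "mail.example",  "user": "alice", "password": "q7#Lp2v!Zr9mXe", "updated": date(2022, 11, 20)},
]


def reused(vault):
    """Groups of sites sharing an identical password: one leak there is a
    credential-stuffing hit on every other site in the group."""
    by_password = {}
    for entry in vault:
        by_password.setdefault(entry["password"], []).append(entry["site"])
    return {tuple(sorted(sites)) for sites in by_password.values() if len(sites) > 1}


def near_duplicates(vault, threshold=0.8):
    """Pairs of sites whose passwords differ only slightly; identical pairs are
    left to reused(). The similarity ratio is difflib's 2*matches/total length."""
    found = set()
    for a, b in combinations(vault, 2):
        if a["password"] == b["password"]:
            continue
        if SequenceMatcher(None, a["password"], b["password"]).ratio() >= threshold:
            found.add(tuple(sorted((a["site"], b["site"]))))
    return found


def stale(vault, today, max_age_days=365):
    """Sites whose password has not been rotated within max_age_days."""
    return {e["site"] for e in vault if (today - e["updated"]).days > max_age_days}


def audit(vault, today):
    """Run all three checks; the caller decides which findings warrant a rotation."""
    return {"reused": reused(vault),
            "near_duplicates": near_duplicates(vault),
            "stale": stale(vault, today)}


if __name__ == "__main__":
    for finding, sites in audit(SAMPLE_VAULT, date(2023, 1, 1)).items():
        print(finding, sorted(sites))
```

Run against a real export, the three sets are the rotation list: anything in `reused` or `near_duplicates` should get a fresh, generated password first, since those are exactly the entries a leak elsewhere turns into a foothold.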
We have examined the pros and cons of using Password Managers: data storage and encryption, productivity features and added security features. We have also looked at their limitations and at the several data breaches that have occurred and their impact on users. Password Managers have not solved the “single point of failure” problem over the years, yet they have improved productivity and security in many respects. Since no alternative offers the same benefits without any of the limitations, they are products worth considering, if only because they guide you towards the habit of managing your credentials.