Nowadays, practically every service or website requires you to set up an account to access their offering. All you need is two seemingly simple things: a username and a password. Username? Easy. Just use your email or some variation of your name. Password? Hmmm.
Each website has its own criteria for what it wants in a password – how can you please them all?! Creating a legitimately strong and unique password for every single account we have and THEN remembering them all is a bit of an impossible task, am I right? So people fall back on feeble practices: rotating a few weak passwords because they’re easy to remember, or creating one relatively strong password and reusing it everywhere (or tweaking it slightly to satisfy each site’s rules). The problem is that passwords leak. When one site is breached, attackers take the dumped credentials, plus the obvious variations of them, and try them against every other popular service, so one weak or reused password can hand over every account that shares it. Why bother risking it? Let a password manager do the work for you instead!
“What does a password manager do exactly?” I hear you cry. Password managers generate a very long, random and unique password for each account – and (the best part) you don’t need to commit any of them to memory, woohoo! The passwords are stored in an encrypted database (the vault) whose key is derived from a single master password – the only password you’ll actually need to remember. Long random passwords can’t be guessed by dictionary or brute-force attacks, and because each one is unique, a breach at one site can’t be replayed against the others. Not only do you not have to remember your passwords anymore, you don’t even have to type them – the password manager fills them in for you! That autofill is a phishing defence as well as a convenience: the manager saves each login against the site’s address and only offers to fill it when the page you’re on matches, so a lookalike domain that fools your eyes gets nothing from the manager. Now, I know what you’re thinking… Why on earth would I store all my passwords in one place so all my important accounts can be compromised in one go?
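Here is how the origin check behind that phishing protection works, as an added example in Python (this is not code from the original post or from any particular password manager): each vault entry is bound to the exact origin (scheme, host and port) it was saved for, and autofill only hands out a credential when the current page’s origin matches. The vault contents, hostnames and generated passwords below are constructed for the example.

```python
import secrets
import string
from urllib.parse import urlsplit

# Characters a generated password is drawn from; most managers let you tune this
# to satisfy a site's rules. The constructed example uses the full set.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """Long, random, per-site password from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def origin_of(url: str):
    """Reduce a URL to scheme://host[:port], the unit a manager binds a login to.
    Returns None for anything that is not an http(s) URL with a host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    try:
        port = parts.port or default_port      # ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.rstrip(".")          # urlsplit already lowercases hostname
    return f"{parts.scheme}://{host}" + ("" if port == default_port else f":{port}")


def credentials_for(vault: dict, page_url: str):
    """Autofill decision: hand out a credential only for an exact origin match.
    A lookalike domain, an http:// downgrade, a different port or a non-URL
    scheme gets nothing, which is what makes the manager phishing-resistant."""
    origin = origin_of(page_url)
    if origin is None:
        return None
    return vault.get(origin)


# Constructed vault: origin -> (username, password). Real managers store more
# (title, notes, TOTP secrets), but the matching logic is what matters here.
EXAMPLE_VAULT = {
    "https://accounts.example.com": ("alice", generate_password()),
    "https://mail.example.org": ("alice@example.org", generate_password()),
}

if __name__ == "__main__":
    for url in (
        "https://ACCOUNTS.example.com/login?next=%2Fhome",   # genuine: case, path and query ignored
        "https://accounts.example.com.login-verify.test/",   # lookalike: host differs
        "http://accounts.example.com/",                       # downgrade: scheme differs
        "https://accounts.example.com:8443/",                 # different port: no match
        "javascript:alert(1)",                                # not a web origin at all
    ):
        print(url, "->", credentials_for(EXAMPLE_VAULT, url))
```

The check is deliberately strict. Some managers relax it to the registrable domain (so `login.example.com` and `www.example.com` share an entry); what none of them do is fill a credential on a host that merely looks like the right one, which is exactly the trick a phishing page relies on.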
Well, you’re right… to some extent. For your stored passwords to be compromised, the attacker first needs a copy of the encrypted database file from your device and then needs your master password to decrypt it. That means the master password has to be disclosed, guessed or recovered by brute force, and a good manager runs it through a deliberately slow key-derivation function before it becomes the decryption key, so every wrong guess costs the attacker real computing time. The one thing this doesn’t protect against is malware on your device while the vault is unlocked, which is a good reason to lock it whenever you step away.
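To make the “vault file plus master password” point concrete, here is a miniature vault in Python, added as an example and not code from the original post or from any real password manager: the master password is stretched with PBKDF2 into a key, the entries are encrypted and authenticated under it, and an attacker holding a copy of the file can only try candidate master passwords one expensive key derivation at a time. The HMAC-in-counter-mode keystream stands in for AES-GCM because Python’s standard library has no AES; the wordlist, entries and master passwords are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import secrets

# OWASP's current floor for PBKDF2-HMAC-SHA256. Treat it as an assumption and
# check your own manager's settings; Argon2id is preferable where available.
DEFAULT_ITERATIONS = 600_000

# Constructed attacker wordlist: the kind of guesses a cracker tries first.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2024!", "P@ssw0rd"]


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key. The cost is paid once per
    unlock by the owner and once per guess by anyone attacking the file."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _subkeys(key: bytes):
    # Separate keys for encryption and authentication, split from the KDF output.
    return (hmac.new(key, b"encrypt", "sha256").digest(),
            hmac.new(key, b"authenticate", "sha256").digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (the standard
    # library has no AES). A real manager uses AES-GCM or ChaCha20-Poly1305.
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal_vault(entries: dict, master_password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Encrypt-then-MAC the entries; the result is the file that sits on disk."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, iterations))
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "iterations": iterations,
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_vault(vault: dict, master_password: str):
    """Return the entries, or None if the password is wrong or the file was tampered with."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    ciphertext = bytes.fromhex(vault["ciphertext"])
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, vault["iterations"]))
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, bytes.fromhex(vault["tag"])):
        return None  # every failed guess has already paid for a full KDF run
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def dictionary_attack(vault: dict, wordlist):
    """What an attacker does with a stolen vault file: try candidates until one opens it."""
    for guess in wordlist:
        if open_vault(vault, guess) is not None:
            return guess
    return None


if __name__ == "__main__":
    entries = {"https://accounts.example.com": ["alice", "constructed-site-password"]}
    weak = seal_vault(entries, "Summer2024!", iterations=50_000)           # a human-chosen master
    strong = seal_vault(entries, secrets.token_urlsafe(16), iterations=50_000)  # a generated one
    print("weak master recovered:", dictionary_attack(weak, WORDLIST))
    print("strong master recovered:", dictionary_attack(strong, WORDLIST))
```

Run it and the human-chosen master password falls to a six-word list while the generated one does not; raising `iterations` makes every failed guess cost the attacker as much as an unlock costs you. The shape is the same as in real managers, with AES-GCM or ChaCha20-Poly1305 in place of the HMAC keystream and, increasingly, Argon2id in place of PBKDF2.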
If your password manager has been set up properly, with a long master password that isn’t used anywhere else, cracking the vault is not a realistic attack. It’s much more likely that a website you use has been compromised and your weak password cracked (and subsequently used to access your other accounts) than that someone breaks into your password manager. The other risk is a previously unknown vulnerability in the password manager itself, like the one recently discovered in LastPass which allowed the last set of credentials used to be extracted. That bug affected only the Chrome and Opera browser extensions; it was reported by a Google security researcher and promptly fixed by the LastPass team. Some password managers, LastPass among them, run an open bug bounty program, which gives security researchers an incentive to test the application and report what they find, so bugs are identified and fixed quickly rather than sitting around for attackers to use.
Yes, vulnerabilities are discovered from time to time in password managers, but this shouldn’t discourage you from using one. Password managers are still WAY more secure than the alternative of not using one at all, not forgetting that they make security easier and more convenient for the everyday user. If security (or any task, for that matter) is difficult and tedious, users tend to find a way around it, therefore weakening their overall security posture. Life is always easier when you get someone else to do it for you, so why not take the leap with your passwords too? (Also, did anyone count how many times we said the word password?!)