- How do password managers work?
- Assessing the security of a password manager
- Password Creation
- Password Protection
- Personal Data Protection
- Access Security
- Access Recovery
- Exporting Data
- Product Updates
- Browser Support
- Device Support
- Are password managers secure?
- Am I using the best password manager?
- Resources and further advice
How do password managers work?
Password managers simply store your login usernames and passwords in a central, secure repository. This may be stored locally on a device or remotely in a cloud-based location. Accessing the password manager will require remembering a complex password, but at least you now only need to remember one. There are some great tricks for choosing and remembering complex character strings.
Assessing the security of a password manager
There are many different password managers available, and the best one for you will depend on your exact personal circumstances, how you use passwords and what types of devices you use. When it comes to how secure each product is, there are many different factors to consider:
Your password manager must be set up correctly to be secure, so usability is a critical factor. A misconfigured product is worse than having no password manager at all, as you have gone to the effort of collecting all your passwords into one place and then left them vulnerable to theft. It is also essential that the password manager is easy to use; otherwise you may well be tempted to use shortcuts or workarounds if the product is too slow or makes logging in too frustrating.
Is the tool user-friendly?
Password Creation
The purpose of using a password manager is to allow the user to use long and complex passwords that they don’t need to remember. It then defeats the point if the tool is used to store simple passwords that could be easily guessed or cracked in a few seconds using a dictionary attack. Ideally, the password manager should enforce complexity standards and flag up any passwords that are too simple. The password manager should also be able to automatically generate complex random passwords.
Can the tool automatically create complex passwords?
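As an added example (not code from the article or from any product it names), the following Python shows the two generation features described above: producing random passwords from a cryptographic random source with every character class represented, and flagging passwords that are dictionary words, repetitive, or too short for their character set. The word list and the 60-bit threshold are constructed values for illustration.

```python
import math
import secrets
import string
from typing import Optional

# Character classes a manager-style generator draws from.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           "!@#$%^&*()-_=+[]{};:,.?")
# Constructed, deliberately tiny word list standing in for a real dictionary.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "123456"}

def generate_password(length: int = 20) -> str:
    """Random password from the CSPRNG, with at least one char from each class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    pool = "".join(CLASSES)
    chars = [secrets.choice(c) for c in CLASSES]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG so the class-guaranteed chars sit in random positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

def entropy_bits(pw: str) -> float:
    """Upper-bound estimate: length * log2(size of the classes actually used)."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def weakness(pw: str, min_bits: float = 60.0) -> Optional[str]:
    """Return why a password should be flagged, or None if it passes."""
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        return "dictionary word"
    if len(set(pw)) <= 2:
        return "too repetitive"
    if entropy_bits(pw) < min_bits:
        return "too short or too few character classes"
    return None
```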
Password Protection
The stored passwords are only as secure as the encryption used to protect them. There are two factors to consider: the strength of the encryption used to store the passwords at rest and, if different, the protection of a password while in transit between the store and your device whenever you retrieve it for use.
The in-transit encryption process is crucial for cloud-synchronized, multi-device password managers. The product should ensure that only authorized devices can send and receive password information, safe from interception and modification. Also bear in mind that synchronization may not be possible at the moment a change is made, for example because a mobile device is locked or offline; the password information must then be securely stored until synchronization can occur.
What encryption is used for data at rest and in transit?
Personal Data Protection
It’s not only passwords that are stored; other authentication data such as usernames are also stored. Such information may also be valuable and needs protection using encryption, but not all password managers implement this.
What information is encrypted?
Access Security
As the password manager stores all your valuable authentication credentials in one place, it is essential that access to the tool itself is secure. As a minimum, the product should require a complex password and allow only a few attempts before blocking access, to prevent brute-force guessing. Ideally, the tool should have multi-factor authentication, so that even if the password is guessed or disclosed, this alone will not give an attacker access.
How secure is the logon?
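As an added example (not code from the article or from any product it names), the following Python sketches the logon criteria above: the master password is checked against a value derived with a slow key derivation function (scrypt) rather than stored directly, a TOTP code is required as a second factor, and access is blocked after a small number of consecutive failures. The attempt limit and the secrets are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time

MAX_ATTEMPTS = 5   # constructed policy: block after this many consecutive failures

def derive_key(master: str, salt: bytes) -> bytes:
    """Memory-hard KDF so offline guessing of the master password is expensive."""
    return hashlib.scrypt(master.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) used as the second factor."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class VaultLock:
    """Vault access control: master password plus TOTP, with attempt limiting."""

    def __init__(self, master: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.verifier = derive_key(master, self.salt)  # stored instead of the password
        self.totp_secret = totp_secret  # in practice verified by a separate device/service
        self.failures = 0

    def unlock(self, master: str, code: str, now: int = None) -> bool:
        if self.failures >= MAX_ATTEMPTS:
            return False  # locked out: no further guesses are evaluated
        now = int(time.time()) if now is None else now
        # Evaluate both factors and compare in constant time; the caller is not
        # told which factor failed, and either failure counts as one attempt.
        pw_ok = hmac.compare_digest(derive_key(master, self.salt), self.verifier)
        code_ok = hmac.compare_digest(totp(self.totp_secret, now), code)
        if pw_ok and code_ok:
            self.failures = 0
            return True
        self.failures += 1
        return False
```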
Access Recovery
Password managers are great until you lose access: forget the password to the password manager and you are effectively locked out of every account whose credentials it stores. The password manager should have a recovery option, should you forget the master password, that is simple enough to use when needed but secure enough that you, and only you, can use it. A common trick for attackers to gain access to systems and services is to use social engineering techniques to exploit account recovery services, especially if this process is remotely managed by a service provider.
How secure is the recovery process?
Exporting Data
If you need to export the stored credentials to a text file or in an electronic format to transfer to another device or application, how secure is the export process? Could the exported data be vulnerable to compromise? There’s no point exporting the data to re-use if you immediately need to change all the passwords anyway because you cannot be sure it is secure.
How secure is the export option?
Product Updates
Password managers are, in essence, just another application and so should be treated as such. All applications come with vulnerabilities introduced in their development process and so will require periodic updates and patches. Check how the password manager is updated and whether the process of issuing updates is secure. Given the potential value of the contents, organized attackers will invest considerable time and effort into finding ways to compromise a password manager. They may even try to trick users into installing a compromised software update containing malicious code.
How is the product updated, and is it secure?
Browser Support
One of the most common ways users store passwords for easy access is in internet browsers. The save and auto-fill functions offer a quick, easy and free route to password management, and some browsers even let you synchronize stored passwords between different devices. However, this may not be secure. Users can easily see the stored passwords with minimal security controls, and any malware that makes it onto your device, or malicious code on websites you visit, will have the same simple access. Some password managers can also auto-fill information in internet browsers and other applications. This offers the same convenience but more securely.
Does the product support auto-fill functions?
Device Support
If you are using a password manager on different devices, you obviously need to ensure that all their operating systems are supported. That could be Windows, macOS or Linux on a laptop, or iOS or Android on a smartphone or tablet. While this may limit the choice of suitable products depending on your individual needs, having a device that isn’t supported may result in the adoption of unsafe workarounds such as exporting passwords as plain text.
Does the product support all your platforms and devices?
Are password managers secure?
No software application can be completely secure; there are always flaws and vulnerabilities exposed over time.
Research on password managers running on Windows 10 found that several exposed credentials by allowing a decrypted plain-text copy to sit temporarily in the computer’s memory, where malware residing on the computer and scanning memory could read it. While the risk is undoubtedly low, the vulnerability exists.
Weaknesses in password managers are uncovered all the time. And there has been at least one reported case where an attack was successful.
But we need to balance the risks of using a password manager against the dangers of carrying on with the traditional approach of using easy-to-remember passwords, re-using the same password on multiple sites, or even writing passwords down.
Am I using the best password manager?
There are dozens of products in the marketplace. Below is a list of some of the more popular products. These are listed alphabetically without endorsement. The best password manager for you will depend on what features you want and what devices and browsers you need to support. This is not an exhaustive list, but now you know what features to look for, it’s a great place to start to see if your password manager is sufficiently secure or if better alternatives are available.
1Password works with Windows, macOS, Linux, iOS, Android and has browser plug-ins. It has a family feature where multiple users can share access to the password vault. 1Password security is based on multi-factor authentication for access control. A small number of security vulnerabilities have been reported.
Dashlane password manager offers a free single device product or a paid-for multi-device version for Windows, macOS, iOS, Android and includes browser plug-ins. Dashlane security is based on the highest encryption standards and comes with secure file storage features and a built-in VPN for safe browsing. A single security vulnerability has been reported.
KeePass is a single device application that’s open source for users who want complete control and do not want cloud-based synchronization. The downside is that synchronization between devices will have to be performed manually using a third-party shared storage solution such as Dropbox. KeePass security is based around whole database encryption using advanced encryption standards. A small number of security vulnerabilities have been reported.
Keeper is a paid-for product for Windows, macOS, Linux, iOS and Android, with broad browser plug-in support. The product features a family option for multiple users and a secure file sharing option between devices. No security vulnerabilities have been reported.
LastPass offers products for Windows, macOS, iOS, Android and has browser plug-ins. This product will securely store banking and credit card information compatible with eCommerce websites and supports multi-factor authentication. LastPass security is based around device-level encryption of sensitive data using advanced encryption standards. A small number of security vulnerabilities have been reported.
NordPass offers a free single device product or a paid-for multi-device product for Windows, macOS, Linux, iOS, Android, plus the standard browser plug-ins. As well as complex password generation, this product can also securely store banking and credit card information that can auto-fill the checkout fields on eCommerce websites. No security vulnerabilities have been reported.
RoboForm password manager offers a free single-device product or a paid-for multi-device product for Windows, macOS, iOS and Android. It has a wide range of browser plug-ins and focuses on the auto-fill of personal information on websites, but includes most features expected of a password manager. A small number of security vulnerabilities have been reported.
Zoho Vault is aimed at business clients with user management and password policy features. It integrates with business tools such as Office 365 and Salesforce. While it’s one of the most secure password manager tools, it is also one of the most difficult to configure. No security vulnerabilities have been reported.
Password managers are an excellent solution for managing the large numbers of passwords we accumulate as more services move online. They take away the pain of remembering which password you chose for which site with the bonus that these passwords can now be of a complexity that would be beyond most people to remember.
While password managers will never be completely secure, those that we’ve listed are significantly more secure than the alternatives of remembering individual passwords. By reviewing the main criteria for assessing a password manager’s security against your particular requirements, we hope you have sufficient information to judge if your product of choice is adequate for your needs or if there is a better product available to you.
Resources and further advice
- US Government Technology Transformation Services (TTS) Handbook: Requirements for Passwords (gsa.gov)
- US Government Cybersecurity and Infrastructure Security Agency (CISA): Choosing and Protecting Passwords
- UK Government National Cyber Security Centre (NCSC): What does the NCSC think of password managers? (ncsc.gov.uk)