Are password managers safe?

Password managers are a great way to generate secure passwords, keep them in encrypted storage together with your credit card details, and improve your online security across the board. But you might be worried about keeping so much sensitive data in one place. Are password managers safe to use?

The answer is that it depends on which password manager you use. Some have known security issues, others may have ulterior motives (like profiting off your data), but the very best password managers are as safe as can be. We’ve analyzed several password managers and identified common issues and how these can be mitigated. Let’s go over some details to see how we came to our conclusion.

What does a password manager do?

A password manager is a program that stores your passwords for you and generates new ones. Then, as you browse the web and reach the login pages of services where you have an account, a pop-up offers to fill in those passwords for you with one click.

Password managers have a few benefits. For one, you no longer need to rely on your memory, meaning you can’t lose passwords. Second, because you don’t have to remember passwords anymore, you can create more complicated ones, increasing your security. Add to that how much easier a good password manager makes your browsing (see our article on password fatigue), and they’re a must-have.

What makes a password manager safe?

Password managers are designed to keep your passwords secure, but of course that raises the question of how safe they are themselves. After all, there’s a lot at stake. Generally speaking, a good password manager is designed to keep out intruders while keeping your data private. How well they do this, though, depends very much on the individual service.

There are a few things that the best password managers all have in common. The first of these is smart use of encryption. A good password manager encrypts the vaults where you store your passwords with a state-of-the-art encryption algorithm like AES-256.

However, if a service is truly focused on users’ privacy, it will also use something called end-to-end encryption. With regular encryption, when you send data from your computer to the password manager’s servers, the encryption key is shared by both you and the service you’re using.

In contrast, with end-to-end encryption only you have the key. This eliminates the possibility of snooping by the service you’re using, both in transit and in storage. However, because it is technically hard to implement, not all password managers offer end-to-end encryption.

When services don’t use end-to-end encryption, the results can be catastrophic. The largest cloud storage breach to date, the 2012 Dropbox breach, happened because a Dropbox employee had been reusing their passwords, which gave hackers a way into the system. The hackers decrypted the database and stole passwords of 70 million people. If Dropbox had used end-to-end encryption, this would not have been possible.

Using precautions like end-to-end encryption minimizes the chance of human error, and with it the chances of a breach. However, there are still some vulnerabilities you need to be aware of.

Password manager vulnerabilities

Even the best password manager isn’t perfect. No matter how well it has been designed, there’s no such thing as 100% security, so you should focus on minimizing the risks.

One of the biggest flaws in a password manager’s security architecture is you, the user. This is because even the best security is useless if your password is, say, “password”. Many password managers enforce stronger security by using a master password, the password that lets you access your vault.

It’s very important that this password is strong, so it can’t be cracked too easily, but also easy to remember so you won’t forget it. After all, your password manager can’t remember it for you. The best solution for this is to use a passphrase rather than a password, but whatever you do, make sure it’ll be hard to crack, and not a variation of your name or the street you grew up on.

Another important security measure is two-factor authentication, or 2FA. This requires you to have a second device when accessing a service, usually your phone. This adds a layer of security and makes it harder for any hacker to gain control of your accounts.

Another problem is malware that may infect your computer. In an extreme case, malware could take over your system while you leave it unlocked and read your vaults that way. Currently, the only real cure is prevention, so keep a firewall enabled and run regular malware scans to make sure nothing of the sort ends up on your hard drive.

Finally, there’s social engineering and other confidence games, where a cybercriminal somehow persuades you to disclose your master password. Phishing, where a criminal sends you an email, text message, or even a phone call pretending to be somebody else, is the most common example. The only good defense against con games like this is awareness, so never part with sensitive data unless you’re sure you know who you’re talking to.

Is using a password manager safe?

The dangers are real, but if you use a good password manager and remain vigilant yourself, you can minimize any risks. With that in mind, yes, password managers are perfectly safe to use, and will also upgrade your overall online security. 

That said, not all password managers are created equal, with some, like LastPass, prone to breaches, while others are hard to use or have potential flaws in the way security is set up.

This is why we developed Proton Pass, a password manager that incorporates all the lessons we learned from operating our other secure services, like Proton Mail, Proton VPN, and Proton Drive.

Proton Pass security consists of several layers. On our side, we use end-to-end encryption for all the usernames, passwords, bank cards, secure notes, and other data you keep with us. Proton Pass also encrypts your metadata, like the websites each password is used to log in to. Proton cannot see any of your sensitive data. 

View the Proton Pass security model for an in-depth explanation of our encryption.

As a company founded by scientists, we also believe in the importance of transparency and peer review for maintaining high security standards. So while some password managers hide their code from scrutiny, Proton Pass is independently audited and open source, meaning anyone can inspect our code.

On the client side, we protect you in several ways. We make use of 2FA, meaning it’s much harder to impersonate you to gain access to your account. We also offer Proton Sentinel, our unique AI-assisted security program that tracks and thwarts suspicious login attempts.

For us, privacy and security aren’t marketing slogans, they’re in our DNA. Unlike most of our competitors, we’re funded by our community, meaning we don’t have ad revenue to worry about and can focus on what matters: your security. If that sounds like something you’d like to be a part of, create a free Proton Pass account today.

Fergus O'Sullivan

Fergus has been a writer, journalist, and privacy advocate for close to a decade. In that time he has run investigations of the privacy industry, written on policy, and reviewed more programs and apps than you can shake a stick at. Before starting work at Proton, he worked for publications such as How-to Geek and Cloudwards, as well as helping host events at conferences like RightsCon.