ProtonBlog
are password managers safe?

Password managers are a great way to generate secure passwords, keep them in encrypted storage together with your credit card details, and improve your online security across the board. But you might be worried about keeping so much sensitive data in one place. Are password managers safe to use?

The answer is that it depends on which password manager you use. Some have known security issues, others may have ulterior motives (like profiting off your data), but the very best password managers are as safe as can be. We’ve analyzed several password managers and identified common issues and how these can be mitigated. Let’s go over some details to see how we came to our conclusion.

What does a password manager do?

A password manager is a program that stores your passwords for you and generates new ones. Then, as you browse the web and access the login pages of services where you have an account, a pop up will offer to fill out these passwords for you with one click. 

Password managers have a few benefits. For one, you no longer need to rely on your memory, meaning you can’t lose passwords. Second, because you don’t have to remember passwords anymore, you can create more complicated ones, increasing your security. Add to that how much easier a good password manager makes your browsing (see our article on password fatigue), and they’re a must-have.

What makes a password manager safe?

Password managers are designed to keep your passwords secure, but of course that raises the question of how safe they are themselves. After all, there’s a lot at stake. Generally speaking, a good password manager is designed to keep out intruders while keeping your data private. How well they do this, though, depends very much on the individual service.

There are a few things that the best password managers all have in common. The first of these is smart use of encryption. A good password manager encrypts the vaults where you store your passwords with a state-of-the-art encryption algorithm like AES-256. 

However, if a service is truly focused on users’ privacy, it will also use something called end-to-end encryption. In regular encryption, when you send data from your computer to the password manager’s servers the encryption key is shared by both you and the service you’re using. 

In contrast, when using end-to-end encryption, only you have the key. This eliminates the possibility of snooping by the service you’re using, both in transit and while stored. However, due to it being hard to implement on a technical level, not all password managers offer end-to-end encryption.

When services don’t use end-to-end encryption, the results can be catastrophic. The largest cloud storage breach to date, the 2012 Dropbox breach, happened because a Dropbox employee had been reusing their passwords, which gave hackers a way into the system. The hackers decrypted the database and stole passwords of 70 million people. If Dropbox had used end-to-end encryption, this would not have been possible.

Using precautions like end-to-end encryption minimizes the chance of human error, and with it the chances of a breach. However, there are still some vulnerabilities you need to be aware of.

Password manager vulnerabilities

Even the best password manager isn’t perfect. No matter how well it has been designed, there’s no such thing as 100% security so you should focus on minimizing the risks.

One of the biggest flaws in a password manager’s security architecture is you, the user. This is because even the best security is useless if your password is, say, “password”. Many password managers enforce stronger security by using a master password, the password that lets you access your vault.

It’s very important that this password is strong, so it can’t be cracked too easily, but also easy to remember so that you can’t forget it. After all, your password manager can’t remember it for you. The best solution for this is to use a passphrase rather than a password, but whatever you do, make sure it’ll be hard to crack, and not a variation of your name or the street you grew up on.

Another important security measure is two-factor authentication, or 2FA. This requires you to have a second device when accessing a service, usually your phone. This adds a layer of security and makes it harder for any hacker to gain control of your accounts.

Another problem is any malware that may infect your computer. In an extreme case, malware could be used to take over your system while you leave it unlocked, so it could access your vaults that way. Currently, the only real cure is prevention so make sure you regularly run firewalls and malware scans to make sure none of that ends up on your hard drive.

Finally, there’s social engineering and other confidence games, where a cybercriminal somehow persuades you to disclose your master password. Phishing, where a criminal sends you an email, text message, or even a phone call pretending to be somebody else, is the most common example. The only good defense against con games like this is awareness, so know to never part with sensitive data unless you’re sure you know who you’re talking to.

Is using a password manager safe?

The dangers are real, but if you use a good password manager and remain vigilant yourself, you can minimize any risks. With that in mind, yes, password managers are perfectly safe to use, and will also upgrade your overall online security. 

That said, not all password managers are created equal, with some, like LastPass, prone to breaches, while others are hard to use or have potential flaws in the way security is set up. 

This is why we developed Proton Pass, a password manager that incorporates all the lessons we learned from operating our other secure services, like Proton Mail, Proton VPN(new window), and Proton Drive.

Proton Pass security consists of several layers. On our side, we use end-to-end encryption for all the usernames, passwords, bank cards, secure notes, and other data you keep with us. Proton Pass also encrypts your metadata, like the websites each password is used to log in to. Proton cannot see any of your sensitive data. 

View the Proton Pass security model for an in-depth explanation of our encryption.

As a company founded by scientists, we also believe in the importance of transparency and peer review for maintaining high security standards. So while some password managers hide their code from scrutiny, Proton Pass is independently audited and open source, so anyone can inspect our code. 

On the client side, we protect you in several ways. We make use of 2FA, meaning it’s much harder to impersonate you to gain access to your account. We also offer Proton Sentinel, our unique AI-assisted security program that tracks and thwarts suspicious login attempts.

For us, privacy and security aren’t marketing slogans, they’re in our DNA. Unlike most of our competitors, we’re funded by our community meaning we don’t have ad revenue to worry about and can focus on what matters, your security. If that sounds like something you’d like to be a part of, create a free Proton Pass account today.

Protect your passwords
Create a free account

Related articles

From the very beginning, Proton has always been a different type of organization. This was probably evident from the way in which we got started via a public crowdfunding campaign that saw 10,000 people donate over $500,000 to launch development. As
Your online data is valuable. While it might feel like you’re browsing the web for free, you’re actually paying marketing companies with your personal information. Often, even when you pay for services, these companies still collect and profit from y
Password spraying attacks pose a major risk to individuals and organizations as a method to breach network security by trying commonly used passwords across numerous accounts. This article explores password spraying attacks, explaining their methods
A secure password is your first defense against unauthorized access to your personal information. While there are tools that generate strong passwords, remembering these complex combinations can become a challenge. Even if you use mnemonic devices,
Choosing the best email hosting provider for your small business is crucial for maintaining security, control, and compliance with data protection laws.  For one, many popular providers, such as Gmail and Outlook, don’t apply end-to-end encryption b
Today, we’re excited to announce new enhancements to Proton Drive’s sharing functionality, giving you greater control over who you share with and how you share your files and folders. This feature builds on how sharing currently works in Drive by le