are password managers safe?

Password managers are a great way to generate secure passwords, keep them in encrypted storage together with your credit card details, and improve your online security across the board. But you might be worried about keeping so much sensitive data in one place. Are password managers safe to use?

The answer is that it depends on which password manager you use. Some have known security issues, others may have ulterior motives (like profiting off your data), but the very best password managers are as safe as can be. We’ve analyzed several password managers and identified common issues and how these can be mitigated. Let’s go over some details to see how we came to our conclusion.

What does a password manager do?

A password manager is a program that stores your passwords for you and generates new ones. Then, as you browse the web and access the login pages of services where you have an account, a pop up will offer to fill out these passwords for you with one click. 

Password managers have a few benefits. For one, you no longer need to rely on your memory, meaning you can’t lose passwords. Second, because you don’t have to remember passwords anymore, you can create more complicated ones, increasing your security. Add to that how much easier a good password manager makes your browsing (see our article on password fatigue), and they’re a must-have.

What makes a password manager safe?

Password managers are designed to keep your passwords secure, but of course that raises the question of how safe they are themselves. After all, there’s a lot at stake. Generally speaking, a good password manager is designed to keep out intruders while keeping your data private. How well they do this, though, depends very much on the individual service.

There are a few things that the best password managers all have in common. The first of these is smart use of encryption. A good password manager encrypts the vaults where you store your passwords with a state-of-the-art encryption algorithm like AES-256. 

However, if a service is truly focused on users’ privacy, it will also use something called end-to-end encryption. In regular encryption, when you send data from your computer to the password manager’s servers the encryption key is shared by both you and the service you’re using. 

In contrast, when using end-to-end encryption, only you have the key. This eliminates the possibility of snooping by the service you’re using, both in transit and while stored. However, due to it being hard to implement on a technical level, not all password managers offer end-to-end encryption.

When services don’t use end-to-end encryption, the results can be catastrophic. The largest cloud storage breach to date, the 2012 Dropbox breach, happened because a Dropbox employee had been reusing their passwords, which gave hackers a way into the system. The hackers decrypted the database and stole passwords of 70 million people. If Dropbox had used end-to-end encryption, this would not have been possible.

Using precautions like end-to-end encryption minimizes the chance of human error, and with it the chances of a breach. However, there are still some vulnerabilities you need to be aware of.

Password manager vulnerabilities

Even the best password manager isn’t perfect. No matter how well it has been designed, there’s no such thing as 100% security so you should focus on minimizing the risks.

One of the biggest flaws in a password manager’s security architecture is you, the user. This is because even the best security is useless if your password is, say, “password”. Many password managers enforce stronger security by using a master password, the password that lets you access your vault.

It’s very important that this password is strong, so it can’t be cracked too easily, but also easy to remember so that you can’t forget it. After all, your password manager can’t remember it for you. The best solution for this is to use a passphrase rather than a password, but whatever you do, make sure it’ll be hard to crack, and not a variation of your name or the street you grew up on.

Another important security measure is two-factor authentication, or 2FA. This requires you to have a second device when accessing a service, usually your phone. This adds a layer of security and makes it harder for any hacker to gain control of your accounts.

Another problem is any malware that may infect your computer. In an extreme case, malware could be used to take over your system while you leave it unlocked, so it could access your vaults that way. Currently, the only real cure is prevention so make sure you regularly run firewalls and malware scans to make sure none of that ends up on your hard drive.

Finally, there’s social engineering and other confidence games, where a cybercriminal somehow persuades you to disclose your master password. Phishing, where a criminal sends you an email, text message, or even a phone call pretending to be somebody else, is the most common example. The only good defense against con games like this is awareness, so know to never part with sensitive data unless you’re sure you know who you’re talking to.

Is using a password manager safe?

The dangers are real, but if you use a good password manager and remain vigilant yourself, you can minimize any risks. With that in mind, yes, password managers are perfectly safe to use, and will also upgrade your overall online security. 

That said, not all password managers are created equal, with some, like LastPass, prone to breaches, while others are hard to use or have potential flaws in the way security is set up. 

This is why we developed Proton Pass, a password manager that incorporates all the lessons we learned from operating our other secure services, like Proton Mail, Proton VPN(new window), and Proton Drive.

Proton Pass security consists of several layers. On our side, we use end-to-end encryption for all the usernames, passwords, bank cards, secure notes, and other data you keep with us. Proton Pass also encrypts your metadata, like the websites each password is used to log in to. Proton cannot see any of your sensitive data. 

View the Proton Pass security model for an in-depth explanation of our encryption.

As a company founded by scientists, we also believe in the importance of transparency and peer review for maintaining high security standards. So while some password managers hide their code from scrutiny, Proton Pass is independently audited and open source, so anyone can inspect our code. 

On the client side, we protect you in several ways. We make use of 2FA, meaning it’s much harder to impersonate you to gain access to your account. We also offer Proton Sentinel, our unique AI-assisted security program that tracks and thwarts suspicious login attempts.

For us, privacy and security aren’t marketing slogans, they’re in our DNA. Unlike most of our competitors, we’re funded by our community meaning we don’t have ad revenue to worry about and can focus on what matters, your security. If that sounds like something you’d like to be a part of, create a free Proton Pass account today.

Bescherm uw wachtwoorden
Maak een gratis account

Gerelateerde artikelen

Google is one of the biggest obstacles to privacy. The Big Tech giant may offer quick access to information online, but it also controls vast amounts of your personal or business data. Recently, more people are becoming aware of the actual price you
What to do if someone steals your Social Security number
If you’re a United States citizen or permanent resident, you have a Social Security number (SSN). This number is the linchpin of much of your existence, linked to everything from your tax records to your credit cards. Theft is a massive problem, whic
compromised passwords
  • De basisbeginselen van privacy
Compromised passwords are a common issue and probably one of the biggest cybersecurity threats for regular people. How do passwords get compromised, and is there anything you can do to prevent it? * What does compromised password mean? * How do pa
Is WeTransfer safe?
  • De basisbeginselen van privacy
WeTransfer is a popular service used by millions worldwide to send large files. You may have wondered if it’s safe or whether you should use it to share sensitive files. We answer these questions below and present a WeTransfer alternative that may su
what is a dictionary attack
  • De basisbeginselen van privacy
Dictionary attacks are a common method hackers use to try to crack passwords and break into online accounts.  While these attacks may be effective against people with poor account security, it’s extremely easy to protect yourself against them by usi
Data breaches are increasingly common. Whenever you sign up for an online service, you provide it with personal information that’s valuable to hackers, such as email addresses, passwords, phone numbers, and more. Unfortunately, many online services f