Proton
are password managers safe?

Password managers are a great way to generate secure passwords, keep them in encrypted storage together with your credit card details, and improve your online security across the board. But you might be worried about keeping so much sensitive data in one place. Are password managers safe to use?

The answer is that it depends on which password manager you use. Some have known security issues, others may have ulterior motives (like profiting off your data), but the very best password managers are as safe as can be. We’ve analyzed several password managers and identified common issues and how these can be mitigated. Let’s go over some details to see how we came to our conclusion.

What does a password manager do?

A password manager is a program that stores your passwords for you and generates new ones. Then, as you browse the web and access the login pages of services where you have an account, a pop up will offer to fill out these passwords for you with one click. 

Password managers have a few benefits. For one, you no longer need to rely on your memory, meaning you can’t lose passwords. Second, because you don’t have to remember passwords anymore, you can create more complicated ones, increasing your security. Add to that how much easier a good password manager makes your browsing (see our article on password fatigue), and they’re a must-have.

What makes a password manager safe?

Password managers are designed to keep your passwords secure, but of course that raises the question of how safe they are themselves. After all, there’s a lot at stake. Generally speaking, a good password manager is designed to keep out intruders while keeping your data private. How well they do this, though, depends very much on the individual service.

There are a few things that the best password managers all have in common. The first of these is smart use of encryption. A good password manager encrypts the vaults where you store your passwords with a state-of-the-art encryption algorithm like AES-256. 

However, if a service is truly focused on users’ privacy, it will also use something called end-to-end encryption. In regular encryption, when you send data from your computer to the password manager’s servers the encryption key is shared by both you and the service you’re using. 

In contrast, when using end-to-end encryption, only you have the key. This eliminates the possibility of snooping by the service you’re using, both in transit and while stored. However, due to it being hard to implement on a technical level, not all password managers offer end-to-end encryption.

When services don’t use end-to-end encryption, the results can be catastrophic. The largest cloud storage breach to date, the 2012 Dropbox breach, happened because a Dropbox employee had been reusing their passwords, which gave hackers a way into the system. The hackers decrypted the database and stole passwords of 70 million people. If Dropbox had used end-to-end encryption, this would not have been possible.

Using precautions like end-to-end encryption minimizes the chance of human error, and with it the chances of a breach. However, there are still some vulnerabilities you need to be aware of.

Password manager vulnerabilities

Even the best password manager isn’t perfect. No matter how well it has been designed, there’s no such thing as 100% security so you should focus on minimizing the risks.

One of the biggest flaws in a password manager’s security architecture is you, the user. This is because even the best security is useless if your password is, say, “password”. Many password managers enforce stronger security by using a master password, the password that lets you access your vault.

It’s very important that this password is strong, so it can’t be cracked too easily, but also easy to remember so that you can’t forget it. After all, your password manager can’t remember it for you. The best solution for this is to use a passphrase rather than a password, but whatever you do, make sure it’ll be hard to crack, and not a variation of your name or the street you grew up on.

Another important security measure is two-factor authentication, or 2FA. This requires you to have a second device when accessing a service, usually your phone. This adds a layer of security and makes it harder for any hacker to gain control of your accounts.

Another problem is any malware that may infect your computer. In an extreme case, malware could be used to take over your system while you leave it unlocked, so it could access your vaults that way. Currently, the only real cure is prevention so make sure you regularly run firewalls and malware scans to make sure none of that ends up on your hard drive.

Finally, there’s social engineering and other confidence games, where a cybercriminal somehow persuades you to disclose your master password. Phishing, where a criminal sends you an email, text message, or even a phone call pretending to be somebody else, is the most common example. The only good defense against con games like this is awareness, so know to never part with sensitive data unless you’re sure you know who you’re talking to.

Is using a password manager safe?

The dangers are real, but if you use a good password manager and remain vigilant yourself, you can minimize any risks. With that in mind, yes, password managers are perfectly safe to use, and will also upgrade your overall online security. 

That said, not all password managers are created equal, with some, like LastPass, prone to breaches, while others are hard to use or have potential flaws in the way security is set up. 

This is why we developed Proton Pass, a password manager that incorporates all the lessons we learned from operating our other secure services, like Proton Mail, Proton VPN(new window), and Proton Drive.

Proton Pass security consists of several layers. On our side, we use end-to-end encryption for all the usernames, passwords, bank cards, secure notes, and other data you keep with us. Proton Pass also encrypts your metadata, like the websites each password is used to log in to. Proton cannot see any of your sensitive data. 

View the Proton Pass security model for an in-depth explanation of our encryption.

As a company founded by scientists, we also believe in the importance of transparency and peer review for maintaining high security standards. So while some password managers hide their code from scrutiny, Proton Pass is independently audited and open source, so anyone can inspect our code. 

On the client side, we protect you in several ways. We make use of 2FA, meaning it’s much harder to impersonate you to gain access to your account. We also offer Proton Sentinel, our unique AI-assisted security program that tracks and thwarts suspicious login attempts.

For us, privacy and security aren’t marketing slogans, they’re in our DNA. Unlike most of our competitors, we’re funded by our community meaning we don’t have ad revenue to worry about and can focus on what matters, your security. If that sounds like something you’d like to be a part of, create a free Proton Pass account today.

Protect your passwords
Creați un cont gratuit

Related articles

The cover image for a Proton Pass blog comparing SAML and OAuth as protocols for business protection
en
SAML and OAuth help your workers access your network securely, but what's the difference? Here's what you need to know.
Proton Lifetime Fundraiser 7th edition
en
Learn how to join our 2024 Lifetime Account Charity Fundraiser, your chance to win our most exclusive plan and fight for a better internet.
The cover image for a Proton Pass blog about zero trust security showing a dial marked 'zero trust' turned all the way to the right
en
Cybersecurity for businesses is harder than ever: find out how zero trust security can prevent data breaches within your business.
How to protect your inbox from an email extractor
en
Learn how an email extractor works, why your email address is valuable, how to protect your inbox, and what to do if your email address is exposed.
How to whitelist an email address and keep important messages in your inbox
en
Find out what email whitelisting is, why it’s useful, how to whitelist email addresses on different platforms, and how Proton Mail can help.
The cover image for Proton blog about cyberthreats businesses will face in 2025, showing a webpage, a mask, and an error message hanging on a fishing hook
en
Thousands of businesses of all sizes were impacted by cybercrime in 2024. Here are the top cybersecurity threats we expect companies to face in 2025—and how Proton Pass can protect your business.