What Are Password Managers And Are They Secure?
With just one password to rule them all, should organizations trust password managers to keep their passwords and data secure?
Humans have been relying on safes and vaults to secure their valuable goods for thousands of years. In fact, the first-ever safe, or, lockable device, is said to date to as far back as the 13th century BCE, and was discovered in the tomb of Pharaoh Ramesses II.
Today we use safes and vaults differently—we also use them digitally. Password managers are essentially digital vaults where, rather than relying on memory to remember passwords, users can instead store them within their own virtual lockbox.
But while many security experts consider password managers as the gold standard in password security, when it comes to using them, only around 1 in 5 American users actually use password manager apps, while a worrying 65% of users simply do not trust them to keep their data safe.
So, is this lack of confidence in password managers justified?
Throughout this article, we’ll take a look at what password managers are, how you use them, and whether you should trust them to secure your organization’s most sensitive data.
What Are Password Managers And How Do You Use Them?
Password managers are essentially digital vaults for your passwords. You can use one to securely store login details such as email addresses, usernames, and passwords across all accounts, as well as create new strong passwords during account creation or password resets.
Just like how every physical vault has only one combination, each password vault has only one key—this is what we refer to as the master password. And you should note that your master password is your only way into your vault—forgetting it might result in you permanently losing access to all passwords stored within.
Each time you log into an account via a web or app portal—as long as you’ve previously stored the credentials for that specific account within your vault—you can enable your password manager to auto-fill your login details into the relevant fields. You’ll be prompted to enter your master password to enable this, but often you can simply use a biometric scan to authorize.
Password managers also enable you to securely share passwords with others, as well as automatically generate strong and complex passwords when creating new accounts or during password resets. These features help prevent keylogger, phishing, and other password-related attacks.
For admins, password management solutions can also provide a detailed insight into password strength across the organization, as well as which users are reusing passwords—which enables them to create and implement password policies.
What Makes Password Managers Secure?
Before we look at some of the risks that come with using password managers, let’s first explore the benefits of using them, as well as the safety features installed on them to protect users’ data.
Zero-Knowledge Architecture and Master Passwords
Leading password managers operate using a zero-knowledge architecture—but what does that mean?
Well, when you save passwords to your password manager, they’re encrypted locally on your device. They’re then stored in a secure vault, to which there is only one key: your master password. Your master password functions not only as the key to unlocking the vault itself, but is also used as the key to decrypt the passwords within.
What this means, as “zero knowledge” suggests, is that password manager providers have no knowledge of the contents of your vault, and can only see encrypted versions of passwords. And, since they don’t store your master password either, they have no way to access the decryption key or see the data in its original, decrypted form.
This also means that even in the event that the password management provider suffers a data breach or hack, a criminal would be met with a series of cryptographic sequences that are virtually impossible to decipher without the key.
So, the overall security of using a password manager often depends on how strong your master password is. And it might sound risky to protect an entire vault with just one password, but consider this: using a master password that’s 13 characters long and contains a combination of numbers, symbols, and uppercase and lowercase letters, would take a hacker 2 million years to brute force. Raise this to 16 characters and it becomes a trillion years.
Because of this, we advise you to use passphrases, as opposed to passwords, to help achieve a higher character count for passwords.
AES 256-Bit Encryption
While some password managers might use Advanced Encryption Standard (AES) 128-bit or 192-bit encryption—which is still plenty strong—AES 256-bit is the strongest and most widely used to encrypt user information when it comes to password managers.
AES 256-bit is a world-class encryption standard that’s used by militaries, governments, and banks to protect top-secret information, and is also commonly used for Virtual Private Networks (VPNs), email encryption, and firewalls, as well as password managers.
This type of encryption is also a symmetric block cipher, which means that—unlike asymmetrical ciphers, such as public key pairs—there’s only one private key that’s used to both encrypt and decrypt information. In the case of a password manager, that’s your master password.
While “AES” signals the type of encryption, “256-bit” is the key itself. The higher the number of bits, the higher the number of possible combinations to the strings of encryption keys. For a 256-bit key, there are 2256 possible combinations, or, 115,792,089,237,316,195,423,570,985,008,687,907,853,269,
984,665,640,564,039,457,584,007,913,129,639,936 combinations—that’s a 78-digit number. To put this into perspective, the distance in kilometers from our sun to the nearest galaxy—the Canis Major Dwarf—is only an 18-digit number!
To crack this combination using brute force would take over a lifetime, so, for now, cracking this type of encryption is highly unlikely to be a target for cybercriminals.
Multi-Factor Authentication
Technology is often only as strong as its user—part of staying protected and remaining as least hackable as possible is making use of the security features that are built-in to a solution.
Most password managers offer multi-factor authentication (MFA) that can be used alongside a master password to secure your accounts. Using MFA means that even if a criminal were to learn your master password, they still would be denied access to your vault without also passing a second or third factor of authentication.
Additional factors commonly include biometric data—such as a fingerprint scan or face recognition technology using a built-in scanner within your device—or can be based on something you have, such as a security token or authentication app.
Enterprise Features
Many enterprise password managers might offer features such as reminders to prompt users to change passwords regularly, dark web scans to check whether any credentials have been compromised, reporting tools to enable admins to oversee the organization’s overall password security posture, and the ability to create and share password policies. Admins can also set requirements for master passwords, see which employees are reusing the same passwords across multiple accounts, restrict unsuccessful login attempts, and set password-sharing policies.
Generally, we wouldn’t recommend ever sharing passwords with others—but often in workplaces, where admin access might be shared, it’s unavoidable. Many enterprise password managers also offer password-sharing functionality, where users can send a password from their own vault directly to another, without having to send it in an IM or email. Admins can also set restrictions to limit sharing to certain groups or users, or require approval before sharing a password.
It’s Safer To Rely On A Password Manager Than On Memory
A worrying 67% of IT professionals report that their organizations currently rely on memory alone to manage their passwords. But with the average person managing 100 passwords, how can you be expected to create and memorize completely unique and complex passwords for each of these accounts?
Password managers offer a solution that not only securely stores passwords for you—meaning you don’t have to memorize dozens or even hundreds of unique and complex passwords, and can avoid reusing the same passwords across multiple accounts—but can also generate complex passwords for you.
In this sense, it’s far safer for you to place your trust in a password manager than it is for you to reuse the same passwords across multiple accounts or use weak, easily hackable passwords. You also benefit from a massive improvement in user experience.
The Risks Of Using Password Managers
When approaching the risks of using password managers, we’d like to preface this section with one overarching principle: nothing is un-hackable.
So, when it comes to investing in a cybersecurity solution, the goal should not be to be un-hackable, but rather, to be as least hackable as you can be.
Despite all these safety measures and technologies put in place to secure password managers for users, password managers have suffered breaches in the past.
In fact, well-known vendors have experienced hacks within the past decade—the two highest-profile breaches being OneLogin in 2017, and LastPass in 2015.
In OneLogin’s case, hackers managed to gain access to their AWS platform and, as a result, access databases containing information about users, apps, and keys. In response, OneLogin advised users to take appropriate action, and noticeably made security a part of their organizational culture, strengthening their overall posture.
In LastPass’ case, although the hackers managed to breach the system, thanks to the vendor’s zero-knowledge framework, users’ passwords were protected by encryption and their master password. As a result, the hackers were only able to access users’ email addresses and password reminders.
Hacks and breaches are extremely uncommon, but there are numerous other risks that organizations should consider when thinking about investing in a password manager.
Putting All Your Eggs In One Basket
The line “You’re putting all your eggs in one basket,” is one you’ll hear often in discussions around the risks of using password managers. And, while it’s a cliché, it’s not an invalid argument.
No security expert can deny that keeping all passwords in one place—no matter how secure the vault is—is risky on at least some level. In the unlikely event that a criminal was to discover your master password and gain access to all decrypted passwords, they could access every single account associated with the password manager.
And the time it would take for you to be made aware of the breach and change the passwords across potentially hundreds of accounts, would likely leave a hacker with more than enough time to inflict some serious damage.
Master Passwords Can Be Stolen
Strong master passwords are key to making a password manager as secure as possible.
Yet, as users, we’re notorious for setting weak passwords. In fact, the most common passwords of 2021 include the likes of “123456”, “qwerty”, and the infamous “password”—all of which take less than a second to crack. Even a seven-character password containing numbers as well as uppercase and lowercase letters would only take a minute to brute force.
So, without ensuring that you create a secure and complex master password to protect your account, you’ll face a greater risk of brute force attacks and security breaches.
But the other part of the risk comes down to malware that could be infecting your devices and social engineering attacks.
For example, keyloggers, a particularly hard-to-spot piece of spyware, can spy on your keyboard without being detected and log everything that you type, stealing your master password in seconds. Credentials can also be stolen in phishing attacks, where the bad actor poses as the password manager itself and tricks you into giving away their master password.
But it should be noted that these are risks that are preventable with the appropriate action, such as implementing email security and endpoint protection solutions.
Master Passwords Can Be Forgotten
As we covered earlier, most providers implement a zero-knowledge policy, which means you are solely responsible for creating and managing your master password. And that master password is the only thing that can decrypt the passwords in your vault.
This means that if you forget your password, the key to decrypting the passwords inside your vault is lost permanently, and there is no way to recover it.
While we advise that a secure password should be 16-characters, containing numbers, symbols, and uppercase and lowercase letters, it should be recognized that a password of this strength can be stressful to manage, and potentially extremely difficult to remember from memory.
While it’s not necessarily a security risk, forgetting a master password could range from annoying and time-consuming, to disastrous if dealing with accounts or data that are time-sensitive.
The Server Could Go Down
The issue with relying on password managers rather than memory to manage passwords is that, in the unlikely event that the server goes down, there’s no way for you to access your accounts without resetting your password or undertaking other account-recovery steps.
If the server does go down, you must often rely on the provider to keep a backup copy—as keeping your own version offline is risky.
The Verdict: Are Password Managers Secure For Businesses?
So, yes, numerous risks come with using password managers.
They can be hacked—but so can every other piece of technology in existence. Choosing the right solution for your organization isn’t about finding one that’s invincible—because that isn’t an option. It’s about finding the solution that’s better than the one you had before, a solution that mitigates the most risk, because eliminating it is impossible.
Based on that, and in line with the opinions of industry experts and security specialists, we advise that you invest in a password management solution to increase your overall security posture.
Of course, the risks are always relative to each industry and business, so you should evaluate the benefits against the risks of using password managers for your specific organization. But for most businesses, the benefits of using a password manager will greatly outweigh the risks.
However, we’d like to note that, just like with any other solution, implementing a password manager isn’t a one-and-done fix. And it’s not something that should be left to run in isolation, without additional security measures implemented to complement it.
If you’re thinking about implementing a password management solution, we also advise that you:
- Use a reputable enterprise password management solution that operates on a zero-trust framework and uses strong encryption
- Advise users to access their password manager only on trusted and secured devices
- Invest in strong antivirus protection to reduce the risk of infected devices causing breaches, and keep all software up to date
- Always enable multi-factor authentication to be used alongside users’ master passwords
- Advise users to create strong master passwords, and allow them to write it down and store it in a secure physical location—such as a safe—in case it’s forgotten
- Choose a password manager that supports all platforms used across the organization
So, how secure are password managers? They’re certainly secure enough—but only when used wisely and in conjunction with supporting security features.
Nothing is un-hackable, but by using password managers, your organization could be one step further away from a breach.