Password managers: Are they safe? Which is the best?
When an online service suffers a data breach – as recently happened to eHarmony, LinkedIn and Yahoo – there’s a risk that an intruder will discover your password and gain access to your account. That danger is multiplied if the compromised password has been used across multiple sites.
Passwords present an online dilemma: seemingly every service you use online requires a password, and for those passwords to be secure, they have to be complex. However, unless you’re blessed with savant levels of memory, it’s impossible to remember half a dozen lengthy, random, mixed-case, alphanumeric, special-character-inclusive keys – so it’s no surprise that people resort to reusing passwords.
This is where password managers come in – they do the remembering for you. But how do you pick the right one? What questions should you be asking of such applications, and is such an approach actually secure?
How safe are password vaults?
It’s been argued that using a password manager is “putting all your security eggs in one basket” – and with good reason: if you keep all your login data in one place, then any hacker successful in compromising it has been handed the keys to your online kingdom. At first glance, this may seem like an instant deal breaker. From a risk perspective, it requires a breach of only one service to have a domino effect on every other service you use.
Yet the actual risk of compromise is far less than if you reuse one password across multiple sites. In this scenario, you’re relying on dozens of sites keeping your data safe. It takes only one of them to suffer a breach and all the others are compromised as a result. Regular readers of PC Pro will be only too aware of how many popular internet services have suffered breaches over the past couple of years, with password databases being high on the list.
Meanwhile, the major players in the password manager sector haven’t suffered any breaches – with one notable exception. Certainly, there’s been no successful compromise of encrypted password hashes. Even the one exception, when LastPass was possibly breached at the start of 2011, seems not to have caused catastrophic damage. LastPass noticed a traffic anomaly, rather than the theft of any data, and reacted immediately by forcing all users to change their master passwords before their stored information could be accessed. For extra security, the change had to be made from a known IP address or confirmed by email validation. Even if password hash files were downloaded (and it isn’t clear that this was the case), the vaults of users who had followed the recommended advice on master password strength and complexity remained safe.
Passwords in the cloud
If you’re a typical PC Pro reader then you probably use a number of different devices running various operating systems during the course of a day. If your password vault sits on your Windows laptop, but you have access to only an iOS device at the time, then you’re in trouble. A password manager that keeps your passwords “in the cloud” gives you the convenience of accessing your passwords from any device, anywhere, at any time – but it means the actual database file isn’t under your direct control. A local store on your laptop or a removable USB drive is less of a target to hackers than a centralised cloud password store.