Password managers: Are they safe? Which is the best?
The risk of using a cloud service isn’t as great as it may seem. Services such as LastPass protect data in transit with TLS (still widely called SSL), encrypt the vault itself with 256-bit AES, and are designed so that the provider never receives private data that isn’t already locked with your master password, which the company itself never learns. Encryption and decryption happen locally on your PC: the vault key is derived from the master password by a salted, one-way PBKDF2-SHA256 function run for a large number of iterations, and only the resulting ciphertext and a locally computed authentication hash ever leave your machine. Those iterations make guessing a master password slow and expensive, although not impossible; a short or reused master password can still be cracked offline, so the scheme reduces the number of attack vectors considerably rather than eliminating them.
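The key-derivation and login flow described above, written out as an added example (this is not LastPass’s code or any vendor’s implementation). It assumes a 16-byte random per-user salt, a 256-bit vault key, an illustrative iteration count of 600,000, and a login token formed by one further PBKDF2 round of the vault key with the master password as salt; those choices are assumptions for the example, and real products pick their own. The `brute_force_seconds` estimate treats each PBKDF2 iteration as roughly two SHA-256 compressions and takes an assumed attacker speed as input.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example only; a real product sets its own.
KEY_LEN = 32          # 32 bytes = a 256-bit AES vault key
ITERATIONS = 600_000  # assumed PBKDF2-SHA256 iteration count


def new_salt() -> bytes:
    """Fresh random per-user salt, generated locally."""
    return os.urandom(16)


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into the vault key with PBKDF2-HMAC-SHA256.

    The per-user salt means two users with the same master password get
    different keys, so one precomputed table cannot be reused against everyone.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def login_token(master_password: str, salt: bytes,
                iterations: int = ITERATIONS) -> bytes:
    """One-way hash the client sends to the server at login.

    Assumed construction for this example: one extra PBKDF2 round over the
    vault key, salted with the password. The server stores and compares this
    value; it never sees the master password or the vault key.
    """
    key = derive_vault_key(master_password, salt, iterations)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode("utf-8"),
                               1, dklen=KEY_LEN)


def server_verify(stored_token: bytes, presented_token: bytes) -> bool:
    """Server-side check, in constant time to avoid a timing side channel."""
    return hmac.compare_digest(stored_token, presented_token)


def brute_force_seconds(candidates: int, iterations: int,
                        sha256_per_second: float) -> float:
    """Rough time for an attacker to try every candidate master password.

    Each PBKDF2 iteration is one HMAC-SHA256, about two SHA-256 compressions,
    so the iteration count multiplies the attacker's cost directly. The factor
    of two is an approximation for this example.
    """
    return candidates * iterations * 2 / sha256_per_second


if __name__ == "__main__":
    salt = new_salt()
    stored = login_token("correct horse battery staple", salt)
    print("login ok:", server_verify(stored, login_token("correct horse battery staple", salt)))
    print("login ok:", server_verify(stored, login_token("wrong guess", salt)))
    # Assumed attacker: 1e10 SHA-256/s (GPU-class rig). A billion-entry
    # dictionary with mangling rules is finished in about a day and a half...
    print("1e9 guesses:", brute_force_seconds(10**9, ITERATIONS, 1e10) / 86400, "days")
    # ...whereas exhausting 12 random printable-ASCII characters is hopeless.
    print("94^12 guesses:", brute_force_seconds(94**12, ITERATIONS, 1e10) / (86400 * 365), "years")
```

The two printed estimates are the practical reading of the paragraph: the iteration count buys a constant factor, so a dictionary-grade master password still falls, while a random one of reasonable length does not.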
The bigger question is what happens if a cloud service is unavailable, or, worse still, if the provider goes bust. Keeping an off-site backup of your password database, encrypted with a tool such as TrueCrypt (since discontinued; VeraCrypt is its maintained successor), answers the second half of that question, but it won’t help when you need access to a site or service and are stranded in the field with no connection to the service and no other copy of your passwords.
Local clients, which keep the encrypted database on the device you’re using, aren’t reliant on third-party balance sheets or network connectivity. Even if the vendor goes out of business, the application is installed and still works. Such clients run only on the platforms the vendor supports, but 1Password supports Mac, Windows, iOS and Android, while the open source KeePass has ports for Linux, Windows Phone, BlackBerry and even PalmOS, in addition to the usual OS suspects.
So what happens if you lose the phone that stores your local client password manager, or your laptop dies? This isn’t a problem if you keep an encrypted backup somewhere else, or if you have the same database on multiple devices. With 1Password, for example, you can sync your encrypted password database through Dropbox; from there it syncs to any device running another instance of the local client. Since the database is strongly encrypted before it leaves your device, a breach at Dropbox would expose only ciphertext, and the remaining risk is an offline guessing attack on your master password. These hybrid solutions combine the best of both worlds, the security of local storage and the convenience of the cloud, and they remove the single point of failure.
Master password security
Many password manager applications combine two features that make for strong protection: the ability to generate random, complex password strings, and the ability to log you into a site or service automatically using them.
Since you don’t have to remember each random string, every password can be as long and complex as the site allows, and none needs to be reused anywhere else. And if the application handles the login, you don’t even need to know what the password is in the first place.
The one password that needs to be long, strong and complex, but very much known to you, is the master password; it is the secret from which the key that locks away all the others is derived. A password manager is only ever as secure as this master password, so it needs to be a good one. The idea of having to memorise a password of at least 12 characters, mixing upper and lower case, letters and digits, and special keyboard characters for good measure, sounds much worse than the reality. I use a master passphrase of more than 15 characters and change it every three months, yet I have never once forgotten it.
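Two points from the preceding section in working code, added here as an example and not taken from any password manager: a generator that draws passwords uniformly from the 94 printable ASCII characters with the OS CSPRNG and requires every character class the text lists, and an offline dictionary attack against a vault key derived from a weak master password, which is why the master password alone decides the vault’s security. The word list, the weak master password and the low iteration count (1,000, to keep the demonstration fast) are constructed for this example; the attack compares against the derived key directly, standing in for trial-decrypting a stolen vault.

```python
import hashlib
import math
import secrets
import string

LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 94 printable ASCII characters

# Constructed word list for the example; real cracking lists run to billions.
WORDLIST = ["123456", "password", "qwerty", "letmein", "letmein123", "Summer2024!"]


def has_all_classes(password: str) -> bool:
    """True if lower, upper, digit and symbol are all present."""
    return all(any(c in cls for c in password)
               for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def generate_password(length: int = 20) -> str:
    """Uniform random password with every character class represented.

    Each character comes from secrets.choice (OS CSPRNG, not random.random).
    Rejection sampling keeps the accepted passwords uniformly distributed;
    'force one of each class then shuffle' would skew the distribution.
    """
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).

    Requiring all four classes removes a few candidates, costing well under a
    bit at length 12 or more, so this slightly overstates the generator above.
    """
    return length * math.log2(alphabet_size)


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 vault key, as a password manager would derive it."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def dictionary_attack(stored_key: bytes, salt: bytes, iterations: int, wordlist):
    """Offline attack on a stolen vault: derive the key for each guess.

    The salt is stored with the vault, so the attacker has it; iterations only
    make each guess slower. Returns the master password if it is in the list.
    """
    for guess in wordlist:
        if derive_key(guess, salt, iterations) == stored_key:
            return guess
    return None


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    iterations = 1_000  # deliberately low so the demo runs in a blink
    weak_key = derive_key("letmein123", salt, iterations)       # constructed weak master
    strong_master = generate_password(16)
    strong_key = derive_key(strong_master, salt, iterations)
    print("generated:", strong_master, f"({entropy_bits(16):.1f} bits)")
    print("weak master recovered:", dictionary_attack(weak_key, salt, iterations, WORDLIST))
    print("strong master recovered:", dictionary_attack(strong_key, salt, iterations, WORDLIST))
```

`entropy_bits(12)` comes to about 78.7 bits, which is why a 12-character random string from the full keyboard is out of reach for brute force, while the weak master password is recovered after a handful of PBKDF2 calls however many iterations the vendor configured.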