Password managers: Are they safe? Which is the best?
The key, if you’ll excuse the pun, is to abandon the truly random approach here and go for something you’ll remember – but in a format that makes it difficult for a human to make a guess or a machine to use brute force. You can combine words, with mixed cases and special characters in-between, throw in a few numbers and still have something that’s memorable but almost uncrackable. For example, the easily recalled phrase “my car is a pocket rocket” could be turned into a strong passphrase with the use of some misspelling and capitalisation, the addition of the numerals from your number plate and a couple of question marks to make it “?myKar13isaPokitRokit?”.
If the master password is your key to password file security, then encryption is the lock that protects that file. LastPass and 1Password, for example, encrypt your data locally on your device using the master password, so that any data stored online in the cloud is already encrypted before it arrives.
It’s a given when choosing a secure password manager that it should use a high level of data encryption. In practical terms, this means a minimum of 256-bit Advanced Encryption Standard (AES) or equivalent algorithm. One common myth, which we touched on earlier, is that your passwords become vulnerable as soon as they’re stored in the cloud.
The truth is that as long as your password data files are encrypted and protected by a secure master password – one that isn’t written down or reused elsewhere – then your passwords are safe even when stored online. In order to compromise them, an attacker would first have to compromise the password service, then crack the encryption protecting your password file. It really isn’t any more risky than if the password file were stored locally, as your laptop or USB drive could always be stolen; it’s the encryption that’s important.
For the truly paranoid it’s possible to strengthen your password vault further. Some password managers – RoboForm and LastPass Premium, for example – allow for the use of biometrics, by way of a fingerprint reader, to replace the master password for access. Both LastPass Premium and KeePass support the use of YubiKey hardware two-factor authentication tokens. These can be purchased cheaply online, and provide a time-variant secure login code when the button on the USB stick is pressed, by simulating a USB keyboard. This 128-bit code (which means the number of possible combinations is three followed by 38 zeroes) is unique every time the device is used and, as such, can’t be copied and reused. Adding a requirement for something you physically have (the YubiKey token) to something you know (your master password) considerably strengthens the access security to your password vault.
Password managers aren’t a magic bullet against those who would steal your data, and shouldn’t be regarded as a replacement for other essentials, such as security software and large doses of common sense. The autofill function of a password manager can make it harder for malware to capture live login data (a keylogger will fail since no keystrokes are being made), but it doesn’t make it impossible; a man-in-the-middle attack could still compromise your security once you’ve logged in.