Primer: Are password managers safe to use?
If you haven’t changed your Yahoo password since 2014, you’re overdue for an update, as the company confirms that information related to more than 500 million of its users was stolen in a hack two years ago. Can a password manager help you deal with the fallout from breaches like this?
Usernames, passwords, email addresses, birth dates and, “for some users,” security questions are all included in the database Yahoo says was stolen by a “state-sponsored” hacker. While you can’t change your birth date, you can use password managers to better control and protect your accounts, says Jessy Irwin, a security evangelist and former employee of password-managing software company 1Password.
A 2014 security paper cites reasons people create and reuse weak passwords: “One primary, if not the primary, concern with password authentication is the cognitive burden of choosing secure, random passwords across all the sites that rely on password authentication,” the study’s authors, including security researcher Zhiwei Li, wrote. “A large body of evidence suggests users have—possibly, rationally—given up, choosing simple passwords and reusing them across sites.”
Password management can be a challenge, even for security experts, Irwin says, citing a 2015 study in which 80 percent of expert participants admitted to reusing passwords, albeit inconsistently. (The 15 participants had a median of 64 accounts and 58 passwords; Li says that the average user has 26 accounts.)
Enter modern password managers, which experts uniformly recommend using to reduce the risk of an account hack due to a password’s weakness or repeated usage. (Nearly half of all passwords used to access Gawker.com alone, according to a 2011 study, were used on at least one other site.) Irwin points to benefits such as helping you choose tougher-to-crack passwords, making it easier to replace passwords (especially for accounts that have been caught in a breach), and reminding you to replace old passwords.
The most obvious fear of using a password manager is what happens when a hacker guesses your master password or exploits a previously unknown vulnerability.
“The real question to answer with password managers, and software in general: Is this software going to cause harm to the end user? With password managers, it’s very easy to see how the benefits outweigh the risks,” Irwin says.
“There is no system that is unhackable,” adds Emmanuel Schalit, chief executive of password manager Dashlane. But, he says, many are built with extra consumer protections. “I could give you my master password right now, and you couldn’t get in because we have a master password with built-in two-factor authentication,” which requires two forms of logging in before you can access your passwords, he says. “You wouldn’t be able to access the (two-factor authentication) token.”
Schalit says Dashlane works, in part, with bug bounty programs and “outside hackers” to identify and fix vulnerabilities before they become widespread problems.
Measures like two-factor authentication and bug bounty participation make third-party password managers such as LastPass, Dashlane, and 1Password safer than password managers built into your browser, Irwin says. Representatives from Firefox and Chrome, which offer built-in password managers, were not able to respond to requests for comment in time for publication.
For his part, Li refuses to use a password manager. “I am reluctant to recommend any, as it remains to be a challenge for the password managers to be secure.”
How to choose a password manager
Nevertheless, Li sees the appeal of password managers. “People who suffer password fatigue are still better off to use a well-known password manager than to use or reuse a weak password across different sites.”
Security expert Mark Burnett has detailed several password-managing techniques he has taught his family to use. For his father-in-law, a secret notebook in which he could write down his passwords was best. For his 10-year-old son, a biometric reader. Burnett uses a password manager because he has “too many” passwords; his 19-year-old son uses one because it’s easier to type in just the one master password on his phone than his other passwords.
If you choose an online manager, Irwin suggests ensuring that it:
- has end-to-end encryption, such that the passwords are protected whether at rest on your machine or in transit
- supports a form of two-factor authentication that you will use
- has a browser extension so you don’t have to copy-and-paste passwords into the manager
“Make sure your master password is very strong and usable, whether you’re on an iPad, iPhone, Android, or desktop,” she adds. She recommends using a random word generator like Diceware, and creating an easy-to-remember rhyme to help recall it. What you don’t want, she says, is a password “so uncomfortable that you have to switch keyboards.”
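The Diceware approach Irwin recommends picks each word of the master passphrase uniformly at random from a fixed list, so its strength can be stated in bits rather than guessed at. The script below is an added example written for this article, not code from Diceware, 1Password, Dashlane or any other product mentioned here. It uses a small constructed word list purely for illustration (the real Diceware list has 7,776 words, one per five-dice roll), draws words with Python's `secrets` module rather than the predictable `random` module, and shows how many words a list of a given size needs to reach a target number of bits.

```python
import math
import secrets

# Constructed sample word list for illustration only. A real Diceware list has
# 6**5 == 7776 entries so that one roll of five dice selects exactly one word.
SAMPLE_WORDS = [
    "apple", "bench", "cloud", "delta", "eagle", "frost", "grape", "house",
    "ivory", "jelly", "koala", "lemon", "mango", "noble", "olive", "piano",
    "quilt", "river", "stone", "tiger", "umbra", "vivid", "wheat", "xenon",
    "yacht", "zebra", "amber", "brick", "candy", "dusty", "ember", "flame",
]

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in the published Diceware list


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are chosen uniformly and
    independently from a list of `wordlist_size` entries."""
    return num_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from this list that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(num_words: int, wordlist=SAMPLE_WORDS, separator: str = "-") -> str:
    """Build a passphrase with a cryptographically secure RNG.

    secrets.choice() draws uniformly, which is what makes the entropy
    estimate above valid; random.choice() is seeded predictably and must
    not be used for secrets."""
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


def roll_dice_key(num_dice: int = 5) -> str:
    """Simulate the physical Diceware method: five dice give a key such as
    '31566' that is looked up in the printed list."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(num_dice))


def dice_key_to_index(key: str) -> int:
    """Map a five-digit dice key (digits 1..6) to a 0-based list index,
    treating the key as a base-6 number. '11111' -> 0, '66666' -> 7775."""
    index = 0
    for digit in key:
        value = int(digit)
        if not 1 <= value <= 6:
            raise ValueError(f"dice digit out of range: {digit!r}")
        index = index * 6 + (value - 1)
    return index


if __name__ == "__main__":
    # Six words from the full Diceware list is roughly 77.5 bits, well beyond
    # what the sample list here can offer; the sample list only demonstrates
    # the mechanics.
    print("bits for 6 Diceware words:", round(passphrase_entropy_bits(6, DICEWARE_LIST_SIZE), 1))
    print("words needed for 80 bits (Diceware):", words_needed(80, DICEWARE_LIST_SIZE))
    print("words needed for 80 bits (sample list):", words_needed(80, len(SAMPLE_WORDS)))
    print("example key", roll_dice_key(), "-> index", dice_key_to_index(roll_dice_key()))
    print("sample passphrase:", generate_passphrase(6))
```

The entropy figure depends only on how the words are chosen, not on how the words look: four words from a 7,776-entry list beat an eight-character password of mixed symbols, and the rhyme Irwin suggests for recall does not reduce that figure as long as the words themselves came from the dice or the CSPRNG rather than from memory.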