Is it really safe to use a password management program that stores all your passwords in one place?
This question was answered on September 14, 2016. Much of the information contained herein may have changed since posting.
If you only had one or two passwords to remember, creating long, complex ones that you could easily recall wouldn’t be too difficult, but estimates are that most people average between 25 and 30 distinct online accounts.
This has led to the common but unsafe practice of reusing the same password across multiple online accounts, which the security community has warned against ad nauseam: once any one of those sites is breached, every other account that shares the password is exposed too.
All Security Eggs In One Basket?
Companies like LastPass, RoboForm, 1Password and Dashlane offer a solution that may seem a bit counter-intuitive: put all your security eggs in one basket.
On its face and from a purely technical standpoint, storing everything in one place seems a bit risky, but you need to compare it to what you’re currently doing.
No process is 100% secure, but if you’re using the same password everywhere, you’re in about the highest risk category that exists.
Password managers allow you to use strong unique passwords for every account, but only require you to remember a single master password.
Encryption Is The Key
Every password manager encrypts your basket of passwords, and reputable ones do it with a key derived from your master password rather than a key the company holds. This doesn’t make them impossible to compromise; it makes them harder to compromise and a less desirable target.
Even when a breach occurs at an online password management service, what the thieves get is the encrypted vault, so they still have to guess the master password offline before they can read anything. Password managers deliberately make each guess slow by running the password through a key-derivation function many thousands of times, so a long master password can keep the thieves out for years, while a short or common one can fall in minutes. The breached service should notify you so you can change the passwords stored in the vault, but that notification only helps if the vault hasn’t already been cracked, which is why the strength of the master password matters so much.
Online vs Offline Managers
There are generally two ways that password managers store your encrypted passwords; in the cloud or on your computer.
Online password managers tend to trade a bit of security for convenience, because there is nothing to download or install and you aren’t limited to using the service on specific devices. Any device that has an Internet connection can potentially be used to access your accounts, but that also means your encrypted vault sits on someone else’s servers, where it can be stolen in a breach.
Offline password managers are technically more secure because the only place your information exists is on your own computer or mobile devices, but that also means you’ll only be able to access your accounts from those specific devices.
This can become problematic if your computer goes down or you’re using a computer that you don’t own to try to access your accounts, so keep an encrypted backup of the vault file somewhere other than that one machine.
If you decide to use a password management system, the single most important password you’ll create is the master password.
Making sure it’s long (at least 12 characters; a random passphrase of several unrelated words is both easier to remember and stronger than a short string of symbols) and activating 2-factor authentication (https://twofactorauth.org) are critical to keeping everything secured. Keep in mind that, in most services, 2-factor authentication protects the login to the service; it does not strengthen the encryption of a vault that has already been stolen, so the master password itself still has to be strong.
Also keep in mind that if you lose your master password, most of the services can’t help you recover it, because as a security precaution they don’t store it (or the key derived from it) anywhere.
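Two of the points above, that the vault is encrypted under a key derived from the master password (under Encryption Is The Key) and that the master password therefore has to be long (this section), are easier to see in code. The sketch below is an added example written for this column; it is not code from the original article or from any of the products named. The vault layout, the PBKDF2 iteration count, the key-check tag and both word lists are assumptions constructed for the demo, not any vendor’s real values, and the entries themselves are left out (a real vault would encrypt them under the same derived key).

```python
import hashlib
import hmac
import math
import os
import secrets
import time
from typing import List, Optional, Tuple

# Illustrative parameters (assumptions for this demo, not any vendor's values).
KEY_LEN = 32
ITERATIONS = 100_000
CHECK_LABEL = b"vault-key-check"


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a vault key with PBKDF2-HMAC-SHA256.

    Each candidate password costs `iterations` HMAC computations; that cost is
    what makes every guess expensive for whoever steals the vault.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def lock_vault(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Build the blob a breached service would leak: salt, iteration count and a
    key-check tag. Neither the master password nor the derived key is stored."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    check = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def try_unlock(vault: dict, candidate: str) -> bool:
    """True if `candidate` derives the key that produced the vault's check tag."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    tag = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return hmac.compare_digest(tag, vault["check"])


def offline_attack(vault: dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """What a thief does with the stolen blob: guess offline, with no lockouts
    and no notifications. Returns (recovered password or None, guesses made)."""
    for n, guess in enumerate(wordlist, start=1):
        if try_unlock(vault, guess):
            return guess, n
    return None, len(wordlist)


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of `word_count` words chosen uniformly from a list of `list_size`."""
    return word_count * math.log2(list_size)


def generate_master_passphrase(words: List[str], word_count: int = 6) -> str:
    """Pick words with the `secrets` module (a CSPRNG), never with `random`."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def guess_rate(vault: dict, samples: int = 3) -> float:
    """Measure guesses per second on this machine at the vault's iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        try_unlock(vault, f"probe{i}")
    return samples / (time.perf_counter() - start)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average the attacker hits the password after half the keyspace."""
    return (2 ** bits / 2) / guesses_per_second


# Constructed list of common passwords, standing in for the multi-million entry
# lists real attackers use.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "summer2016", "iloveyou"]

# Constructed 16-word list (4 bits per word) for the demo; a real diceware-style
# list such as the EFF long list has 7776 words, about 12.9 bits per word.
DEMO_WORDS = ["anchor", "basil", "copper", "dune", "ember", "falcon", "granite", "harbor",
              "ivory", "juniper", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble"]

if __name__ == "__main__":
    weak = lock_vault("summer2016")
    print("weak master recovered:", offline_attack(weak, COMMON_PASSWORDS))

    strong_pw = generate_master_passphrase(DEMO_WORDS)
    strong = lock_vault(strong_pw)
    print("strong master recovered:", offline_attack(strong, COMMON_PASSWORDS))

    rate = guess_rate(strong)
    real_bits = passphrase_entropy_bits(6, 7776)
    print(f"{rate:.1f} guesses/s on this machine; six words from the demo list give "
          f"{passphrase_entropy_bits(6, len(DEMO_WORDS)):.0f} bits, six from a 7776-word "
          f"list give {real_bits:.1f} bits, or about "
          f"{expected_crack_seconds(real_bits, rate) / 3.15e7:.2e} years at that rate")
```

The weak master falls on the fifth guess because it is on the list; the passphrase survives the same list only because it isn’t on it, and the entropy figure is what tells you how long an attacker who enumerates the keyspace instead would need. Real attackers run far faster than a single CPU, so treat the printed years as an upper bound and the iteration count as the knob the vendor controls on your behalf.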
Making Your Decision
If you’re not tech savvy, using an online password manager is likely more secure than what you’re currently doing, and it’s a lot less complicated.
If you’d rather not use one, you can always use my low-tech password management suggestion: https://goo.gl/v8Rvjo
About the author
Ken Colburn of Data Doctors on September 14, 2016