Are free password managers safe to use?
This question was answered on November 3, 2019. Much of the information contained herein may have changed since posting.
Everyone has heard the advice that you need to use long, complex passwords that are unique to each account that you use. Unless you only have one or two online accounts, the only way to adhere to these security measures is to use some form of password manager.
The most common approach to password management is to use one of the many programs that act as an encrypted vault for all of your passwords, unlocked by a single master password. Most of them operate on the ‘freemium’ model, meaning that the basic features are free and the company makes money when you opt for the premium services.
There’s no such thing as a 100% secure system for anything that we do online, so using that as the criterion for deciding whether or not to use a password manager is a bit flawed. The real question should be, “Is it more secure than what I’m doing now?”
If you currently reuse short, easy-to-remember passwords across multiple accounts, then the answer is a resounding YES!
Security researchers are constantly looking for vulnerabilities in all kinds of software, and since password managers are considered high-value targets, they spend a lot of time trying to exploit them.
Most of the ‘vulnerabilities’ they discover are scenarios that are difficult to pull off in the real world and are generally reported as ‘proof of concept’ exploits. When researchers find one, they contact the company and report the ‘bug’ so it can be patched, even though the chances of it ever becoming a real-world threat are very remote.
Most serious exploits of password managers that I’ve seen would require a remote hacker to already have high-level access to your computer. That means they’ve compromised the entire system as if they were sitting in front of it, so your stored passwords would be the least of your worries.
How They Work
Most password managers are designed to work across all your devices as an app, or in your computer’s browser as an extension or add-on. Your collection of passwords is encrypted on your own device, using a key derived from your master password, before it is synced to the company’s servers. The servers only ever hold the encrypted vault and never the master password itself, which is why this is referred to as ‘zero-knowledge security’. It also makes it impossible for anyone who works at the company to decrypt any user’s vault.
This also means that if you forget your master password, you can’t simply ask the company to reset it: they don’t have it, and without it the vault cannot be decrypted. You’ll have to jump through a bunch of hoops to regain access to your account, so if you decide to use a password manager, make sure to store a copy of your master password in a safe place offline.
Password managers can also generate a long, random password for each of your online accounts, so the only password you have to create and remember is one long, complex master password.
Another layer of security for your password manager is achieved by turning on the two-factor authentication option available in all the popular password managers, including LastPass, RoboForm, 1Password and Dashlane.
Once it’s set up, you’ll be asked for a special code, sent by text message, whenever the system doesn’t recognize your computer, location or browser. This extra step keeps someone who steals your master password and tries to use it on another device from gaining access to your account. Where the product offers it, an authenticator app is a stronger choice than text messages, since SMS codes can be intercepted or redirected by a SIM swap.
About the author
Posted by Ken Colburn of Data Doctors on November 3, 2019