If someone "acquires" the master password for my password manager program, then they have access to all my accounts. How's this different than a single password for all accounts?
This question was answered on April 8, 2021. Much of the information contained herein may have changed since posting.
This is a common and legitimate question that often keeps non-technical users from incorporating a password manager, but it’s important to understand that cybersecurity is never about achieving 100% security as it’s just not possible.
The real focus needs be on evaluating the degrees of security based on a number of variables and whether you are in control of them or not.
Using the same password on all your accounts means that if any one of those accounts is breached, they are all at risk because the standard operating procedure for cyber-thieves is to try the same password on thousands of other sites.
You are also only as secure as the least secure site that uses the same password.
Who’s In Control?
Protecting the personal information that you provide to any company is totally out of your control.
The fundamental security enhancement of using a different password for every account should be fairly obvious to everyone, but not possible without some form of password management.
Protecting how you manage your passwords is one of the most important things to focus on, which goes to your question.
If you were to write down all your passwords and keep them in a very secure place, that would be preferential to using the same password on every account.
The key is to not make it obvious that the information is a bunch of passwords in the event someone else finds it.
Password Manager Security
When you incorporate a password manager, you only have to create, remember and protect one password.
It’s important to use a very long and complex password that you have never used before for the best chances of keeping it secure.
Most password management programs provide lots of additional layers of protection that you can setup that include 2-factor authentication and rules that deny access based on location, device or IP address.
When you add these additional layers of protection, even if an unauthorized person acquires your master password, they won’t be able to use it because they won’t have the necessary additional items to be fully authenticated.
You’ll also get a warning of a failed or blocked sign-in attempt, which lets you know to change your master password to be safe.
What If They Get Hacked?
Another common question about password management services is “what happens if they suffer a breach?”.
Your passwords on all of the services are stored using powerful encryption, which means any breach of the encrypted data would require the hacker to spend time attempting to decrypt the information.
The service would automatically require you to reset your passwords, which would render the stolen information useless by the time it was decrypted.
For many years, I’ve recommended LastPass https://www.lastpass.com
because they offered lots of features in their free version of the program, but if you want to use it on both a computer and smartphone, it’s no longer free.
Another fee-based service that has lots of great features is 1Password https://1password.com
Both services offer individual or family-based plans that range from $3 - $5 a month.
About the author
Posted by Ken Colburn of Data Doctors on April 8, 2021