Are Password Managers Safe?

Passwarden is a part of the MonoDefense security bundle

“How safe are password managers?” Many users who are concerned about their security and privacy ask this question - and for good reason! Your passwords are your most important line of defense against cybercrime. It’s tempting to use a dedicated tool - a password management app - to bolster your defenses. But are password managers safe enough?

In this piece, we’ll explore all the whats and hows of this matter. We will see how password managers secure your passwords, what types of management tools exist, and what the risks of using them are. We will also take a look at our own service Passwarden and answer the question “Should you use password managers?”

How Password Management Apps Secure Your Passwords and Data

Let’s start with the basics. How do password managers protect you, and why are they considered the best way to safeguard your data? 

  1. Their first and most prominent security measure is data encryption. The industry standard is the AES cipher with 256-bit keys, considered strong enough that even the military uses it. Brute-forcing or cracking it would take decades, which in itself will repel any potential attackers.
  2. The next step is the so-called zero-knowledge architecture. In lay terms, it means that your passwords and other sensitive information are encrypted before they leave your device. Even the parties that would normally have access to your data, e.g. the app’s provider and its employees, can only see it in the encrypted and scrambled form. You could say that password managers protect your data even from themselves!
  3. Now that your passwords are safe and sound inside your app’s account, it’s time to protect the account itself. Most often, a password manager will use a Master Password for locking your account. Much attention is devoted to ensuring that it is strong. You can also use two-factor authentication (2FA, TFA) and other measures, e.g. biometric authentication. 
  4. Finally, different password managers offer different unique features for extra security. Passwarden has the Duress mode to allow you to hide your most important data even when you’re forced to provide access to the app to someone (for example, at customs security check). Our password manager also provides secure data sharing, easy migration, and strong password generation options.

Setting a strong Master Password for a password manager

Password Manager Types

There are three broad categories of password management apps. All of them grant more or less similar levels of security, yet as always, the devil’s in the detail.

Browser-based password managers

As the name suggests, these password managers come built into web browsers. This automatically implies some big advantages - and even bigger problems.

The most obvious benefit of browser-based password managers is that they are easy to use, intuitive, and free. Technically speaking, they also offer a passable level of security (they include data encryption and 2FA).

Alas, upon closer inspection things don’t look that bright. First of all, each such password manager only works in its respective browser, so hopping between browsers or synchronizing your vaults (let alone storing non-browser data) is not an option. Secondly, such solutions often lack even some basic features, like a password generator, strength rating, secure sharing, etc.

Desktop-based password managers

This type of app runs and stores your data within your device. This affects your password safety in two ways: it’s highly secure and highly inconvenient. First, the pros. Desktop-based password managers don’t require an internet connection and are thus shielded from being attacked directly over the network. That’s it, that’s the only (albeit massive) advantage of this type.

The cons are more numerous. First of all, a careless user can still get their sensitive information stolen even when using a desktop-based password manager, by inadvertently installing a keylogger (malware that records keystrokes) that captures their master password. Also, since your data isn’t synced with any external servers, it’s up to you to back it up regularly. And, obviously, no cross-device access to the data for you!

Cloud-based password managers

With this type, your device data is automatically synced across the provider’s cloud servers. This is why cloud-based password managers, such as Passwarden, are considered the most secure and convenient of the three types.

First and foremost, these password managers are extremely safe. Your sensitive information is encrypted with the military-grade AES-256 cipher and is then stored on the company’s cloud storage with zero-knowledge architecture. Your data can only be retrieved using your Master Password and after passing two-factor authentication. Not to mention other benefits, like cloud backup, secure sharing, and easy access from anywhere. 

Now, are cloud-based password managers entirely without drawbacks? Of course not. The biggest issue is that you entrust the security of your sensitive information to a third-party company. That’s why it is always recommended to double- and triple-check the app provider’s history and background. For instance, Passwarden is developed by KeepSolid, experts in cybersecurity with 7+ years of experience, numerous security products under their belt, and 20M+ users worldwide.

Password Managers Safety Risks and How to Avoid Them

Nothing is 100% safe online. Cybersecurity and cybercrime are in a constant arms race. However, statistically, many security breaches occur due to the victim’s negligence, rather than the hacker’s prowess. Here are the biggest risks to the safety of your passwords when using password managers, and how to avoid them.

1. All sensitive information in one place

With a password manager, you’re keeping all your eggs in one basket. Your passwords, personal data, payment credentials, secure notes - everything is stored there. If a breach occurs, you’ll be changing passwords for all accounts and blocking payment options for days.

Luckily, this issue is easily fixed by using a cloud-based password manager that encrypts your data on your device. Even if its cloud servers get breached, hackers will not be able to decrypt your sensitive information. All they’ll retrieve is an unintelligible string of random-looking characters instead of your password or credit card number.

2. Backup is not always available

When using desktop-based password managers, it’s up to you to take care of backups. This adds another layer of problems if you keep your backups on a poorly protected cloud service or an unprotected disk drive. But even with the cloud-based ones, if the server is down, you can only hope that the provider is making regular backup copies.

The solution here is to use paid cloud-based password managers. Commercial solutions are normally well-funded and can afford to have backup servers, whereas free password managers will often not offer such luxury.

3. Your device is not secure enough

A big issue with desktop- and browser-based password managers is that these services rely upon the user’s device for security. As long as the device is free from malware, your data is safe. However, if your device gets infected with spyware, you won’t even know that your passwords are compromised until it’s too late.

How to avoid this? Firstly, similar to the previous risk, this one is negated with cloud-based password managers. Your data is stored on cloud servers in an encrypted form, out of reach of hackers. Secondly, it’s highly recommended to always use dedicated security tools to protect your devices, such as firewalls and antivirus.

4. Forgetting the Master Password

As we already mentioned, the Master Password is your only way to unlock your profile and access the stored data. That’s why you should make it strong and unique, never share it with anyone or write it down. Unfortunately, this means that if you forget it (which is all the easier if it’s a random combination of characters), you will lose access to your account and vaults. 

How exactly you can restore your Master Password depends on your particular password management app. We have a whole manual on how to recover your Master Password in Passwarden.

Should You Use Password Managers?

So, all risks considered, should you use password managers? Yes, you definitely should. Even with all the vulnerabilities and flaws, these tools are a far better option than the alternatives - re-using the same weak passwords over and over again or writing them down on sticky notes or digital sheets.

With that said, you should pick a password manager app (and the provider company) that you are ready to put your trust in. Earlier, we described why KeepSolid is a trustworthy company. As for our password manager, you can try Passwarden for free and see firsthand whether it’s worth your attention!

December 3, 2020