What you should consider when choosing a password manager

Password managers offer many convenient options, but some come at the expense of security

Many security experts feel that passwords are no longer sufficient to keep online accounts safe from hackers, but we're still a long way from widespread adoption of biometrics and alternative methods of authentication.

Most of us are stuck with using passwords as the primary keys to our online lives, so we should at least follow best practice when managing them: use long, complex passwords or phrases that can withstand brute-force attacks, use a separate password for every online account, and change a password promptly whenever there is reason to believe it has been exposed. Forcing a change on a fixed schedule, once standard advice, is no longer recommended in NIST's SP 800-63B guidance, because it tends to produce predictable variations of the old password rather than stronger ones.

The thought of doing all that can be intimidating, but fortunately there's an entire class of programs called password managers that can automate most of the process. Password management implementations vary, from the rudimentary password-storing features in most browsers to specialized products that synchronize the saved passwords across different devices and automatically fill log-in forms as needed.

Many password management services provide browser add-ons, stand-alone applications for desktop and mobile platforms, and web access to the password vault. They are highly convenient, but used carelessly they become a single point of failure: almost all of them rely on one master password to unlock every other saved password, so whoever obtains that one secret obtains everything.

What you need to know

Users should carefully consider the security model of any password manager they intend to use. For cloud-based products that provide online access and synchronization, it is important to understand how the provider stores users' data on its servers, whether it ever has access to the master password or the key derived from it, and what an attacker who breaks into those servers would actually obtain.

Some providers use a zero-knowledge model: the vault is encrypted on the user's device with a key derived from the master password, and the servers store only that encrypted copy. The encrypted vault is synchronized to the client applications, or sent as-is to the user's browser during online access, and decryption always happens locally. The master password itself, and the encryption key derived from it, are never shared with the provider or sent over the Internet; a separate value derived from the password is typically used to log in. One caveat applies to the browser-based mode: decryption in a web page runs code that the provider's servers deliver, so a compromised or coerced provider could serve a modified page that captures the master password. Native applications do not have that exposure.

In this case the company's servers hold only encrypted copies of the vaults, so a server compromise would give attackers ciphertext to attack offline, not the keys to read it. How long that ciphertext resists an offline attack then depends on the strength of the master password and on the slow key-derivation function used to stretch it. LastPass, Dashlane, 1Password and Mitro, the last of which recently went open-source after being acquired by Twitter, are among the providers that claim to use such implementations.

Double down

However, this model does not protect against client-side attacks. For example, attackers could still obtain a user's master password by infecting the computer with keylogging malware, or by phishing it. That's why it is also important to choose a password manager that offers two-factor authentication.

This form of authentication combines something you know, the master password, with something you have, such as a mobile phone or a hardware token. The most common second factors are one-time codes received via text message or generated by a mobile application such as Google Authenticator. Codes sent by text message are the weakest of these, since they can be intercepted or redirected by someone who takes over the phone number; app-generated codes are better, and hardware tokens that bind the login to the legitimate site are better still. Fortunately, most popular cloud-based password managers currently offer some form of multi-factor authentication, but it's best to double-check before choosing one.

Two-factor authentication prevents attackers from using a stolen master password to open the vault from a different computer or device. Malware already on the user's machine, however, can piggyback on an unlocked password-manager session and reach the user's online accounts through the local browser, especially if auto-login is turned on. Auto-login is convenient, but it also means that anyone, or anything, driving the browser while the vault is unlocked gets logged in too; users should think carefully about whether to enable it.

It's also best to use password managers that automatically lock the vault after a period of inactivity, especially if the browser stays open for long stretches or someone else might have access to the computer while the user is away. Locking does not stop malware that is already active, but it adds another layer of protection, and it is what keeps the second factor meaningful on a shared machine.

Users may also be tempted to flag a device as trusted: many password managers offer to skip the second authentication step on a given device once two-factor authentication has been completed there. While convenient, this assumes an attacker will never gain control of that device, or of the browser cookie or token that marks it as trusted, which is not always the case, so users should weigh that risk against the inconvenience of entering the second factor every time.

Don't rely just on a password manager

One of the primary benefits of a password manager is that it allows a different complex password for every account without having to remember them all. It is equally important, though, for the master password to be strong, because it is the one secret that protects all the others and must resist offline brute-force attacks against a stolen vault.

Users who find it hard to remember complex passwords that mix digits, lower- and upper-case letters and special characters should try a long passphrase as their master password instead: a sequence of several words chosen at random from a large list. The strength comes from the random choice, not from the words themselves, so a memorable phrase the user makes up, such as a song lyric or a quotation, does not count. A randomly chosen passphrase of five or six words gives the same or better protection against brute-force attacks as a strong random password, and is easier to remember. Passphrases are also a good choice for critical accounts that must remain accessible even when the password manager or its server is unavailable for some reason.

Finally, many of the largest online services, such as Facebook and Gmail, now offer two-factor authentication themselves, so even if you use a password manager and follow good security practice in general, turn on two-factor authentication wherever it is available. It can make a big difference, especially if your password manager does get compromised.


Lucian Constantin

IDG News Service