What you should consider when choosing a password manager

Password managers offer many convenient options, but some come at the expense of security

Many security experts feel that passwords are no longer sufficient to keep online accounts safe from hackers, but we're still a long way from widespread adoption of biometrics and alternative methods of authentication.

Most of us are stuck with using passwords as the primary keys to our online lives, so we should at least strive to follow best security practices when it comes to managing them. This includes using long and complex passwords or phrases that can withstand brute-force attacks, using separate passwords for every online account and changing those passwords periodically.

The thought of doing all that can be intimidating, but fortunately there's an entire class of programs called password managers that can automate most of the process. Password management implementations vary, from the rudimentary password-storing features in most browsers to specialized products that synchronize the saved passwords across different devices and automatically fill log-in forms as needed.

Many password management services provide add-ons for different browsers, stand-alone applications for desktop and mobile platforms and even give users the ability to access their password vaults online. They're highly convenient, but if used incorrectly they can lead to a single point of failure, since almost all of them rely on one master password to unlock all other saved passwords.

What you need to know

Users should carefully consider the security models of the password management applications they intend to use. For cloud-based implementations that provide online access and synchronization, it is important to understand how the service provider stores users' data on its servers and whether it ever has access to the user's master password.

Some providers use a zero-knowledge model, where they only store an encrypted copy of the password vault on their servers. Then, contents of the vault get synchronized with the client applications or are sent in encrypted form to the user's browser during online access. The decryption process is always done locally, based on the user's master password, which is never shared with the service provider or sent over the Internet.

In this case, the company's servers are used only for storing encrypted copies of the password vaults, and in the case of a server compromise attackers would not get the keys needed to access the passwords stored inside. LastPass, Dashlane, 1Password and Mitro, the last of which recently went open-source after being acquired by Twitter, are some of the providers that claim to use such implementations.
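To make the zero-knowledge model concrete, here is an added illustration in Go; it is not code from the article or from any of the products named above. It assumes a hypothetical sync service that stores one opaque blob per user, PBKDF2-HMAC-SHA256 for key derivation (written out so only the standard library is needed) and AES-256-GCM for the vault itself; the iteration count and the sample vault contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const kdfIterations = 200_000 // assumed work factor for this example; real products tune it

// Blob is all that the (hypothetical) sync server stores for a user: the KDF
// salt, the AEAD nonce and the ciphertext. No key material is in it.
type Blob struct {
	Salt, Nonce, Ciphertext []byte
}

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), written out here so
// the example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen+prf.Size())
	var ctr [4]byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr[:], block)
		prf.Write(ctr[:])
		u := prf.Sum(nil)              // U_1
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// aeadFor builds AES-256-GCM around a 32-byte derived key.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault runs on the client: fresh salt and nonce, key derived from the
// master password, vault encrypted. Only the Blob is uploaded.
func SealVault(masterPassword string, vault []byte) (Blob, error) {
	salt, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := rand.Read(salt); err != nil {
		return Blob{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	aead, err := aeadFor(pbkdf2SHA256([]byte(masterPassword), salt, kdfIterations, 32))
	if err != nil {
		return Blob{}, err
	}
	return Blob{salt, nonce, aead.Seal(nil, nonce, vault, nil)}, nil
}

// OpenVault also runs on the client, after downloading the Blob. A wrong master
// password or a modified blob fails GCM authentication instead of yielding garbage.
func OpenVault(masterPassword string, b Blob) ([]byte, error) {
	aead, err := aeadFor(pbkdf2SHA256([]byte(masterPassword), b.Salt, kdfIterations, 32))
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, b.Nonce, b.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("vault authentication failed: wrong master password or tampered blob")
	}
	return plain, nil
}

func main() {
	vault := []byte(`{"example.com": "constructed-sample-secret"}`) // constructed sample vault
	blob, err := SealVault("correct horse battery staple", vault)
	if err != nil { panic(err) }
	fmt.Printf("server sees only: salt=%x nonce=%x ct=%x\n", blob.Salt, blob.Nonce, blob.Ciphertext)
	plain, _ := OpenVault("correct horse battery staple", blob)
	fmt.Println("client decrypts:", string(plain))
	_, err = OpenVault("wrong master password", blob)
	fmt.Println("wrong password ->", err)
}
```

The property to look for in any product's security model is the one SealVault and OpenVault exhibit: the master password and the derived key exist only on the client, the server holds salt, nonce and ciphertext, and a wrong password or a modified blob is rejected by the authentication tag rather than decrypting to garbage. A server breach therefore yields only material that still has to be brute-forced through the KDF, which is why the strength of the master password matters so much.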

Double down

However, this model does not protect against client-side attacks. For example, attackers could still obtain users' master passwords if they infect their computers with keylogging malware. That's why it is also important to choose a password manager application that offers two-factor authentication.

This form of authentication combines something you know -- the master password -- with something you have, like a mobile phone or a hardware token. The most common implementations of a second authentication factor are one-time-use codes that are received via text message or generated by special mobile applications like Google Authenticator. Fortunately, most of the popular cloud-based password management services currently offer some form of multi-factor authentication, but it's best to double-check before choosing one.

Two-factor authentication prevents attackers from accessing a user's password vault from a different computer or device by using a stolen master password. However, they could still use an existing malware infection to piggyback on a user's active password manager session and access their online accounts via the local browser, especially if the auto-login option is turned on. Auto-login features may be convenient, but can also be fraught with peril. Users should think carefully about whether they want to activate them.

It's also best to use password management applications that can automatically log off the user after a period of inactivity, especially if the browser is kept open for long periods of time or if someone else might have access to the computer while the user is away. This might not always protect against active malware on the computer, but it does add another layer of security.

Users may also be tempted to flag a device as trusted. Many password management applications offer an option of skipping the second authentication step in the future on a given device once they've completed a two-factor authentication with it. While convenient, this method assumes an attacker will never gain control over that device, which is not always the case, so users should carefully consider whether they can live with inputting the second factor every time.

Don't rely just on a password manager

One of the primary benefits of using a password management application is that it allows the use of different complex passwords for every account without having to remember them all. However, it's equally important for the user's master password to be strong so that it can resist brute-force attacks.

Users who find it hard to remember complex passwords that include digits, lower-case and upper-case letters and even special characters should try using long pass phrases as their master passwords instead. These are sequences of random real words that make up hard-to-guess phrases; they provide the same or an even better level of protection against brute-force attacks than a strong password, but are easier to remember. Pass phrases can also be used for critical accounts that need to be accessible even when the password management application or server is unavailable for some reason.
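A quick way to see the brute-force claim is to count equally likely outcomes. This added Go example (not from the article) generates a pass phrase from a word list with a cryptographic random source and compares the entropy of word-based and character-based passwords; the eight-word list in the code is constructed for the demo, and the 7776-word size used for the figures is that of the Diceware list, assumed here.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// EntropyBits is log2 of the number of equally likely outputs, alphabet^length.
// It applies to a character password and a word pass phrase alike, provided
// every element really is chosen uniformly at random.
func EntropyBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// GeneratePassphrase draws n words from wordlist with a CSPRNG; rand.Int
// avoids the modulo bias a naive "random % len" would introduce.
func GeneratePassphrase(wordlist []string, n int) (string, error) {
	if len(wordlist) == 0 || n <= 0 {
		return "", errors.New("need a non-empty word list and n > 0")
	}
	words := make([]string, n)
	limit := big.NewInt(int64(len(wordlist)))
	for i := range words {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		words[i] = wordlist[idx.Int64()]
	}
	return strings.Join(words, " "), nil
}

func main() {
	// Constructed eight-word list for the demo; a real list such as the
	// 7776-word Diceware list is assumed for the entropy figures below.
	demo := []string{"anchor", "basil", "canyon", "delta", "ember", "falcon", "garnet", "harbor"}
	p, err := GeneratePassphrase(demo, 4)
	if err != nil {
		panic(err)
	}
	fmt.Println("sample pass phrase:", p)
	fmt.Printf("6 words from 7776-word list:    %.1f bits\n", EntropyBits(7776, 6))
	fmt.Printf("8 random printable characters:  %.1f bits\n", EntropyBits(95, 8))
	fmt.Printf("12 random printable characters: %.1f bits\n", EntropyBits(95, 12))
}
```

Six words drawn at random from a 7776-word list give about 77.5 bits, more than a fully random 8-character printable password (about 52.6 bits) and on par with a random 12-character one (about 78.8 bits). The comparison holds only when the words are actually picked at random: a well-known saying or a favourite line from a song offers far fewer possibilities than the arithmetic suggests.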

Finally, many of the largest online services, such as Facebook and Gmail, are now offering two-factor authentication themselves, so even if you're using a password manager and follow best security practices in general, turn on two-factor authentication whenever it's available. It can make a really big difference, especially if your password manager does get compromised.

Lucian Constantin

IDG News Service