Should you use a password manager? Is using a password manager comes with any risk? Is using a password manager riskier than not using it?
Those are the questions that people usually ask about a password manager. In this post, I will answer all those questions.
What is a password manager?
Before we tackle the questions at the beginning of the post, It would be better if we first understand what a Password Manager really is.
Password Manager is an application or software that can generate a new password, save login information, and manage them.
Using a strong password and different password on each site you register is recommended, but there is a limit on how many different passwords a human can remember, especially if the password is strong. Using a password manager can help you to generate a strong password and use a different password on each site, you will only need to remember one password that will log you into your password manager.
Why Should you use a Password Manager?
The risk of using the same password at many sites
The risk of using the same password at many sites is pretty high. If somehow a hacker got one of your passwords then he/she would be able to login to all of your accounts that have the same password. There are actually many ways how a hacker can get your password.
How someone can get your password
You never know how a site stores your password and whether the security on their server is good or not. These are some of the ways that a hacker can get your password:
- Man in the middle attack: This type of attack is like eavesdropping, a hacker can secretly get the data on the way from your PC to the target server. A good website would use https protocol which will encrypt your data before it leaves your PC, so even if there is a man in the middle they won’t be able to get your raw data or password. But the problem is, even though many sites already use https, some of them are still not, and your password is at risk if you register or log in at those sites.
- Sites that don’t have good security: Some sites have bad security, maybe the way they store your password is badly or not encrypted so when the site got breached, the hacker would be able to get your raw password easily, other than that, a site might be able to be attacked by brute force method, basically they will try many combinations of the password until they figure out the correct one by using a software. There is a site that let you know which site you’ve registered have been breached.
- Someone figuring out your password by looking at your screen: Someone can figure out your password by looking at your screen when you’re typing it.
- Keylogger: Someone putting keylogger software or hardware on your PC would be able to know everything that you type on your keyboard.
Using a password manager
The benefits of using Password Manager
By using a password manager, you can generate a strong unique password to be used by each site you registered on which will reduce most of the risk of using one password in many sites. Man in the middle attack might still able to get your password, but now that the password they get can’t be used to log in to every site that you’ve registered on. Your password will also be harder to be attacked by the brute force method because now it’s very strong.
The risks of using Password Manager
Sadly, even though using a password manager comes with many benefits, it introduces new risks too:
- Breach on password manager server: There is a chance that the password manager’s server gets breached, Even it’s very low, take Lasspass for the example, it got hacked in 2015. But even though it was hacked, according to Lastpass’ article no vault (place to store your login information) was compromised, which means that the hacker couldn’t get into your vault at all. The only thing that the hacker gets is the username of the Lastpass users, no password was taken. The password manager’s server usually has tighter security compared to other servers because they specialize in security. As long as you choose a password manager with a good track record, then you should be safe.
- Losing your master password: Losing your master password is another risk of using a password manager. Putting all of your passwords that you don’t remember in one place means that there is a chance that you’ll forget your master password and make you unable to access any of your passwords.
- Getting malware: Getting malware on your device is the riskiest and most dangerous thing when using a password manager. The hacker can suddenly get all of your passwords if you open your vault. There aren’t many malware that targets a password manager, and since every password manager has they own method to store your password after you open your vault, then the malware would need to be very specific to target that password manager, and even with that, the password manager would still able to patch the software as soon as they are aware of the malware.
Reducing the risks of using a password manager
If you decide to use a password manager, these are some tips I have to reduce the risk that the password manager has:
- Activate 2FA: you can activate 2FA (Multi-Factor Authentication) to reduce the risk of using one. 2FA is a system that asks you to verify that the one that has just logged in to your account is really you. The most common ways to verify are via a link sent by email, OTP(One time Password) sent via email/phone, Google Authenticator, and a hardware key. Using 2FA will decrease a chance of account takeover even if the one that plans to login into your account knows your password because they won’t be able to successfully login without you knowing.
- Plan your recovery master password method: There is a chance that you’ll lose your master password, so you should have a recovery method for your master password. A good password manager usually has a method for recovering a master password, so please choose one that you think is safe and suits you.
- Don’t save your high-risk password in a password manager: The simplest example of this is your email. Most sites will assume that if you can log in to your email, then you’re the real owner of the account, so there are many recovery methods and verification methods that are sent to your email. Using a unique password and remembering it by yourself for a high-risk password will further reduce the chance of your account getting hacked.
Is using a password manager riskier than not using one?
This is very depending on the person, for most people reading this article which I assume have at least some knowledge on using PC safely and have many accounts on many sites, then I’d recommend using one. Even though there is a risk of using a password manager, the risk of not using one far outweighs the risk of using one.
If you only have accounts in the sites that you only trusted and rarely register on new sites, then I’d recommend not using one. Just activating 2FA is already enough because other people won’t be able to login into your account without you knowing, there is no reason to use a password manager.
Recommended Password Manager
These are the password managers that I’ve tried and liked, I won’t write a detailed review for each one, but I will write a bit about the things I like and dislike about each one
- Encrypted text file: This is the simplest, one of the most secure ones and free, You don’t have to register in any site and there is a lot of chance that you already have the tools needed for it. It is secure because your encrypted password won’t need to leave your PC at all, so there is no risk of man in the middle and someone getting your password unless someone hacked your PC. Since you don’t register anywhere though, if you forgot your master password then there is really no way to recover it.
- KeePass: Free, open-sourced, and light-weight password manager. You use a local vault, so you don’t have to register for anything and your password also won’t leave your PC. It’s more secure than an encrypted text file because your password will be masked, so there is no chance that other people will know your password by looking at your screen. Same as Encrypted text file, since you don’t register anywhere, if you forgot your master password then you can’t access the password saved in the software.
- Lastpass: The most used cloud Password Manager as far as I know. It has 2FA, cloud sync, browser extension, Android, and iOS apps. It is free if you want to use it on 1 device, but if you want to use more then you have to buy a premium subscription. Your vault is stored in the cloud, so it’s not as secure as the Encrypted text file and KeePass, but it still can be considered very secure because everything is encrypted. The only weakness of Lastpass is that its UI is pretty outdated.
- Bitwarden: it is one of the most secure Password Manager too, it’s open-source and basically free unless you want extra features like encrypted storage or use a hardware key for 2FA. It’s a cloud vault that can be synced across multiple devices and can be used in most mainstream platforms. The unique feature that Bitwarden has is that you can host your own vault. For the most secure setup, you can host it on your localhost or your owned server if you know what you’re doing. The main weakness of this Password Manager is that it only has 1 developer, so the development of this Password Manager might be a bit slow and can stop if something happens to the developer. If you’re want to try using a password manager for the first time, then I recommend using this one first before jumping to another password manager.
- 1Password: This is the Password Manager that I personally use. It’s the most convenient and seamless one compared to the others on this list, especially in phone devices. The weakness of this Password Manager is that it’s not free and pretty expensive.
Conclusion
A password manager is a software that will help us generate a new password, save your login information, and manage them. There are risks of both not using and using a password manager, but for most people, the risk of not using one far outweighs the risk of using one.
If you decided to use a password manager, then you should reduce the risk of using it by activating 2FA, Plan your master password recovery method, and not saving a high-risk password in your password manager.
If you want to try using a password manager for the first time then I recommend using Bitwarden because it has many features and is free.
