- What is a password manager - and how can a password manager help me?
- How do password managers work?
- Are there security risks in using a password manager?
- How can I protect my password manager?
- Should I use a password manager application?
- What are good password managers?
- Is a password manager a guarantee my accounts will be secure?
A password manager is an application running on your computer that stores passwords for you. Very simple password managers allow stored passwords to be copied and pasted into log-in boxes. More sophisticated managers let users launch and log in to an application or website by clicking on their entry in the manager itself, while some password managers include browser ‘plug-ins’ so that you can complete a log-in on a web page simply by pressing a button.
The majority of password managers also offer password generation facilities. Since computers can remember arbitrarily long pieces of nonsense text, say MHpKQCvpYoouTAaPiiWuFKjpNe7qnsbwkrvq3s3cX, password managers have no problem creating passwords that are highly resistant to both brute-force and dictionary attacks.
Since a password manager contains a great deal of extremely valuable information, it represents an attractive target for an attacker. Before choosing a manager you should check that:
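As an added illustration (this is not code from the original page or from any particular product), the Python below generates passwords the way a manager's generator does, drawing each character from the operating system's cryptographic random source, and computes the entropy of a password of a given length and alphabet. The 41-character alphanumeric example above comes out at roughly 244 bits. The function names and the `require_each_class` option are my own assumptions about what such a generator offers.

```python
import math
import secrets
import string

# Character sets a password manager typically offers. The page's example
# (MHpKQCvp...) uses only letters and digits, i.e. an alphabet of 62 symbols.
ALPHANUMERIC = string.ascii_letters + string.digits
FULL = ALPHANUMERIC + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def generate_password(length: int = 32, alphabet: str = FULL,
                      require_each_class: bool = True) -> str:
    """Draw every character uniformly with `secrets` (the OS CSPRNG).

    random.random() is seeded predictably and must not be used for this.
    With require_each_class the result is guaranteed to contain at least one
    symbol from every class present in the alphabet (assumed option)."""
    wanted = [c for c in CLASSES if set(c) & set(alphabet)] if require_each_class else []
    if length < max(1, len(wanted)):
        raise ValueError("length too short for the requested character classes")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: every accepted password stays equally likely.
        if all(set(cls) & set(pw) for cls in wanted):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """A uniformly random password of this shape has log2(alphabet_size ** length) bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(41, ALPHANUMERIC)
    print(pw, f"{entropy_bits(41, len(ALPHANUMERIC)):.1f} bits")
```

Rejection sampling (retrying until every class is present) is what keeps the "at least one digit, one symbol" guarantee from biasing the distribution; stuffing a fixed digit into a fixed position would make the password easier to guess than its length suggests.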
- The password manager itself requires a password to use it. This prevents an attacker from simply starting the password manager and reading your passwords.
- The password manager locks itself after a period of inactivity. This stops an attacker from accessing the passwords if you have used the password manager and then left your machine unattended.
- The passwords themselves are encrypted on your computer. This prevents an attacker from reading your passwords off the disk without opening the password manager.
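The three checks above describe one design: a key derived from the master password, an inactivity timer that re-seals the store, and nothing but ciphertext on disk. The following Python models that design end to end; it is an added example, not the code of any product named on this page. It uses PBKDF2 from the standard library for key stretching and, because the standard library has no authenticated cipher, HMAC-SHA256 in counter mode as a stand-in for AES-GCM (an assumption made for portability; a real implementation would use a vetted AEAD). `PasswordStore`, `ManualClock` and the 200,000-iteration work factor are my own choices.

```python
import hashlib
import hmac
import json
import os
import time

KDF_ITERATIONS = 200_000          # PBKDF2 work factor; raise it as hardware gets faster
NONCE_LEN, TAG_LEN = 16, 32

def derive_keys(master_password: str, salt: bytes):
    """Stretch the master password into independent encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                             salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only PRF standing in for AES-GCM."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(plaintext: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Encrypt-then-MAC; the blob layout is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(blob: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Check the tag in constant time before decrypting a single byte."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master password or tampered store")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class StoreLocked(Exception):
    pass

class ManualClock:
    """Settable clock so the inactivity timeout can be exercised without waiting."""
    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now

class PasswordStore:
    def __init__(self, master_password: str, lock_after_seconds: float = 300.0,
                 clock=time.monotonic):
        self.lock_after, self.clock = lock_after_seconds, clock
        self.salt = os.urandom(16)        # kept in the clear beside the blob
        self.blob = None                  # the only form that ever reaches disk
        self._keys = derive_keys(master_password, self.salt)
        self._entries = {}                # plaintext exists only while unlocked
        self._last_use = clock()

    @property
    def is_locked(self) -> bool:
        return self._entries is None

    def _touch(self) -> None:
        if self.is_locked:
            raise StoreLocked("unlock with the master password first")
        if self.clock() - self._last_use > self.lock_after:
            self.lock()                   # idle too long: seal and forget
            raise StoreLocked("locked after inactivity")
        self._last_use = self.clock()

    def add(self, site: str, password: str) -> None:
        self._touch()
        self._entries[site] = password

    def get(self, site: str) -> str:
        self._touch()
        return self._entries[site]

    def lock(self) -> bytes:
        """Seal the entries, then drop plaintext and keys from memory."""
        if not self.is_locked:
            self.blob = seal(json.dumps(self._entries).encode("utf-8"), *self._keys)
            self._entries = self._keys = None
        return self.blob

    def unlock(self, master_password: str) -> None:
        if not self.is_locked:
            return
        keys = derive_keys(master_password, self.salt)
        plaintext = open_sealed(self.blob, *keys)   # raises on a wrong password
        self._keys, self._entries = keys, json.loads(plaintext)
        self._last_use = self.clock()
```

Two details carry the security argument: the salt is stored in the clear but the key never is, so anyone who copies the blob still has to run the key derivation for every guess at the master password; and the tag is verified before decryption, so a tampered or mismatched blob is rejected rather than decrypted into garbage.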
Most modern web browsers offer to remember passwords when you enter them into web forms, providing password management for websites you visit using the browser. This can be very convenient for frequently visited sites where you regularly have to enter details. The security of this password storage is strong and your data will not be visible to casual inspection, but you should be extremely careful about using it on any computer that you do not own or have sole control of, since your data will be stored on that machine and could be misused by another user or an administrator.
You should only consider using a browser’s password storage on a machine that you are the sole user of, or one where you entirely trust the other users. Under no circumstances should you store passwords in the browsers of public machines in places such as cafes, libraries and workplaces.
When using a password manager check that the password manager’s security functionality has been evaluated by a reputable independent organisation. Additionally, make sure you select a very strong password for controlling access to the password store. This will minimise the risk of attackers having access to your passwords, even if they do manage to steal the encrypted password store, either from your machine or from online storage provided by the password manager software.
An alternative to a browser’s password management is a dedicated password management application - or app.
Before choosing any product to manage your passwords, you should make sure that it meets your requirements – in particular:
- Is the software available for your computer?
- Does it manage passwords on one machine or more than one computer?
- Can it synchronise passwords between multiple machines?
- Does it have a good reputation?
Check that the password manager software has a good reputation by making sure that it has been evaluated by a reputable organisation. Don’t depend on anecdotal evidence.
Some examples of password manager applications are:
- LastPass is available for a range of operating systems, including mobile devices. It can generate and store passwords, and manage them across multiple devices.
- 1Password is available for Windows and Mac computers as well as mobile devices running iOS, Android and Windows Phone. As well as generating and storing passwords, 1Password can be used to hold other confidential documents. It offers password synchronisation through the free Dropbox cloud service where encrypted copies of all 1Password data are shared between your machines.
- KeePass is available for Windows, Mac and Linux operating systems. It is an open source password manager, which makes it easier for security experts to check its program code and identify potential security problems.
The protection offered by a password manager is only as good as the password you select to control access to it – the ‘master password’. Therefore, make sure to select a long, hard-to-guess password – ideally a phrase or a combination of random words. This will prevent attackers from getting access to all of your passwords, even if they steal the password store from your machine or from an online password system. For example, in June 2015 attackers were able to steal a large number of password stores from LastPass, putting those users with very weak master passwords at risk of having all their passwords used by hackers.
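To make the "only as good as the master password" point concrete, here is an added Python example (not from the page or from LastPass) that builds a master passphrase from random words and estimates how long an attacker holding a stolen encrypted store would need to guess it offline. The word list is a constructed 16-word sample standing in for a real list such as the 7,776-word Diceware list; the guess rate of 100,000 per second against a key-derivation function, the "~20 bits" figure for a common word plus two digits, and the function names are all assumptions chosen for illustration.

```python
import math
import secrets

# Constructed, deliberately tiny word list. In practice a real list of several
# thousand words (e.g. the 7776-word Diceware list) is assumed to be loaded from a file.
SAMPLE_WORDS = ["anchor", "basil", "canyon", "drift", "ember", "falcon", "garnet",
                "harbor", "iris", "jigsaw", "kettle", "lantern", "meadow", "nickel",
                "oyster", "pebble"]


def generate_passphrase(n_words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick words uniformly and independently with the OS CSPRNG.

    The strength comes from the number of possible choices, not from the
    words being obscure, so a large list matters more than clever words."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """How many words from this list reach the target entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_seconds_to_crack(entropy_bits: float, guesses_per_second: float) -> float:
    """With the encrypted store in hand the attacker guesses offline and, on
    average, succeeds after trying half of the possibilities."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def compare_master_passwords(guesses_per_second: float = 1e5) -> dict:
    """Assumed scenarios and an assumed guess rate against a slow KDF; returns seconds."""
    scenarios = {
        "common word + 2 digits (assumed ~20 bits)": 20.0,
        "8 random alphanumerics": passphrase_entropy_bits(8, 62),
        "6 words from a 7776-word list": passphrase_entropy_bits(6, 7776),
    }
    return {name: expected_seconds_to_crack(bits, guesses_per_second)
            for name, bits in scenarios.items()}


if __name__ == "__main__":
    print(generate_passphrase(6))
    print("words needed for 77 bits from the sample list:", words_needed(77, len(SAMPLE_WORDS)))
    for name, seconds in compare_master_passwords().items():
        print(f"{name}: {seconds / 86400:.3g} days")
```

The comparison shows why the 2015 theft was dangerous only for weak master passwords: at the assumed rate a ~20-bit password falls in seconds, while six words from a large list need on the order of 10^18 seconds. Note that six words from the 16-word sample give only 24 bits, which is why the size of the list, not just the number of words, decides the outcome.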