What Is a Password Manager and Is It Safe to Use One?

A password manager is an application that stores and manages online credentials—think of it as a type of vault that keeps passwords safe. In addition, password managers make it easier to access apps and websites since they can automatically input login details.

Everyone who uses a computer or smartphone is likely familiar with switching between various applications and websites throughout the day. This can be frustrating if you don’t remember which login to use for which account, and is one of the reasons password managers have become popular. Instead of juggling multiple logins, a password manager requires that people only remember one password to gain access.

In theory, this encourages the use of more complex passwords. When users only need to remember a single login, they’re less likely to use simple, easy-to-guess passwords. That said, with password manager software, it’s easier to lose—or for a hacker to gain access to—all of your login credentials in one fell swoop. So even though many people and organizations find password managers helpful, it’s important to ask, “how safe are password managers, and what are the alternatives?”

Why do we need password managers?

People often worry about forgetting passwords—and as a result, have adopted some insecure practices for keeping track of them. Our Passwordless Future Report revealed that 34% of users use the same passwords for multiple accounts, 26% write them down on paper, and 17% save them on a phone or computer. We also found that people have to remember an average of 10 passwords every day—and forget an average of three passwords in a typical month.

This is not only a problem for individuals, but also the businesses they work for. According to Verizon’s Data Breach Investigations Report, 81% of hacking-related breaches in 2018 were a result of weak, stolen, or reused passwords. And the consequences of a breach can be catastrophic: the average cost of a single stolen record is $148, while the total cost of a data breach averages $3.86 million.

With all of this in mind, it’s clear that people and businesses alike need better ways to store their passwords, as well as a greater understanding of how to store passwords safely.

Types of password managers

There are two distinct types of password managers:

  • Desktop-based password managers offer secure password storage by keeping data locally on a single device. With an offline password manager like this, users can’t access credentials from any other device. If the device is lost, so are the passwords.
  • Cloud-based password managers store encrypted passwords safely in the cloud on the service provider’s network. These come in various forms, such as browser extensions, desktop apps, or mobile apps, and enable users to access their secure password vault from any device.

How do password managers work?

Users are most likely familiar with cloud-based password managers in their browsers that are available for Chrome, Edge, Firefox, Safari, and others. How you use a password manager will vary depending on the provider, but generally speaking, they all ask users to create a primary password before adding specific app and service logins.

Once set up, you only need to log in to your password manager to access all of your accounts. You’ll stay logged in for the duration of a computer session, with your chosen password manager filling in credentials automatically. However, your primary password will need to be re-entered every time you log in to your computer.

Some cloud-based mobile applications allow users to log in using a primary password or biometrics such as fingerprint or Face ID. These password managers can also input credentials automatically—so you don’t have to type in complex strings of letters and numbers.

Different types of password managers work in different ways. For example, some will encrypt data on a device before uploading it online—others don’t create any sort of record of your passwords. It’s important to know how your preferred password manager stores data, especially when using autofill for sensitive data, as well as the additional features they have (e.g., recovery services).

Pros and cons of password managers

There are positives and negatives to every password manager, which may leave you wondering about the safest way to store and secure passwords. To help ease your mind, we’ve laid out the pros and cons of password storage devices and protection software.

Pros

  • Just one password: Users don’t need to memorize logins for every application and service they use—just the one that unlocks their password vault.
  • Password generation: Many password managers can auto-generate highly secure passwords for individual applications, so losing one credential doesn’t mean losing them all.
  • Alerts: Some password manager software can warn users of potential phishing attempts, ensuring they stay clear of malicious spoofed emails and websites.
  • Easy access: By storing and auto-filling login details and personal information, password managers provide quick access to online accounts.
  • Device sync: Most good password managers can share login information across various operating systems and multiple devices.
  • Protection: Since password managers make it more difficult for bad actors to steal credentials, they ultimately protect a user’s identity.

Cons

  • Administration: Within corporate settings, password managers can be problematic for IT admins, who are unable to manage who has access to those credentials. Each password represents a potential entry point or weak spot in an organization’s security defenses and increases its attack surface.
  • Password protection: While using password managers is a step in the right direction, passwords by nature are vulnerable to phishing and brute-force attacks. Using passwords at all is an inherently insecure practice.

Safer alternatives to password managers

It’s important for users to assess whether a password manager is enough to keep their most sensitive data safe. If it doesn’t seem secure, there are some alternatives to consider:

Single sign-on (SSO)

Single sign-on relies on federated identity, which shares attributes across trusted, autonomous systems. Users that are trusted by one system are given access to all other systems that have a trusted relationship with it. This removes the need for transferring passwords between systems, and requires users only use one set of credentials to sign in to apps, firewalls, VPNs, wifi networks, and more. SSO also creates a convenient experience for users through strong authentication.

Furthermore, modern SSO provides IT teams with a clear view of the context of every login request. This ensures they know the identity of every user, the IP address, device, and browser they used, and when and where they last logged in. Using this context, IT can then create security policies that drive proper access decisions. For example, they can combine SSO with multi-factor authentication to flag suspicious login attempts, and prompt the user for another factor—preventing bad actors that have stolen a password from gaining access.

Going passwordless

Rather than entering a password, users can verify their identity using mobile authenticator apps, hardware tokens, one-time passcode, and biometric information. This reduces the likelihood of phishing as well as other password threats like man-in-the-middle, man-in-the-browser, and replay attacks—and eliminates the possibility of users losing or forgetting their password. It also ensures better user experiences and lifts the load from overworked IT teams by removing the high-maintenance task of managing passwords.

While using a password manager is a step in the right direction, passwords are inherently risky. Everyone—individual users and businesses alike—needs to look beyond how to safely store passwords and instead embrace MFA, SSO, and other identity verification and security techniques that allow them to get rid of passwords altogether.

Learn more about the differences between password managers and SSO:

 

 

Or find out what it takes to go passwordless: