How many passwords do you need to remember? The answer is probably a lot. A 2017 survey by LastPass and a 2020 survey by NordPass found that, on average, we need to remember around 100 passwords for our personal accounts and 190 passwords for our work accounts. That is a product of our digital age: if we want to use something online, we need to create an account. But the sheer number of passwords each of us must remember pushes people towards weak, repeated passwords.
Don’t worry, we’ve all been there. A 2019 report by Google showed that 52% of us use the same password for multiple accounts. This might seem harmless enough, but it makes your information far easier to steal. Verizon’s 2017 Data Breach Investigations Report found that 81% of hacking-related breaches involved weak or stolen passwords, and reuse makes the damage worse: once an attacker has one working username and password, they will try the same pair against every other account they can link to that user, an attack known as credential stuffing.
But having to remember close to 300 unique, strong passwords is a feat bordering on superhuman. Luckily for us, password managers exist.
What is a Password Manager?
Password managers are applications that securely store your login information for websites and other services you use, and most can fill that information in automatically when you sign in. When you use a password manager, your login information is encrypted, using a key derived from your master password, and stored in a database, often called a vault. Depending on the product, access to this encrypted vault may be protected by anything from a master password alone to multi-factor authentication incorporating biometrics, physical tokens and cryptographic keys.
That sounds very complicated, so why not just write your passwords down on paper? Well, in 2009, the British National Health Service suffered a massive data breach that led to thousands of patients’ medical records being stolen, all due to a single password being written on a post-it note.
Many password managers will also include a password generator, which can create passwords with different levels of complexity, meaning you don’t have to make up new, secure passwords for every account.
Are They Safe?
The short answer is yes, but they’re not perfect. Storing information anywhere but your brain carries the risk of it being stolen, and the level of protection varies between products. The benefits still far outweigh the risks, and password manager companies will often go the extra mile to protect their users’ information. AES-256 is the industry-standard cipher for the vault itself, and it cannot be broken by brute force on classical computers. What attackers actually go after is the master password: the AES key is derived from it with a deliberately slow key-derivation function (PBKDF2 or Argon2 in most products), so every guess costs a full run of that function. The vault is therefore only as strong as the master password, which is why it must be long and unique, and why the work factor of the key-derivation step matters.
Password managers also use a ‘zero-knowledge architecture’: your vault is encrypted on your device, with a key derived from your master password, before it is sent to the provider, and the master password itself is never transmitted or stored by them. If the provider’s servers were breached, all the attacker would obtain is the encrypted vault, which can only be opened by guessing your master password.
You can further reduce the risk by practising good password hygiene: installing updates to your password manager when patches are released, enabling multi-factor authentication on the manager itself and on your accounts, and using anti-virus software to keep your devices free from malware, since a compromised device can read whatever the manager has unlocked.
What Kinds of Password Managers Are Out There?
You may already be familiar with browser-based password managers. These are password managers hosted by your browser, such as Chrome, Firefox, or Safari. When your browser asks if you’d like to save your username and password for a site, this information is stored in the browser’s password manager. These password managers are relatively safe, free, and easy to use, and can be used across multiple devices using the same browser.
Browser-based password managers, however, are tied to one browser: Chrome, Firefox and Safari each keep their own store and don’t share it with each other, so you have to update your information manually across browsers. Current versions of all three can suggest strong passwords, but with fewer options than dedicated products, and because the store is normally unlocked whenever you are logged in to your computer, malware running as your user can read it.
Cloud-based password managers, such as LastPass, and NordPass, are hosted on third-party servers, which allows you to access your password vault from any device, using any browser. These password managers are safe and convenient to use, as being cross-device, cross-browser means changes to your password list are updated everywhere.
Cloud-based password managers, however, require an internet connection to be accessed, which can limit their use, and the user has no control over the third-party server’s security.
Desktop-based password managers, such as KeePass, keep the encrypted vault in a file on your own device rather than in a browser or on a third-party server, which gives them the smallest attack surface of the three. To get at your passwords, an attacker needs a copy of that file and your master password, or access to the device while the vault is unlocked.
The drawback is the flip side of that benefit: desktop-based password managers trade convenience for simplicity and security. Syncing between devices, backups and any other copies of your vault all have to be managed by you, the end user.
Hybrid-based password managers, such as 1Password, Dashlane, and Bitwarden are hosted on a third-party server and can be synced to your device. These password managers provide the flexibility of a cloud-based password manager with the offline capabilities of a desktop-based password manager.
Should I start using one?
Password managers are handy tools to have, and the benefits far outweigh the risks when it comes to their security. Before you start using a password manager, make sure to consider what level of security you need – are you using it to store your social media login details, or are you a business in need of a higher security option with other features like user access control and self-hosting? Keeping your data protected can be difficult in the rapidly changing digital age, so perhaps consider using a password manager to keep on top of these threats.
Digital Identity and Security
Cogito Group is an award-winning cybersecurity company specialising in authentication, cloud security, identity management and data protection. Cogito Group protect the authentication methods used to access information through the use of Identity and other security technologies.