Password managers are virtual vaults that store access credentials for social network accounts, banking applications, and email services, among others. The software spares users from memorizing every password: a single master password opens the vault, which also helps reduce password reuse. The advanced encryption offered by these vaults makes them the best alternative when it comes to password storage, but a recent hack on LastPass, one of the most famous managers on the market, has raised doubts about the security of these tools.
In a press release issued on November 30, the company said it detected atypical activity on its cloud storage service, but assured that customers’ passwords remain secure. In light of the LastPass hack, the second in three months, many have begun to ask: are password managers as secure as we think they are? To answer this question, Techidence explains in the following lines how virtual vaults work and the precautions you need to take when using these tools.
What are password managers and how do they work?
Password managers are software that allows you to securely manage and store several passwords in one place. Available as web versions and as downloads for computers and Android and iOS phones, these tools work like virtual vaults: all the user needs to do is set a secure master password for the vault and store all their “assets” in it, in this case the passwords to other accounts.
Once all the usernames and passwords for your online accounts have been stored in the vault, the master password is the only one you have to worry about memorizing. That’s because by entering it, you unlock the vault, and from there you can retrieve any other passwords you need.
According to research conducted by LastPass, 60% of people who reuse passwords do so because they are afraid of forgetting them. Password managers exist precisely to solve this problem: with them, you don’t need to repeat the same password on different accounts or create weak and obvious passwords to be able to memorize them. Many managers can also automatically generate strong passwords that have eight or more characters and mix letters, numbers, and special characters.
Are password managers secure?
Yes, most password managers protect the stored passwords with the 256-bit Advanced Encryption Standard (AES). The system is so secure that it was the first encryption algorithm open to the general public to be approved by the US National Security Agency (NSA). Virtual vaults also adopt the “Zero Trust” model of network security. This assumes that there can be intruders both inside and outside the company network, and therefore requires user verification and authentication.
But this does not mean that password managers are inviolable. LastPass, one of the most famous virtual vaults on the market, suffered one break-in in 2015 and two in a row in the last three months. On the most recent occasion, in November of this year, the company said it detected “atypical activity” on its cloud storage service, contracted from another company. While LastPass did not say which customer personal information was exposed, it assured that customers’ passwords remain secure due to the service’s Zero Knowledge architecture.
According to ESET information security expert Daniel Barbosa, it is the structure of password vaults that makes them a more secure storage method than others. “Let’s imagine that criminals managed to gain access to the same environment where the safes are saved. They will still be protected with encryption. Neither the criminals nor the company that owns the manager will have the key to open them,” he explains.
Dangers and cautions when using password managers
The biggest danger when using password managers, warns the expert, is choosing a weak password to protect your virtual vault.
Therefore, the expert reinforces the importance of creating a unique, long, complex password and changing it periodically. He also recommends enabling two-factor authentication, if the feature is provided by the password manager. Requiring an extra layer to open the vault makes it more difficult for criminals to break in.
In the case of desktop-based services, the recommendation is to store the vault file on a device that is also encrypted. Properly managing passwords to access managers and periodically backing up services are also important best practices.
How to choose a good password manager
In Daniel Barbosa’s opinion, the main tip for choosing a good password manager is to make sure that the vault has a robust encryption algorithm to protect the passwords. If you opt for online services, the specialist advises you to choose software that offers two-factor authentication. This way, even if a hacker finds out your account password, they won’t be able to access it, because they will need to go through extra identity verification.
Finally, it is worth researching the opinions of other users of the chosen service to ensure that the software meets your needs. You can check the company’s reputation, or the app’s reviews on Google Play Store and App Store, for example.