Are password managers really safe?


So I have read this site for a while, and I know that Graham is a big fan of password managers. I get that they remember passwords for you and that's helpful. But surely the danger is that you are protecting all your passwords with one master password. If the hackers crack that you’re doomed, right? Seems like a security risk which I don’t get from writing my passwords down and hiding them in my desk drawer.


You must weigh the good against the bad; the reality is not everything is good in this world as I am sure you understand. It is risky to write down your passwords, too. There are some benefits to password managers, though. But remember this over everything else: If your computer is compromised you should assume also that your passwords are compromised – whether they are in a password manager or not. Therefore, where applicable, password managers do help (see below).


The thing to remember is this: there are always risks in this world. This goes for computer security and everything else. But as for security – computer and otherwise – it is something that really doesn’t work as a single layer; security is a many-layered thing. Or that is how it should be. That makes many uses of passwords (to most people) rather unfortunately weak: notwithstanding two-factor authentication (an old concept too), you only have the password to log in to the website; if they don’t encrypt (best salted) then you can’t really change how easy it is for the passwords to be discovered by a malicious actor. You also can’t change how they protect their systems. This makes it seem like password managers are more harmful, because indeed you only have one password (but remember my first point: if your computer is compromised you should assume your passwords are compromised).

Password managers have another benefit, though: you can have really long and really complex passwords (observe that a password ‘12345789abcdefghijklmnopqrstuvwxyz’ is long but is not complex; to be strictly technical, it is a terrible password) generated for you (probably also including non-alphanumeric characters). They would be hard(er) to type by hand and they would be next to impossible to remember for most people (and the more passwords you have the harder it becomes).

Lastly, there are occasions where password managers aren’t as useful (for one example of others – when you can’t copy and paste). That doesn’t mean they are worthless, though.
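As an added example (not from the original thread), a short Python script that makes the "long but not complex" point above concrete: a manager-generated password gets its strength from uniform random choice over a large alphabet, while the long sequential string from the answer is caught by a simple "next character" check. The alphabet, the 50% threshold and the function names are my own choices, not anything from the site being discussed.

```python
import math
import secrets
import string

# Alphabet a manager's generator draws from: letters, digits and punctuation
# (the "non-alphanumeric characters" mentioned in the answer). 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Pick every character uniformly with the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generated_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Strength of a *uniformly random* password: length * log2(alphabet size).

    This is a property of how the password was produced, not of the string
    itself; a predictable string of the same length carries far less.
    """
    return length * math.log2(len(alphabet))


def sequential_step_fraction(password: str) -> float:
    """Fraction of adjacent pairs whose code points differ by at most 1.

    Runs like 'abcd', '1234' or 'aaaa' are what make
    '12345789abcdefghijklmnopqrstuvwxyz' long but not complex:
    nearly every step is simply 'the next character'.
    """
    if len(password) < 2:
        return 0.0
    steps = zip(password, password[1:])
    sequential = sum(1 for a, b in steps if abs(ord(b) - ord(a)) <= 1)
    return sequential / (len(password) - 1)


def is_predictable(password: str, threshold: float = 0.5) -> bool:
    """Flag a password when most of it is an alphabet or digit walk (assumed threshold)."""
    return sequential_step_fraction(password) >= threshold


if __name__ == "__main__":
    weak = "12345789abcdefghijklmnopqrstuvwxyz"   # the example from the answer above
    strong = generate_password(24)
    print(f"{weak!r}: {len(weak)} chars, {sequential_step_fraction(weak):.0%} "
          f"sequential steps, predictable={is_predictable(weak)}")
    print(f"{strong!r}: {len(strong)} chars, ~{generated_entropy_bits(len(strong)):.0f} "
          f"bits from the generator, predictable={is_predictable(strong)}")
```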


The big problem is knowing exactly who is behind the password system program and the reputation and verification that it is them. It would not be beyond the realms of possibility for someone who had bad intentions to create a false company with the intention of harvesting passwords, spoofing or poisoning DNS, nor would it be impossible to hack a site to get the information. Sometimes “old school” may be the safest method. A trusty bit of paper or napkin in your top pocket with a few additional characters that only you know held in your mind and an original (with a duplicated copy back at home) without the context of what it is for might even halt the fastest computer in its tracks!

  • coyote
    What you have on a piece of paper is irrelevant to the power of a computer. This is especially true if the password hashes have been stolen somehow. And one should never assume that someone won’t put together what your piece of paper is of. The fact you suggest two copies helps should you forget to take the paper out of your pocket before washing them, but it also means your passwords are listed more than once. The issue of who is responsible for the password manager is mostly immaterial; it is something to consider, yes, but it goes for all software – it is not specific to password managers. DNS poisoning and the like is irrelevant for local password managers so you should consider that before using it as a reason to write the passwords down. Lastly, you can’t easily have very long, very complex passwords, if you write them down.

I agree with Robsblog when he said “It would not be beyond the realms of possibility for someone who had bad intentions to create a false company with the intention of harvesting passwords…”
I’ve been thinking of this risk for a while.

  • coyote
    …which is irrelevant to offline password managers. That is something to keep in mind. Nothing is perfect though. Writing passwords down is a serious risk and not only that, you won’t have nearly as complex passwords as a password manager can generate (it goes both ways). Even if you could create a really complex password (which is indeed possible) it would be harder to type. Of course, passphrases are another issue entirely…