Password Manager Software: How Safe Is It?
We’ve all heard the advice about using genuinely random and unique passwords for each of our logins. It’s now considered such received wisdom that most IT professionals follow it to the letter, often with the help of some form of password management software which requires only one ‘master’ password to access all the rest. But in the world of password management software, all things are certainly not created equal. The different options offer various levels of encryption and some provide much more of a challenge to digital criminals than others. We assess the security of the most popular offerings:
Storing logins in your browser
The most popular browsers (Chrome, Firefox, IE) have a built-in function that allows them to store your passwords and other basic information. While this might save you a few minutes when it comes to filling in a form, it’s far from the safest option out there.
They work by storing your passwords in encrypted databases or locally on your computer, but in Chrome, for example, these can be accessed (by you or anyone who hacks into your machine) simply by clicking on the ‘show’ button in the preferences tab. Even the stronger offerings can be circumvented using third-party utilities such as WebBrowserPassView.
The safest option in this bracket is currently Firefox – the only browser that allows you to use an encrypted master password (as long as you remember to set it up) that WebBrowserPassView and its ilk can’t access.
The difference in security between browser-based login storage and webapps is huge, with online password managers such as Roboform and LastPass encrypting your entire password database, using your computer as the only place where this encryption and decryption happens, and giving you the only master password. This means that even if the companies themselves get hacked (as potentially happened with the LastPass security breach that occurred last year) and you’re using a strong password, you’re protected.
LastPass also offers additional, enhanced options – from two-step authentication to restricted mobile access – if you want to make sure everything is robustly protected.
Desktop password managers
If you’re still not happy with all your passwords being kept on the web, there’s the most impregnable option – using a manager that runs on your computer rather than storing anything online. They operate in a very similar way to their online cousins, with password saving and auto form-filling functions, but save your password database in heavily encrypted form on your machine and nowhere else.
The big offerings include SplashID, 1Password and Roboform’s desktop version. The price you pay for this increased peace of mind, though, is reduced accessibility. Unless you implement a (potentially cumbersome) workaround, you won’t be able to get immediate access to all your logins from all your devices – something to consider if you’re a frequent password manager user.