In today’s use of online tools and technology, people across the globe have various accounts for social media, email and other web tools they might need for work or personal use. All of these accounts have their own login credentials, and each should have its own unique password. Keeping track of passwords can prove problematic when you have to remember so many, so people turn to password managers to help them keep track. The question then becomes: if you store all of your passwords in one place, how secure are they really?
It is common for people to question the security of password managers. As technology began to evolve and the internet became popular for consumer use, we were educated not to keep all of our passwords in one place. Don’t write them down, don’t put them on a note in your phone, don’t store them in a document on your computer. And some people have 40, 50 or even hundreds of user accounts out on the internet, each with their own password to keep track of.
Like anything in business, if you don’t know how to do something, you hire an expert. Using a password manager is the equivalent of hiring an expert to be your memory. When you have so many passwords to keep track of, you are likely to start re-using passwords. So let’s say you create an account on a new website that has weak security. That website gets popped and your password is exposed. This just happens to be the same password you use for email and banking, so now you have additional information that is exposed for theft. It’s a common vector for hackers to take stolen passwords and try them on various popular websites to see if they work (this is known as credential stuffing).
You may initially think that password managers are just another way you can get hacked, but the reality is that they are safe. They are safe because they allow you to essentially disregard your passwords: the password manager generates a long, complex password that you yourself do not know. This means you are not repeating it on multiple sites; every site has its own unique password, so even if a website gets hacked, your password isn’t being used anywhere else and nothing else is exposed. Basically, the hacker gets a random 24 or 32 character string of scrambled nonsense that is meaningless because it was generated at random. So even if the hacker knows your email or can predict usernames, they can’t escalate further because the password is unique and random.
There are a few reputable password manager brands out there. LastPass, Dashlane and a few others are incredibly reputable and incredibly safe. There are some newer, free sites which have not yet been vetted, so be wary of those. But what happens with most password managers is that there is an encryption certificate created when you log in on each of your devices. It uses your master password with that encryption certificate on your device to decrypt the passwords. So yes, the passwords are stored in the cloud, but they are stored in an encrypted fashion that would take eons to decrypt without your master password and the information local to your device.
Essentially, you are removing yourself from being an element of the password. Machines are really good at protecting machines. Machine certificates and SSL certificates are really long compared to your password. Many people think that 16-20 characters is a strong password (more is better), but a certificate that protects a website is the equivalent of over 2,000 characters long. Password managers can generate passwords that are hundreds of characters long; as long as the website accepts it, it can be used and is safe.
Your passwords being online becomes meaningless because they are stored as a massive jumble of encrypted data. This jumble represents your passwords, which cannot be decrypted without your personal cert (really long and unique – see above) and your master password, which is the one hopefully very long (at least 20 character) password you have to remember. So, essentially, your passwords are stored nowhere. They haven’t been written down anywhere, and where they are written is meaningless. So you only have to remember one password, the master. Once you’ve logged in to your password manager, you log in to your various accounts on websites with the click of a button and the password manager autofills the information for you. If you don’t have multiple accounts on a certain site, you can just go to your account and be automatically logged in, so it’s like you don’t even have a password anymore.
Using a password manager makes you far more secure than you could ever be on your own. You don’t have to remember passwords, you won’t re-use passwords and nothing is written down for someone to find. It’s encrypted in a way that hackers won’t be able to decrypt in their lifetime. So while putting all of your passwords in one place goes against everything you’ve ever been taught, using a password manager actually makes you more secure and safe.