A password manager is an app, device, or cloud service that stores your passwords in an encrypted vault that can only be unlocked with your single master password. Most password managers can also create complex random passwords for the sites you visit and apps you use, and you don’t even need to know these passwords to be able to use them. Popular password managers include 1Password, KeePass, OneLogin, LastPass, Dashlane, RoboForm, and many others.
But how secure are these password managers? In June 2018, ZDNet reported that the password manager OneLogin was hacked, exposing sensitive customer data. A few months prior to this another popular password manager, LastPass, also suffered from a troublesome security issue as this article from the UK Independent describes (LastPass had previously been hacked two years earlier .)
Are we idiots then to use password managers? I think we need to keep this in perspective because the reality seems to be that anything may get hacked nowadays. Security has always had to be balanced against manageability and usability, so it’s not like we’re facing some kind of strange new issue when it comes to the potential vulnerability of password managers. So to get a broader and more realistic view of the value and danger of using password managers, I gathered some feedback from readers of our popular WServerNews newsletter to find out how they feel about using password managers and which ones they use themselves and recommend. Below is some of the feedback I received.
A number of our readers recommended LastPass. For example, a reader named Eric, who is an IT administrator working for a virtual call center in Georgia, says, “We have been using the Enterprise version for over a year and are quite pleased. I have been using it personally for a number of years (five or six?) and am the primary reason we are using it here.” Another reader named Rich responded by saying, “I’ve found and used LastPass for several years now and LOVE it. It’s not ‘portable,’ meaning you can’t plug in a USB drive and have it work. However, you CAN log into the LastPass website with your credentials and have access to all your sites and passwords. I also use the form-fill ability as well. Very handy for many things.” And Jim, who works in IT for a cruise ship company, says, “We have an enterprise license for LastPass. It’s absolutely essential for IT and some upper-level people. Without it, I would have to record passwords somewhere that is presumably less secure, like the Word doc I used to use (and still occasionally refer to for an old entry).”
Several of our newsletter readers voted the open source tool KeePass as useful for keeping track of their passwords. For example, Ricardo, a systems and network administrator for a group of companies based in British Columbia, Canada, says, “I’ve been using KeePass for the last two years; there are versions for Android (KeePassDroid) and iOS (MiniKeePass). The Android version integrates with Dropbox and Google Drive. This means that everywhere you go the password database goes with you. The PC program has tons of features such as auto typing on websites login pages, password categories, password generators, database search, etc. Never had a single problem and the security is really good.” And Alan, who works for the U.S. Department of Veterans Affairs, says, “I am a big fan of KeePass, which I run from an encrypted USB drive. It is cross-platform (including mobile), has robust plugin support, and great security features.”
Another password manager popular with some of our readers is RoboForm which comes in both personal and business versions. For example, Jim, an application architect based in Texas, says, “I’ve been using RoboForm for about eight years, now, and have been very pleased. I’m currently running RoboForm Everywhere, which allows me to install RoboForm on multiple computers and have access to all my logins on each one. They also offer a web-based login that gives you access to your logins without leaving traces on the computer you have used, and also a portable format that can be loaded and run from a USB key.” Another reader named Charlie qualifies this by saying, “I like RoboForm, but I don’t trust the feature to store passwords on a cloud server but want my master password in order to use the feature. I don’t understand why they need this password so I don’t use it.” And another reader named Kirk had even more to say about RoboForm: “RoboForm with the Everywhere option ($20/year for nearly unlimited passwords and PC usage) has a local password and a server password. The local password should be something that you can easily remember and type. The server password should be very long and random so that it can’t be guessed, even by yourself. You only need to generate it once and enter it once when you set up the Everywhere account. Thereafter RoboForm saves that password in your local account data and uses it to validate and synchronize each PC with the server version on a periodic basis. Sure, there is a risk if their server gets hacked, but the passwords on the server are encrypted with your local password so the hackers would have to guess that too to get access to your links, passwords, and other information saved in the database. To my knowledge, the RoboForm server and their staff do not have access to your local password. It would take about 10 seconds and a re-synchronization with the server if you think your local password has been compromised and decide to change it. I’m sold on them and have been almost since they started up.”
1Password also got voted up by a couple of our readers, particularly those who use Macs. For example, a reader named James says, “I used LastPass when I was a Windows user. I am now primarily a Mac user and I use 1Password. I would not think of using any device without a password manager.” 1Password also just received major upgrades for both Mac and Windows.
Password managers: Voices from the resistance
But not everyone who reads our WServerNews newsletter subscribes to the view that password managers are a good thing. For example John, who works for a graphic design company in Massachusetts, believes that “The best security is your own memory since having a password manager on the computer(s) is a better chance of getting hacked by someone gaining physical access to one of your computers or through malware. This is also why I don’t have browsers remember my passwords for websites other than simple forums, and these passwords get cleared periodically when I flush cookies anyway.”
Chris, a product manager for a UK company that provides enterprise software, says “I use a local (not cloud-based) password manager. When you get to the point of having more than, say, five sets of credentials, it’s time for a password manager. I’m sure I have more than 100 sets of credentials for personal and business purposes. Every security implementation has a corresponding backdoor of some sort, so I don’t expect my password manager to be perfectly secure. Other security best practices must also be employed.”
And finally Jimme, from a university in New York, says, “In response to your query about password managers: No I do not use one. I use MS Excel with a protected worksheet passphrase of over 20 characters. This is stored on my private network share at the office. I can use VPN to gain access from home if I need to reference the spreadsheet when I am not in the office. I do not have enough faith in cloud-based services for this type of sensitive data. It would be difficult to steal the SAN that stores my data that is secured in a computer room previously owned by a bank. I’m up to about 30 different accounts with just about as many password/phrases. As I age, it becomes more important to have this information written down.”
So to each his own, I guess. What’s your opinion concerning password managers? Do you use one? Why or why not? And if you use one, which, and why? Use the comments feature at the bottom of this article to share your thoughts on this subject for the benefit of other TechGenix readers.
Featured image: Shutterstock