Do password managers keep you secure — or give you a false sense of security?

A password manager is an app, device, or cloud service that stores your passwords in an encrypted vault that can only be unlocked with your single master password. Most password managers can also create complex random passwords for the sites you visit and apps you use, and you don’t even need to know these passwords to be able to use them. Popular password managers include 1Password, KeePass, OneLogin, LastPass, Dashlane, RoboForm, and many others.

But how secure are these password managers? In June 2018, ZDNet reported that the password manager OneLogin was hacked, exposing sensitive customer data. A few months prior to this, another popular password manager, LastPass, also suffered from a troublesome security issue, as this article from the UK Independent describes (LastPass had previously been hacked two years earlier).

Are we idiots then to use password managers? I think we need to keep this in perspective because the reality seems to be that anything may get hacked nowadays. Security has always had to be balanced against manageability and usability, so it’s not like we’re facing some kind of strange new issue when it comes to the potential vulnerability of password managers. So to get a broader and more realistic view of the value and danger of using password managers, I gathered some feedback from readers of our popular WServerNews newsletter to find out how they feel about using password managers and which ones they use themselves and recommend. Below is some of the feedback I received.

LastPass


A number of our readers recommended LastPass. For example, a reader named Eric, who is an IT administrator working for a virtual call center in Georgia, says, “We have been using the Enterprise version for over a year and are quite pleased. I have been using it personally for a number of years (five or six?) and am the primary reason we are using it here.” Another reader named Rich responded by saying, “I’ve found and used LastPass for several years now and LOVE it. It’s not ‘portable,’ meaning you can’t plug in a USB drive and have it work. However, you CAN log into the LastPass website with your credentials and have access to all your sites and passwords. I also use the form-fill ability as well. Very handy for many things.” And Jim, who works in IT for a cruise ship company, says, “We have an enterprise license for LastPass. It’s absolutely essential for IT and some upper-level people. Without it, I would have to record passwords somewhere that is presumably less secure, like the Word doc I used to use (and still occasionally refer to for an old entry).”

KeePass

Several of our newsletter readers voted the open source tool KeePass as useful for keeping track of their passwords. For example, Ricardo, a systems and network administrator for a group of companies based in British Columbia, Canada, says, “I’ve been using KeePass for the last two years; there are versions for Android (KeePassDroid) and iOS (MiniKeePass). The Android version integrates with Dropbox and Google Drive. This means that everywhere you go the password database goes with you. The PC program has tons of features such as auto typing on website login pages, password categories, password generators, database search, etc. Never had a single problem and the security is really good.” And Alan, who works for the U.S. Department of Veterans Affairs, says, “I am a big fan of KeePass, which I run from an encrypted USB drive. It is cross-platform (including mobile), has robust plugin support, and great security features.”

RoboForm


Another password manager popular with some of our readers is RoboForm, which comes in both personal and business versions. For example, Jim, an application architect based in Texas, says, “I’ve been using RoboForm for about eight years now, and have been very pleased. I’m currently running RoboForm Everywhere, which allows me to install RoboForm on multiple computers and have access to all my logins on each one. They also offer a web-based login that gives you access to your logins without leaving traces on the computer you have used, and also a portable format that can be loaded and run from a USB key.” Another reader named Charlie qualifies this by saying, “I like RoboForm, but I don’t trust the feature to store passwords on a cloud server but want my master password in order to use the feature. I don’t understand why they need this password so I don’t use it.” And another reader named Kirk had even more to say about RoboForm: “RoboForm with the Everywhere option ($20/year for nearly unlimited passwords and PC usage) has a local password and a server password. The local password should be something that you can easily remember and type. The server password should be very long and random so that it can’t be guessed, even by yourself. You only need to generate it once and enter it once when you set up the Everywhere account. Thereafter RoboForm saves that password in your local account data and uses it to validate and synchronize each PC with the server version on a periodic basis. Sure, there is a risk if their server gets hacked, but the passwords on the server are encrypted with your local password so the hackers would have to guess that too to get access to your links, passwords, and other information saved in the database. To my knowledge, the RoboForm server and their staff do not have access to your local password. It would take about 10 seconds and a re-synchronization with the server if you think your local password has been compromised and decide to change it. I’m sold on them and have been almost since they started up.”

1Password

1Password also got voted up by a couple of our readers, particularly those who use Macs. For example, a reader named James says, “I used LastPass when I was a Windows user. I am now primarily a Mac user and I use 1Password. I would not think of using any device without a password manager.” 1Password also just received major upgrades for both Mac and Windows.

Password managers: Voices from the resistance

But not everyone who reads our WServerNews newsletter subscribes to the view that password managers are a good thing. For example, John, who works for a graphic design company in Massachusetts, believes that “The best security is your own memory since having a password manager on the computer(s) is a better chance of getting hacked by someone gaining physical access to one of your computers or through malware. This is also why I don’t have browsers remember my passwords for websites other than simple forums, and these passwords get cleared periodically when I flush cookies anyway.”

Chris, a product manager for a UK company that provides enterprise software, says, “I use a local (not cloud-based) password manager. When you get to the point of having more than, say, five sets of credentials, it’s time for a password manager. I’m sure I have more than 100 sets of credentials for personal and business purposes. Every security implementation has a corresponding backdoor of some sort, so I don’t expect my password manager to be perfectly secure. Other security best practices must also be employed.”

And finally Jimme, from a university in New York, says, “In response to your query about password managers: No I do not use one. I use MS Excel with a protected worksheet passphrase of over 20 characters. This is stored on my private network share at the office. I can use VPN to gain access from home if I need to reference the spreadsheet when I am not in the office. I do not have enough faith in cloud-based services for this type of sensitive data. It would be difficult to steal the SAN that stores my data that is secured in a computer room previously owned by a bank. I’m up to about 30 different accounts with just about as many password/phrases. As I age, it becomes more important to have this information written down.”

So to each his own, I guess. What’s your opinion concerning password managers? Do you use one? Why or why not? And if you use one, which, and why? Use the comments feature at the bottom of this article to share your thoughts on this subject for the benefit of other TechGenix readers.


13 thoughts on “Do password managers keep you secure — or give you a false sense of security?”

  1. Robert Brooker

    I recently began using LastPass.

    A few years ago roboform was offered as an add on to my purchase of AVG internet security.

    I was a little too paranoid back then, and when I was unable to register the program using the supplied keys, I decided I would stick to writing them down.

    I now have too many passwords and accounts… and LastPass keeps track of them nicely.

    I used to enjoy creating passwords, but only I liked the ones I came up with…”it’s too hard to type in” said everyone else…

    And now I say to you good night.

  2. KeePass auto sync to Google Drive and using Keepass2Android on my phone is an awesome combination and completely independent of any cloud service.

    Furthermore, Pleasant Password Server is an excellent enterprise level password management system that also uses a customised edition of KeePass and fully supports multiple users. It’s extremely price competitive and is also completely independent of any cloud based service as you host wherever you wish.

  3. 1Password did not get a lot of details in this article. I use 1Password and they offer Windows, Mac, Android and iOS apps, as well as 1Password X which is similar to LastPass in that it uses a cloud store and browser and so it works on Chromebooks etc.
    For syncing passwords you can use a local vault on your PC, which is encrypted with both an encryption key (that you must keep track of when you need to configure devices) as well as a master password (that you must keep track of) to log in to your vault.
    The vault can also be synced through wifi, Dropbox or iCloud.
    1Password now offers cloud subscription services for individuals, families and businesses. The vault in the cloud is also encrypted with the master key that only you possess used to configure devices as well as a unique master password per member to access the vault.
    Finally, 1Password integrates with services like Watchtower (opt-in) to see if your passwords are “in the wild”, if your services offer MFA but you don’t take advantage and also your password age or if you use the same password many places.

    1. Great feedback Tom, thanks. I’m a bit leery though of services like Watchtower simply because the more cloud services I use to manage/protect my passwords, the greater the possibility of my passwords being compromised should one of these cloud services be hacked.

      1. @Mitch I’m glad I helped! I just spoke to my colleague at Secret Double Octopus — if you’re interested, she’d love to discuss or interview with you for your article. Send me an email and I’ll connect you two!

  4. What gives a false sense of security is the home-grown Excel spreadsheets. No matter what kind of security you employ, you are more vulnerable with something like this that isn’t scalable, doesn’t work on your mobile devices, and is more cumbersome to use than the password managers cited here.
    The first step with securing passwords is to use a second-factor authentication app (Google Authenticator and many others) that strengthens your ordinary password. Most logins now support this type of security, and users should take the time and effort to set this up wherever they can.

  5. Just another article that doesn’t answer the question it poses. Why bother to read or write an article that answers its title question by effectively saying, “Your call.” After reading the article you don’t know any more than you did before reading it. Click-bait and nothing more.

  6. RoseMarie Putnam

    Maybe I’m old and paranoid…but I just don’t trust anything on the internet to not be hacked. I never let anything “remember” my passwords when it comes to money. I have a nice little notebook that I write all of my passwords in along with the accounts/sites they open. It goes with me on vacation but otherwise lives at my desk. I’m very computer literate, having used one for many years. I simply would rather trust myself.

  7. I have been using Roboform since the early 2000s, have always loved it. Recently started paying for it, yet to find a better alternative to it.

  8. There is something that does not fit for me… analyze… why do companies offer so many free password manager programs? Is there anything behind it? Do you trust any of these applications to save your passwords for your business technology infrastructure?
