Are Password Managers Safe

Posted November 2, 2021

The password has come a long way from its origins in the Roman military. In ancient times, Roman soldiers passed tablets inscribed with a watchword to identify allies from enemies. Thousands of years later, we are stuck with the dreaded password to access anything from financial information, mobile devices, and even our TV services. Knowing that passwords hold the key to our most important information, hackers have become ever more creative in their attempts to guess and extract our passwords. It is widely known that the way passwords are used today is not very secure. Our human tendency to use patterns works against us when trying to originate and remember unique strings of random characters. True Multi-factor Authentication (MFA) helps to limit the insecurities with passwords but many systems and resources don’t yet give us an MFA solution when signing in. Chances are you still have some of these systems that rely solely on passwords for authentication in your life. And if you aren’t very good at remembering dozens of unique case-sensitive 16-32 character long strings that include mixed numbers and symbols, you are left with only two options. You can take the incredibly insecure path of using easy-to-remember passwords through reuse or using common phrases or you can implement a password manager.

We’ve all probably used a password manager in its crudest form when we wrote our passwords down on a post-it note on our desk or monitor. If that technique helps you to use truly random and secure passwords, it’s probably far more secure the reusing passwords or relying on common phrases. However, there is a much better and very secure solution available so let’s leave the post-it notes behind.

A password manager is simply a digital form of that old post-it note on your desk. But by moving to the digital realm, your password doesn’t rest in easy-to-read plain text but is instead protected by strong encryption in a password vault. The best password managers even include the ability to generate truly random passwords across all of your accounts allowing you to save your creative juices for other tasks. After generating a new unique password for a system or site, the password manager encrypts the password using your unique key and stores it for later retrieval. The unique key utilized by the password manager is where they derive their enhanced security. This unique key can now be tied to biometric data, location data, and even device data so it can only be unlocked by you. Secure password manager implementations that utilized these additional safeguards for your encryption key essentially secure all your usernames and passwords with a strong MFA solution.

Web-based password managers store your password vault in the cloud so it is easily accessible across all your devices. Other password managers store your password vault locally on your device. In either case, the password vault should be encrypted using strong encryption such as Advanced Encryption Standard (AES). AES is the only publicly accessible cipher approved by the U.S. National Security Agency (NSA) for top secret information.

As with any technology, password managers do come with risks. The most common concern is creating a single source for all your passwords. Skeptical users point out that a hacker now only needs to hack the password manager and they gain access to everything. While that is a valid concern, we have to compare storing strong unique passwords with strong encryption in a password manager to the alternative of using easily guessed passwords. Since the reality is that humans can’t create or remember dozens of truly random passwords, the most secure option is to use the password manager. Many password managers have in fact been hacked; however, the hackings are often at the hands of those conducting penetration tests to help harden the systems. In the end, implementing a password manager is only one step in securing your systems and data. And while not a perfect solution, password managers are critical in today’s environment and the safest option for most environments.

Scott Anderson

Scott Anderson is Partner / CTO of Verus Corp. He works with mid- and large-sized companies to ensure that all of their managed IT service needs are met to their highest standards. Scott knows that giving customers exactly what they need requires flexibility and patience. He works with each department to carry out documentation and the processes of providing managed IT services. Every position that Scott has held has been largely focused on customer service. This expertise and experience means that you’ll be getting a holistic and customer-centered experience from Verus Corp, from installation to troubleshooting. Scott has provided services that have helped Verus Corp be named a Cisco Select Partner and WatchGuard Partner of the Year. Most recently, Verus Corp was named the second best place to work by the Minneapolis/St. Paul Business Journal. Scott has a Bachelor’s in Speech from St. Cloud State University.