As our everyday lives become more digital, passwords are becoming essential—and as passwords become ever more important, more and more password management tools have appeared to help you keep track of them. But can online password management sites really keep all of your most important data safe or are they just one more way to expose yourself to identity theft and digital attacks?
Just about everyone has heard the tips for creating a good password. It should be fairly long; it shouldn’t be a dictionary word or a piece of your personal information; it should have a mix of numbers, lower case letters, upper case letters, and special characters; and it should be impossible to guess. And as if something like J8f3s)k0 doesn’t seem hard enough to memorize, the experts all agree that you should NEVER reuse a password from one site to the next. For maximum security, you should probably also change your passwords every few months.
Of course, nobody has that much time, energy, or mental capacity to expend on their login credentials. Some people compensate by reusing passwords or using simple ones even if they know they shouldn’t; others write down passwords or store them elsewhere on their computer. Online password managers are another solution; they store all of your passwords in a securely encrypted online location. Many offer extra features such as password generation or even form filling.
Some password managers take the form of offline software, while others are stored online in the cloud. Online managers are slightly more convenient, because they allow you to access the passwords from any machine in any location. Offline managers can only be used on the machine they’ve been installed on. Some people, however, might be worried about the wisdom of putting their passwords into online storage.
One of the biggest concerns about password managers is that by using a single service to store all of your passwords, you’re putting all of your eggs into one basket and creating a single point of failure. If a hacker is able to access your password manager, then they will also be able to access everything else you’ve stored a password for, whether it’s a bank account or an email inbox.
It’s important to remember, however, that there is no such thing as absolute security, and that a single point of failure is better than half a dozen. Using simple passwords makes it easier for criminals to access any one of your accounts, and reusing passwords creates the same issue as a manager—the breach of one account can lead to the breach of them all. When reusing passwords, however, this breach can occur with any one of your accounts with varying levels of security. With a manager, the breach must occur at a very specific point, and these managers are very carefully protected.
Encryption and Keys
Password management sites take great care to ensure your security, because to lose data in an attack would irreparably damage their credibility and put them out of business. Data encryption is the industry standard, ensuring that even if your data is somehow stolen the thieves won’t be able to use it. Most sites use 128 bit or 256 bit AES (Advanced Encryption Standard), offering military grade security.
You can also rest assured that in most cases the data is also protected from those who run the site. These services use your master password as the encryption key, meaning that the company is kept away from your information just as much as an attacker would be. You are the only person who can access your passwords.
Of course, this requires you to have a good master password. It should be as secure as possible to protect the rest of your information. You should, however, be absolutely certain that you do not forget it, because in many cases there is no way to retrieve it (offering password retrieval would compromise the security of the system). One downside of password managers is that if you forget the master password, you lose access.
Different sites, of course, offer different services, and results tend to vary. Let’s take a look at some of the most popular password management sites out there.
LastPass is probably the most prominent online password manager. Users can choose between a free basic version and a $12 per month premium version, which offers many of the same features in addition to mobile support and a wider variety of authentication options. It auto-fills your passwords whenever you log in, and allows you to import passwords from over 30 of its competitors. Of the major sites, however, it’s the only that may have suffered a security breach—in 2011, abnormal traffic patterns forced the service to take extra security measures. No data was known to be stolen, but many users were forced to change their master passwords.
RoboForm Everywhere is a $9.95 per year service that offers a high degree of flexibility for auto-filling forms. A single license can allow you to use RoboForm on multiple computers and all your mobile devices, and the system will automatically sync. There is a 20 MB limit on data that can be stored in RoboForm, but most users will never reach this limit.
Dashlane is a relative newcomer to the password manager industry, but it offers a slightly different way of handling your information. With Dashlane, you can selectively choose which passwords and synced and which are not. This makes it both an online and an offline manager, where some passwords have the extra security of being stored on your computer and some have the convenience of being stored online.