Are Password Managers Safe? Should You Use One?

By
Services for Real Estate Pros with IDTheftSecurity.com Inc

Do you think password managers are safe? You probably do, or at least hope they are if you are using them. Keep in mind, there is no such thing as 100% safe or 100% secure. Password managers, the companies that create host and deploy them, have one job and that is to keep your passwords secure.

From my experience, they’ve done a pretty good job of that thus far. To this day I am unaware of a password manager that has been breached in such a way where all of the user data was unencrypted and exposed. In general, these companies engage in full on application security and have bank level or military grade encryption. What is so bizzare to me is last I read, less than 10% of computer users use a password manager. I think a password manager is the best use of my time and money in regards to computer security.

If a password manager was to get hacked, the path of least resistance would be targeting an individual user, compromising their device, and logging into their password manager itself.

Although researchers had shown that they might not be as safe as you think they are. Before we go further, though, just know that I’m not too worried about this.

First, let’s take a look at this study. Generally, it looked at how often passwords were leaking from host computers, and then focused on if the password managers that were installed were leaving passwords on the memory of the computers.

What the study found was that all of the password managers did a good job at keeping passwords safe when it was “not running.” So, it means that a hacker wouldn’t be able to force the software into giving away a password. However, it also found that all of the password managers that were tested made an attempt to remove the password from the memory of the computer…but in a couple of cases, the passwords were still found.

Some of the software tested, left the master password and the secret key on the computer. What this means is that it could be possible now for a hacker to access information from the program. But, you have to realize that these programs are trying to remove the information…but due to situational incidents, it isn’t always possible.

Another software that was tested, caused some concerns with the researchers. Essentially, the program takes passwords when the user types them, and scrambles them, but they are decrypted when put into the computer’s memory.

Yet another password manager was examined. Here, the software removed the master password from the memory of the computer, and it was not able to be found.

Is this something to worry about? It depends. How a password manager behaves on a device and whether or not it stores entered password in memory etc. shouldn’t be that big of a deal. In reality, if the device has spyware on it, or a malware that allows for full recording of every keystroke, then that device in that user is essentially screwed.

Since researchers had pointed out these issues, all of the programs had been updated and changed. That’s why I’m not worried. Plus, the real issue doesn’t have much to do with the password managers’ security in regards to its memory or cloud access or its application security, but with the security of the devices that they are on.

In every security awareness training I do, I expound upon the benefits of using a password manager. Inevitably, in every discussion, the question comes up “what if the password manager gets hacked?” The pure naïveté of that question comes from most computer users belief that hacking or penetrating hardware software or networks etc. is as easy as snapping one’s fingers. It is not. There are generally a number of scenarios that need to come together in order for a device to be compromised.

But there is one single solitary scenario that makes data on a device vulnerable and that is “password re-use” leading to credential stuffing. Credential stuffing is such a weird term. Anyways, OWASP defines Credential stuffing as “the automated injection of stolen username and password pairs (“credentials”) in to website login forms, in order to fraudulently gain access to user accounts. Since many users will re-use the same password and username/email, when those credentials are exposed (by a database breach or phishing attack, for example) submitting those sets of stolen credentials into dozens or hundreds of other sites can allow an attacker to compromise those accounts too.”

When you look at the danger of using one password over and over again, you are much safer when using a password manager. Meanwhile head over to my website homepage and scroll down until you see our Password Checker and click “Check if your password has been breached”. Don’t worry about entering your password on the site. We don’t store anything and what can we possibly do with the password? It’s just a password. How can we possibly track that back to any specific account? At a minimum we would need an additional user name. If you’re so concerned, do it from a private browser and or use VPN. It just doesn’t matter. Relax. Just get a password manager.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Comments (17)

Grant Schneider
Performance Development Strategies - Armonk, NY
Your Coach Helping You Create Successful Outcomes

Good morning Robert -  I know that this is the best defense--using a password manager.  Thanks for keeping us informed.

Mar 03, 2022 09:17 AM
Fred Griffin Florida Real Estate
Fred Griffin Real Estate - Tallahassee, FL
Licensed Florida Real Estate Broker

"The password has not been breached".   That's a welcome answer!

Mar 03, 2022 09:30 AM
Kathy Streib
Cypress, TX
Retired Home Stager/Redesign

Hi Robert Siciliano your presentation on Tuesday was, once again, excellent!!! We all love your enthusiasm. You have consistently urged us not to use the same password and to use a Password manager...thank you for that.  

Mar 03, 2022 06:20 PM
Laura Cerrano
Feng Shui Manhattan Long Island - Locust Valley, NY
Certified Feng Shui Expert, Speaker & Researcher

There’s so many things to remember passwords for that I say whatever works for you is fine. Any kind of serious theft is usually pretty unlikely though it can happen

Mar 03, 2022 10:47 PM
Andrew Mooers | 207.532.6573
MOOERS REALTY - Houlton, ME
Northern Maine Real Estate-Aroostook County Broker

Like hidden keys in case you live where locked doors are the norm... pretty easy to figure out the most likely hiding place if you are a member of the "Wet Bandits" carry crowbars. Too many computer users have the password on a sticky on the side of the computer monitor or 12345 easy to break and enter. Like your security posts Robert Siciliano !

Mar 04, 2022 04:12 AM
Dorte Engel
RE/MAX Leading Edge - Bowie, MD
ABC - Annapolis, Bowie, Crofton & rest of Maryland

Dear Robert,

A notebook with pencil in cursive might work too. Did you see all the stuff that many apps collect? Why does a meeting or grocery store app need your bank info, pictures and all your contacts? I am starting to be suspicious of a lot of these little helpers.

Mar 04, 2022 04:51 AM
Nina Hollander, Broker
Coldwell Banker Realty - Charlotte, NC
Your Greater Charlotte Realtor

Hello Robert... I've used a password manager for more years than I can count... but always looking for a way to strengthen what I use.

Mar 04, 2022 06:51 AM
Dario Ferreira
Attleboro, MA
Internet Marketing

I've used an internet password manager for many years, but never for banks and investments. Those logins are never stored in the cloud.

I use a local program called Password Safe to store all passwords, including sensitive ones.
Password Safe does not connect to the internet.

Mar 04, 2022 07:37 AM
Margaret Goss
@Properties - Winnetka, IL
Chicago's North Shore & Winnetka Real Estate

I signed up for a password manager about 6 months ago. I mostly did it because I was tired of trying to find the right password every time (because I have dozens.)

If some of my passwords show they were breached (on your checker) does it matter since the override is a separate password generated by the password manager?

Mar 04, 2022 10:17 AM
Doug Dawes
Keller Williams Realty Evolution - Topsfield, MA - Georgetown, MA
Your Personal Realtor®

Robert Siciliano Maybe I missed it. Do you have any particular password manager you'd recommend

Mar 04, 2022 11:25 AM
Laura Cerrano
Feng Shui Manhattan Long Island - Locust Valley, NY
Certified Feng Shui Expert, Speaker & Researcher

I see a lot of those of us who are in the same boat in on the same page, to mix the metaphor lol.

Mar 04, 2022 03:37 PM
Peter Mohylsky. BRIX REALTY
Miramar Beach, Florida - Santa Rosa Beach, FL
BRIX REALTY -DESTIN

Thanks for sharing your knowledge on a subject I know little about. 

Mar 04, 2022 04:19 PM
Jeff Dowler, CRS
eXp Realty of California, Inc. - Carlsbad, CA
The Southern California Relocation Dude

Great information, Robert. The password issue is a big one! I've heard about a number of password managers being hacked - would seem like prime territory to hackers

 

Mar 04, 2022 07:48 PM
Grant Schneider
Performance Development Strategies - Armonk, NY
Your Coach Helping You Create Successful Outcomes

Hi Robert - this is good information.  Using one is better than not using one at all.

Mar 05, 2022 03:45 AM
Wayne Martin
Wayne M Martin - Chicago, IL
Real Estate Broker - Retired

Good morning Robert. You convinced me early on that one should not use the same password for multiple accounts. Enjoy your day.

Mar 05, 2022 04:45 AM
Carla Freund
Keller Williams Preferred Realty - Raleigh, NC
Carolina Life RealEstate & Relocation 919-602-8489

They are better than anything else at the moment. We have so many things to keep track of and remembering the number of passwords we have is challenging.

Mar 06, 2022 05:23 AM
Kristin Johnston - REALTOR®
RE/MAX Platinum - Waukesha, WI
Giving Back With Each Home Sold!

Great information.  Thanks for sharing and enjoy your week!

Mar 21, 2022 07:35 AM