Authentication is one of the riskiest and most misunderstood things that non-experts have to manage day in, day out, and even though there are lots of companies out to “kill” passwords, they’re not dead yet. For the foreseeable future, experts or not, we’re all stuck with making the best out of what we have, and as security practitioners, we need to continue focusing on improving security outcomes to set humans up for success instead of password reuse and failure.
One of the most common questions I am asked in 1000 different ways when I talk about password managers as a way to remove credential management burdens from users is, “Are password managers safe? What if they get hacked?” As a self proclaimed password truther, I don’t mind this at all— once upon a time, I got into an argument with an extremely intelligent guy at a friendly meetup who wouldn’t leave me alone about mutual authentication with TLS when I worked at 1Password— and, well, spoiler alert… we’re getting married this year.
Sometimes, the proverbial “WHAT IF IT GETS HACKED?!” question isn’t a question at all, it’s a “Gotcha!” question/comment or attempt to get under my skin with a tired, washed out and predictable argument that I’ve heard about a million times before. Other times, though, especially with non-experts, it’s a legitimate, serious question that doesn’t have an easy “yes or no” answer. They just identified the inherent security flaw in their strategy to reuse a single password everywhere , and they’re extremely excited about letting their computers do a bit of the heavy lifting required to maintain unique passwords across the eleventy eight accounts they have on the internet. They understand that using unique passwords across all of those accounts improves their security, but haven’t figured out just yet that the best kept secret about a password manager is that it is a wonderful list of all of the places they might be exposed online, and that list can be turned into a personal incident response tool. (More on that in another post.)
No matter how the security question gets asked, I do as much as I can to tap into 3-4 of the issues that should ideally be under consideration when making decisions about using a piece of software like a password manager, and I try to avoid breaking into lecture mode by tossing in a few guiding questions. After trying to cover this in tweet-length snippets for long enough, though, here it is: my best answer to legitimate questions and concerns about that one piece of software that can set off arguments among security professionals like no other. (Except, perhaps…. antivirus?)
For the most part, people want a yes or no answer when they ask “Is this secure?” but with software, especially password managers… it’s not that simple. And as a security person, I can’t answer the question in those terms. Security is not binary, it exists on a scale from 1 to 99 that will never, ever be 100%. My first instinct when I get this question is to proactively acknowledge that there are risks to using any piece of software, but that there are many ways that the builders of password managers mitigate those risks so that they are ultimately outweighed by the benefits of using a password manager.
To put it simply: Every password manager (or security tool/piece of software you use pretty much ever and always) is built in a different way with different goals and approaches to development and security in mind. In terms of hacking, “security” will always depend on how a piece of software is attacked and if its builders considered a particular method of attack in their threat model. Some builders are tireless and they take many, many measures to ensure that they are protecting or mitigating very common risks or threats for users— any password manager worth its salt will talk about how it does that, and will do so in a transparent manner. Some don’t. And it isn’t always easy to tell one from another.
When it comes to password managers, most tend to employ multiple layers of defense against breaches. At the end of the day, breach is inevitable— but the best way to protect our user data is to design our systems so that if they are attacked and breached, the attacker gets nothing, no usable data out of them. In practice, this can play out in many different ways. Most password managers store your password data locally, on your machine: this means that in order for you to be “hacked”, someone has to have physical access to your computer and probably your master password— or the technical ability to log your keystrokes, fire off a few privilege escalation exploits, etc . Once your device is compromised— be it by physical possession, malware, keylogging software, etc— there’s little that any software could do to protect a user (first principle of security), but when there are predictable paths that an adversary may take that can be hardened, some do what we can wherever possible. (Future husband got his mutual TLS, if I remember correctly… ) If a password manager is syncing your keychain data between devices, it is most likely employing end-to-end encryption and a zero-knowledge system with a strong encryption protocol as a way to secure that data. If an attacker does get their hands on the data from the cloud, it’s going to be a blob of a bunch of numbers and letters and encrypted stuff that they absolutely cannot use or crack to get their hands on your personal information.
So what if it gets hacked? Restoring your passwords to a secure state will depend on how the attacker owned you— response and recovery depend on how the software gets compromised. If your computer or phone gets malware that might affect your password manager, you can “burn the device down” and reinstall your operating system, then change the passwords you might have used while the malicious software was on your phone. If someone compromises your computer or gets a copy of your keychain— remember, they have to have physical access— you can change your device password and your master password immediately. After that, you can go into your password manager (some have automatic changing mechanisms) and change the passwords for your most important accounts ASAP: this includes anything tied to your money, your identity and your reputation. (Think communication, email, school, social media and banks/credit cards/mortgages.) Basically, you do what you’d do in any case of phishing or credential theft: change the password, and turn on 2-factor authentication anywhere that you may not be using it.
At the end of the day, all software has a point of vulnerability, and it’s up to you to decide what you trust and what risks you’re comfortable accepting. In terms of password managers, for many people, the benefits do outweigh the risks, and there are simple things that users can do to prevent their password managers from being compromised. Using strong master passwords, practicing secure web browsing + email habits, downloading password managers from trusted sources, not jailbreaking mobile devices, and using extensions built by the developer of your chosen password manager will keep your passwords safe.
While that all might seem like quite a bit of work at the beginning, the vast majority of people can safely use a password manager without major cause for concern or threat of being hacked or compromised in a way that lays their entire digital existence to waste. And following the basic security rules and using a password manager means that it only takes a few minutes a day (at most) to be more secure online.