Q: Are free password managers safe to use?
A: Everyone has heard the advice that you need to use long, complex passwords, unique to every account that you use. Unless you have just one or two online accounts, the only way to adhere to these security measures is to use some form of password manager.
The most common approach to password management is using one of the many programs that act as a secure password vault that requires a master password to access. Most of them operate on the 鈥榝reemium鈥 model, meaning the basic options are free and they profit when you opt for premium services.
100% Secure?
There鈥檚 no such thing as a 100% secure system for anything we do online, so you shouldn’t use that as the criteria for deciding whether or not to use a password manager. The real question should be, 鈥淚s it more secure then what I鈥檓 doing now?鈥
If you currently use short, easy to remember passwords on multiple accounts, then the answer would be a resounding YES!
Security researchers are constantly looking for vulnerabilities in all kinds of software. Because password managers are considered high value targets, they spend lots of time trying to exploit them.
Many of the “vulnerabilities” they discover are scenarios that are difficult to pull off in the real world, and generally are reported as “proof of concept” exploits. When the researchers discover these vulnerabilities, they contact companies and report the bug so it can be patched, even though the chances of it every becoming a real-world threat is very remote.
Most serious exploits of password managers I鈥檝e seen would require a remote hacker to have high-level access to your computer. This would mean they鈥檝e already compromised your computer as if they were sitting in front of it, so passwords would be the least of your worries.
How they work
Most password managers are designed to work across all your devices as an app or through your computer鈥檚 browser with an extension or add-on. Your collection of passwords is stored on their servers in an encrypted form, but they don鈥檛 store your master password. This is referred to as “zero-knowledge security.” It also makes it impossible for anyone that works at the company to gain access to any of the user accounts.
This also means that if you forget your master password, you can鈥檛 simply ask the company to reset your password. You鈥檒l have to jump through a bunch of hoops to regain access to your account. So if you decide to use a password manager, make sure to store a copy of your master password in a safe place offline.
Password managers can also generate long, complicated passwords for each of your online accounts, so you only need to create and remember one long complex password as your master password.
Additional security
Another layer of security to protect your password manager is achieved by turning on the two-factor authentication option available on all the popular free options, including LastPass, RoboForm, 1Password and Dashlane.
Once it鈥檚 setup, you鈥檒l get a text message with a special code if the system doesn鈥檛 recognize your computer, location or browser. This extra step would keep someone that steals your master password and tries to use it on another device from gaining access to your account.
Ken Colburn is founder and CEO of . Ask any tech question on or .
