Q: Are free password managers safe to use?
A: Everyone has heard the advice that you need to use long, complex passwords, unique to every account that you use. Unless you have just one or two online accounts, the only way to adhere to these security measures is to use some form of password manager.
The most common approach to password management is using one of the many programs that act as a secure password vault that requires a master password to access. Most of them operate on the ‘freemium’ model, meaning the basic options are free and they profit when you opt for premium services.
100% Secure?
There’s no such thing as a 100% secure system for anything we do online, so you shouldn’t use that as the criteria for deciding whether or not to use a password manager. The real question should be, “Is it more secure then what I’m doing now?”
If you currently use short, easy to remember passwords on multiple accounts, then the answer would be a resounding YES!
Security researchers are constantly looking for vulnerabilities in all kinds of software. Because password managers are considered high value targets, they spend lots of time trying to exploit them.
Many of the “vulnerabilities” they discover are scenarios that are difficult to pull off in the real world, and generally are reported as “proof of concept” exploits. When the researchers discover these vulnerabilities, they contact companies and report the bug so it can be patched, even though the chances of it every becoming a real-world threat is very remote.
Most serious exploits of password managers I’ve seen would require a remote hacker to have high-level access to your computer. This would mean they’ve already compromised your computer as if they were sitting in front of it, so passwords would be the least of your worries.
How they work
Most password managers are designed to work across all your devices as an app or through your computer’s browser with an extension or add-on. Your collection of passwords is stored on their servers in an encrypted form, but they don’t store your master password. This is referred to as “zero-knowledge security.” It also makes it impossible for anyone that works at the company to gain access to any of the user accounts.
This also means that if you forget your master password, you can’t simply ask the company to reset your password. You’ll have to jump through a bunch of hoops to regain access to your account. So if you decide to use a password manager, make sure to store a copy of your master password in a safe place offline.
Password managers can also generate long, complicated passwords for each of your online accounts, so you only need to create and remember one long complex password as your master password.
Additional security
Another layer of security to protect your password manager is achieved by turning on the two-factor authentication option available on all the popular free options, including LastPass, RoboForm, 1Password and Dashlane.
Once it’s setup, you’ll get a text message with a special code if the system doesn’t recognize your computer, location or browser. This extra step would keep someone that steals your master password and tries to use it on another device from gaining access to your account.
Ken Colburn is founder and CEO of Data Doctors Computer Services. Ask any tech question on Facebook or Twitter.