Many cybersecurity experts insist that using a password manager is the best way to make sure you have a strong, unique password for every online account. But others are less sure about the value these tools provide.
For naysayers, password managers represent a single point of failure — a treasure trove of highly sensitive information guarded by one master password that could itself be lost, stolen or hacked.
So who's right? Tom's Guide spoke with a number of digital-security experts, picking their brains about the pros and cons of today's password-management solutions.
Here's what they have to say about these contentious tech tools, along with some tips on how to mitigate the risks associated with keeping all your passwords in one place.
Praise for password managers
Not all security experts like to use password managers, but those who do can't seem to imagine a world without them. Case in point: Robert Siciliano, Boston-based security analyst and CEO of Safr.me, who said that with more than 650 passwords in active use, he simply couldn't function without a password manager.
"Without a password manager, consumers revert to poor passwords with no management," Siciliano said in an email message. "They will use the same password for all their critical accounts and will inevitably get hacked."
But even Siciliano — who said that there isn't a single legitimate argument against using a password manager — takes steps to mitigate the risk of having all his passwords in one place.
He said he memorizes the login information for his most critical accounts (such as online bank accounts), but stores the rest of his passwords in a web-based password manager.
'Nobody can remember every password'
Morris Tabush, who runs his own IT consultancy, the Tabush Group, in New York, also noted the vulnerabilities inherent in having an online identity protected only by passwords. But in his opinion, people need to make the best of this imperfect reality by protecting passwords as best they can.
For Tabush, that means using a password manager.
"Having a universal username and password is impossible, as every site or service has its own password requirements," Tabush said via email. "Nobody can remember every user-name-and-password combination."
Tabush said he swears by password managers for himself and for his clients, all of which are small and medium-size business owners with dozens of online accounts. His tool of choice is RoboForm by Siber Systems, a password-management app for Windows and Mac that's also available for iOS and Android mobile devices.
Tabush likes RoboForm because it works across all his devices, including his desktop, laptop, iPhone and iPad. Because this web-based password manager stores passwords as encrypted files, even if one of Tabush's devices were to be stolen, the thief wouldn't have access to his login information.
Of course, for every expert who says he can't live without a password manager, there's another who says he'd gladly go the rest of his life without ever using one.
That's the case for Terry Cutler, co-founder and chief technology officer of Montreal-based cybersecurity consultancy Digital Locksmiths.
"I'm not a fan of password-management tools at all," Cutler said in an email interview. "If the tool got hacked, then all of your codes would be taken."
Tyler Reguly, manager of security research and development at Portland, Oregon-based cybersecurity firm Tripwire, agreed with Cutler. He argued that password managers may do more harm than good, especially for home users.
"Password managers are society's method of moving bad habits to the computer," Reguly said. "It's bad form to 'write down' passwords, so instead we 'store' them on our computer. 'Store' is simply the digital equivalent to 'write down.'"
'I don't trust online password managers'
Figuring out which tools are secure, and which ones aren't, isn't necessarily an easy task. As Ken Westin, director of security strategy at ReliaQuest, pointed out, it's hard to know just how secure password managers really are.
"Personally, I don't trust online password managers," Westin said in an email message. "This isn't because I think they're insecure; it's because I don't know how secure they are, how they store my information and if my data is properly encrypted."
Because of this uncertainty, Westin said he wouldn't store his most sensitive information in web-based password managers. For managing passwords to financial accounts and email accounts, Westin recommended using a tool that isn't connected to the internet.
"For maximum safety, the passwords to these services [financial and email accounts] should be kept in an offline, encrypted password manager application, like KeePass, that requires authentication to open and is backed up regularly and securely," Westin said.
Christopher Burgess, CEO and president of Prevendra, a Seattle-area security and privacy company, suggested that anyone who doesn't trust password managers could instead keep track of passwords manually.
"A manual system is simple to implement [with] two notebooks," Burgess said. "In notebook one, put your account data — name of service, URL, user ID and a serial number. In book two, next to the serial number, write down the password and any authentication notes. Put book two in a safe place, and refer to it when you can't remember your password."
Playing it safe
While several of the experts we spoke to had strong opinions about password managers, many security experts seem to fall somewhere in the middle of this debate. For them, password managers are useful tools, but far from infallible.
As Chester Wisniewski, a principal research scientist with multinational antivirus firm Sophos, said in an email, individuals who don't choose their password management tools wisely could end up handing over "the one ring that rules them all."
"Look for well-known, vetted applications," Wisniewski said. "They must encrypt things locally and not rely on third parties to perform the encryption. I personally am fond of LastPass and KeePass."
Cedric Jeannot, founder and CEO of cybersecurity firm APrivacy in Waterloo, Ontario, also stressed the importance of reliable data encryption when determining which password manager to use.
Jeannot said that if your password manager of choice stores data in the cloud — rather than locally on your computer — you should pay close attention to which country your information is stored in and who, in addition to the password-management service, might have access to it.
Lamar Bailey, senior director of security at Tripwire, said individuals should look for password managers that have security features beyond encryption, features that might help secure users' online identities.
"Many password managers alert users to websites that have been breached, or those that are affected by serious security vulnerabilities like Heartbleed," Bailey said in an email.
Bailey went on to say that the most important thing to keep in mind regarding password managers is the master password that you use to secure this tool.
"Any password manager is only as secure as your master password," Bailey said. "So users should always make sure the password to their password manager is very strong, and change it often."
KeePass does have two-step and three-step verification. You can use either password verification, file verification or Windows login verification.
File verification is probably the best, since you can create an arbitrarily large file of randomness and save it on a flash drive. At this point you can require KeePass to use two-factor authentication (something you know and something you have).
A lot of them do use two-step verification. Dashlane uses Google Authenticator.
There's a big difference between two-step verification and two-factor verification. The former is nonsense. A simple Google search answers this for ya: http://security.stackexchange.com/a/41965
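The "password plus key file" scheme described in the KeePass comment above, shown as an added illustration that is not the article's or KeePass's own code: each factor is folded to 32 bytes, the two are concatenated and the result is stretched with PBKDF2, so a stolen laptop without the flash drive (or the flash drive without the master password) yields a different key. The function names, the 1 MB key-file size and the iteration count are constructed for the example.

```python
import hashlib
import os
import secrets
import tempfile
from typing import Optional


def make_key_file(path: str, size: int = 1024 * 1024) -> None:
    """Write `size` bytes of CSPRNG output to `path` (the 'something you have')."""
    with open(path, "wb") as f:
        f.write(secrets.token_bytes(size))


def hash_file(path: str) -> bytes:
    """SHA-256 of a file of any size, read in chunks so a large key file is fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def composite_key(password: Optional[str], key_file: Optional[str], salt: bytes) -> bytes:
    """Combine whichever factors are present, then stretch with a slow KDF.
    Illustrative construction (not KeePass's algorithm): SHA-256 of each factor,
    concatenated, fed to PBKDF2-HMAC-SHA256. The KDF keeps password guessing
    expensive, but it cannot rescue a weak master password."""
    if password is None and key_file is None:
        raise ValueError("at least one factor is required")
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += hash_file(key_file)
    return hashlib.pbkdf2_hmac("sha256", parts, salt, 600_000, dklen=32)


def demo() -> dict:
    """Derive a vault key with both factors and check what each missing or
    wrong factor does to it. Returns a dict of named boolean results."""
    salt = secrets.token_bytes(16)  # stored next to the vault; not secret
    password = "correct horse battery staple"  # constructed sample password
    with tempfile.TemporaryDirectory() as d:
        kf = os.path.join(d, "vault.key")
        make_key_file(kf)
        stored = composite_key(password, kf, salt)
        return {
            "reproducible": composite_key(password, kf, salt) == stored,
            "password_alone_fails": composite_key(password, None, salt) != stored,
            "key_file_alone_fails": composite_key(None, kf, salt) != stored,
            "wrong_password_fails": composite_key(password + "!", kf, salt) != stored,
        }


if __name__ == "__main__":
    print(demo())
```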