KEY POINTS
- Internet users without password managers are three times more likely to experience identity theft than those who properly use them.
- But not all password managers are equal, from browser-based free options to multiple levels of paid password security services.
- Even a password manager requires users to have one closely guarded master password, and even password managers have been hacked, as in the recent case of LastPass.
By CNBC
Scribbling a password on a Post-it Note or piece of paper is generally a bad idea. So is storing sensitive information online in a way that could be accessible to others.
Yet many people do this routinely, increasing the risk they’ll lose or have their sensitive information compromised.
That’s where a dedicated password manager can come in handy, helping securely and efficiently keep track of passwords and other sensitive information. Notably, recent research from Security.org, which reviews technology, products and services, found that Web users without password managers are three times more likely to experience identity theft than those who properly use them.
“Password managers are an important component of how we need to manage our personal security. They are designed to be used in a way that reduces our efforts to be secure, but still helps us keep our important information secure,” said Keri Pearlson, executive director of a cybersecurity research group at MIT Sloan.
But there are some key decisions to make in choosing, and using, a password manager. Here are six things to know about what’s becoming a best practice way to protect online identity.
Browser-based options are convenient but limited
Password managers come in different varieties. Most web browsers have some type of password manager, which are convenient and user-friendly. There can be drawbacks, however, including limited security and functionality.
For more robust security and features, security professionals say a dedicated password manager is a better choice. Such third-party apps allow users to enter multiple passwords into one central place that’s protected with a single master password. This does require people to hold tight to this master password, but benefits typically outweigh this slight inconvenience, according to security professionals.
Dedicated password managers can also do things such as generate strong passwords and allow users to copy and paste passwords onto a website. They can also be used to safely store many types of information, including PINs, credit card numbers, CVV codes, photos, driver’s license information, medical data and more, said Marina Titova, vice president of consumer product marketing at cybersecurity company Kaspersky.
“This is a very secure, encrypted storage and all the major players put a lot of effort into making sure customer’s vaults are secure,” she said.
Strong security, but hacks still happen
Stand-alone password managers provide strong encryption for a customer’s data, helping to ensure no one else — even the password manager provider — can access this information. This type of robust protection helps keep customers’ data safe, even in the event of a breach.
That’s not to say there haven’t been security breaches, including at LastPass, one of the world’s largest password managers. In the case of LastPass, no customer data was accessed during the August 2022 incident. But the company disclosed just last week that source code and technical information stolen in that incident were used to target an employee, yielding credentials and keys that were then used to access and decrypt some information stored within the cloud. According to a company blog post laying out the potential risks to customers, that included potential access to encrypted and unencrypted customer data — company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service — but not unencrypted credit card information.
While using a stand-alone password manager requires placing trust in a third party, despite the LastPass hack, password managers generally do a good job of protecting customer data, said Justin Cappos, an associate professor at NYU Tandon School of Engineering, in a recent interview with CNBC.
Deciding between free and premium security services
Some stand-alone password managers are free, others offer free and premium versions, and some are only available for a fee. Premium features can include the ability to share vault items with multiple people and on multiple devices, dark web monitoring and emergency one-time access to a user’s vault.
Which password manager provider to use, and whether to pay for premium services, depends in part on the user’s needs and preferences.
Most people should be fine to start out with a free version, and if they want more features, they can look for a paid option, said Rahul Telang, professor of information systems and management at Carnegie Mellon University’s Heinz College. For paid services, consumers generally might expect to pay somewhere in the range of about $1 to around $7 per month.
Cybersecurity vendor reputation matters
There are a number of well-known, stand-alone password managers including Bitwarden, LastPass, 1Password, Dashlane, KeePass, and Keeper. Cybersecurity providers such as Kaspersky, McAfee and Norton also offer password managers.
Before choosing a provider, pay attention to the vendor’s reputation, security expertise, track record with respect to data leaks and how the company stacks up in independent reviews, Titova said.
Reputation can also become a matter of national security concern, with Kaspersky a prime example. Because of its Russian founder’s roots in Russian intelligence, the company has been caught up in the business repercussions of the Russia-Ukraine war, and even before that it had been subject to claims by Western governments that it was too close to the Russian regime to be trusted.
As far back as 2017, the U.S. government barred use of Kaspersky products for government systems. In March of this year, the U.S. government blacklisted the firm. This doesn’t stop individual consumers from using and rating many of the company’s services highly, and Kaspersky has denied the allegations, saying in a statement in March, “This decision is not based on any technical assessment of Kaspersky products – that the company continuously advocates for – but instead is being made on political grounds.”
How to choose a strong master password
Make sure you have a strong master password, one that’s not easily guessable. It’s a good idea to use a phrase instead of one or two words, since a longer password will be tougher to crack than a shorter one. It’s also advisable to include upper and lowercase letters, numbers and special characters in the phrase, while still making the master password something that’s easy to remember, said Daniel Kats, senior principal researcher for Norton, a Gen Digital brand. As an example, “LionelMessi4WorldCup!” would be a strong password for a staunch soccer fan. Don’t use a common phrase or something that could be easily guessed by others, such as “masterpassword” or “admin” or “letmein,” he said.
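To make the “longer and more varied is harder to crack” advice concrete, here is a small added example (not code from CNBC or any of the vendors quoted above) that estimates how large a brute-force search space a master password lives in. It counts the character classes used, multiplies out the pool size, and expresses the result in bits; it also flags entries from a short, constructed list of commonly used passwords like the ones the article warns against. The `COMMON_PASSWORDS` set and the weak/fair/strong thresholds are assumptions for illustration, not figures from the article.

```python
import math
import string

# Constructed sample of commonly used passwords, mirroring the article's
# examples. A real checker would use a much larger breached-password list.
COMMON_PASSWORDS = {"masterpassword", "admin", "letmein", "password", "123456"}

# Character classes and the size each adds to the attacker's search pool.
CLASSES = [
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation), len(string.punctuation)),  # 32
]

# Assumed thresholds for the verdict; these are illustrative, not a standard.
FAIR_BITS = 50
STRONG_BITS = 80


def assess(password: str) -> dict:
    """Estimate the brute-force search space of a password in bits.

    The estimate assumes an attacker who knows which character classes
    were used and tries every combination of that pool; it is a ceiling,
    not a guarantee, because dictionary words and predictable patterns
    shrink the real search far below it.
    """
    chars = set(password)
    used = [name for name, members, _ in CLASSES if chars & members]
    pool_size = sum(size for name, _, size in CLASSES if name in used)
    # log2(pool ** length) == length * log2(pool); a pool of 0 means
    # the string contained no recognised characters.
    entropy_bits = len(password) * math.log2(pool_size) if pool_size else 0.0
    common = password.lower() in COMMON_PASSWORDS

    if common or entropy_bits < FAIR_BITS:
        verdict = "weak"
    elif entropy_bits < STRONG_BITS:
        verdict = "fair"
    else:
        verdict = "strong"

    return {
        "length": len(password),
        "classes": used,
        "pool_size": pool_size,
        "entropy_bits": round(entropy_bits, 1),
        "common": common,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for candidate in ("letmein", "correcthorse", "LionelMessi4WorldCup!"):
        result = assess(candidate)
        print(f"{candidate!r}: {result['verdict']} "
              f"({result['entropy_bits']} bits, pool {result['pool_size']}, "
              f"common={result['common']})")
```

Running it shows why the article’s example holds up: “letmein” is both on the common list and confined to a 26-character pool, while a 21-character phrase mixing all four classes sits in a search space above 130 bits. The common-password check matters more than the arithmetic, since a short passphrase that appears in a breach list is guessable in one try regardless of its character mix.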
What happens if you lose online access
The master password is your entry to the password manager. If you lose the master password, you’ll generally lose access to your vault as well. Also, if you don’t keep close tabs on your master password, anyone who has it could access your vault. There are ways to mitigate this risk by enabling features such as multi-factor or biometric authentication.
“If you have to write it down so you don’t forget it, put it in the place where you would put your most precious records,” Pearlson said. She recommends people keep their master password with their will or important papers. No one is going to break into your house looking for your master password, she said, but “you should treat this as a very important record.”