What is a password manager?
A password manager is a software application or hardware device that creates strong, complex passwords for online accounts. The program provides access to those passwords via a master code that you, the user, create. The password manager also saves and protects other sensitive data, like user IDs, personal identification numbers, credit card numbers, and answers to security questions. All you need to remember is the master code.
The various types of password managers differ [1, 2] mainly according to where your passwords and other log-in credentials are stored. Common locations for password managers to store your passwords are in your web browser, in the cloud, on your desktop, or on a portable device, such as your mobile device or a USB plug-in.
How much do password managers cost?
Prices for password managers vary widely, and there are even some high-quality free versions available. A PC Magazine [3] review gave high rankings to 10 password manager products with prices ranging from $12 a year for Zoho Vault to $39.99 a year for Dashlane. The magazine also listed the best free [4] password managers, with LastPass and LogMeOnce Password Management Suite Premium tying for first place.
What are the risks when using password managers?
No information security system is risk-free, but password managers have some built-in protections that lower their risks considerably. Of course, one of the biggest challenges they face is keeping up with hackers' ingenuity.
“One risk that I see is if there are vulnerabilities in the code for the password manager,” says Rakesh Verma, professor of computer science and director of the ReDAS (Reasoning and Data Analytics for Security) Lab at the University of Houston. “It's possible that attackers can try to reverse-engineer the code.”
In other words, a hacker could potentially figure out the source code for the password manager and use that info to break into the site. But Wright says the risk of someone breaching a password manager's site is only modest with a high-quality program, because they are built securely enough to block most such attacks.
Another risk is that someone might learn your personal master code. The good news is that most password managers use a multifactor authentication process [5] that stores the authentication code only on your own device, so there's a lower chance of a cyber thief getting hold of it.
To bolster your security, Wright says, pick a password management company with a good business reputation. If you're not familiar with a company or product, look for reviews [5] from cybersecurity experts.
Are password managers safe for accounts that have financial information?
Considering the risks that stem from using weak passwords and the challenge of keeping track of multiple accounts, Wright sees password managers as useful and reasonably safe tools. But think very carefully before using one for your banking and other financial accounts.
“I would not recommend using a password manager for very high-value accounts if you can manage to remember one pretty-good password for each one,” Wright says, referring to accounts containing large sums of money that a thief could potentially steal via direct transfer. “For everything else, a password manager is a fine solution.”
What happens if someone gets my master password?
If someone obtains or steals your master password, then that person will have access to all passwords that are saved in the password manager — granting them carte blanche access to all of your accounts.
Besides someone stealing your master password, another risk is the chance you'll forget your code and be locked out. With LastPass, you can receive a hint about your forgotten master password [6] and instructions on how to reset it, as long as you are using the same computer or mobile device on which you previously used the password manager. With other vendors, you'll be locked out permanently and will have to reset the passwords manually for all your online accounts at each site. That inconvenience still wouldn't be as bad as having your account information stolen.
Are there any good alternatives to password managers?
If you don't feel comfortable using a password manager, Verma has another idea for creating multiple strong passwords and making them easy to recall. While he thinks password managers are reasonably secure, he doesn't use one himself. Instead, he creates his own passwords using an algorithm.
You don't have to be a computer science or math whiz to do this, Verma insists. An algorithm is simply a step-by-step process.
“An algorithm is like a recipe, except that it's much more systematic and straightforward, so that even a computer can execute the steps,” Verma says.
Here's how it would work: You design a password formula that includes both special elements you are likely to remember and parts that relate to each financial account. For example, you might pick some letters from the bank name, some digits from a family birth date, and a couple of symbols. The basic steps would be the same for each account password, but the specific characters would vary. You could memorize or store the formula – and maybe some hints to help you recall each password – without having to memorize dozens of codes.
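The formula idea above, written out as an added example (not code from the article or from Verma): the recipe used here, the first three consonants of the account name plus fixed date digits and symbols, is hypothetical, and the account names are constructed. It also reports which part of each password repeats across accounts and flags account names that derive the same password, since the passwords are meant to be unique.

```python
from collections import defaultdict


# Hypothetical formula, constructed for this example: first three consonants
# of the account name + four digits of a memorable date + two symbols.
def formula_password(account, date_digits="0417", symbols="#!"):
    consonants = [c for c in account.lower() if c.isalpha() and c not in "aeiou"]
    # Pad with "x" if the name has fewer than three consonants.
    letters = "".join(consonants[:3]).ljust(3, "x").capitalize()
    return letters + date_digits + symbols


def shared_suffix(a, b):
    """Return the longest ending that two passwords have in common."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:]


def find_collisions(accounts):
    """Group accounts whose derived passwords are identical (not unique)."""
    by_password = defaultdict(list)
    for name in accounts:
        by_password[formula_password(name)].append(name)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


# Constructed account names, not real institutions.
ACCOUNTS = ["First National", "Acme Credit Union", "Bank One", "Bank Online"]

if __name__ == "__main__":
    for name in ACCOUNTS:
        print(f"{name:20} -> {formula_password(name)}")
    first, second = (formula_password(n) for n in ACCOUNTS[:2])
    print("part repeated across accounts:", shared_suffix(first, second))
    print("accounts sharing a password:", find_collisions(ACCOUNTS))
```

Only the three leading letters vary per account in this recipe; the date digits and symbols are the same everywhere, and two similarly named accounts end up with the same password.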
Whether you decide to use an automated password manager for most of your passwords or go the DIY route, you need a system for creating passwords that are unique and hard to breach. And whatever you decide, be sure to keep those super-sensitive financial account passwords off your password manager.