What is a password manager?
A password manager is a software application or hardware device that creates strong, complex passwords for online accounts. The program provides access to those passwords via a master code that you, the user, create. The password manager also saves and protects other sensitive data, like user IDs, personal identification numbers, credit card numbers, and answers to security questions. All you need to remember is the master code.
The various types of password managers differ, mainly based on where your passwords and other log-in credentials are stored—most commonly in your web browser, in the cloud, on your desktop, or on a portable device, such as your mobile device or a USB plug-in.
How much do password managers cost?
Prices for password managers vary widely, and there are even some high-quality free versions available. A 2020 review in Wired magazine [1] recommends password managers that range from free to $36/year ($60/year for families).
What are the risks when using a password manager?
No information security system is risk-free, but password managers have some built-in protections that lower their risks considerably. Of course, one of the biggest challenges they face is keeping up with hackers' ingenuity.
“One risk that I see is if there are vulnerabilities in the code for the password manager,” says Rakesh Verma, professor of computer science and director of the ReDAS (Reasoning and Data Analytics for Security) Lab at the University of Houston. “It's possible that attackers can try to reverse-engineer the code.”
In other words, a hacker could potentially figure out the source code for the password manager and use that info to break into the site. But Wright says the risk of someone breaching a password manager's site is only modest with a high-quality program, because they are built securely enough to block most such attacks.
Another risk is that someone might learn your personal master code. The good news is that most password managers use a multi-factor authentication process, which requires multiple steps to verify your identity, including both a password and an additional step, like entering a code sent to your smartphone or your personal email address. This greatly lowers your chance of getting hacked if a cyber thief does gain access to your password.
To bolster your security, Wright says, pick a password management company with a good business reputation.
The Wired review of password managers can help you decide which reputable password manager is right for your needs and budget.
Are password managers safe for accounts that have financial information?
Considering the risks that stem from using weak passwords and the challenge of keeping track of multiple accounts, Wright sees password managers as useful and reasonably safe tools. But think very carefully before using one for your banking and other financial accounts.
“I would not recommend using a password manager for very high-value accounts if you can manage to remember one pretty-good password for each one,” Wright says, referring to accounts containing large sums of money that a thief could potentially steal via direct transfer. “For everything else, a password manager is a fine solution.”
What happens if someone gets my master password?
If someone obtains or steals your master password, then that person will have access to all passwords that are saved in the password manager — granting them carte blanche access to all of your accounts.
A 2019 article in The Washington Post [2] highlighted the security flaws in some of the common password managers. However, they concluded that there was no evidence of any actual security breaches, despite the flaws — and that the risks of easy-to-hack passwords and reusing passwords far exceeded the risk of having your password manager hacked. In addition, companies were generally quick to address security flaws once they were discovered.
Besides someone stealing your master password, another risk is the chance you'll forget your code and be locked out. With some password managers, you may be able to get a hint about your forgotten password — or even the ability to reset your password if you're still using the same computer or mobile device you were previously using the password manager on. With most password managers, however, you'll be locked out permanently if you forget your password and will have to reset the passwords you had stored on the password manager manually — that is, by visiting the online account pages for each of the sites. Of course, that inconvenience would still be minor compared to having your account information stolen.
Are there any good alternatives to password managers?
If you don't feel comfortable using a password manager, Verma has another idea for creating multiple strong passwords and making them easy to recall. While he thinks password managers are reasonably secure, he doesn't use one himself. Instead, he creates his own passwords using an algorithm.
You don't have to be a computer science or math whiz to do this, Verma insists. An algorithm is simply a step-by-step process.
“An algorithm is like a recipe, except that it's much more systematic and straightforward, so that even a computer can execute the steps,” Verma says.
Here's how it would work: You design a password formula that includes both special elements you are likely to remember and parts that relate to each financial account. For example, you might pick some letters from the bank name, some digits from a family birth date, and a couple of symbols. The basic steps would be the same for each account password, but the specific characters would vary. You could memorize or store the formula – and maybe some hints to help you recall each password – without having to memorize dozens of codes.
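The formula described above can be written out and checked before you rely on it. The following is an added example, not code from the article or from Verma: the exact recipe (first three letters of the account name, last four digits of a date, two symbols), the function names, and the account names and date are all constructed assumptions. It derives one password per account, then reports whether any two accounts end up with the same password and how much of each password is the shared, fixed part.

```python
from itertools import combinations


def formula_password(account, birth_date, symbols, n_letters=3, n_digits=4):
    """Apply one assumed recipe: letters from the account name,
    digits from a date, and two fixed symbols."""
    letters = "".join(ch for ch in account if ch.isalpha())[:n_letters]
    digits = "".join(ch for ch in birth_date if ch.isdigit())[-n_digits:]
    # Account-specific part first, then the part that never changes.
    return letters.capitalize() + symbols[0] + digits + symbols[1:]


def shared_positions(a, b):
    """Count positions where two passwords hold the same character."""
    return sum(x == y for x, y in zip(a, b))


def audit(accounts, birth_date, symbols):
    """Derive a password per account and measure how similar they are.

    Returns (passwords, all_unique, worst_overlap), where worst_overlap is
    the largest fraction of characters any two passwords have in common.
    """
    pw = {acct: formula_password(acct, birth_date, symbols) for acct in accounts}
    all_unique = len(set(pw.values())) == len(pw)
    worst_overlap = max(
        shared_positions(pw[a], pw[b]) / max(len(pw[a]), len(pw[b]))
        for a, b in combinations(pw, 2)
    )
    return pw, all_unique, worst_overlap


# Constructed sample inputs (not real accounts or a real birth date).
ACCOUNTS = ["Example Bank", "Sample Credit Union", "Demo Brokerage"]
DATE = "1984-07-21"
SYMBOLS = "#!"

if __name__ == "__main__":
    passwords, unique, overlap = audit(ACCOUNTS, DATE, SYMBOLS)
    for account, password in passwords.items():
        print(f"{account:22} {password}")
    print("all unique:", unique, "| worst overlap:", round(overlap, 2))

    # Edge case: two account names that start with the same letters
    # produce the same password under this recipe.
    _, unique2, _ = audit(["Example Bank", "Example Savings"], DATE, SYMBOLS)
    print("similar account names unique:", unique2)
```

If the audit reports a collision or a high overlap, the formula should draw more characters from each account name so that the account-specific part carries more of the password.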
Whether you decide to use an automated password manager for most of your passwords or go the DIY route, you need a system for creating passwords that are unique and hard to breach. And whatever you decide, be sure to keep those super-sensitive financial account passwords off your password manager.