The benefits and risks of using a password manager to protect your online identity – NBC Bay Area
- Internet users without password managers are three times more likely to experience identity theft than those who use them correctly.
- But not all password managers are created equal, from browser-based free options to multiple tiers of paid password security services.
- Even a password manager requires users to have one tightly guarded master password, and even password managers have been hacked, as in the recent case of LastPass.
Writing a password on a Post-it note or piece of paper is generally a bad idea. So is storing sensitive information online in a way that can be accessed by others.
Yet many people do this routinely, increasing the risk of losing or compromising sensitive information.
This is where a dedicated password manager can come in handy, helping you securely and efficiently keep track of passwords and other sensitive information. In particular, recent research from Security.org, which assesses technology, products and services, has found that online users without password managers are three times more likely to experience identity theft than those who use them correctly.
“Password managers are an important component of how we need to manage our personal security. They are designed to be used in a way that reduces our effort to be secure, but still helps us keep important information secure,” said Keri Pearlson, executive director of a cybersecurity research group at MIT Sloan.
But there are some important decisions to make when choosing and using a password manager. Here are six things you should know about what is becoming an online identity protection best practice.
Browser-based options are convenient but limited
Password managers come in different varieties. Most browsers have some type of password manager, which is convenient and user-friendly. However, there may be drawbacks, including limited security and functionality.
For more robust security and features, security experts say a dedicated password manager is a better choice. Such third-party apps let users keep many passwords in one central location that is protected by a single master password. This requires people to keep track of that master password, but the benefits usually outweigh this slight drawback, according to security experts.
Dedicated password managers can also do things like generate strong passwords and allow users to copy and paste passwords into a website. They can also be used to securely store many types of information, including PINs, credit card numbers, CVV codes, photos, driver’s license information, medical data and more, said Marina Titova, vice president of consumer product marketing at cybersecurity company Kaspersky.
“This is a very secure, encrypted storage and all the big players are putting a lot of effort into making sure their customers’ vaults are secure,” she said.
Strong security, but hacks still happen
Stand-alone password managers provide strong encryption for a customer’s data, helping to ensure that no one else – not even the password manager provider – can access this information. This type of robust protection helps keep customers’ data safe, even in the event of a breach.
That’s not to say that there haven’t been security breaches, including at LastPass, one of the world’s largest password managers. In the August 2022 LastPass incident, no customer data was accessed. But the company disclosed just last week that the source code and technical information stolen in that incident were used to target an employee and obtain credentials and keys, which were then used to gain access to and decrypt information stored in the cloud. According to a blog post describing the potential risks to customers, this could include encrypted and unencrypted customer data – company names, end user names, billing addresses, email addresses, phone numbers and the IP addresses from which customers accessed the LastPass service – but not unencrypted credit card information.
Using a standalone password manager does require trusting a third party, but despite the LastPass hack, password managers generally do a good job of protecting customer data, Justin Cappos, an associate professor at the NYU Tandon School of Engineering, said in a recent interview with CNBC.
Choosing between free and premium security services
Some standalone password managers are free, others offer free and premium versions, and some are only available for a fee. Premium features may include the ability to share vault items with multiple people and across multiple devices, dark web monitoring, and one-time access to a user’s vault.
Which password management provider to use, and whether to pay for premium services, depends in part on the user’s needs and preferences.
Most people should be able to start with a free version, and if they want more features, they can look for a paid option, said Rahul Telang, a professor of information systems and management at Carnegie Mellon University’s Heinz College. For paid services, consumers can generally expect to pay roughly $1 to $7 per month.
The reputation of the cyber security provider is important
There are a number of well-known stand-alone password managers, including Bitwarden, LastPass, 1Password, Dashlane, KeePass and Keeper. Cyber security providers such as Kaspersky, McAfee and Norton also offer password managers.
Before choosing a provider, pay attention to the provider’s reputation, security expertise, track record with regard to data leaks and how the company behaves in independent reviews, Titova said.
Reputation can also become a matter of national security, with Kaspersky being a prime example. Because of its Russian founder’s roots in Russian intelligence, the company has been caught up in the business fallout of the Russia-Ukraine war, and even before that Western authorities had claimed it was too close to the Russian regime to be trusted.
As far back as 2017, the US government blocked the use of Kaspersky products on government systems. In March this year, the US government blacklisted the company. This does not prevent individual consumers from using many of the company’s services and rating them highly, and Kaspersky has denied the allegations, saying in a statement in March: “This decision is not based on any technical assessment of Kaspersky products – which the company has continuously advocated for – but is instead made on a political basis.”
How to choose a strong master password
Make sure you have a strong master password, one that is not easily guessed. It’s a good idea to use a phrase instead of one or two words, as a longer password will be harder to crack than a shorter one. It’s also advisable to include uppercase and lowercase letters, numbers and special characters in the phrase, while still making the master password something easy to remember, said Daniel Kats, senior principal of Norton, a Gen Digital brand. As an example, “LionelMessi4WorldCup!” would be a strong password for a loyal football fan. Don’t use a common phrase or something that can be easily guessed by others, such as “masterpassword” or “admin” or “letmein,” he said.
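The advice above (length, mixed character classes, nothing guessable) can be turned into a concrete policy check. The following is an added example, not code from the article or from any password manager vendor; the blocklist is a constructed stand-in for a real breached-password list, and the 12-character minimum, the three-class rule, the 60-bit entropy floor and the guess rate are assumed thresholds for illustration.

```python
import math
import string

# Constructed blocklist for this example (not a real wordlist); a deployed checker
# would load a published breached-password corpus instead.
COMMON_PASSWORDS = {"masterpassword", "admin", "letmein", "password", "123456", "qwerty"}

MIN_LENGTH = 12          # assumed policy threshold
MIN_CLASSES = 3          # assumed: at least three of lower/upper/digit/symbol
MIN_ENTROPY_BITS = 60.0  # assumed floor on the brute-force estimate below


def character_pool_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker must search, based on the classes present."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in pw):
        pool += 1
    return pool


def estimated_entropy_bits(pw: str) -> float:
    """Upper-bound entropy log2(pool ** length). Names and dictionary words make the real
    figure lower, which is why the blocklist check is applied separately."""
    pool = character_pool_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def brute_force_years(pw: str, guesses_per_second: float = 1e10) -> float:
    """Years to exhaust the keyspace at an assumed offline guessing rate; shows why a
    longer phrase beats a short word even before character classes are considered."""
    return 2 ** estimated_entropy_bits(pw) / guesses_per_second / (365 * 24 * 3600)


def check_master_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the candidate passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if estimated_entropy_bits(pw) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS:.0f} bits")
    return problems


if __name__ == "__main__":
    for candidate in ("LionelMessi4WorldCup!", "masterpassword", "letmein"):
        print(candidate, check_master_password(candidate) or "ok",
              f"{estimated_entropy_bits(candidate):.1f} bits")
```

Note that the entropy figure is only a ceiling: "masterpassword" is 14 lowercase characters and clears the 60-bit estimate, yet it fails because it is on the blocklist, which is the check that catches phrases an attacker would try first.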
What happens if you lose your master password
The master password is your entry to the password manager. If you lose your master password, you will usually lose access to your vault as well. Conversely, if you don’t guard your master password, anyone who obtains it can gain access to your vault. There are ways to reduce this risk by enabling features such as multi-factor or biometric authentication.
“If you have to write it down so you don’t forget, put it where you would put your most precious records,” Pearlson said. She advises people to keep their master password with their will or important papers. No one is going to break into your house looking for your master password, she said, but “you should treat this as a very important record.”
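Two earlier points, that a standalone manager encrypts the vault so that not even the provider can read it, and that losing the master password means losing the vault, follow from the same design: the vault key is derived on the user's device from the master password and is never sent to the provider. The following is an added example illustrating that design, not code from the article or from any vendor. It assumes PBKDF2-HMAC-SHA256 with an illustrative iteration count, a separate login verifier derived from the vault key, and an HMAC-based counter-mode cipher with encrypt-then-MAC as a stand-in for AES-GCM (which the Python standard library does not ship); the account, email and vault entry are constructed sample data.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed, illustrative; deployed clients use far more stretching
KEY_LEN = 32


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password into the vault key. The normalised email
    acts as a per-user salt. This key never leaves the user's device."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, ITERATIONS, KEY_LEN)


def derive_auth_verifier(vault_key: bytes, master_password: str) -> bytes:
    """Client side: a separate login verifier derived one-way from the vault key, so the
    provider can authenticate the user without ever learning the key or the password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream from HMAC-SHA256 (stand-in for a real block cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(vault_key: bytes):
    # Separate encryption and MAC keys derived from the vault key with distinct labels.
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def seal_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_vault(vault_key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class ProviderServer:
    """What the provider stores per account: a salted hash of the verifier and the sealed
    vault. Neither contains the vault key, so a copy of this data alone cannot be decrypted."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, verifier: bytes, sealed_vault: bytes) -> None:
        server_salt = os.urandom(16)
        verifier_hash = hashlib.pbkdf2_hmac("sha256", verifier, server_salt, ITERATIONS, KEY_LEN)
        self.accounts[email] = {"salt": server_salt, "verifier_hash": verifier_hash, "vault": sealed_vault}

    def login(self, email: str, verifier: bytes):
        """Return the sealed vault when the verifier matches, else None."""
        acct = self.accounts.get(email)
        if acct is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", verifier, acct["salt"], ITERATIONS, KEY_LEN)
        return acct["vault"] if hmac.compare_digest(candidate, acct["verifier_hash"]) else None


def run_scenario(master_password: str, attempt: str, email: str = "user@example.com") -> dict:
    """Enrol with master_password, then log in and decrypt using `attempt`.
    The vault entry is constructed sample data."""
    server = ProviderServer()
    vault_key = derive_vault_key(master_password, email)
    server.register(email, derive_auth_verifier(vault_key, master_password),
                    seal_vault(vault_key, b"example.com | alice | hunter2"))
    attempt_key = derive_vault_key(attempt, email)
    blob = server.login(email, derive_auth_verifier(attempt_key, attempt))
    return {
        "login_ok": blob is not None,
        "decrypted": open_vault(attempt_key, blob) if blob is not None else None,
        # The provider's records must never contain the vault key itself.
        "server_holds_vault_key": vault_key in server.accounts[email].values(),
    }


if __name__ == "__main__":
    print(run_scenario("LionelMessi4WorldCup!", "LionelMessi4WorldCup!"))
    print(run_scenario("LionelMessi4WorldCup!", "letmein"))
```

With the wrong master password the login fails and, even if the sealed blob were obtained some other way, `open_vault` rejects it because a different key yields a different MAC key; this is also why a forgotten master password cannot be "reset" by the provider without an account-recovery feature set up in advance.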