How secure are password managers? A major password manager has been hacked for the second time in three months. LastPass says it detected unusual activity in a third-party cloud storage service. Password managers are software for storing a digital list of your passwords securely, in what’s called a password vault. Putting all your passwords into a single list and trusting software to secure it might
be a scary prospect for many people. What if it gets hacked? They’ll get
access to EVERY important account of mine! Using a password manager is actually one
of THE MOST IMPORTANT things you can do to SAFEGUARD your digital life. In this video
we’ll explain why computer security experts almost unanimously swear by them, and how
to keep your password vault super secure. It’s also really important that
you choose a good password manager, and they’re not all created equally. So we’ll also compare 5 popular password managers
to see how they stack up against each other, so that you can find one that best suits
your needs. We’ll give options that will suit most people, but also look at options
for those who have higher security needs. Let’s recap why password managers are an
essential part of your privacy toolbox: Your passwords need to be way
stronger than you probably realize, and without a password manager this
would be completely unfeasible. First, you may not realize how trivial
it is to brute force passwords. Most people’s passwords are way too simple, and can be cracked immediately. Even longer
ones sometimes just take a few minutes. As a general rule, the longer your password,
the harder it is to crack. Your password should be longer than 16 characters.
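To put numbers on these rules, here is an added example (it is not from the video and not from any password manager’s code). It computes the size of the search space an attacker must cover for a few password shapes, converts that into bits of entropy, and estimates how long an offline brute-force attack would take at an assumed rate of 10 billion guesses per second (an assumption for a fast, unsalted hash on a GPU rig; the slow hashing that real vaults use makes things far worse for the attacker). It also covers the dice-chosen word passphrases the video recommends later for the master password: the 16-word list is constructed and stands in for the EFF list, while 7776 is the real size of the EFF large word list. Both kinds of password are generated with Python’s secrets module, the same kind of CSPRNG a password manager’s generator relies on.

```python
"""Added example (not from the video): putting numbers on "longer is harder".

Computes the search space for several password shapes, expresses it in bits
of entropy, estimates offline cracking time at an assumed guessing rate, and
generates passwords of both recommended kinds with the secrets module.
"""
import math
import secrets
import string
from typing import Sequence

# Character set for random passwords: letters, digits and punctuation (94 symbols).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Assumed attacker speed for a fast, unsalted hash on a GPU rig (an assumption,
# not a figure from the video); slow hashes like Argon2 cut this drastically.
GUESSES_PER_SECOND = 1e10

# Real size of the EFF large word list (5 dice, 6^5 = 7776 words).
EFF_LARGE_LIST_SIZE = 7776

# Constructed stand-in for a dice word list, only so the generator runs offline.
SAMPLE_WORDS = ["acorn", "basil", "cider", "delta", "ember", "fjord", "gusto",
                "hazel", "igloo", "jumbo", "kayak", "lemon", "mango", "nylon",
                "oasis", "pixel"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def guesses_to_search(bits: float) -> float:
    """Worst-case number of guesses needed to exhaust a space of `bits` entropy.
    Each extra bit doubles this number."""
    return 2.0 ** bits


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Average cracking time in years (half the space) at `rate` guesses per second."""
    seconds = guesses_to_search(bits) / 2 / rate
    return seconds / (365 * 24 * 3600)


def random_password(length: int = 20) -> str:
    """Random-character password, as a password manager's generator produces."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def random_passphrase(words: Sequence[str], count: int = 6) -> str:
    """Passphrase of `count` words drawn uniformly at random with a CSPRNG,
    the software equivalent of rolling dice against a word list."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    cases = {
        "8 lowercase letters": (26, 8),
        "8 mixed characters": (94, 8),
        "16 random characters": (94, 16),
        "20 random characters": (94, 20),
        "6 EFF dice words": (EFF_LARGE_LIST_SIZE, 6),
    }
    for name, (alphabet, length) in cases.items():
        bits = entropy_bits(alphabet, length)
        print(f"{name:22s} {bits:6.1f} bits  ~{years_to_crack(bits):.3g} years")
    print("generated password:  ", random_password())
    print("generated passphrase:", random_passphrase(SAMPLE_WORDS))
```

Eight lowercase letters fall in seconds at the assumed rate; six dice words give about 77.5 bits and 16 random printable characters about 105 bits, both far beyond what the same attacker can exhaust. The comparison only holds if the symbols are chosen uniformly at random, which is why the generation functions use secrets rather than the random module.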
That’s a lot of characters to remember, so a password manager will remember it for you. Next, every password you use needs to
be unique, meaning that you don’t reuse it on multiple accounts. This is because
account passwords are leaked all the time. 3.2 billion email and password combos have been posted to the dark web. It is likely that your login details for various accounts are already available on the dark web. If an attacker obtains the password for
one of your accounts, they will then try it on others. Even if you slightly modify
your passwords for different websites, it’s still easier for a hacker to get into
your account than if you’d used a completely unique password. You’re not going to
be able to remember hundreds of long, unique passwords for every account, so again,
a password manager will remember them for you. Finally, your passwords also need
to be randomly generated. This is important. When passwords are leaked,
they’re not usually in plain text. It’s a terrible security practice for a
company to store your password in plain text, so most reasonable companies will store a
“hashed” version of your password instead. Basically they have some mathematical function
that they plug your original password into, that spits out a scrambled version
of that password called a hash. The website doesn’t need to know your original password; it only stores the hash, and whenever you enter your password it runs this mathematical function on it and checks whether the resulting hash value matches the hash value it has stored. One important characteristic of these hash
functions is that they’re one-way operations, meaning that it is easy to put in your password
and generate a hash value from it, but if you only have the hash value, it’s incredibly difficult
to recreate the original password from it. And changing one tiny detail
of the original password spits out a completely different hash output. If a hacker got access to just a
hash value, it wouldn’t help them, because they need the original password to access an account. And it’s incredibly difficult to
recreate the original password from a hash. But hackers being hackers find sneaky workarounds. They started creating entire databases
of common passwords, and have precomputed what the hashed value of these passwords would be
according to the most popular hashing algorithms. These databases are called “rainbow tables”. Now if a hacker gets access to someone’s
hashed password, they can search in their database for that value, and see what
the corresponding original password is. So you don’t want to use common words
for your password that might make it into such a database. Instead you want a string of random characters. One of the uses of password managers is that they generate random passwords for you with the click of a button, and then save them for you. Having a long, random, unique password for every
account, that you never reuse on other accounts, is one of the most effective ways to protect
your online accounts from being hacked. And password managers make this far
easier. They’re actually an amazing tool, a unicorn in the security world, because
almost every single thing that you do to make yourself more secure will also make your life more
inconvenient. Password managers are an exception: they will simultaneously make you more secure
and also make your life easier. You only need to remember a single master password
to access all of your stored passwords. Now let’s address the elephant in the room. What if someone gets access
to your master password? The first step is to make sure that master password is REALLY strong, so that it can’t be brute-forced.
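To make this concrete, here is an added example (not from the video, and not any vendor’s implementation) of the client-side key derivation and encryption that the “zero knowledge” design discussed later in the video refers to, together with the offline guessing an attacker can do once they hold a copy of the encrypted vault, as in the LastPass breach discussed below. Everything about the scheme is an assumption: scrypt stands in for the key derivation function (products use Argon2, PBKDF2 or scrypt with their own settings), an HMAC-based toy cipher stands in for AES-GCM so the code needs only the standard library, and the vault entries, the six-word passphrases and the list of common passwords are all constructed. It also shows why changing the master password after a vault copy has been stolen does nothing for that stolen copy.

```python
"""Added example (not from the video, not any vendor's code): a toy model of a
"zero-knowledge" password manager, showing why the master password is the one
thing that must hold up once an attacker has a copy of your vault.
Assumptions: scrypt as the KDF, an HMAC-based stand-in for AES-GCM, and a
server that stores only the encrypted blob plus a one-way login verifier.
"""
import hashlib
import hmac
import json
import os
from typing import Optional, Sequence

# Constructed scrypt parameters, kept light so the demo runs in about a second.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Client side only: master password -> 32-byte vault key via a slow KDF."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def login_verifier(vault_key: bytes) -> bytes:
    """The only secret-derived value the server stores: one-way, so the server
    can check a login but cannot work backwards to the vault key."""
    return hmac.new(vault_key, b"login-verifier", hashlib.sha256).digest()


def _subkeys(vault_key: bytes) -> tuple:
    """Separate encryption and authentication keys, both derived from the vault key."""
    enc = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256 (stand-in for a real cipher)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, entries: dict) -> dict:
    """Encrypt-then-MAC the vault on the client; the result is what gets uploaded."""
    enc_key, mac_key = _subkeys(vault_key)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_vault(vault_key: bytes, blob: dict) -> Optional[dict]:
    """Returns the entries, or None when the key is wrong (tag does not verify)."""
    enc_key, mac_key = _subkeys(vault_key)
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return json.loads(bytes(c ^ k for c, k in zip(blob["ciphertext"], stream)).decode("utf-8"))


def guess_master_password(stolen_blob: dict, salt: bytes, candidates: Sequence[str]) -> Optional[str]:
    """The offline check an attacker can run on a stolen vault copy: each candidate
    costs one full KDF run. The defender's only lever is how many candidates
    there are to try, which is what the length/uniqueness/randomness rules buy."""
    for candidate in candidates:
        if decrypt_vault(derive_vault_key(candidate, salt), stolen_blob) is not None:
            return candidate
    return None


# Constructed list of very common passwords, standing in for a leaked-password database.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "password123", "letmein", "iloveyou"]


def demo() -> dict:
    """Runs the whole story and returns the observations so they can be checked."""
    salt = os.urandom(16)  # stored alongside the vault; not secret
    entries = {"bank.example": "k7$Qp!2vLz9#Rt4w", "mail.example": "Xe3@mN8&bC1*yH6u"}
    weak_key = derive_vault_key("password123", salt)  # a common password
    strong_key = derive_vault_key("acorn basil cider delta ember fjord", salt)  # constructed passphrase
    weak_blob, strong_blob = encrypt_vault(weak_key, entries), encrypt_vault(strong_key, entries)
    # Rotating the master password re-encrypts a NEW copy; a stolen old copy is unaffected.
    rotated_blob = encrypt_vault(derive_vault_key("ember fjord gusto hazel igloo jumbo", salt), entries)
    return {
        "wrong_key_rejected": decrypt_vault(os.urandom(32), strong_blob) is None,
        "server_can_check_login": hmac.compare_digest(
            login_verifier(weak_key), login_verifier(derive_vault_key("password123", salt))),
        "weak_found": guess_master_password(weak_blob, salt, COMMON_PASSWORDS),
        "strong_found": guess_master_password(strong_blob, salt, COMMON_PASSWORDS),
        "old_copy_still_opens": decrypt_vault(weak_key, weak_blob) == entries,
        "rotated_copy_opens_with_old_key": decrypt_vault(weak_key, rotated_blob),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the vault protected by a common password falls to a six-entry list, while the passphrase-protected copy of the same vault does not; the server side holds only ciphertext and a verifier it cannot reverse, so the entire defence rests on how many candidates an attacker would have to push through the KDF.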
Remember our password rules: your master password to your vault must be long, unique, and random. I recommend using a passphrase to secure your vault, because a string of words is easier to memorize than a string of random characters.
But you must choose these words randomly. A good way to randomly choose words is to use a
word list like the one EFF has on their website, where you roll dice and the numbers
correspond to different words. You need at least 6 words from a list like
this, and that will have 77 bits of entropy. "Bits of entropy" is a common metric for measuring
the strength of a password or passphrase. Adding one bit of entropy doubles
the number of guesses required, which makes it twice as difficult to brute force. 6 words is long enough to take
thousands of years, maybe more, for current password cracking software to break. Following these password rules is ESSENTIAL
for securing your password vault, but it’s not sufficient. If someone puts a keylogger on
your computer, they can steal that password. So you must also secure your password
vault with two-factor authentication. We have videos explaining 2FA if you want to dive into the details, but the TL;DR is that a security key like a YubiKey is the most secure form of 2FA. With this second layer of protection, even if someone gets access to the master password for your vault, they won’t be able to access any of the passwords saved in it; they will also need physical access to your security key. With these steps, your password
manager will be very secure and you will dramatically improve the security
of your entire digital life. There are also ways to use your password manager
that can make it even more secure if you have a higher threat model, and
we’ll go over those later in the video. So what should you look for when
choosing a password manager? Most of the well-known password managers are
going to be fine for the average person. But, like all software, there is a fair amount
of trust that you need to place in them. You can reduce the amount of trust required by using a service that has publicly available third-party audits, and that is ideally open source. For the more popular password managers, you can also look at whether or not
they’ve had security breaches in the past. Another thing to consider is whether you
want an online or an offline manager. Offline password managers store all of your
passwords locally on your computer or device, which is helpful if you’re concerned about
the security of storing your passwords online. However online password
managers are more convenient, and allow you to access your
passwords from multiple devices, and safely share certain
passwords with other people. I think an online manager is
perfectly fine for most people. A good password manager will claim ‘zero
knowledge’, meaning that passwords are encrypted on a user’s own device before
being sent to a platform’s server. This way the password manager
service can’t access your passwords. Nor can any hackers who might
compromise that company’s servers. But it’s worth mentioning some of the risks of online managers so that you can decide your own comfort level. For
example some password managers may have good intentions but not have the necessary
expertise to keep your passwords safe. In 2019, Blur, a password manager, left a file
openly accessible on one of its servers that contained the names, emails, password hints
and IP addresses of 2.4 million accounts. I wouldn’t trust a password
manager to secure my passwords if they have a history of such security breaches. There’s also a risk that if an online password
manager is compromised in some way, it could be possible for a hacker to serve you malicious
versions of their software through the web. Online managers that store people’s encrypted password vaults for them also present a very tempting target for hackers. Even if the hacker doesn’t get your login details, other information like your login email and password reminders can be leaked. If you’re concerned about these risks, an offline
password manager might be a better choice for you, and we’ll go over some options. But
I maintain that an online manager is a great choice for most people,
provided you choose a good service. So let’s look at some of the most
popular services, starting with LastPass. They have over 30 million users worldwide, and all the bells and whistles you would
expect from a premium password manager. But despite its popularity, LastPass is very hard to recommend. They have suffered data breaches and multiple severe security vulnerabilities. In 2015, email addresses, password reminders, and authentication hashes of LastPass users were compromised. There was also a string of discovered vulnerabilities from 2016 to 2019. To LastPass’s credit, being one of the largest password managers does make them a huge target, and all disclosed vulnerabilities were promptly patched. Then in 2022 LastPass was hacked again. Digital storage keys were stolen from a LastPass employee, allowing a hacker to gain access to private customer information. They accessed the history of web addresses the
users visited, email addresses, phone numbers, names, and billing information, and they
also copied customers’ entire password vaults. Keep in mind that these vaults are encrypted, meaning that hackers are unable to access any data in the vaults, and that includes the name and notes fields. If you had a strong master password on your vault, it would take a hacker millions of years to
crack it and access your list of passwords. But anyone who had a weaker password
on their vault should be concerned. Changing your master password now
to make it super strong won’t help, because the old master password is the one
tied to the hacker’s copy of your vault. If you feel like you had a weak master password,
you should go ahead and change every password inside this vault, starting with the critical
ones like email accounts and financial accounts. These multiple security breaches lead me not to recommend LastPass. On top of that, their code is closed source, and while the company claims to do regular security audits, these reports are not available publicly unless you sign a non-disclosure agreement. Their Android mobile app also contains a lot of embedded trackers that send
personal details including the device being used, the mobile
operator, and the type of password being saved. LastPass claims that no
personally identifiable data nor vault data is sent and that they only use
this data to improve their service. But according to a report from
security researcher Mike Kuketz, some of this data appears to go to
marketing companies such as Segment. This sharing can be opted out of, but I don’t particularly like the idea of
my password manager sharing data about me. Next let’s look at Bitwarden. It’s free, fully open source, and rich in features. I highly
recommend this password manager. It’s easy to use, and also has various
security levels depending on your threat model. You can use it normally as
a desktop app, browser extension, and mobile app and sync it across multiple devices, or you could also choose to self-host
your own Bitwarden server, giving you full control of your data with all
the conveniences of online usage. There are free and paid tiers for this password manager. I highly recommend you pay – a good password manager is worth it, and the paid tier allows you to protect your account with a security key as your 2FA option. Bitwarden also has audits of its code
that are freely available and transparent. Bitwarden does have trackers in their apps,
but because Bitwarden is open source you can actually analyze whether they’re being
used for the things Bitwarden says they are. Bitwarden uses Google’s Firebase
to send push notifications to help keep your vaults synced up, and Microsoft
Visual Studio for crash reporting. Having reliable syncs across
devices seems like a good tradeoff, and providing feedback when
crashes happen may be worth it, but at the very least
Bitwarden discloses this fully. But if you don’t like it, you can always opt out or download the F-Droid version, which disables both. For most people, Bitwarden has
a good balance of convenience, offering a great out of the box experience
with minimal configuration required, while also giving users the option to take
full control of their data if they’d prefer. Next let’s look at Dashlane, another
popular option with an impressive user base of about 15 million people.
They too offer a polished experience with some great features.
It is closed source, and while they claim to do regular security audits, copies of
these reports are not available to the public. But on a positive note, there have been
no recorded security breaches of Dashlane. I like Dashlane, but they recently
stopped offering a desktop app version, which means it’s only available as a browser extension now for
computers, and a mobile app for phones. There are free and paid tiers. A unique feature of Dashlane is that it
utilizes machine learning to accurately do auto-fills across a wide variety of websites. However we actually recommend you disable
autofill functionality for any password manager you use, because it
can present security risks. Another cool feature unique to Dashlane is the
ability to change your key derivation function. You don’t really need to understand
what this means, and for most people, the default choice of Argon2d is fine. Perhaps the best feature of
Dashlane is its ability to bulk change passwords for many supported sites, meaning that you can change your
passwords for any of the supported sites all at once with the click
of a button, and auto-save them. It’s worth noting that Dashlane has also been found to have trackers in its apps. Dashlane uses Sentry to track crashes and Braze to communicate with their customers. It’s worth making a distinction between third-party services that don’t really track
you and provide useful functionality, compared to actual trackers. Although sometimes
it can be hard to tell the difference. In Dashlane’s case, it’s a mixed bag. On the one
hand we can understand trackers that help report crashes and relevant information that would help
the developers improve their product and fix bugs. Notifications of updates or renewal plans are
also helpful. On the other hand, paid marketing attribution and usage details start going into the
territory of more information than required for a password manager even though it’s considered
part of improving the ‘customer experience’. In general Dashlane will be an
acceptable option for most people, but there are probably better options. 1Password is another established player in the password manager space that also has over 15 million users. They were recently in the news having raised 620 million dollars with some celebrity investors such as Ryan Reynolds, Justin Timberlake and Robert Downey Jr. How many of you have heard of 1password.com? While 1Password is also closed source, they are much more transparent with their third-party audits, and all the unedited reports are freely available on their website. They have many good features like multi-factor authentication, password strength reports, and secure password sharing. Vulnerabilities found in 1Password have been quickly remedied and there have been no known data breaches.
There is no free option with 1password, but they do give you a 14 day
free trial before you commit. One thing that we found unique with 1password is
its Travel Mode which allows you to delete your stored passwords temporarily when you’re in other
countries or crossing borders. These passwords are completely removed from the local storage
in your device as long as Travel Mode is on. Immigration or border police in many
countries can require you to unlock your device so that they can search it, so
this option can be handy. It’s also useful for businesses who may want to control
which secrets employees travel with. 1Password is also one of the few password managers that do not use trackers in their Android app, even for crash reporting or syncing, according to Exodus Privacy. From what we’ve seen of its customer interactions in forums, its responsiveness to vulnerabilities, and also its transparency, 1Password seems like a high-quality option for most people. Now let’s talk about KeePassXC. It’s a free and open-source password manager that’s highly recommended by many people in the privacy
and security community, particularly as an offline password manager.
It’s more technically complex though. Being an offline manager, it stores
your password database locally on your device and does not rely on
any external servers or services to function. All of the password
management features of KeePassXC, including storing, generating, and retrieving passwords, are performed on your device. One of the advantages of using an offline password manager like KeePassXC is that it can provide an additional layer of
security because the password database is not transmitted over the internet, so it is less
vulnerable to online attacks or data breaches. Not being reliant on any 3rd party to serve you
code can really boost your security and privacy, and we recommend this as an offline
tool if you have a higher threat model. KeePassXC does have extensions for browser
integration for Chrome, Brave, Edge and Firefox so that you can easily fill in passwords
from your vault to your favorite websites. Generally you’ll want to use KeePassXC if you plan to use your vault entirely offline for increased security. It’s great for higher-risk people such as political dissidents or journalists who may be forced to open their vaults. You are
making things more complicated for yourself by using a password manager completely offline,
especially if you want to use the manager with multiple devices, but this tradeoff will
absolutely be worth it for some people. KeePassXC does offer the option to synchronize your password database across multiple devices using cloud storage services like Dropbox or Nextcloud. All that needs to be done is to save your KeePassXC database inside your cloud folder. This is not as seamless as using an online password manager. There are some quirks: for example, if you have several devices accessing the database at the same time, syncing conflicts can arise. You must be careful to properly close your vault on a device when you’re not using it there. KeePassXC hasn’t been audited yet, because it’s a community-driven project,
and audits come at a considerable price. But the code is all open source, which
is helpful for community-driven audits. One thing to note: there are a couple of other open-source password managers with similar names. KeePassXC started as a fork of KeePassX, which itself is a cross-platform port of KeePass. They are separate products, though, with different features, and KeePassXC is what we’re focusing on. If you want to use a service online you might be better off going with one of the previously mentioned online managers like Bitwarden, but if you are looking for a password manager with the highest security, and you don’t mind added inconvenience, using KeePassXC entirely offline is a great option, especially if your threat model is higher. Another kind of password manager that is important to mention is a browser’s
inbuilt password manager. They’re free, convenient, and most modern browsers have a way to keep
them synced across devices via the cloud. Some experts say that these are insecure,
while other experts say that for most people, these are more secure than
standalone password managers. Let’s start by talking about what they all
agree on: that using a password manager, whether in your browser or a standalone
app, is better than not using one at all! But there are a couple of reasons why I wouldn’t recommend you use the password
manager inbuilt to your browser. Most browsers will store your passwords
in a database on your computer and they rely on the device’s own OS security to
keep them safe. But the issue is that if the computer is already logged in, these
databases are unencrypted and unlocked. Some browsers such as Firefox and Safari provide
ways to additionally encrypt them, For example, Firefox allows you to set a master password
for them, but this is not prompted by default. Safari’s approach is better by
saving it in Apple’s keychain, and they prompt you to unlock
it when requesting a password. Any respectable standalone password manager, by comparison, will store your
passwords in an encrypted vault. Privacy experts like Michael Bazzell don’t ever recommend using your browser’s inbuilt password manager, because if you get hit with malware that produces a stealer log, hackers will be able to grab all of your passwords. On the other side of the fence are people like
Tavis Ormandy, from Google’s Project Zero team, who advocates FOR inbuilt
browser password managers, because standalone password managers often
rely on browser extensions and these can introduce vulnerabilities, whereas browsers
can isolate their trusted UI from websites. I agree that extensions do have vulnerabilities
that people should absolutely be aware of, but I think that for the average person,
a browser extension password manager from a reputable company is low risk and a good
idea. If you’re not comfortable with that, I don’t think that your browser’s inbuilt
password manager is your solution, because stealer logs are a really serious concern.
Instead, if you have a higher threat model, I’d recommend using something like KeePassXC entirely offline in a desktop app, and just copying and pasting your passwords. In general, using a password manager can dramatically help you improve the security of your online accounts and make it easier to manage your login information. Some password managers are more secure than others, but the
biggest risk to the average person is reusing passwords across websites. While there are
fringe vulnerabilities with password managers, if you choose a well-regarded one, and you
make sure you secure it with a really strong password and two-factor authentication, you’re
going to really help your digital privacy and security. It’s an essential step in your
privacy journey that you should start today. NBTV is funded by community support. If
you’d like to help us keep making free, educational content visit NBTV.media/support.
Also just liking, sharing, subscribing, and commenting on our content really helps.
Thanks so much for watching through to the end!