Question of the Day: Password Managers

Question of the day: “If Password Managers are so great, what happens when a hacker cracks/steals/guesses the password for your password manager?”

Short Answer: Not an issue if you enable and use a secure 2FA/MFA on the Password Manager (definitely NOT using SMS for 2FA/MFA)… Hackers can steal/guess/crack your password and get nowhere unless they also steal your token (soft or hard) or find a way to bypass 2FA/MFA!

OK, maybe I need to explain this in more depth?

What is a Password Manager? It is a secured (encrypted) database for storing all your passwords, so that you don’t need to remember them all, only the (hopefully) strong password/passphrase to unlock the Password Manager that you should NEVER use anywhere else or tell anyone. But, I hear you cry:

“Why would I want lots of passwords, why can’t I just use the same password on all sites/systems?”

Now, where do I start?

Using the same password on multiple sites, etc. is, unfortunately, a recipe for disaster. This is because billions (yes, you read that right) of user credentials (user IDs and passwords) have been stolen, so if yours are among them, the “bad guys and girls” already have your password. Guess what? They will try the password they have for one of your web accounts on all the other sites that you use (this is known as credential stuffing).

This means that they can now login as you and take over your accounts!

Now, that may be a slight annoyance on some sites, but let us say that they have gained access to your webmail (GMail, Live, Yahoo, etc.) account. If they have gained access to this, they can get any site that you’ve used (even with a different password) to send a password reset link to that mailbox…can you see where this is going?

That is why a Password Manager is a “good thing” and why you should be using one and using it to generate and store unique passwords for every site you use.

Even better, you can secure the Password Manager with two- or multi-factor authentication (password plus a constantly changing code that only you have access to, generated by a unique software or hardware token), but that’s another story…
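As an added illustration (not code from the original post or from any real password manager), here is a minimal Python sketch of why the second factor matters: a toy vault that refuses to open unless both the stretched master passphrase and a current time-based code from a TOTP token (RFC 6238, the scheme authenticator apps use) check out. The passphrase, token secret and round count are constructed demo values.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000  # constructed demo value; real managers tune this per device


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the master passphrase into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits)


class Vault:
    """Toy vault: keeps a verifier for the stretched master key plus the token secret."""

    def __init__(self, master: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        # Real managers use the derived key to decrypt the vault; here it is only verified.
        self.verifier = hashlib.sha256(derive_key(master, self.salt)).digest()
        self.totp_secret = totp_secret

    def unlock(self, master: str, code: str, now: int) -> bool:
        """Open only if the passphrase AND a current token code are both correct."""
        candidate = hashlib.sha256(derive_key(master, self.salt)).digest()
        pw_ok = hmac.compare_digest(candidate, self.verifier)
        # Accept the current 30 s step and one either side to absorb clock skew.
        code_ok = any(
            hmac.compare_digest(totp(self.totp_secret, now + skew), code)
            for skew in (-30, 0, 30)
        )
        return pw_ok and code_ok
```

In practice `now` would be `int(time.time())`; a stolen or guessed passphrase alone fails the second check, which is the whole point of the short answer above.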

Some good password managers include:

Many anti-malware/end-point security solutions now include a password manager (also called a password safe) in the bundle, so there really is no excuse not to use one.