10 things to look out for when buying a password manager
Here's how to choose the right password vault for you and what exactly to consider when weighing your options.
Wave after wave of new technologies have threatened to bring about the end of the password over the years. But none so far have succeeded. That leaves most users with a problem. Passwords are a potential security risk, which is particularly bad news when you realize what they’re protecting – everything from your messaging and social media to your streaming and ride hailing accounts. Add to that the fact that many people don’t use two-factor authentication even on their most valuable online accounts.
As a result, if hackers get hold of these credentials, they could access a trove of personal data and stored payment cards. A sizeable black market has emerged trading logins to people’s accounts.
The good news is that password managers offer a best-practice way to overcome many of the inadequacies of passwords, and the insecure way many of us use them. But not all password managers are created equal. The key is finding a trustworthy vendor with the right combination of features.
Why strong passwords matter
Why are passwords a security risk? Because they can be compromised in multiple ways. They could be:
Stolen from companies you do business with, in large-scale data breaches
Phished individually from you by scammers masquerading as your social media company, bank, streaming provider, etc.
Guessed by automated software that runs through lists of commonly used credentials (so-called “brute force” or dictionary attacks). Recent research revealed that “password” remains the most popular log-in, followed by “123456.” Most of the top 10 can be cracked within a second.
Once stolen, passwords are traded on the dark web, where they’re often bought up in large troves together with usernames. One report from 2022 revealed 24 billion of these combinations circulating in cybercrime marketplaces – an increase of 65 percent on 2020. Often, hackers will feed these stolen logins into credential stuffing tools, to see if the same passwords have been reused across other websites and apps. If they have, they may be able to unlock these too.
All of this makes it more important than ever that we use unique, strong passwords across all our websites, apps and online accounts. A password manager is a great way to do this.
What to look for in a password manager
Password managers are applications designed to store all of your passwords in a secure place. The idea is that the software will only ask you for a single master password. That’s all you need to remember. Everything else will be handled automatically by the app – including the generation and auto-filling of long unique passwords for every site.
However, there are different options on the market. Here are a few features to look for to help narrow down your search:
Password vaults protected with strong encryption. That means even if the password management provider is hacked and the vault data is stolen, the threat actors still cannot read any of its customers’ credentials without the master password. AES 256-bit encryption is the industry standard. Check too that the vendor uses a “zero-knowledge” design, in which the vault is encrypted and decrypted on your own device and the provider never sees your master password, and that it turns the master password into the encryption key with a deliberately slow key-derivation function (such as PBKDF2 with a high iteration count, or Argon2). Without that, a stolen vault protected by a weak master password can be cracked offline at leisure.
A strong password generator designed to suggest long, complex and random strings of numbers, letters and symbols for each password. This means there’s virtually no chance a hacker could brute force your password. To get a taste of what we have in mind, try out ESET’s very own password generator.
Multi-platform and multi-browser support. Password managers are only useful if they remember and recall your passwords across your favorite websites and apps. If they don’t support these sites, then you may be back to square one – forced to use easy-to-remember credentials. Similarly, it will help usability a great deal if the password manager can import credentials from browsers and other password managers.
Autofill/auto-log-in. One of the most important features of a password manager is an ability to automatically fill in the strong, complex password assigned to each account, once you have unlocked the vault with the master password. If it fails to provide this, the user experience will be greatly degraded. Autofill that only offers a credential on the exact site it was saved for is also a phishing safeguard: a lookalike domain set up by scammers gets nothing.
Remote logout. Enhances security and privacy by enabling you to remotely log out of accounts, clear browsing history and cookies, and remotely close any open tabs.
Integration with two-factor authentication (2FA). While password managers are important, the gold standard for identity and access management is 2FA, whereby a second “factor” is required in addition to the password, such as a one-time passcode from an authenticator app or a biometric check on your device. A password manager that integrates with popular third-party 2FA apps like Google Authenticator will help to streamline the experience. Just as important, make sure you can protect access to the vault itself with a second factor, since the vault is now the most valuable account you own.
Recovery options for the master password. Having a master password is great. But what if you forget it? If there’s no recovery mechanism, all of your passwords will be locked away in a digital safe you can’t open. Look closely at how recovery works, though: a vendor that can simply reset your master password for you can, in principle, also read your vault. Recovery codes, “emergency kits” or trusted contacts that you control yourself are preferable to a server-side reset.
A trustworthy vendor. This isn’t so much a feature as something to bear in mind as you do your research. If the password management firm itself is breached, that could expose all of your passwords, so ensure it has a good track record on security. One popular provider recently suffered a major security incident which exposed customers’ encrypted passwords – leading to calls for users to switch.
Security reports can help you to continuously improve password security by flagging all your weak and reused passwords in one place.
Local or cloud storage? This one may actually be a bit of a toughie and may require you to consider your own circumstances. Local vault storage often gives you better control and security, but devices get stolen, lost or hacked, and hard drives fail. A centralized, cloud-based option may then be more convenient, but it has its own potential downsides, including that it requires you to trust your service provider. There is also a third option – a vault that uses a local database but is stored in your cloud account with a major cloud provider you trust. Ultimately, the safety of your passwords is conditional on strong encryption (point 1), a strong master password and your own cybersecurity posture.
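To make points 1 and 2 concrete, here is an added example (not code from the original article or from any product) that plays out what happens when an encrypted vault is stolen from a provider. It generates a password from a cryptographic random source, derives a vault key from a master password with PBKDF2, and then lets an “attacker” who holds the stolen vault header guess master passwords offline. The COMMON_PASSWORDS list is constructed for the demo, the vault header layout is a simplification that stands in for whatever a real product stores, and the function names are this example’s own.

```python
"""Added example: master password strength, key-derivation cost and a
stolen-vault scenario, using only the Python standard library."""
import hashlib
import hmac
import math
import secrets
import string
import time

# Constructed stand-in for a "most common passwords" wordlist.
COMMON_PASSWORDS = ["password", "123456", "123456789", "qwerty", "111111",
                    "12345678", "abc123", "password1", "iloveyou", "letmein"]

# Letters, digits and symbols: 94 characters in total.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constant message used for the key-check value in this simplified header.
KEY_CHECK_MESSAGE = b"vault-key-check"


def generate_password(length=20):
    """Random password from the OS CSPRNG (never use the `random` module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password, salt, iterations):
    """PBKDF2-HMAC-SHA256 turns the master password into a 256-bit key.
    The iteration count is the knob that makes each offline guess slow."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_vault_header(master_password, iterations):
    """Simplified stand-in for what sits next to the encrypted vault:
    the salt, the KDF parameters and a key-check value (KCV) that lets
    the client tell a wrong master password from a right one."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt, iterations)
    kcv = hmac.new(key, KEY_CHECK_MESSAGE, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "kcv": kcv}


def offline_guess(header, candidates):
    """An attacker holding a stolen header tries each candidate password.
    Returns (recovered password or None, number of KDF evaluations spent)."""
    tried = 0
    for guess in candidates:
        tried += 1
        key = derive_vault_key(guess, header["salt"], header["iterations"])
        check = hmac.new(key, KEY_CHECK_MESSAGE, "sha256").digest()
        if hmac.compare_digest(check, header["kcv"]):
            return guess, tried
    return None, tried


def seconds_per_guess(iterations):
    """Wall-clock cost of one KDF evaluation at this iteration count."""
    start = time.perf_counter()
    derive_vault_key("timing-probe", b"\x00" * 16, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # A top-10 master password protected by a weak KDF setting falls at once.
    weak = make_vault_header("123456", iterations=1000)
    print("weak vault :", offline_guess(weak, COMMON_PASSWORDS))

    # A generated master password is not in any wordlist, and a high
    # iteration count (OWASP suggests 600,000 for PBKDF2-SHA256) makes
    # every guess the attacker does make far more expensive.
    strong_master = generate_password(20)
    print("entropy    : %.0f bits" % password_entropy_bits(20, len(ALPHABET)))
    strong = make_vault_header(strong_master, iterations=600_000)
    print("strong vault:", offline_guess(strong, COMMON_PASSWORDS))
    print("cost/guess @1,000 iters   : %.4fs" % seconds_per_guess(1000))
    print("cost/guess @600,000 iters : %.4fs" % seconds_per_guess(600_000))
```

Run it once and compare the two timings: the same wordlist attack that recovers “123456” in a couple of KDF evaluations achieves nothing against a 20-character generated master password, and the higher iteration count multiplies the attacker’s cost per guess by several hundred. That is why both the vendor’s KDF settings and your own master password matter when a vault is stolen, regardless of how strong the AES layer is.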
It’s important to remember the limitations of password managers – or, in fact, of passwords as such. A password represents a single line of defense and it may not be enough to ward off criminals. As a result (and we can’t stress this enough) – combine your passwords with 2FA so that you stand a much, much better chance of keeping the hackers at bay.