Using a good password manager, that is, one of the software tools designed to generate, store and manage passwords securely and conveniently, is a way of protecting your IT security. Using one not only raises the bar for the security of your accounts, but also makes it easier to access the ever more numerous online services we use every day. In fact, to access all your passwords you only need to remember the so-called master password, that is, a key that opens everything in your “virtual safe”. But how do these tools actually work, and how secure are they? Let's take a closer look at both the advantages they offer and the challenges they present.
What is a password manager
A password manager is, essentially, an application designed to securely store all your account login credentials – usernames and passwords – for different sites and services. Its main purpose is to make it easy to create strong, unique passwords for each account, which reduces the risk of cyber attacks far more than practices such as changing credentials frequently. Many cyber attacks exploit password reuse across platforms: if one of your credentials is stolen, an attacker could use the same username and password combination to access other services. There are at least three different types of password managers.
- Local password managers: an application installed on the device stores and manages the credentials on that device, and also works offline. The passwords are kept in an encrypted file or, even more securely, each password is stored in its own file, which is in turn encrypted. While this is an extremely secure solution, it can be difficult to use a local password manager on multiple devices, not to mention the risk of losing access to the password manager if the device it is installed on is stolen or damaged.
- Cloud-based password managers: the most widespread and widely used type, since it offers the enormous advantage of letting you access your credentials from any device connected to the Internet; the credentials are stored in the cloud, usually on the servers of the provider of the password management service. Access is usually through an application or client installed locally and/or a browser extension. The best online password managers use zero-knowledge technology, meaning they encrypt the data on the device before sending it to the server.
- Browser password managers: all major web browsers now include a password management function. These are particularly convenient to use, since they integrate seamlessly with the sites and web services you log in to, filling in the login fields automatically and offering to save or change passwords when needed. Compared to the solutions in the previous points, however, they are potentially less secure.
- Hardware-based password managers: usually used in corporate environments, this solution relies on a hardware component (for example a token) that must be connected to the computer to complete the unlocking of the vault or to verify the identity of the account owner.
How a password manager works
As for how they work, this differs depending on the type of password manager you decide to use. Since online ones are among the most popular and the simplest to use, we will take them as our example.
The first thing we suggest is to decide which devices you intend to use it on. For example, if you want to install the password manager on your smartphone, make sure that nobody else has access to the device or knows the unlock code and, if a secure biometric unlock method is available (such as a fingerprint or 3D facial recognition), opt for a password manager that supports it. The same goes for devices shared at home, such as tablets or smart TVs, or computers used at work. Careful planning helps you organize your vault better and keep it safe.
Once you have identified the devices, you need to decide which password manager to use. There are free and paid options on the market: the latter offer extra functions which, while not essential, can be convenient. When weighing everything up, also check compatibility with the operating system and browser of your devices and, if you already have an existing vault, make sure it can be imported without problems.
Once you have chosen the service to rely on and installed its application and/or official extension, you will have to create the master password. This should be easy for you to remember but hard for anyone else to guess (if you were planning to use “123456”, forget it!). A good strategy is a passphrase made up of four or five random words. While some providers offer master password recovery options, it is helpful to share it with a trusted person so that the vault can be accessed should the need arise.
To increase security, it is advisable to enable two-factor authentication (2FA). This adds an extra layer of protection by requiring a second verification factor, such as a smartphone or a biometric check like a fingerprint or facial recognition. In some cases the biometric login can even replace the master password, making it easier to log in on mobile devices.
Since many password managers can also store other sensitive information, such as credit card details, it may be worth using this feature too, especially if the password manager also supports auto-filling this data, which saves precious time when shopping online. And, last but not least, if you usually use passwords that are relatively easy to guess, replace them with more complex ones using the password generator built into the password manager.
How secure is a password manager
Using a good password manager undoubtedly makes the storage of the login data for your online accounts safer. Of course, this holds only if you use a password manager that meets high standards.
In particular, a good password manager should base its operation on 256-bit AES encryption, an advanced encryption standard used to protect data so that only authorized users can access it. Adopted by the NSA (National Security Agency) and by many companies as early as 2005, it quickly became a standard for technologies such as VPNs, firewalls and, indeed, password managers.
AES-256 encryption uses a 256-bit key, which is a random string of zeros and ones. This gives 2^256 possible keys, making it extremely difficult to guess the key by brute-force attack.
256-bit AES is a symmetric encryption algorithm, also known as private-key encryption, in which the same key is needed both to encrypt and to decrypt data. This implies that both parties involved must know the key. Not all password managers use 256-bit AES encryption: some use 128-bit AES, a less secure option, though still resistant to brute-force attacks.