Individuals frequently approach the NCSC to inquire whether it is advisable to use password managers (also known as password vaults). They ask questions about which password managers are recommended, who should utilize them—be it private individuals, small businesses, or large corporations—and the appropriate methods for using them. Furthermore, many wonder if it is secure to store all significant passwords within a password manager and cease trying to memorize them.
This is an extensive subject, so we will break it down. This blog outlines my perspective on password managers in general, and shares my personal usage experience. This information may be beneficial for individuals contemplating whether and how to employ a password manager for personal use. If you seek guidance related to business applications, this article may not provide all the insights you require (stay tuned for more information from the NCSC on this topic soon).
Is it wise to use a password manager?
Absolutely. Password managers offer significant advantages.
They greatly simplify managing the numerous passwords we need today. For instance:
- They allow you to create long, complex, unique passwords for various services without the mental strain of remembering them.
- They help you spot fraudulent websites: a password manager only offers to fill a password on the site it was saved for, so it will not fill your credentials into a lookalike phishing page.
- They can generate new passwords on demand and automatically fill them into the appropriate fields.
- They synchronize your passwords across all your devices, ensuring access whether you are using a laptop, smartphone, or tablet.
All these benefits help to alleviate security friction, making security simpler and more convenient. If security measures are cumbersome, appear to provide no value, or obstruct our primary tasks, people tend to find (insecure) shortcuts, resulting in diminished protection.
What are the potential downsides?
You may be wondering, “If password managers are indeed this beneficial, why the hesitation about recommending them until now?”
They do come with some disadvantages:
- Password managers themselves can be appealing targets for attackers. They have been breached before and will likely face threats again, potentially putting all your passwords at risk in one incident.
- If you forget the master password that grants access to your password manager, regaining entry could be impossible. You would need to individually access your accounts or reset them, which can be quite painful.
- Password managers may not be compatible with all services. Certain providers, including some banks, do not permit password managers. Disclosing that your banking passwords are stored in one (or even written down) may jeopardize your chances of recovering funds if you fall victim to cybercrime. If your bank adheres to this policy, consider how you will secure sensitive passwords without jotting them down. Luckily, it’s easier to manage these critical passwords once you move the majority into a password manager.
Are browser-based password managers a good option?
Many modern web browsers come equipped with built-in password managers, which can serve as a very convenient choice. They integrate seamlessly with your browsing experience—recognizing when you’re on a site that requires a password and automatically prompting you. There is no need to remember a separate master password. Use the built-in password manager provided you:
- Keep your web browser up to date.
- Implement some form of access control on your device, such as a PIN/password/biometric authentication—these are practices you should adopt regardless!
A potential downside of browser-based password managers is the absence of password syncing across devices that run different operating systems. Thus, if you use a Windows laptop, an iPad, and an Android smartphone, your passwords may not seamlessly transition across devices unless you use the same browser and are logged in everywhere. Additionally, if multiple users access a single device with the same profile, they will all have access to shared password-protected information—which might not be desirable.
Is a standalone password manager better?
Standalone password managers generally provide superior functionality compared to browser-based options, allowing for easy access to your passwords across all devices, regardless of the platform. They offer additional control over how and when you use your passwords, enabling you to decide when to retrieve them rather than relying on a browser to prompt you.
However, with a standalone password manager, you will need to create and remember a strong master passphrase, which is not the case with browser-based managers. Standalone managers may also incorporate advanced features such as:
- Notifications about compromised websites
- Alerts for reused or weak passwords
- Suggestions to update old passwords*
- Facilitation of changing passwords for specific sites with browser integration
- Support for multi-factor authentication
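As an added illustration (not code from the NCSC post or from any particular password manager), here is how the reused, weak and old-password alerts listed above can be computed over a vault; the vault contents, thresholds and audit date are constructed for the example.

```python
import hashlib
from collections import Counter
from datetime import date

# Constructed sample vault for illustration only; these are not real credentials.
VAULT = [
    {"site": "forum.example",  "password": "hunter22", "changed": date(2019, 3, 1)},
    {"site": "shop.example",   "password": "hunter22", "changed": date(2022, 6, 10)},
    {"site": "mail.example",   "password": "W7g!pq2#ZrL9mX4v", "changed": date(2023, 11, 5)},
    {"site": "photos.example", "password": "correct horse battery staple", "changed": date(2018, 1, 20)},
]

def audit_vault(vault, today, min_length=12, max_age_days=2 * 365):
    """Flag sites whose stored password is reused, short, or unchanged for a long time."""
    # Compare digests rather than plaintext so the report itself never carries a password.
    digest = {e["site"]: hashlib.sha256(e["password"].encode()).hexdigest() for e in vault}
    seen = Counter(digest.values())
    findings = {"reused": [], "weak": [], "old": []}
    for entry in vault:
        site = entry["site"]
        if seen[digest[site]] > 1:
            findings["reused"].append(site)
        if len(entry["password"]) < min_length:
            findings["weak"].append(site)
        # Age is a prompt to review, not a demand to rotate: the footnote on this page
        # explains why routine changes are not recommended unless compromise is suspected.
        if (today - entry["changed"]).days > max_age_days:
            findings["old"].append(site)
    return findings

def sample_report():
    """Run the audit against the constructed vault on a fixed date so results are repeatable."""
    return audit_vault(VAULT, date(2024, 1, 1))

if __name__ == "__main__":
    for category, sites in sample_report().items():
        print(f"{category}: {', '.join(sites) or 'none'}")
```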
How do I effectively implement this?
As with many topics, there are various approaches to this. Here’s what I do:
- First, minimize the number of passwords you manage, and reduce reliance on them for identity verification. Use multi-factor authentication or single sign-on whenever available. For infrequent logins, consider using password reset processes instead of trying to remember or store passwords. Ensure the email linked to password resets is secure.
- Utilize biometrics. Fingerprint scanning technology on smartphones adequately protects your devices and data and is user-friendly. Enable device encryption (if it isn’t already active) for extra security.
- Decide between a browser-based and a standalone password manager. Personally, I use both for different purposes.
- If you opt for a standalone manager, create a strong master passphrase. A passphrase is generally more effective than a simple password as it can be longer and more complex, thus offering better protection. Ensure it is not easily guessable and remains distinct from any previous passwords you’ve used.
- Memorize your passphrase. Yes, you truly need to! Writing it down temporarily can help you commit it to memory, but keep that written note secured and dispose of it once you have memorized your passphrase.
- Avoid storing work-related passwords in your personal password manager unless you have your employer’s permission.
Lastly, consider the significance of each password for your various accounts. Ask whether the compromise of a password could:
- Significantly disrupt your life?
- Lead your bank to deny refunds for losses incurred?
If the answer is ‘yes’ to either, I would not recommend putting it in a password manager. In such instances, consider additional security measures like multi-factor authentication.
For less critical accounts, the loss of a password may be considerably inconvenient but won’t result in lasting harm. Passwords for these accounts can typically be safely stored in a password manager.
Some accounts are of little value. For example, online forums requiring a password but lacking any personal data of importance to you can safely use a password manager.
Envisioning a future without passwords
In the long run, the proliferation of password managers indicates that password-based authentication may soon be outdated. While passwords have been a staple in digital security—representing ‘something you know’—the best practice now seems to be not retaining that knowledge (as password managers manage them for you). Passwords have served their purposes, but it’s time to move on.
The NCSC aims to assist everyone in decreasing their dependency on passwords and migrating toward more secure and user-friendly authentication systems. In the interim, we are developing guidelines on the optimal use of password managers in organizational contexts—stay tuned for these updates.
Password managers are beneficial, but we aspire for a time when they may not be necessary.
* We typically caution against frequently changing passwords unless there are reasons to suspect a compromise, as this can make memorization more challenging. However, distinguishing new passwords from previous ones poses no difficulty for a password manager.
Emma W
People-Centred Security Lead, Sociotechnical Security Group, NCSC
This article was taken from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers