What does the NCSC think of password managers?

Many people ask the NCSC whether it is a good idea to use password managers (also called password vaults). They want to know whether password managers are suitable for everyone: private citizens, small businesses and large enterprises. Questions also come up about the safest way to use these tools. Is it secure to keep all your important passwords in a password manager, so that you no longer have to remember them?

This is a big topic, so I will break it down. This article gives my views on password managers in general and describes how I use them myself. It should be most useful to people thinking about using a password manager for personal purposes. If your interest is in business use, this blog may not cover everything you need (further guidance from the NCSC is on its way).


Is it advisable to use a password manager?

Absolutely. Password managers offer significant benefits.

In a world that demands that we manage a great many passwords, they offer several advantages. For instance:

  • They facilitate the use of long, complex, unique passwords for various sites and services without the cognitive load.
  • They are better than humans at spotting fake websites: a manager will only offer a saved password on the site it was saved for, so it will not fill it in on a look-alike phishing page. This helps to mitigate phishing attempts.
  • They can generate new passwords as needed and automatically fill them in at the correct locations.
  • They synchronize your passwords across all your devices, ensuring you have access whether you are on a computer, smartphone, or tablet.

These benefits significantly lower security friction, making security more accessible and convenient. If security measures are perceived as complex or burdensome, individuals may seek insecure alternatives, ultimately compromising their protection.


What are the downsides?

You may be pondering, “If password managers are so beneficial, why haven’t they been endorsed sooner?”

However, they do come with certain limitations:

  • Password managers are an attractive target for attackers. They have been breached before, and it will happen again. In the worst case, all of your passwords could be exposed in a single incident, which is one reason the master passphrase protecting a standalone manager's vault needs to be strong.
  • If you forget your master password, you will not be able to get back in. You would then have to reset every account individually, which is laborious.
  • They are not a universal solution. Some service providers (certain banks, for example) do not support password managers, and if you tell them you stored your banking credentials in one, they may refuse to reimburse losses after a cyber incident. If your bank takes this position, you will need a way to manage those key passwords without recording them. That becomes easier once the bulk of your passwords is in the password manager.


Are browser-based password managers a good choice?

Most popular web browsers now have a built-in password manager, and these can be very effective. Because they are part of the browser they are extremely convenient: the browser knows when a password is needed and offers to fill it in, and there is no separate master password to remember. Feel free to use a built-in password manager, provided that:

  1. You regularly update your web browser.
  2. Your device is secured with access control such as a PIN, password, or biometric protection.

One thing to be aware of with browser-based password managers is that they do not necessarily sync passwords across devices running different operating systems. If you use a Windows laptop, an iPad and an Android phone, your passwords will not follow you unless you use the same browser on all of them and sign into it. And if several people share a device under one user profile, they all have access to the same saved passwords, which you may not want.


What about standalone password managers?

Standalone password managers are generally better than browser-based ones at making your passwords available on all your devices, whatever operating system they run. They also give you more control over how and when a password is entered, because you choose the password to use yourself.

The important difference is that with a standalone password manager you must remember a strong master passphrase, which a browser-based one does not require. Standalone managers may also offer more sophisticated features, such as:

  • Alerts regarding compromised websites
  • Identification of reused or weak passwords
  • Notifications to update old passwords*
  • Assistance with changing passwords via browser integration
  • Options for multi-factor authentication
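
To make the "reused or weak passwords" and "old passwords" checks concrete, here is an added example (my own illustration, not code from the NCSC or from any password manager product) of the kind of audit such a health report runs over a vault. The vault entries, the small blocklist of common passwords, the 12-character minimum, the three-year age limit and the fixed audit date are all constructed for the example; real products check against far larger breached-password lists and use more elaborate strength scoring.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample vault for this example. The sites, usernames and
# passwords are made up and do not come from any real export.
SAMPLE_VAULT = [
    {"site": "forum.example.org",  "username": "emma", "password": "Tr0ub4dor&3",                  "changed": date(2019, 1, 15)},
    {"site": "shop.example.com",   "username": "emma", "password": "Tr0ub4dor&3",                  "changed": date(2020, 6, 1)},
    {"site": "mail.example.net",   "username": "emma", "password": "correct horse battery staple", "changed": date(2021, 3, 9)},
    {"site": "news.example.com",   "username": "emma", "password": "password1",                    "changed": date(2021, 3, 9)},
    {"site": "photos.example.com", "username": "emma", "password": "8$kQz!vL2#pWm9aR",             "changed": date(2021, 3, 9)},
]

# Tiny constructed blocklist standing in for the large breached-password
# lists that real managers consult (assumption: real lists are far bigger).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}

MIN_LENGTH = 12              # assumed policy for this example
MAX_AGE_DAYS = 3 * 365       # assumed "old password" threshold
AUDIT_DATE = date(2023, 1, 1)  # fixed so the example is reproducible

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def find_reused(vault):
    """Map each password that appears more than once to the sites sharing it."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def is_weak(password):
    """Weak if blocklisted, shorter than MIN_LENGTH, or built from a single
    character class. Deliberately simple; real managers score more finely."""
    if password.lower() in COMMON_PASSWORDS:
        return True
    if len(password) < MIN_LENGTH:
        return True
    classes = sum(bool(re.search(pattern, password)) for pattern in CHARACTER_CLASSES)
    return classes < 2


def find_stale(vault, today, max_age_days=MAX_AGE_DAYS):
    """Sites whose password was last changed more than max_age_days ago."""
    return [e["site"] for e in vault if (today - e["changed"]).days > max_age_days]


def audit(vault, today):
    """Return the findings a manager's health check would surface."""
    return {
        "reused": find_reused(vault),
        "weak": [e["site"] for e in vault if is_weak(e["password"])],
        "stale": find_stale(vault, today),
    }


if __name__ == "__main__":
    for category, hits in audit(SAMPLE_VAULT, AUDIT_DATE).items():
        print(f"{category}: {hits}")
```

On the sample vault the report flags the password shared by the forum and the shop as reused, the same two entries plus the blocklisted "password1" as weak, and only the 2019 forum password as stale. A real manager would compare against breach data and would not store the plaintext blocklist alongside the vault, but the shape of the checks is the same.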


How can I effectively utilize a password manager?

There are various ways to go about this. Here is how I do it:

  1. First, try to reduce the number of passwords you have to deal with, and your reliance on them to prove who you are. Use multi-factor authentication or single sign-on wherever they are offered. For accounts you rarely use, rely on the password-reset mechanism rather than trying to remember or store the password. Make sure the email account that receives those reset links is itself well protected.
  2. Consider using biometrics. Fingerprint readers on smartphones are generally good at securing your device and its data, so feel free to enable them. Turn on device encryption as well.
  3. Decide between a browser-based or standalone password manager. Personally, I utilize both for various purposes.
  4. If you choose a standalone password manager, create a strong master passphrase. A passphrase is better than a password because its greater length makes it much harder to guess. Pick one that someone who knows you could not guess, and do not reuse any password or passphrase you have used elsewhere.
  5. Memorise your passphrase. Yes, this takes commitment! If you need to, write it on paper until it is fixed in your memory; keep that paper somewhere safe and destroy it once you no longer need it.
  6. Avoid storing work-related passwords in your personal password manager without your employer’s consent.
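
As an added example of why a passphrase beats a password on length alone (my own illustration, not code from the NCSC or from the original post), the following picks passphrase words at random with a cryptographically secure generator and works out how much entropy different choices give. The 32-word list is constructed so the example runs offline; a real Diceware-style list has 7776 words, and 7776 and 95 (printable ASCII) are the standard alphabet sizes assumed for the comparison.

```python
import math
import secrets

# Constructed 32-word list for this example only. A real word list must be
# much larger (7776 words for standard Diceware) to give useful entropy.
SAMPLE_WORDLIST = [
    "apple", "river", "stone", "cloud", "tiger", "maple", "ocean", "candle",
    "violet", "summit", "anchor", "breeze", "copper", "desert", "ember", "falcon",
    "garden", "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "rocket", "saddle", "timber", "umbrella", "walnut",
]
DICEWARE_WORDS = 7776    # size of the standard Diceware list (assumed for comparison)
PRINTABLE_ASCII = 95     # alphabet size of a random printable-ASCII password


def entropy_bits(alphabet_size, length):
    """Entropy of `length` independent, uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def words_for_target(alphabet_size, target_bits):
    """Smallest number of words (or characters) that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_passphrase(wordlist, n_words, sep=" "):
    """Pick n_words with the OS CSPRNG (secrets), allowing repeats so that
    each pick stays independent and the entropy formula above applies."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDLIST, 6))
    print(f"6 words from the {len(SAMPLE_WORDLIST)}-word sample list: "
          f"{entropy_bits(len(SAMPLE_WORDLIST), 6):.1f} bits")
    print(f"6 words from a {DICEWARE_WORDS}-word list: {entropy_bits(DICEWARE_WORDS, 6):.1f} bits")
    print(f"10 random printable ASCII characters: {entropy_bits(PRINTABLE_ASCII, 10):.1f} bits")
    print(f"words needed for 80 bits from a {DICEWARE_WORDS}-word list: "
          f"{words_for_target(DICEWARE_WORDS, 80)}")
```

Six words drawn from a 7776-word list give about 77.5 bits, comfortably more than ten random printable characters (about 65.7 bits), and are far easier to memorise. The same six words from the tiny 32-word sample list give only 30 bits, which is the point of the example: a passphrase is strong only when the words come from a large list and are chosen at random, not picked by you.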

You should also weigh up how important each account's password is. Ask whether losing access to that account would mean:

  • Your life facing major disruptions?
  • Your bank denying refund claims?

If the answer to either question is 'yes', I urge you not to store that password in a password manager. For accounts like these, the password should not be the only thing protecting the account, so add further safeguards such as multi-factor authentication as well.

For less important accounts, losing a password could be very inconvenient, but the effect is unlikely to be lasting. Passwords for these accounts are generally safe to keep in your password manager.

Some accounts carry minimal risk: an online forum that requires a password but holds no sensitive personal information, for example. Passwords like these can go into the password manager without hesitation.


What does the future hold for passwords?

In the long run, the usefulness of password managers shows that password-based authentication is reaching the end of its useful life. Passwords are supposed to be 'something you know', yet the best advice we can give is not to remember them at all and let the password manager do it. Passwords have served us well, but we need to move beyond them.

The NCSC is working to reduce our dependence on passwords and to move towards more secure and user-friendly methods of authentication. In the meantime, we are writing guidance on how organisations can best use password managers; watch this space.

Password managers are beneficial now—but ideally, we hope they won’t be necessary forever.

* We generally advise against changing passwords regularly unless you suspect or know they have been compromised, because the harm can outweigh the benefit, especially when people have to memorise the new ones. With a password manager, though, a completely different new password is no burden, because the manager remembers it for you.

Emma W
People-Centred Security Lead, Sociotechnical Security Group, NCSC

Article has been taken from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers
