Password managers – do the benefits outweigh the risks?

One of the ironies of our modern, digital lifestyle is that we are continually being urged to use a strong and unique password for every account we have, while also continually being offered the option to have this password saved for us so that we do not actually have to go through the hassle of remembering it (and then entering it without typos). However, browsers store passwords in an insecure way that is not recommended.

The alternative is password managers, but to say that they divide opinion is putting it mildly. Some people see them as a pragmatic approach to dealing with fallible human memories. Others see them as an open invitation to hackers.

IT admins can force people to create passwords that adhere to certain criteria (e.g. in terms of length hand the use of special characters) and they can also generally stop people continually recycling passwords they’ve used before, but realistically that is all they can do. They cannot stand over people’s shoulders and force them to enter genuinely unique and strong passwords.

What’s more, the harder they try to enforce robust security policies by the use of automated criteria (such as minimum standards for passwords) the more they run the risk of people either finding increasingly creative ways to evade the rules or just resorting to unofficial password-management systems (such as the horrifying Word document with a list of every password somebody uses), which are inevitably going to have varying degrees of security.

As a result, some IT security experts believe that password managers are the only practical way to square this circle. In effect, password managers allow people to put all their eggs in one basket and then put all their focus into ensuring that the basket is both really strong and really well protected.

Password managers can suggest obscure passwords and store them in a highly secure fashion, ready to fill in the blanks when it comes to logging into your favourite websites. Because you don’t have to remember every password you use, you have the ability to choose really, really secure passwords that would otherwise be impossible to memorise.

In the 21st century, data may be the world’s most valuable commodity so protecting it needs to be something everyone takes seriously. Some IT security experts believe that password managers simply encourage bad habits.

Instead of using password managers, some people argue, it would be better to educate users as to good security practices and to force website owners to operate to the highest standards of security (hence GDPR standards).

In this way, hackers will be forced to attack a variety of websites in the hope of collecting data without being detected, rather than password managers, which give hackers clear and specific targets at which to aim.

However, overall, the obsessive degree of security that password managers adopt is widely accepted to be as good as it can be, and it is improving all the time. On balance, the threats from hackers pale into insignificance when compared to how easy it is to extract password information from Google Chrome, for instance, or the risks of needing passwords to be so memorable that users opt for 1234 or PASSW0RD.