[ELI5] Why are online “password lockers” considered secure?


It seems to me (hence this question), that storing all your passwords online and accessing them with a single “unlock” password would be extremely dangerous. If the locker service is itself hacked, then the hackers will have ALL your passwords for the price of getting one password.


15 Answers

Anonymous 0 Comments

It is a tradeoff.

It is true that having them online in a centralised server isn’t optimal (as those services now have a target on their back), but those services (some of them, at least) use industry standards to protect the password database, and don’t have access to the main password you use for your own database, which is preferable to, say, a text file on your computer, a post-it on it, or using the same password everywhere.

There are other choices as well to increase your security (some of these aren’t mutually exclusive with using an online password manager):

1. Use second-factor authentication, which is available on some services. This means that, together with your password, you’ll have to provide a one-time code (usually, they change every 30 seconds) to log in (usually, only the first time you log in from a certain device). This makes getting into your account much harder. Make sure you know how to back up and/or synchronize your second factor as well! I can suggest using Authy or a similar service. You will usually be given some recovery codes when activating it (usually you can activate it from your account privacy or security settings); store these in a safe place as they’ll be the only way to get back your account should you lose access to the security codes.
2. Use an offline password database, for example, KeePassX. This means you are now responsible for syncing this database file between devices; you could store it in your service of choice (if you use any) to sync files, like Dropbox, Google Drive, iCloud, etc. This means it’s far more unlikely that a **random** attacker would get hold of your database, as they tend to target places where they can find more passwords at once. This doesn’t help you if the attacker is interested specifically in **your** passwords though (don’t think of espionage movies, think of an angry and vindictive ex).

In my personal (and anecdotal) experience, I found 1password to be a very good service, should you choose to go for an online password manager.

For that one password, pick a strong one that is easy to remember; this should help you choose one: [https://www.xkcd.com/936/](https://www.xkcd.com/936/) (a strong password isn’t necessarily something hard to remember).

Make sure you pick different passwords for different services!

Happy security, I hope this helps and informs you 🙂

Anonymous 0 Comments

I’m not a security specialist and I’m not advertising, but I use the 1password service, and there are a bunch of extra security measures in place along with just the single super duper master password for the account. Things like 2FA, fingerprints, and a hard copy of specific information that is needed to access my account from new device logins or whatever.

Every lock CAN be picked if you have the time/tools/knowledge to do it. The same is true with cyber security. This just makes the lock much more of a pain in the ass to help discourage dicks from running off with my stuff.

Anonymous 0 Comments

Fair question.

The typical worry about a password manager is that you have **all your eggs in one basket**. There are a few ways to look at this, so I’ll do my best to look at it from different angles:

**First off and by far the most important: Password managers protect you from the most significant digital security risks, which are Major Breaches, Password Stuffing, and Brute-Force-Style Attacks**.

Major breaches happen. When they do, the data leaked is hopefully encrypted, but in too many cases it turns out the company didn’t have *any* security at all and they leak plaintext passwords.

When leaked data is encrypted, depending on the method of encryption, a hacker can employ a form of brute force to solve for some or even *all* of the password combinations in the breach. Many breaches are happening specifically because companies are too lax with their security. More on that in a minute.

Once hackers have plaintext passwords and their corresponding usernames (often email addresses), they can start **Password Stuffing**. This is the practice of just trying the password everywhere. Have you ever found a key that’s not labelled in your home/office, and in order to learn what it’s for you just tried it in every lock around the house? Yep, that’s password stuffing.

If they get <email address> and password123 from the password breach at Armor Games, they can stuff that combination into 1000 different bank and investment sites, social media, email services etc. They can do this in seconds. If they do this with a list of 2000 passwords, they’ll get into at least 20 services somewhere, simply because *people reuse their passwords*. God forbid they get into an email account. Email accounts are how a vast majority of other accounts let you confirm your identity and reset passwords. Get into email, mine the email for “bank”, learn which banks they use, then go reset their passwords.

This makes breaches very scary for people who reuse passwords, because a single breach can cascade into many points of failure.

Password managers protect you from this by helping you set up a different password for every service you have and will ever use. Someone could hack my reddit account and no amount of password stuffing would get them anywhere. All I need to do is change my reddit password again to re-secure myself. I never have to worry that my other accounts have the same or similar passwords.

Brute force attacks are another method of getting into accounts, but are more focused on specific accounts. Password managers let you build *strong* passwords that are nearly impossible to brute force.

Imagine a company leaks 10M email+password combinations, and one of them is mine. A brute force attack will reveal all the weak passwords. My strong password is safe though. If they used poor security, then they might be able to crack the encryption itself and essentially reveal ALL the passwords. In this case, my password isn’t safe but it’s not really my fault. A password manager couldn’t have prevented that. However, if I learn about this quickly, I can just go change that password and I’m secure *everywhere* again.

If that company were my bank, I’d hope they don’t use outdated encryption, but that’s all I can hope. At the very least, my password is among the hardest to crack there.

**Companies get breached, it’s the way of the world. But a password manager is less likely to have a breach, and when they do it’s more likely to be sufficiently encrypted data.**

A password manager’s business is security. It’s their specialty, and their number 1 priority. A security failure means a loss of business, because security is the only real product they offer. If a gas station suddenly lost their gas supply, they’re not staying afloat.

**It’s not that hard to make up a memorable, secure password.**

[Here is a great video by Computerphile](https://www.youtube.com/watch?v=3NjQ9b3pgIg) describing how to choose a password and a bit about how password managers work. Additionally, [here is the famously relevant XKCD comic](https://xkcd.com/936/).

*correcthorsebatterystaple* itself is not secure anymore since it’s popular, but XKCD’s method of building a password is going to be your BEST bet for making a highly secure password. Computerphile adds in an extra tidbit (I think in that video, but maybe in a previous one), that simply adding (not substituting) a special character *inside* one of the words makes it effectively uncrackable.

E.g. correcthorsebatt&erystaple *I would memorize this as correct horse batt-and-ery staple.*

If you’ve got a password that’s 20+ characters, 4+ distinct words not including words like and, the, is, etc., and you haven’t used it anywhere else ever, then it’s safe. A computer cannot brute-force it. It cannot employ a concatenating dictionary attack (combining random English words in brute force style), and it’ll *never* have a rule that adds in random special characters where they wouldn’t make sense to swap in.

While a password of 26 truly random characters would be better than a few words, you also just won’t remember it.

Your only real risk at this point is someone finding out your exact password somehow, which brings us to the next point.

**The real risk of a password manager is a targeted attack.**

If someone gets your master password, you could be in some trouble. There are ways to protect yourself here too though.
If you’re ever suspicious, change your master password. Doing this too often gets confusing, but don’t avoid it just because it’s tough.
Password managers can be used alongside a 2FA authenticator as well. That way the only way to get in on a new device is to authenticate. Which means they need to steal your phone too, or steal your key.

The real risk is someone spying over your shoulder or installing a keylogger on your device.
To be fair though, that’s a risk with any type of password/PIN login. Any time you punch in a password, you’re at risk. In fact, I’d argue that a password manager still helps here because you only need to protect yourself while typing one password. The rest you autofill without ever looking at.
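The XKCD-style passphrase and the inserted-symbol tweak described in this answer, as an added Python example that is not part of the answer and is not code from Computerphile or XKCD. The wordlist is a constructed 32-word stand-in (a real generator draws from a list of thousands of words, such as the EFF long list of 7776), and the entropy estimate is my own simple model of an attacker who already knows both the wordlist and the scheme, which is the conservative assumption a defender should make.

```python
import math
import secrets
import string
from typing import List, Tuple

# Constructed miniature wordlist for the demo. With 32 words each word is worth
# only 5 bits; a 7776-word list gives about 12.9 bits per word.
WORDLIST: List[str] = [
    "correct", "horse", "battery", "staple", "river", "candle", "orbit", "maple",
    "copper", "wander", "lantern", "fossil", "meadow", "timber", "velvet", "quartz",
    "harbor", "pepper", "summit", "tunnel", "window", "yonder", "zephyr", "anchor",
    "basket", "cobalt", "desert", "ember", "falcon", "garnet", "hollow", "island",
]
SYMBOLS = string.punctuation  # the 32 printable ASCII symbols


def entropy_bits(n_words: int, list_size: int, phrase_len: int,
                 symbol_inserted: bool) -> float:
    """Lower bound on the guess space for an attacker who knows the wordlist and
    the scheme. Each word contributes log2(list_size); an inserted symbol adds
    the choice of symbol and of interior slot (phrase_len - 1 positions)."""
    bits = n_words * math.log2(list_size)
    if symbol_inserted:
        bits += math.log2(len(SYMBOLS)) + math.log2(phrase_len - 1)
    return bits


def generate_passphrase(wordlist: List[str], n_words: int = 4,
                        insert_symbol: bool = True) -> Tuple[str, List[str], float]:
    """Pick n_words uniformly with the `secrets` CSPRNG (never `random`),
    concatenate them XKCD-style, and optionally insert (not substitute) one
    symbol somewhere inside the phrase. Returns (phrase, words, estimated bits)."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    phrase = "".join(words)
    bits = entropy_bits(n_words, len(wordlist), len(phrase), insert_symbol)
    if insert_symbol:
        pos = 1 + secrets.randbelow(len(phrase) - 1)  # strictly inside the phrase
        phrase = phrase[:pos] + secrets.choice(SYMBOLS) + phrase[pos:]
    return phrase, words, bits


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: on average half the space is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    phrase, words, bits = generate_passphrase(WORDLIST, 4)
    print(phrase, "from", words, f"~{bits:.1f} bits (demo list)")
    real = entropy_bits(4, 7776, 25, symbol_inserted=True)
    print(f"4 words from a 7776-word list plus one inserted symbol: ~{real:.1f} bits")
    print("years at 1e10 guesses/s offline:",
          round(expected_crack_seconds(real, 1e10) / (365 * 86400), 1))
```

Four words from a 7776-word list alone are about 51.7 bits; the inserted symbol adds about 5 bits for the symbol and a few more for its position. That is well short of the roughly 170 bits of 26 random printable characters, which is the trade the answer describes: enough margin against brute force and dictionary concatenation, bought with something a person can actually remember.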

Anonymous 0 Comments

Another supposed advantage of using password managers is that you don’t have to type your password into web pages (you can copy & paste from the password manager), which reduces your exposure to key loggers. Of course then the password is exposed on your clipboard, but most have a function to clear the clipboard after X seconds.

Anonymous 0 Comments

What if instead of trusting them 100% you only trusted a little bit?

When signing up for an account you have the password manager generate something random but before you submit it you add a word to the end of it that only you know.

***(Random password) + (salt) = real password***

***(7WFdzDPgA6W2zmo7NR) + (bacon) = 7WFdzDPgA6W2zmo7NRbacon***

Then when you store the password in your password manager you leave out the salt. Even if the password manager is hacked they only see (7WFdzDPgA6W2zmo7NR) which is not the real password. When you log in you let the password manager autofill what it has and you add the salt before pressing log in.

I wouldn’t do this for all the passwords, just the important ones. There is no excuse to not use a password manager if you [salt the important ones](https://passwordbits.com/salting-passwords/).
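The scheme in this answer shown end to end, as an added Python example that is not from the answer’s author or the linked site. The two values are the ones quoted in the answer; the service side (a random per-user salt and a slow PBKDF2 hash) is my own minimal model of how a well-run site stores a password, included so the check can actually be run. In the usual cryptographic vocabulary the memorised suffix is a pepper (a secret kept out of the stored record), while a salt is normally public.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Values from the answer: what the manager stores, and the word the user keeps in their head.
STORED_IN_MANAGER = "7WFdzDPgA6W2zmo7NR"
USER_SUFFIX = "bacon"


def compose_real_password(stored_part: str, user_suffix: str) -> str:
    """The password actually sent to the service: manager's random part + memorised suffix."""
    return stored_part + user_suffix


# --- minimal model of the service's side, so the scheme can be checked end to end ---
ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor; real services tune this higher


def register_password(password: str) -> Tuple[bytes, bytes]:
    """What a well-run service stores: a random per-user salt and a slow hash, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo() -> Tuple[bool, bool]:
    """Returns (login succeeds with the manager's copy alone, login succeeds with the suffix added)."""
    salt, digest = register_password(compose_real_password(STORED_IN_MANAGER, USER_SUFFIX))
    only_manager_copy = verify_password(STORED_IN_MANAGER, salt, digest)
    with_suffix = verify_password(compose_real_password(STORED_IN_MANAGER, USER_SUFFIX), salt, digest)
    return only_manager_copy, with_suffix


if __name__ == "__main__":
    leaked_only, full = demo()
    print("login with what the manager stored:", leaked_only)  # False
    print("login with stored part + suffix:   ", full)         # True
```

Two caveats a practitioner would add: the suffix protects the account only as far as it is unpredictable, since anyone who has the manager’s copy and guesses the scheme has just the suffix left to find, so pick it like a real secret rather than a favourite food; and because the manager never sees it, there is no recovery path if you forget or mistype it, which is a good reason to follow the answer’s advice and reserve the trick for a handful of important accounts.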