If I already have a strong password, why would I need a password manager?


I read other posts, but none of them seemed to cover my main concern, which is password managers being a single point of failure.

What exactly is the difference between using **(A)** the same 25-character password for all my important logins (email, banks, personal documents), and **(B)** a 25-character password as the master key to my password manager with different keys for my individual logins?

A malicious user would take the same amount of time to crack that 25-character password for my password manager and for my bank account. In scenario A the attacker would crack the password and have access to my other logins (since they are all the same), and in scenario B the attacker would crack my password manager, thereby exposing all my other logins. So what exactly is the difference here?

I understand password managers help the general population in the sense of enforcing stronger passwords. But if you already use a very strong password (i.e. 25 characters) for all your logins, I don't really understand the difference from having a password manager where I would use that same password as the master key, which technically leads to the same catastrophic scenario.

Help me understand.


13 Answers

Anonymous

You have the same password on all websites. Someone gets the password database from one of them. What’s in that database can range from plain text to modern password hashing algorithms, but a pretty significant portion (I don’t want to say *most*, since there’s no practical way to check, but I wouldn’t be surprised) will use inappropriate or outdated hashing algorithms. You’re on a clock to change all your passwords, and you don’t even know it yet. How quickly does the site notify users of the breach, if they ever do? Now go change your password on every website you’ve ever used. Hope you don’t forget anything.

Alternatively, you have a password manager. The user database is breached. They aren't able to get the data records (that's too much to download), but they can start cracking the master passwords. It'll take a while — security is the whole point of a password manager, and unlike (for example) a bank, they don't have any legacy requirements keeping them from using a good password hashing algorithm. By the time the hackers have broken any passwords (except the people who thought `P@55w0rd1` is a good master password), the admins can set all account passwords as expired. And the password manager supports MFA (and not just via SMS), so you're not *totally* screwed even if they do crack your password.

In the worst-case scenario, maybe the data records *were* downloaded. This isn’t likely, but it could happen. You’re in a pretty similar position as you would have been if you used the same password everywhere and a site with good security got breached. It’s still better than if a poorly-secured site were breached, though. You also have a list of sites where you need to change your password, so while it’s still *annoying*, you won’t forget any of them. (If you still consider the password manager trustworthy, you might even be able to click links from it directly to the change password pages instead of having to find them yourself.)

The other common way passwords are stolen is phishing. Password managers can also help here, since they won’t autofill on phishing sites.
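To make the phishing point concrete, here is an added example (not code from the answer or from any real password manager) of the origin check that decides whether a saved credential may be autofilled. It assumes a constructed vault entry saved for `https://bank.example` and a strict exact-origin policy; the hypothetical `autofill_decision` function reports why a page is refused.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample vault entry (assumption): the origin the credential was
# saved on. A manager keys credentials by origin (scheme + host + port), not by
# what the page looks like, what its title says, or what the user believes.
SAVED_ORIGIN = "https://bank.example"

def origin_of(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, port) for an http(s) URL, or None if unusable."""
    parts = urlsplit(url)
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname drops any user:pass@ prefix, so "https://bank.example@evil.test"
    # yields "evil.test"; it is lower-cased, and punycode is kept verbatim so a
    # homograph host never compares equal to the genuine ASCII host.
    default_port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname, port or default_port)

def autofill_decision(page_url: str, saved_origin: str = SAVED_ORIGIN) -> str:
    """Say whether a credential saved for saved_origin may be filled on page_url."""
    page, saved = origin_of(page_url), origin_of(saved_origin)
    if page is None or saved is None:
        return "refuse: not an http(s) origin"
    if page[0] != saved[0]:
        return "refuse: scheme differs (possible https->http downgrade)"
    if page[1] != saved[1]:
        # Strict host match: lookalike names, subdomain-prefixed decoys and
        # userinfo tricks all land here. Some managers relax this to the
        # registrable domain, which needs the Public Suffix List to do safely.
        return "refuse: host differs"
    if page[2] != saved[2]:
        return "refuse: port differs"
    return "fill"

def should_autofill(page_url: str, saved_origin: str = SAVED_ORIGIN) -> bool:
    return autofill_decision(page_url, saved_origin) == "fill"

if __name__ == "__main__":
    for url in ("https://bank.example/login", "https://bank.example.evil.test/login",
                "https://bank.example@evil.test/login", "http://bank.example/login"):
        print(f"{url:45} -> {autofill_decision(url)}")
```

The user may be fooled by a page that looks like the bank, but the manager compares origins, not appearances, so the decoy never receives the credential.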
