If I already have a strong password, why would I need a password manager?


I read other posts, but none of them seemed to cover my main concern as password managers being a single point of failure.

What exactly is the difference between using **(A)** the same 25-character password for all my important logins (email, banks, personal documents), and **(B)** a 25-character password as the master key to my password manager, with different keys for my individual logins?

A malicious user would take the same amount of time to crack that 25-character password in my password manager and in my bank account. In scenario A the attacker would crack the password and have access to my other logins (since they are all the same), and in scenario B the attacker would crack my password manager, thereby exposing all my other logins. So what exactly is the difference here?

I understand password managers help the general population in the sense of enforcing a stronger password. But if you already use a very strong password (i.e. 25 characters) for all your logins, I don’t really understand the difference from having a password manager, where I would use that same password as the master key, which technically leads to the same catastrophic scenario.

Help me understand.


13 Answers

Anonymous

The idea is that the master key is only accessible to your password manager and therefore there is only one spot to try and attack. And if it’s stored in your computer they have to compromise your computer directly at which point they can probably just have a keylogger get all your info anyway.

Reusing a password for many sites runs the risk that a compromise of any one of those sites compromises your account on all of them. Say you use your strong password on a poorly coded niche gaming forum that saved your password as a plain MD5 hash (which is easily reversed). And that site gets tagged by an automated scraper looking for old vulnerabilities that just dumps the whole DB.

Now that person has an e-mail and password they can try and log into your bank, or cell phone provider, or any number of other important things.

If you make sure to never use your important strong password on anything but well run sites like banks, the risk of reuse is mitigated of course. But people tend to reuse passwords between their bank and gaming forums if they are reusing them.

Alternatively, say someone falls for an eBay phishing e-mail. For one, managers tend to really not like putting passwords into those. And even if you did, the attacker at least doesn’t also have access to your bank directly.

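The breach-and-reuse chain in the answer above, as an added example that is not part of the original post or the answerer's own code. It simulates the two scenarios from the question: scenario A reuses one strong passphrase on a badly coded forum and at the bank; scenario B uses a distinct random password per site, which is what a password manager generates for you. The account name, passphrase, wordlists and both sites' storage are constructed for the demo: the forum stores unsalted MD5 as in the story, the bank stores salted scrypt (assumed here as an example of a well-run site), and "easily reversed" is modelled as a precomputed lookup of candidate passwords, which is how unsalted hashes are actually recovered in practice.

```python
"""Added example (not from the original answer): constructed simulation of a
weak-site breach followed by credential stuffing at a well-run site.

Scenario A: one strong passphrase reused on the forum and at the bank.
Scenario B: a unique random password per site (what a manager produces).
Everything here (user, passwords, wordlists, both sites) is constructed.
"""
import hashlib
import hmac
import secrets

USER = "alice@example.com"                    # constructed account name
STRONG_PW = "correct horse battery staple!"   # constructed 29-char passphrase


def md5_hex(pw: str) -> str:
    """Unsalted MD5, as stored by the badly coded forum in the story."""
    return hashlib.md5(pw.encode()).hexdigest()


def forum_dump(user: str, pw: str) -> dict:
    """The forum's leaked user table: email -> unsalted MD5 hex digest."""
    return {user: md5_hex(pw)}


def crack_unsalted_md5(dump: dict, wordlist: list) -> dict:
    """'Easily reversed' in practice: hash every candidate once and look each
    leaked digest up. With no salt, one table covers every user in the dump."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table.get(digest) for user, digest in dump.items()}


class Bank:
    """Assumed well-run site: per-user random salt, memory-hard scrypt,
    constant-time compare. None of this helps if the password itself is
    already known to the attacker from somewhere else."""

    def __init__(self, user: str, pw: str):
        self.user = user
        self.salt = secrets.token_bytes(16)
        self.digest = self._kdf(pw)

    def _kdf(self, pw: str) -> bytes:
        # n=2**14, r=8 uses 16 MiB, within hashlib.scrypt's default memory cap
        return hashlib.scrypt(pw.encode(), salt=self.salt, n=2**14, r=8, p=1, dklen=32)

    def login(self, user: str, pw: str) -> bool:
        if user != self.user:
            return False
        return hmac.compare_digest(self._kdf(pw), self.digest)


def credential_stuffing(bank: Bank, cracked: dict) -> bool:
    """Replay every (email, recovered password) pair from the forum at the bank."""
    return any(pw is not None and bank.login(user, pw) for user, pw in cracked.items())


def run_scenario(bank_pw: str, forum_pw: str, attacker_wordlist: list) -> tuple:
    """Returns (forum password recovered?, bank account taken over?)."""
    bank = Bank(USER, bank_pw)
    cracked = crack_unsalted_md5(forum_dump(USER, forum_pw), attacker_wordlist)
    return cracked[USER] is not None, credential_stuffing(bank, cracked)


def scenario_a() -> tuple:
    """Same strong passphrase everywhere. Assume it has ended up in the
    attacker's candidate list (leaked, guessed or phished elsewhere)."""
    wordlist = ["password", "123456", "letmein", STRONG_PW]
    return run_scenario(STRONG_PW, STRONG_PW, wordlist)


def scenario_b() -> tuple:
    """Manager-style unique random passwords. Even when the attacker fully
    recovers the forum password, it opens nothing else."""
    bank_pw = secrets.token_urlsafe(24)
    forum_pw = secrets.token_urlsafe(24)
    wordlist = ["password", "123456", "letmein", forum_pw]
    return run_scenario(bank_pw, forum_pw, wordlist)


if __name__ == "__main__":
    print("A (reused passphrase): (forum cracked, bank owned) =", scenario_a())
    print("B (unique per site):   (forum cracked, bank owned) =", scenario_b())
```

The point the script makes about the question's premise: in scenario A the attacker never spends any time "cracking" the bank password at all. The bank's hashing is irrelevant, because the password arrives already known from the weakest site it was ever typed into and is simply replayed. In scenario B the forum is just as thoroughly compromised, but the recovered password is worthless anywhere else, which is the property the manager buys you independently of how strong the master password is.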