Why are password managers considered good security practice when they provide a single entry for an attacker to get all of your credentials?

38 Answers

Anonymous 0 Comments

The password for the vault is strong and exists nowhere other than in my own memory and is never disseminated anywhere. As such, the only attack vectors to gain access to the vault are brute force or compulsion. In the meantime, every account secured with a vault password uses a strong password which can be changed often, or incorporate 2FA, with minimal inconvenience.

Anonymous 0 Comments

# Password reuse and phishing.

Password reuse: If people are actually supposed to remember their password, they will reuse the same password across multiple sites. One of them gets hacked, and then the passwords get used to break into other sites.

Phishing: People make mistakes. If you’re used to constantly entering your password manually, you will, sooner or later, enter it on a fake page. Most people will not fall for it most of the time, but all it takes is one person falling for it one time. With a password manager, the password only gets autofilled on the real page, because computers are better than humans at *always* making sure the domain is *exactly* the same.

Also, if the attacker is in a position to copy the password manager off your computer, you’ve already lost. They have complete control over your computer, can steal your passwords as you type them, and even better, they can (and will!) just steal your login cookies after you logged in to bypass any fancy 2FA and most risk detection algorithms.

(On password reuse: Yes, sites are supposed to store passwords hashed, but just like the site can check if your password is correct when you visit the site, the attacker can try passwords against the stolen data until they find yours. This doesn’t work on strong passwords but few people use passwords strong enough to withstand such an offline brute-force attack.)
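The parenthetical above describes an offline attack on a stolen password database. The script below is an added illustration, not code from the post or any real tool: it builds a small constructed "breach dump" of salted SHA-256 hashes (a fast hash, deliberately chosen to show what happens when a site does not use a slow KDF such as bcrypt, scrypt or Argon2), then runs a tiny wordlist with common mangling rules against it. The two human-chosen passwords fall out in milliseconds; the manager-generated one is never found, which is exactly why a per-site random password limits the damage of any single breach. The wordlist, the rules and the user records are all constructed for the example.

```python
import hashlib
import secrets
import string
import time
from typing import Optional, Tuple


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """How a (weakly implemented) site might store a password: salted SHA-256.
    A single fast hash like this is what makes offline guessing cheap."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


# Stand-in for the multi-million-entry wordlists used in real cracking runs.
WORDLIST = ["password", "123456", "qwerty", "letmein", "summer2019", "iloveyou"]


def mutations(word: str):
    """Typical mangling rules: capitalise, append a number, append '!'."""
    for base in (word, word.capitalize()):
        yield base
        yield base + "!"
        for n in range(100):
            yield f"{base}{n}"
            yield f"{base}{n}!"


def crack(salt: bytes, digest: str, max_candidates: int = 100_000) -> Optional[str]:
    """Recover one stored password from its (salt, hash) pair using the
    wordlist and rules, or return None if no candidate matches."""
    tried = 0
    for word in WORDLIST:
        for cand in mutations(word):
            tried += 1
            if hashlib.sha256(salt + cand.encode()).hexdigest() == digest:
                return cand
            if tried >= max_candidates:
                return None
    return None


def generated_password(length: int = 16) -> str:
    """What a password manager produces: uniformly random from a large alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_dump():
    """Constructed breach dump: two human-chosen passwords, one generated."""
    users = {
        "alice": "Summer2019!",
        "bob": "qwerty42",
        "carol": generated_password(),
    }
    return {u: store_password(p) for u, p in users.items()}


def crack_dump(dump):
    return {u: crack(salt, digest) for u, (salt, digest) in dump.items()}


if __name__ == "__main__":
    dump = build_dump()
    start = time.perf_counter()
    recovered = crack_dump(dump)
    print(recovered, f"({time.perf_counter() - start:.3f}s)")
```

Run it and the human-chosen entries are recovered almost instantly while `carol` stays `None`. Two things follow for a site operator: store passwords with a deliberately slow, salted KDF so each guess costs real time, and treat every password that appears in any public dump as burned, since attackers will replay it everywhere.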

Anonymous 0 Comments

A vault with one nearly impenetrable lock is better than a vault with hundreds of locks where, if you can manage to get even one open, they all immediately unlock.

The strength of your password is irrelevant if you use the same login for everything. All you need is one of those hundreds of sites or services to have a data breach and they essentially have just hacked everything. Instead of putting faith in every site you make a login for, you only have to put your faith in one and make sure that one password is memorized and never used for anything else, minimizing its exposure.

Anonymous 0 Comments

Your password manager won’t get hacked. Microsoft is the one who gets hacked. Or NordVPN, or Facebook. And then they have all the passwords of millions of people. And when they have the username (that you always use) and the password (that you always use) they have your account for everything. Better that you have control of your password, and then only one password gets leaked when Crunchyroll gets hacked.

Anonymous 0 Comments

Today, the average internet user will have accounts on *dozens* if not *hundreds* of websites. Everything from Google, Microsoft and Amazon, to more niche specialities like Reddit or Facebook, down to individual shopping websites, or that one book website they signed up to five years ago and haven’t used since.

Since your online presence is so large that most people won’t remember thousands of completely unique passwords, there are basically three options for password management.

**1. Use the same password.**

This is terrible practice. If that one cookbook website you signed up to five years ago is compromised by hackers (e.g. they didn’t update to fix the latest known vulnerability within a week or two), they could access your password from this less-secure site and then use it to gain access to all of your secure websites. Clearly, this is a terrible plan.

**2. Use variations on a Password.**

This way, you can remember most of it, but change it a little. Whether that’s adding a number on the end, or tweaking the capitalisation, or adding a bit of the website or your favourite food or… Whatever else. These aren’t quite as “free” as option 1 (so it is better), but they are still very easy to guess. Many nefarious actors might take your email address and password and try it on a few dozen websites, varying numbers etc. in it. If they can find just one that works, they can easily start to break your “formula”; but even easier than that – if two of the websites you’ve ever made passwords for break, suddenly the hacker has access to both passwords and can start to see what formula you use. Suddenly the range of probable passwords goes from the tens of thousands often down to the tens or the hundreds. Breaking into these websites then becomes trivial – so this isn’t actually much safer than option #1, since this will fail eventually.

**3. Use unique passwords for each website (and write them down).**

Given that we now know that we need completely unique passwords for every website, it suddenly becomes very difficult to keep track of them all. This basically requires writing them down – either physically on paper, or digitally. Physical paper can be lost or stolen and now opens an entirely new avenue of attack, but writing them in a plain, unencrypted text document may be even worse. Now if someone goes snooping on your computer, they immediately have access to all of your accounts. Ideally then, you’d encrypt the master password list with a password that only you know. Now finding it requires the password and, provided it hasn’t been used elsewhere, that password should be safe.

A password manager is sort of like using an encrypted text document, only it’s maintained better in a much safer way. Without getting into too many technical details, opening most files on your computer leaves almost a “ghost image” in memory. Someone who knows what they are doing may be able to access documents you’ve had open, even if they were encrypted, because your computer had to unencrypt them at some point so you can read them. Most password manager software tries to bypass most of these common risks while also giving you nice features like synchronising between devices and automatically generating more secure passwords than a human ever could.
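Two mechanisms come up across these answers: the vault is an encrypted file whose key comes only from the master password (this answer), and autofill only fires when the page's origin matches the stored one exactly (the phishing point in the earlier answer). The toy vault below is an added example, not code from the post or from any real password manager. It stretches the master password with scrypt so each guess at the vault costs CPU and memory, uses an encrypt-then-MAC construction built from HMAC-SHA256 (an HMAC counter-mode keystream plus an authentication tag, chosen so the example needs only the standard library; a real product would use AES-GCM or similar), rejects a wrong master password or a tampered file before revealing anything, and only returns a credential when scheme and hostname match the saved origin exactly. The sample entries are constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password with scrypt (memory-hard), then split the
    output into separate encryption and MAC keys."""
    km = hashlib.scrypt(master_password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(entries: dict, master_password: str) -> bytes:
    """Serialise entries and produce: salt || nonce || tag || ciphertext."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    k_enc, k_mac = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = _xor(plaintext, _keystream(k_enc, nonce, len(plaintext)))
    tag = hmac.new(k_mac, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def decrypt_vault(blob: bytes, master_password: str) -> Optional[dict]:
    """Return the entries, or None if the password is wrong or the file was altered."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    k_enc, k_mac = derive_keys(master_password, salt)
    expected = hmac.new(k_mac, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before decrypting
        return None
    return json.loads(_xor(ciphertext, _keystream(k_enc, nonce, len(ciphertext))))


def autofill_candidate(entries: dict, page_url: str) -> Optional[dict]:
    """Return the saved credential only if scheme and hostname match exactly.
    Look-alike hosts, extra subdomains and http-vs-https downgrades all miss."""
    parts = urlsplit(page_url)
    if not parts.scheme or not parts.hostname:
        return None
    return entries.get(f"{parts.scheme}://{parts.hostname}")


# Constructed sample vault: entries keyed by the exact origin they were saved on.
SAMPLE_ENTRIES = {
    "https://accounts.example.com": {"user": "alice", "password": "x7#Kq9!pL2mN4vRw"},
}

if __name__ == "__main__":
    blob = encrypt_vault(SAMPLE_ENTRIES, "correct horse battery staple")
    print("wrong password ->", decrypt_vault(blob, "guess1"))
    vault = decrypt_vault(blob, "correct horse battery staple")
    for url in ["https://accounts.example.com/login",
                "https://accounts.example.com.evil-login.net/",
                "http://accounts.example.com/"]:
        print(url, "->", autofill_candidate(vault, url))
```

The ordering matters in two places: the tag is checked before any decryption, so a wrong master password or a flipped byte yields `None` rather than garbage, and the origin lookup is an exact string match on `scheme://hostname`, which is the "computers are better at *exactly* the same" property from the phishing answer.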

Anonymous 0 Comments

Not really ELI5 but two main reasons. The first has to do with the misconception of how hackers actually hack accounts. Say Netflix gets hacked tomorrow and 1 million users have their login data stolen. The hacker now has a massive list where each line is someone’s email:pass; this is called a combo list. The hacker, knowing people reuse logins, can now use that combo list on any site or service of the hacker’s choosing, say Minecraft or Disney+. This is how 99% of large scale account hacking is done. Hackers use the shotgun method. If you use a different password for every single login like a manager does then this method would only get the Netflix login. Minecraft and Disney+ would be safe!

Secondly, good password managers are very secure if set up correctly. Memorizing one really good password, making sure to use it only to store all your unique logins, is easier and more secure than having a few weak passwords you use for everything.
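The "shotgun" replay of a combo list described above has a recognisable signature on the receiving side: one source address cycling through many *different* usernames in a short burst, mostly failing, with the occasional success where a reused password matched. The detector below is an added example, not code from the post or from any product. It parses a constructed auth log (timestamp, source IP, username, result), slides a 60-second window over each source's events, flags sources that touch at least eight distinct accounts in a window, and lists the accounts that succeeded inside the burst, which are the ones whose owners reused a breached password and need a forced reset. The thresholds and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample auth log: a stuffing burst from 198.51.100.7 (one hit on
# "dave"), followed by an ordinary user mistyping their own password twice.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 198.51.100.7 alice FAIL
2024-03-01T10:00:02Z 198.51.100.7 bob FAIL
2024-03-01T10:00:03Z 198.51.100.7 carol FAIL
2024-03-01T10:00:04Z 198.51.100.7 dave OK
2024-03-01T10:00:05Z 198.51.100.7 erin FAIL
2024-03-01T10:00:06Z 198.51.100.7 frank FAIL
2024-03-01T10:00:07Z 198.51.100.7 grace FAIL
2024-03-01T10:00:08Z 198.51.100.7 heidi FAIL
2024-03-01T10:00:09Z 198.51.100.7 ivan FAIL
2024-03-01T10:00:10Z 198.51.100.7 judy FAIL
2024-03-01T10:00:11Z 198.51.100.7 mallory FAIL
2024-03-01T10:00:12Z 198.51.100.7 oscar FAIL
2024-03-01T10:05:00Z 203.0.113.5 alice FAIL
2024-03-01T10:05:10Z 203.0.113.5 alice FAIL
2024-03-01T10:05:20Z 203.0.113.5 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")
WINDOW = timedelta(seconds=60)   # sliding window per source IP
MIN_DISTINCT_USERS = 8           # distinct accounts in one window that trips the rule

Event = Tuple[datetime, str, str]  # (time, username, result)


def parse_log(text: str) -> Dict[str, List[Event]]:
    """Group login attempts by source IP, sorted by time; skip malformed lines."""
    events: Dict[str, List[Event]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events[ip].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    for evs in events.values():
        evs.sort()
    return events


def detect_credential_stuffing(text: str) -> Dict[str, dict]:
    """Return {ip: {"distinct_users": n, "hits": [accounts that succeeded]}}
    for every source whose window held >= MIN_DISTINCT_USERS distinct accounts."""
    findings = {}
    for ip, evs in parse_log(text).items():
        best, hits, j = 0, set(), 0
        for i in range(len(evs)):
            # advance the right edge while events fall inside the window
            while j < len(evs) and evs[j][0] - evs[i][0] <= WINDOW:
                j += 1
            window = evs[i:j]
            users = {u for _, u, _ in window}
            if len(users) >= MIN_DISTINCT_USERS:
                best = max(best, len(users))
                hits |= {u for _, u, r in window if r == "OK"}
        if best:
            findings[ip] = {"distinct_users": best, "hits": sorted(hits)}
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, successes: {info['hits']}")
```

Keying the rule on distinct usernames rather than raw failure count is what separates stuffing from a single user fumbling a password: the second source in the sample fails twice but never leaves its one account, so it is not reported.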

Anonymous 0 Comments

Imagine, if you would, a medieval town.

You have two options. You put a massive wall around it and have a single point of failure – the gate, heavily fortified and defensible – or you just don’t bother with a wall and have a dozen or more points of failure.

This is similar. A password manager allows you to have good passwords everywhere (that’s the wall), and you just need one really strong master password (that’s the gate).

Without a password manager, your passwords are either all going to be really weak so you can remember them, or written down in clear text somewhere.

Anonymous 0 Comments

My password manager generates all my passwords. They’re all random, upper and lower case, numerals and special characters and 16 characters long unless a website doesn’t allow that. This means that my passwords are very difficult to crack and I don’t need to worry about them being memorable to me. If somebody gets their hands on one password, they won’t be able to work out the rest.

My password manager has a fifty character password, all lower case so I can quickly type it on a phone keyboard. It’s very memorable to me but not to anybody else so it should be very difficult to crack. It’s easy enough for me to come up with one of these at a time but would be next to impossible for me to come up with enough to cover all my important logins (that and many websites would never allow a password that long or which only had lower case characters).

So you’re trading having to memorise lots of less secure passwords for not having to remember any of your very secure passwords apart from the one you use to get to the others.

Anonymous 0 Comments

My wife & I use one. We have to remember the one pw to get into it so we are responsible for keeping that one secure.

Besides that, we share the database so either of us can get into any pw stored in the manager at any time. We don’t need that feature often, but when we do it is much more convenient to look it up rather than search for her or call her.

When we set up a new pw we can generate up to 40 characters. We can select whether to use special characters and which types; these are passwords I could never remember.

It’s not absolutely secure, but it is exponentially more secure than we would be without it.

Anonymous 0 Comments

It’s just better than what most people do in practice. People see it, think they’ll practice good security and not trust the computer (lol, the one they’re using currently), and then do nothing online or offline to protect their security, just pick a similar password to their others, write it down, or save it in a file…

It’s also a good single point of defence if you use it exclusively. You can also use much harder and longer, unique passwords and not need to memorize them.