It’s World Password Day, and much like every other day of the year, the state of password security is terrible.
Despite repeated warnings from security experts and IT departments, “123456” is still the most common password for the last seven years, narrowly edging out “password.”
The problem isn’t limited to easily guessed passwords: a recent study of remote workers found that 42 percent of employees physically write passwords down, 34 percent digitally capture them on their smartphones, and at least 20 percent admit to using the same password across multiple work accounts.
Enter the password manager: an application or service that consolidates the credentials for all a user’s accounts. If you stop reading here: Password managers are not failsafe.
While password managers provide a convenience to users, they are hackable. So while it provides a convenient place to store your long and complex passwords, the whole collection of access data is protected by a single, hackable password.
If you’re in the habit of using the same or similar passwords across your universe of accounts, a password manager with a very strong password offers more security.
The issue with password managers from a security point of view is that they trade one of the biggest threats to account security–credential stuffing through the re-use of leaked or hacked passwords, for a potentially more serious one: The skeleton key for all of your accounts. Because password managers offer a one-for-all proposition, they make an appealing target for hackers who wouldn’t otherwise try to crack a unique password.
Additionally, password managers are not immune to the security issues that plague any other online service. A number of well-known password managers have either been breached or found to have severe vulnerabilities.
Take away: While password managers add a layer of protection for online accounts, they’re not a silver bullet, and have the potential to open the door to even greater online threats. Regardless of the method to keep track of passwords, any account should also be protected with other measures such as multi-factor authentication, up-to-date security software, and a close eye on account activity.
By Adam Levin