Are password managers safe to use in 2024? Security is a concern whenever you’re dealing with sensitive data, especially when all of that data is going to one place, with one company. Sure, you could go crazy and split your passwords among different password manager apps or just write them all down by hand…but there is a better way. You can have confidence that password managers are safe, and this is how.
Key Takeaways
- No single piece of security software is completely foolproof, including password managers, but they’re still better than not using one.
- Password managers force you to create stronger, unique passwords and use 2-factor authentication, improving your overall security.
- A few password managers, like LastPass and OneLogin, have been hacked before, exposing user data.
- With proper precautions like 2FA, a strong master password, and the double-blind method, password managers are generally secure for most people.
As we become more digitally engaged, we all have a ton of passwords to remember.
And since it’s almost impossible to follow all the best practices for passwords, people have started utilizing good password manager apps to secure themselves.
Many password managers act as your digital gatekeepers. They are convenient little apps that help you get rid of weak passwords and then securely store them in an encrypted vault for you to use.
But isn’t that just putting all your eggs in one basket?
If one app stores all your important passwords, what if that app gets hacked? How can you trust the company?
These are valid concerns. So how can we confidently answer the question: Are password managers secure?
Let’s take a look.
Note: Some of the links in this article are affiliate links, which means that at no extra cost to you, I may be compensated if you choose to use one of the services listed.
Fact: No Security Measure is Foolproof
Let me be blunt: if you’re relying on a single piece of software or a single strategy to secure yourself online, you’re setting yourself up to be disappointed and possibly hacked.
No single security software is foolproof…and that includes safe password managers.
No single security software is foolproof.
But as security researcher Troy Hunt has noted, “Password managers don’t have to be perfect, they just have to be better than not having one“.
If you visit a construction site, you’re advised to wear a safety helmet. It won’t protect you from ALL accidents but it is still better than not wearing a safety helmet at all.
There are still hundreds of thousands of people online who secure their accounts with the word “password” as their password. Having a strong password, even if you’re using software that could potentially be exploited, is still better than nothing.
Password Managers Can and Have Been Hacked
A couple of years back, a security report by independent consulting firm ISE disclosed flaws in the security of a password manager app.
Alarming, right?
All the password manager apps studied by the researchers have the same basic functionality. They are meant to:
- Create strong passwords using the inbuilt password generator;
- Store all your passwords (often in the cloud in the case of cloud based password managers);
- Lock the passwords behind a vault that can only be opened by a master password; and
- Auto-complete online forms.
The report evaluated the working of Dashlane, 1Password, LastPass, and KeePass on Windows 10. The findings suggest that some passwords were left exposed even when the password manager safe vault was in locked mode.
In some cases, even the master password stayed in the computer’s memory – and that too in plaintext format.
The master password is the key to the password vault, which means if it’s hacked, all passwords are stolen.
Unfortunately, these haven’t been isolated incidents. Consider the following:
- In 2015, LastPass faced an attack that exposed email addresses and security information of users.
- In 2017, OneLogin was attacked and customer data was leaked. The user data stored in their US data centers was affected.
- That same year, a vulnerability in the Keeper browser plugin was exposed. This vulnerability allowed hackers to steal any password from the vault. Keeper sued the reporter for publishing the report. While they fixed the bug later before it affected any customer, the move of suing the reporter did not do good to their reputation.
- In 2022, LastPass was hacked (again) and had a lot of unencrypted meta data on their customers as well as stolen vaults.
I’m not going to sugarcoat it…
…this looks bad.
And it looks bad because when it comes to the question of “Are password managers safe”…it is bad.
But as I’ve mentioned earlier, the fact that password managers aren’t perfect is not a reason to stop using them altogether.
You Should Still Use a Manager App…Here’s Why
Even though time has exposed security flaws in some password managers, using them is often better than not using them. The same goes for most security technologies.
It’s good to ask are password managers safe, but it’s also good to understand their advantages.
Password Managers do several things to improve your secure password etiquette. For example, they:
- Force you to create new passwords: Instead of reusing all your old passwords, you have to create new ones. All good password manager users get alerts when they’ve used the same password too many times.
- Force you to create stronger passwords: This means long passwords (12+ characters) that include letters, numbers, symbols, etc. Usually, we don’t do this on our own and you can check your current passwords to see how strong they are.
- Remind you to use 2-factor authentication: Good password manager apps can tell you which online logins offer 2-factor authentication (2FA) and give gentle reminders to make use of the 2FA feature.
These reasons alone are often worth the price of a secure password manager (even though you can do them all for free). Plus, such software also allows you to take advantage of these advanced password manager tips
However, there is one method I use that allows me to use a password manager app with complete confidence. It’s one of my favorite security hacks that I’d like to share with you.
Still Having Trust Issues? Try This Hack
What I’m about to share with you is a hack known as the double-blind password method. You’ll find more details in that link, but I’ll quickly walk through it here.
Trust me – it’s worth sticking around and reading this, especially if you’re still uneasy about putting all of your passwords in a password manager app.
But first, as with any life hack, it only works if you’re already covered in the basics. What I mean is this:
- You’re already using a password manager: I use and have already published a review of 1Password, which has been my favorite among many browser based password managers. They offer a 14-day free trial, so you can try them risk-free yourself avoiding the uncertainty associated with unreliable free password managers.
- You already use 2-factor authentication: This is a no-brainer, but it bears repeating. If your password manager offers 2FA, use it. If any important online login (i.e. bank, social media, online accounts, etc.) offers 2FA, use it.
- You already have a strong master password: Please don’t negate the power of a password manager by securing it with a dumb master password. If you need help, take a cue from my strategies for creating a super-secure password.
Ok, with that out of the way, here’s an explanation of the double-blind password strategy:
I’m going to use my bank as an example. When I set up the password for my online banking, I asked my password manager to create a complex password that was 12 digits long.
I copied that into the password creation box but I didn’t stop there. I added 4 more characters (my “unique key”) that only I know to the end of the password, making it a total of 16 digits long.
Password Manager (12 characters) + Personal Touch (4 characters) = True Password (16 characters)
Hopefully, I haven’t lost you here.
What I’m doing is adding a personal password that only I know to the end of the password my manager app gave me.
In the end, when I log in to my account I ask my password manager to auto-fill the stored password and then I add my 4 characters to the end.
Here’s why this strategy works:
It doesn’t matter if somebody hacks into my password manager app and steals all my passwords. Unless they know these extra four characters that I always type into the end of my stored passwords, the data in my password manager app is worthless!
In the end, I get the benefits of a password manager app as well as the confidence that I’m really secure. It doesn’t matter if you’re using Dashlane or 1Password or any other password manager, it works either way.
This takes a little time to implement, but if you’re truly worried about the security of your password manager, this hack is the way to go.
Be sure to subscribe to the All Things Secured YouTube channel!
Final Thoughts | Are Password Managers Safe?
Overall, I recommend using a password manager such as 1Password, even if you question are password managers safe.
For most people, it’s a huge improvement over their current password strategy and forces them to think harder about how they secure themselves online.
Are password manager providers hack-proof?
No.
Are most password managers safe in 2024?
The answer is invariably YES.
Better yet, if you use 2-factor Authentication on top of the double-blind password strategy I shared with you above, you’ll set yourself up to be more secure than probably 95% of the online population right now.
Trust me – hackers would rather grab the low-hanging fruit than to deal with someone like you.
I am someone who agrees with the importance of password managers, especially in companies that service multiple clients. That being said, it’s important to take precautions, as you detailed here. I believe the biggest is having multiple levels of verification; this way, it becomes less likely that security will be compromised.
i HAVE TRIED PASSWORD MANAGERS IN THE PASt. I gave up as someone was and still is hacking into all of my online accounts. Every password is different. Ive tried copy and paste methods yet, still it never fails that my accounts are hacked even with 2-step verification. One gmail account was recently hacked into a week after i changed my Password. I logged into my gmail account and when i entered the account, it showed an old phone nimber and it did not have A titan security key that i had established on the account in november of 2019.
I have been logging every incident since november 2019 and i have exhausted everythIng to Get this hacker (who i believe is a family member) from accessing my accounts. This has been going on since 2013.
I’m sorry to hear about the problems, C. Sounds like it goes deeper than just your password manager. If they can get past 2FA, they must have access to your key.
Chances are that a highly skilled family member has installed keylogger/screen Graber software on your computer, that or you suffer from a split personality disorder and you are the one making these changes to your own accounts.
the double-blind password strategy sounds brilliant.
Some anti-virus software has a password manager included in the paid-for package, eg norton security. how good is this, compared to a stand-alone password manager? is it easier to have it all in one package?
If your anti-virus software comes with a password manager, I say use it! It’s better than nothing and it’s cheaper than getting a separate service. The only reason you might want to pay for a separate service is if you don’t like their software.
Your hack idea is a GREAT idea. Thank you!!
I’m glad it’s been helpful, Chris!
Josh, your double blind idea is smart, very smart.
Thank you, Keith. I appreciate the kind words!
Brilliant idea! Thanks for this article. What are your thoughts on Keeper vs 1Password? I just have a few questions about how to use the double blind strategy.
1) So if I understood correctly, when you have the password manager create the new password, you never enter the additional 4 characters “in the app”, you always do that manually before logging into a site, right?
2) Do all password managers allow you to modify your password before logging in? I know in Chrome I often get a window that pops up showing me my login and password and asking me if I want to save/update it with Chrome or the password manager on my computer, so just wanted to be sure this was the case.
3) And since I’ve allowed my computer in the past to remember password, do I need to go in and turn that feature off or will it be okay if I just never say again to remember the passwords in Chrome/Windows, etc.?
Thank you for your time!
Hi Ashley! Great questions here. I’ll try to answer them the best I can here:
Hi,
How do pM’s reply when some logins require yOu to change your pAssword eveRy 30 days?
This is where PMs shine. They can help you create new, strong passwords and then easily replace the old password each month.
What Pm’s will allow double blind pass words. Could you comment on the safety of loadinG your passWords from Safari to a PM?
The double blind password strategy works for all password managers, but the reason I prefer 1Password is that you can set an exemption for URLs so that it will stop asking you “do you want to update this password”?
As for loading your passwords from Safari to a password manager, there’s vulnerability while you’re making the transition, but that’s true of any switch. I recommend that after you make the switch, you change the passwords of your most sensitive accounts with your new password manager.
Do you feel that 1Password is the easiest password manager of all password managers?
I do, but that’s a pretty subjective answer. You can give them a try for 30 days for free, I believe, if you want to test it out yourself.
I’m new to password managers and really appreciated your article and your 4-digit strategy for sensitive accounts.
My pleasure! Thanks for reading and leaving a comment, Madelpay.