Here’s how to choose the right password vault for you and what to consider when weighing your options
Wave after wave of new technology has threatened to end the era of passwords, but so far none has succeeded. That leaves most users in a difficult position. Passwords are a potential security risk, which is bad news when you realize what they protect: everything from messaging and social media to your streaming and online transportation accounts. Add to that the fact that many people don’t use two-factor authentication on even their most valuable online accounts.
As a result, if hackers obtain these credentials, they can access private data and stored payment cards. A sizable black market has sprung up for trading logins to people’s accounts.
The good news is that password managers offer a best-practice way to deal with the many shortcomings of passwords and the insecure ways so many of us use them. But not all password managers are created equal. The key is finding a trusted vendor with the right combination of features.
Why strong passwords matter
Why are passwords a security risk? Because they can be compromised in many ways. They could be:
- Stolen from the company you do business with, in a large-scale data breach
- Phished from you individually by scammers posing as social media companies, banks, streaming providers, etc.
- Guessed by automated “brute force” software that tries commonly used credential combinations. Recent research reveals that “password” remains the most popular login, followed by “123456.” Most of the top 10 can be cracked in one second.
Once stolen, passwords are traded on the dark web, where they are often purchased in bulk along with usernames. One report from 2022 revealed that 24 billion of these combinations were circulating on the cybercrime market, an increase of 65 percent from 2020. Often, hackers will feed these stolen logins into a credential stuffing tool to see if the same password has been reused on other websites and applications. If it has, they may be able to unlock those accounts too.
All of this makes it even more important for us to use unique and strong passwords across all of our websites, applications and online accounts. Password managers are a great way to do this.
What to look for in a password manager
A password manager is an application designed to keep all your passwords in a safe place. The idea is that the software will only ask you for one master password. That’s all you need to remember. Everything else will be handled automatically by the app – including the generation and autofilling of unique long passwords for each site.
However, there are different options on the market. Here are some features to look for to help narrow your search:
- The password vault is protected with strong encryption. That means even if the password management provider is hacked, the threat actor will not be able to swipe the credentials of its customers. 256-bit AES encryption is the industry standard.
- Strong password generator designed to suggest long, complex, random strings of numbers, letters, and symbols for each password. This means there is almost no chance that a hacker can brute force your password. To get a feel for what we have in mind, try ESET's own password generator.
- Multi-platform and multi-browser support. Password managers are only useful if they remember and recall your passwords on your favorite websites and apps. If they don’t support the site, then you’re probably back to square one, forced to use easy-to-remember credentials. Likewise, it greatly aids usability if a password manager can import credentials from browsers and other password managers.
- Autofill/autologin. One of the most important features of a password manager is the ability to automatically fill in the strong and complex passwords assigned to each account, after you enter the master password. Without this, the user experience is greatly degraded.
- Remote logout. Improves security and privacy by allowing you to remotely log out of your account, delete browsing history and cookies, and close all open tabs.
- Integration with two-factor authentication (2FA). While a password manager is important, the gold standard for identity and access management is 2FA, where a second “factor” is required in addition to the password, such as a face scan or a one-time passcode. A password manager that integrates with popular third-party 2FA apps like Google Authenticator will help streamline the experience.
- Reset feature for master password. Having a master password is great. But what if you forget it? If there is no reset function, all your passwords will be locked in a digital vault which you cannot open.
- A trusted vendor. This is not a feature as such, but something to keep in mind when you are doing your research. If the password management company itself is compromised, it could expose all of your passwords, so make sure it has a good security record. One popular provider recently suffered a major security incident that exposed customers’ encrypted passwords, which led to calls for users to switch.
- A security report that helps you continuously improve password security by showing all your weak passwords in one place.
- Local or cloud storage? This one is less clear-cut and may require you to consider your own circumstances. Local vault storage gives you better control and security in most cases, but devices can be stolen, lost, or hacked, and hard drives fail. Cloud-based centralized options may be more convenient, but have their own potential downsides, including requiring you to trust your service provider. There is also a third option: a vault that uses a local database but is stored in your cloud account with a major cloud provider you trust. Ultimately, the security of your passwords depends on strong encryption (point 1) and overall cybersecurity posture.
It’s important to remember the limitations of password managers – or, actually, the passwords themselves. Passwords represent one line of defense and may not be sufficient to ward off criminals. As a result (and we can’t stress this enough) – combine your passwords with 2FA so they have a much better chance of keeping hackers out.