What are the Disadvantages of Password Managers?

You will no doubt have heard that one of the most important steps to take to improve security is to use a password manager. A password manager is a software solution to help people create and manage their passwords and follow password best practices.

Why People Need to Use a Password Manager

Passwords are a convenient way of preventing unauthorized account access, similar to a lock on a front door that requires a key to unlock. The problem is that in cyberspace, hackers are conducting brute force attacks to guess passwords, akin to almost simultaneously trying thousands of different keys to open that lock. Weak passwords can be guessed by brute force in a fraction of a second, and even a truly random password of 8 characters with upper- and lower-case letters, numbers, and symbols will only take a maximum of 39 minutes to crack, according to a study by Hive Systems.

Nowadays, passwords need to be at least 12 characters long and they should be truly random. Humans are not good at thinking of random passwords, so the best option is to use a password generator. A password generator will produce completely random passwords that are very hard to guess, even using advanced hacking methods and the most powerful computer processors. Password generators are included in all password managers, so they solve the problem of creating complex passwords. For even greater security, some password managers – Bitwarden for example – even generate unique usernames, which makes brute force attacks on accounts harder still.

It is simply not possible to remember dozens of random passwords. Even remembering one can be a challenge! Password managers solve this by storing the passwords in an encrypted vault, so they do not need to be remembered. When a password needs to be entered, the password manager will fill it in automatically. If you land on a phishing website that asks for your credentials, the password manager will not fill them in, because the site's address does not match the site associated with the password in your password vault.
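The matching step described above, as an added example (not code from this article or from any password manager). It assumes exact origin matching; real products may match on other rules, and the vault entries, URLs and function name are constructed for illustration.

```javascript
// Added example: the check a password manager could run before autofilling.
// Vault contents and all URLs below are constructed sample data.
const vault = [
  { origin: "https://accounts.example.com", username: "alice", password: "constructed-secret-1" },
  { origin: "https://bank.example.net", username: "alice01", password: "constructed-secret-2" },
];

// Return the stored login for the page, or null if nothing may be filled.
function credentialsFor(pageUrl) {
  let page;
  try {
    page = new URL(pageUrl); // WHATWG URL parser, the rules browsers apply
  } catch {
    return null; // unparseable address: never fill
  }
  if (page.protocol !== "https:") return null; // refuse unencrypted pages
  // URL.origin is scheme + host + port. Anything before an "@" is treated as
  // userinfo and excluded, so it cannot pass for the stored site's name.
  const entry = vault.find((e) => e.origin === page.origin);
  return entry ? { username: entry.username, password: entry.password } : null;
}

// Constructed sample pages: one genuine login page and several lookalikes.
const samples = [
  "https://accounts.example.com/login?next=/inbox", // genuine site
  "https://accounts.example.com.login.test/",       // stored name used as a subdomain
  "https://accounts.example.com@phish.test/login",  // stored name used as userinfo
  "https://accounts.examp1e.com/login",             // one character swapped
  "http://accounts.example.com/login",              // right host, no TLS
];
for (const url of samples) {
  console.log(credentialsFor(url) ? "fill  " : "refuse", url);
}
```

Only the first sample is filled; a person reading the address bar could miss the differences in the others, but the comparison against the stored origin does not.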

It is worth noting that the password management features of web browsers are not the same as standalone password managers. Browsers are convenient, and they will suggest, store, and autofill passwords, but they lack the security of a dedicated password manager.

Disadvantages of a Password Manager

Password managers can greatly improve password security, but there are disadvantages, which we have listed below.

Cost – Some password managers have a free tier – e.g., Bitwarden & LastPass – but to get all the features there is a cost. That cost is low and worth it for the security and convenience – Bitwarden, for example, is less than $1 per month – but it is a cost nonetheless.

Setup required – Storing passwords in browsers does not require any effort. A password manager will need to be downloaded and installed, and you will need to learn how to use it. That is usually a quick process as they are intuitive, but it will take time to get set up and up to speed – a few minutes to an hour.

A target for hackers – Password managers are a target for hackers because they contain all the passwords a hacker could ever need. You should choose a password manager that operates under the zero-knowledge model, where even the password manager developer cannot access users’ password vaults.

All your eggs in one basket – If your account is hacked (the hacker obtains your password vault password), all of your passwords will be obtained. The risk can be lowered by using a complex passphrase for your password vault of at least 12 characters, but ideally more, and by ensuring you have 2FA or MFA implemented.

While the single point of failure is a genuine concern, the benefits of password managers for password security are much greater, and the risk of storing all passwords in one place is low with MFA enabled and a strong password set. If you want to improve password security, investing some time and a little money into a password manager is certainly worth it and should significantly improve security.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news