There are plenty of items that are too risky to save alongside your passwords. Nik Rawlinson reveals what you should keep safe elsewhere
If you aren’t using a password manager, you should. They make it easy to devise unique login details for every site, service and program you use, and save you the hassle of remembering them. We like 1Password (www.1password.com) and KeePass (https://keepass.info), but our favourite password manager is currently Bitwarden, which offers everything you need for free. Download it from www.bitwarden.com/download.
The trouble is that password managers make it almost too easy to store information. If it fell into the wrong hands, your identity could be compromised, with devastating results. It’s highly unlikely that your data would be stolen from the password manager’s server, but it’s risky to leave your phone or computer unattended while you’re logged in. You should therefore minimise the danger by being selective about what you store in your password vault.
THINGS YOU SHOULD NEVER STOREComplete passwords
When your password manager suggests a password, add your own word or PIN to the end, but don’t save it in the vault
Password managers are great at suggesting – and then saving – secure passwords. The trouble is, if anyone gains access to your password vault, they can read or copy all of your logins.
The next time your manager suggests a password for a new account you’re creating (see screenshot right), allow it to save it in the vault as usual but, when you paste it into your browser, add an extra PIN or word of your own, which isn’t saved in the password manager’s list.
Do this every time you create a new account, and use the same PIN or word on each occasion, so you only have one thing to remember. That way, every password in your manager will be incomplete, and therefore useless to anyone who gains access to it. Only you will know which extra few characters or digits make up the complete passwords and grant access to your online accounts.
Two-factor authentication recovery codes
Use Google Authenticator rather than your password manager for storing two-factor codes
You should always use two-factor authentication (2FA) when creating new accounts. This adds a second layer of security in the form of a unique code that is sent to your phone or generated on your device by an authenticator app. The next time you log in, you’ll need to type this into the site along with your automatically filled
FAQs
Password Managers Are Safe Because of Zero-Knowledge Architecture. Password managers are typically built on a zero-knowledge architecture, which means that your password manager provider can't see the information that is stored in your vault.
What is the main risk of using a password manager? ›
Password managers can be a security threat if they do not encrypt their data. Hackers know that compromising a password manager is like getting the keys to the castle. Because of this a strong encryption must be in place to prevent access to your saved passwords.
Why shouldn't you save passwords in the browser? ›
1. Password stealers. The core problem with storing passwords in browsers is that they sacrifice security for usability. This holds true for at least the three most popular browsers: Google Chrome, Mozilla Firefox, and Microsoft Edge, all of which store user passwords in a highly insecure way.
Are password managers still safe? ›
Are password managers secure? Yes, they are undeniably the safest way to store your passwords. They provide strong encryption to protect your passwords from cyber criminals. However, it's also important to note that they aren't 100% impenetrable.
Is it safe to store bank details in password manager? ›
Storing your bank passwords in a password manager is the safest way to store them without putting them at risk of becoming compromised. When targeting online accounts, cybercriminals often target those that are most valuable, which includes your bank accounts.
Where should you not store passwords? ›
Unencrypted files
Storing passwords in unencrypted files, such as documents, spreadsheets, or note-keeping apps, is almost as bad as writing them down on a sticky note.
What is the one catch with password managers? ›
Single point of failure - if someone gets hold of your master password, they have all your passwords. Password manager programs are a target for hackers.
Which password manager has never been hacked? ›
1Password is an option as it has never been breached, and NordPass is also known for its strong security features.
Have any password managers been hacked? ›
LastPass
Needless to say, 2022 was a rough year for password managers. LastPass experienced a data breach in August 2022 that resulted in hackers gaining access to sensitive data via an employee account. Adding insult to injury, another breach followed in November, targeting sensitive data stored in the Cloud.
Is it better to save password in browser or password manager? ›
Since no human can memorize unique passwords for dozens if not hundreds of accounts, security experts have long recommended the use of a password manager, a service that helps you generate and store long, unique passwords for all of your online accounts. Password managers operate across browsers and devices.
Because the encryption happens before Google's servers get the information, nobody, including Google, learns your username or password.
Is it safe to store passwords on your desktop? ›
The most significant risk is that if someone gains access to your computer or mobile device, they can easily access all your saved passwords. Even worse, if your browser is corrupted, cybercriminals can remotely access your passwords, compromising all your accounts.
Do security experts recommend password managers? ›
Recommended Password Managers
The ISO recommends four password managers that you can use in your daily life: 1Password, Apple's iCloud Keychain, BitWarden, KeePass, and LastPass (alphabetical order).
Do I really need a password manager? ›
A password manager (or a web browser) can store all your passwords securely, so you don't have to worry about remembering them. This allows you to use unique, strong passwords for all your important accounts (rather than using the same password for all of them, which you should never do).
Has RoboForm ever been hacked? ›
Has RoboForm ever been breached? RoboForm has never been hacked or suffered any data breaches. While it has a strong history of data protection, you should still take precautions by creating a unique master password for their RoboForm account and enabling 2FA as another layer of security.
Which of these is the safest place to store your passwords? ›
A password manager (or a web browser) can store all your passwords securely, so you don't have to worry about remembering them. This allows you to use unique, strong passwords for all your important accounts (rather than using the same password for all of them, which you should never do).
How do password managers store passwords securely? ›
Desktop-based password managers store your passwords locally on your device, like your laptop, in an encrypted vault. You can't access those passwords from any another device, and if you lose the device, then you lose all the passwords stored there.
Is it safe to save passwords in Google password manager? ›
How Safe Is Google Password Manager? Google Password Manager and the passwords it generates are considered safe compared to similar password managers. Google uses military-grade encryption to protect your usernames, passwords, and payment methods.
