Shane Daniel, February 06, 2023, 7 min read

Are Password Managers Safe?


The LastPass breach reminds us there is no way to stay 100% safe online and highlights some of the risks associated with using a central vault to store passwords and other secrets. However, password managers (PMs) are still the most secure method available for managing and protecting passwords.


Password managers offer several crucial benefits that significantly enhance online security:

  • Automated Login: PMs store strong, unique passwords for potentially hundreds of websites, web applications, and services, allowing users to log in without manually typing their passwords each time. This not only saves time but also protects against keyloggers.
  • Enhanced Password Strength: Users can generate and manage complex passwords that are difficult to crack but don’t need to be remembered or written down, reducing the risk of physical theft or simple guesswork.
  • Password Uniqueness: By encouraging the use of a different password for each account, PMs minimize the damage of any single data breach spreading to other accounts.
  • Phishing Protection: Password managers provide a layer of defense against credential harvesting from phishing attempts, as they will not auto-fill passwords on websites that don’t match the stored credentials.
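As an added illustration (not code from the article or from any vendor), here is the origin check behind that phishing protection: a credential is only offered on a page whose origin matches the one it was saved under, so lookalike hosts, subdomain tricks and HTTP downgrades get no fill. The vault entries and domains are constructed sample values.

```javascript
// Hypothetical vault entries: each credential remembers the origin it was saved on.
// Sample values only; the password strings are placeholders.
const vault = [
  { site: 'https://bank.example', username: 'alice', password: 'Rk7$-placeholder' },
  { site: 'https://mail.example', username: 'alice@mail.example', password: 'Qz9!-placeholder' },
];

// Return the credentials that may be auto-filled on `pageUrl`.
// Rules (a deliberate simplification of what real managers do):
//  - the page origin (scheme + host + port) must equal the saved origin exactly,
//    so "bank.example.evil-example.net" or a different port never matches;
//  - a credential saved on HTTPS is never filled on plain HTTP, because a
//    downgraded page is a classic sign of interception or phishing;
//  - unparsable URLs get nothing.
function credentialsFor(pageUrl) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch (e) {
    return [];
  }
  return vault.filter((entry) => {
    const saved = new URL(entry.site);
    if (saved.protocol === 'https:' && page.protocol !== 'https:') return false;
    return page.origin === saved.origin;
  });
}

// Convenience: usernames the manager would offer on a page (never the secret itself).
function usernamesFor(pageUrl) {
  return credentialsFor(pageUrl).map((c) => c.username);
}
```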

Despite the convenience and increased security, consolidating all passwords in a single location does introduce risks. However, the trade-offs are considered favorable given the advanced security measures employed by most PMs:

  • 256-bit Advanced Encryption Standard (AES): This encryption method is among the strongest available and is used to secure data against brute force attacks.
  • Zero Trust Security Model: Your master password, the key to your vault, is encrypted on your device before it ever reaches a server, ensuring that only you have access to unlock your passwords.
  • Two-Factor Authentication (2FA): An additional layer of security that requires not only the master password but also a second form of verification, significantly enhancing the vault’s security.

By integrating these robust security practices, password managers offer a resilient solution to the challenge of managing numerous complex passwords safely and efficiently.

 

Types of Password Managers

There are three types of PMs: device-based, cloud-based, and on-premise. Each type represents a different approach to balancing security and convenience.

 

Device-Based Solutions

Device-based password managers store your passwords locally on a single device. This approach enhances security by keeping your sensitive information physically isolated from the internet.

Pros

  • Reduces exposure to remote cyber threats.
  • Quick access without the need for internet connectivity.

Cons

  • Limits your ability to access passwords across multiple devices.
  • Lacks advanced features like password health checks, which detect weak or reused passwords.
  • Typically offers fewer security controls compared to commercial password managers.

Cloud-Based Solutions

Cloud-based password managers sync your passwords across multiple devices via the internet. They are hosted on the service provider’s servers.

Pros

  • Seamless access to your passwords from any device, anywhere.
  • Often includes features that alert you to security breaches or reused passwords.

Cons

  • Stores your sensitive data on external servers, which could be a potential vulnerability if the provider's security is compromised.

On-Premise Solutions

On-premise password managers allow organizations to host their password management system on their own IT infrastructure.

Pros

  • Greater control over the security measures and data storage.
  • Keeps sensitive data within the organization’s control, reducing reliance on third-party security practices.

Cons

  • Requires significant investment in secure IT infrastructure and regular maintenance.
  • Can be costly due to the need for continuous updates, backups, and security audits.


Important Note: Using your browser's “Save Password” feature is convenient but not recommended for secure password storage. Browsers often lack the more robust security measures found in dedicated password managers and are a frequent target for cyberattacks.

 

Assessing Risk and Managing Vendors

While each type of password manager carries inherent risks, these should be carefully evaluated during the due diligence and vendor management processes. It’s crucial to assess how well a password manager's security measures align with your organization's risk appetite. Any remaining risks after selecting a password management solution should be meticulously addressed in the IT risk assessment to ensure the solution’s risk score is acceptable and managed effectively.

 

How Secure Are Password Managers?

Password managers play a crucial role in digital security by encouraging the use of strong, unique passwords for each account. This is essential to protecting against unauthorized access and data breaches. Password managers generate complex passwords, store them securely, and autofill them across websites and applications, thus eliminating the need for users to remember each one.

Most password managers secure data using robust encryption standards such as 256-bit AES, which is the same level of encryption used by governments and financial institutions for top-secret information. For user access, they often employ advanced authentication methods like biometrics (fingerprint or facial recognition) and two-factor authentication, adding an extra layer of security.

In the event of data breaches or security vulnerabilities, reputable password managers respond swiftly with transparent communication and immediate action. They rely on technologies such as zero-knowledge architecture, which ensures that even the service provider cannot access your passwords, and automatic security alerts that notify users of potential threats. Features such as secure password sharing and emergency access for trusted contacts provide additional safety nets, helping to keep user data protected even under adverse circumstances. By continuously updating their security measures and protocols, password managers demonstrate their commitment to safeguarding user data against evolving cyber threats.

When considering a password management vendor, an organization should vet the vendor thoroughly, including reviewing financial information, SOC reports, disaster recovery, and business continuity plans. Then, the organization should ensure contracts include language regarding breach notifications.

 

Main Risks of Using a Password Manager

Password managers are essential tools for managing our digital lives, but they are not without risks. The main risks include:

  • Cloud-Based Hacks: Password managers that store data in the cloud can be vulnerable to breaches. For instance, LastPass experienced a security breach in which an unknown threat actor gained access to its cloud-based storage environment and to encrypted password vaults, compromising customer data, including usernames and passwords.
  • Local Device Vulnerabilities: If a user’s device is compromised, attackers could potentially access the password manager’s data.
  • Master Password Flaws: The master password is the key to all other passwords. If it’s weak or compromised, all stored passwords are at risk.


Recent incidents, such as the LastPass breach, highlight these risks. In January 2023, NortonLifeLock reported a credential stuffing attack, indicating the real-world implications of such vulnerabilities.

Experts suggest that while no system is 100% secure, using multi-factor authentication (MFA) can significantly reduce the risk of unauthorized access. It’s also advisable to choose password managers that offer zero-knowledge architecture and do not store passwords in the cloud. Regularly updating and changing master passwords can further enhance security. By following these best practices, users can mitigate the risks associated with password managers and maintain a higher level of digital security.

 

Things to Consider When Changing Password Managers

Changing your organization's password manager is a significant decision that should be approached with thorough analysis and careful planning. Here are several critical factors to consider before making a switch:

  1. Evaluate Current Solutions and Potential Alternatives
    If your organization is using a service like LastPass, it's crucial to assess the reasons for considering a switch. Are there security concerns, feature limitations, or cost issues? Understanding the motivation behind the change will help in evaluating alternatives. Additionally, investigate various password management vendors in the market. Consider features, security measures, user reviews, and expert opinions to compile a list of viable alternatives.

  2. Consider the Implications of Transition
    Evaluate the ease of transitioning from your current provider to a new one. Some questions to consider:
      - Does the new provider offer tools or support to facilitate the transfer of password databases?
      - Are there compatibility issues with formats or encryption standards between the old and new systems?

    Analyze the financial implications of switching providers, including any sunk costs with the current provider and the potential costs associated with migrating to a new platform.

  3. Assess the Impact on Users and Security
    Consider how a change will affect your users. If moving from a cloud-based to an on-premise solution, assess what functionalities might be lost and how this could affect daily operations. Conduct a comprehensive security assessment of potential new providers. This should include:
      - Vendor due diligence to scrutinize the security practices and track records of the vendors.
      - IT risk assessment to evaluate how the new solution aligns with your organization’s security policies and risk appetite.

  4. Strategic Decision-Making
    Ensure that any change in password management strategy aligns with your organization’s long-term IT and security strategies. The chosen solution should not only address current needs but also adapt to future security challenges and technological advancements. Only proceed with switching password managers after all factors have been thoroughly considered and you are confident that the new solution offers a clear advantage. This decision should be based on detailed research and a strategic evaluation of all relevant aspects.

By methodically addressing these considerations, your organization can make an informed decision that balances security, usability, and cost, ensuring the best possible outcome for your password management strategy.

 

**SBS CyberSecurity does not partner with nor endorse any password management vendors or solutions.**


Shane Daniel

Shane Daniel is a Senior Information Security Consultant for SBS CyberSecurity, where he works to help organizations identify and understand cybersecurity risks to allow them to make better and more informed business decisions. As a former community bank internal auditor and compliance officer, Shane has over 27 years of experience helping financial institutions manage risk and profitability. He is driven to be an expert in his field by maintaining a variety of premier industry certifications, including Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC), and a Certified Internal Auditor (CIA). Shane specializes in risk management, information technology audit, Bank Secrecy Act independent testing, compliance management, information security, and internal audit outsourcing. Shane performs speaking engagements, conducts trainings, has had multiple articles published, and hosts educational webinars.
