Please don’t ask me — I cannot tell you the “most secure password manager”

Alex Porcelain
4 min read · Dec 6, 2020

Last month I gave a talk to a group of small business owners on the fundamentals of cybersecurity. My slides focused on the simplest actions they should be taking to protect their digital identities and customers’ information. I made sure to sprinkle little tidbits of advice that seemed easy for someone with limited time and very low IT budget:

  • Only process credit card numbers if you absolutely have to (use services like Venmo or PayPal instead).
  • Password protect everything.
  • Avoid conducting sensitive transactions on public WiFi networks.
  • Never assume your emails are safe or confidential.
  • Enroll in two-factor authentication for sensitive accounts.
  • Don’t click links or download attachments from untrusted sources.
  • Use a gosh darn password manager.

It’s this last one which always seems to keep folks engaged during the mandatory 10 minutes of Q&A. Everyone wants to ask me which password manager to use, if their current setup is “safe” and how each of them compares.

Every time I get questions like this I think of a quote I read from Spaff:

“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards — and even then I have my doubts.”

As a risk professional, I learned this pretty quickly. Any business or transaction that takes place over the web comes with some amount of risk. Systems are designed to operate in a very specific way, but there are so many things that can go wrong — each of which could have a potential security vulnerability. When you’re using connected technology, there are always risks involved.

Our goal as users of technology is to understand which risks we’ve taken and try to reduce the overall risk to our digital lives. In addition to all the other ideas I mentioned in my talk, protecting your passwords is one of the best ways to reduce risk to your personal life or business.

To me, this means that:

  1. You are better off using a password manager than not (even though it seems like you are trusting “one app with everything”)
  2. By default, assume that all password managers carry the same risk - but Google it to confirm

I’ll explain.

1. You are better off using a password manager than not (even though it seems like you are trusting “one app with everything”)

Curiously, NIST does not seem to have a strong stance on whether to recommend password managers — but I think most security professionals are in strong favor. NIST admits (almost sheepishly) that password managers:

In many cases increase the likelihood that users will choose stronger memorized secrets

I’d argue that for anyone with more than one or two online logins, password managers will always increase the likelihood that they will choose a stronger memorized secret. Password managers allow users to generate cryptographically strong unique passwords without having to remember them — and discourage us from passwords like ‘Yankees415!’ — even if “it’s only for my unimportant apps like the gym app and Starbucks”.

By opting to use a password manager, you are indeed trusting a single company, site or app to manage all your passwords. But each password will be stronger and therefore less susceptible to being guessed or re-used if discovered as part of a different breach.

So shouldn’t you be concerned that your password manager may get breached? Yes. So you’d better set it up correctly.

2. By default, assume that all password managers carry the same risk — but Google it to confirm

Most sites and companies will protect your credentials by using a combination of best practices — most importantly hashing the password securely before storing it. And as a user, you’re always trusting that the password will be protected as it is routed to its destination and will be unreadable forever once it gets there. The trust is implicit, as we assume companies are responsible or have legal obligations to protect your information. You have no idea whether the company is following all the expected practices to protect your password, so you use your spidey sense and assume that it’s alright on a well-known site. That’s just how it is. Unless you’ve personally tested the application (typically considered proprietary information), there is a certain amount of trust you are putting in that company.
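As an added example that is not part of the original post, here is a minimal Python sketch of the two mechanisms the post relies on: a password manager generating a strong, unique secret for each site from the OS random source, and a site hashing that secret with a per-user random salt and a memory-hard KDF (scrypt) before storing it. The site names and scrypt parameters are constructed for illustration, not taken from any particular product.

```python
import hashlib
import math
import secrets
import string
from typing import Dict, Optional, Tuple

# Added illustration, not code from the post or from any password manager.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character from the OS CSPRNG, as a password manager does."""
    if length < 12:
        raise ValueError("refuse to generate a short password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(alphabet_size)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Server side: salt per user, then a slow, memory-hard KDF (parameters are illustrative)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


def demo() -> Dict[str, object]:
    # Constructed vault: one independent secret per site, none memorised by the user.
    vault = {site: generate_password() for site in ("bank.example", "gym.example")}
    salt, digest = hash_password(vault["bank.example"])
    # The same secret hashed again gets a fresh salt, so stored digests never match across sites.
    other_salt, other_digest = hash_password(vault["bank.example"])
    return {
        "unique_per_site": len(set(vault.values())) == len(vault),
        "bits": entropy_bits(20, len(ALPHABET)),
        "verified": verify_password(vault["bank.example"], salt, digest),
        "rejected": verify_password("Yankees415!", salt, digest),
        "salts_differ": salt != other_salt and digest != other_digest,
    }
```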

One can certainly try to reduce the amount of trust put in any company by reading their policies, reviewing their technical documentation and interacting with customer service, but not all companies will be very forthcoming. And let’s be honest, most people do not do this. We simply don’t have time to assess every single site we sign up for, and even then our efforts may be futile.

So we use our “spidey sense”. We check out what reviews are written online about the company and if there are any positive or negative articles about it, and then click “download”.

I think selecting a password manager is going to follow the same process. There may be some providers who have a unique feature that others don’t offer. There may be one that had a vulnerability reported recently. But I’m currently not aware of any of these differentiators between password managers. So yes, please do a few Google searches to understand if there is any major new reason to select one over another. Something may change.

But, until you hear otherwise — you should assume all mainstream, popular password managers carry the same risk.

And I think that’s a risk that most of us should be taking.
