{"id":8381,"date":"2023-04-11T12:00:00","date_gmt":"2023-04-11T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/2023\/04\/11\/10-things-to-look-out-for-when-buying-a-password-manager\/"},"modified":"2023-04-11T12:00:00","modified_gmt":"2023-04-11T09:00:00","slug":"10-things-to-look-out-for-when-buying-a-password-manager","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2023\/04\/11\/10-things-to-look-out-for-when-buying-a-password-manager\/","title":{"rendered":"10 things to look out for when buying a password manager"},"content":{"rendered":"<p>Wave after wave of new technologies have threatened to bring about the end of the password over the years. But none so far have succeeded. That leaves most users with a problem. Passwords are a potential security risk, which is particularly bad news when you realize what they\u2019re protecting \u2013 everything from your messaging and social media to your streaming and ride hailing accounts. Add to that the fact that many people don\u2019t use <a href=\"https:\/\/www.welivesecurity.com\/2019\/12\/13\/2fa-double-down-your-security\/\">two-factor authentication<\/a> even on their most valuable online accounts.<\/p>\n<p>As a result, if <a href=\"https:\/\/www.welivesecurity.com\/2022\/01\/05\/5-ways-hackers-steal-passwords-how-stop-them\/\">hackers get hold of these credentials<\/a>, they could access a trove of personal data and stored payment cards. A <a href=\"https:\/\/www.welivesecurity.com\/2019\/01\/31\/cybercrime-black-markets-dark-web-services-and-prices\/\">sizeable black market<\/a> has emerged trading logins to people\u2019s accounts.<\/p>\n<p>The good news is that password managers offer a best practice way to overcome many of the inadequacies of passwords, and the <a href=\"https:\/\/www.welivesecurity.com\/2020\/05\/07\/5-common-password-mistakes-you-should-avoid\/\">insecure way many of us use them<\/a>. But not all password managers are created equal. 
The key is finding a trustworthy vendor with the right combination of features.<\/p>\n<h2>Why strong passwords matter<\/h2>\n<p>Why are passwords a security risk? Because they can be <a href=\"https:\/\/www.welivesecurity.com\/2022\/01\/05\/5-ways-hackers-steal-passwords-how-stop-them\/\">compromised in multiple ways<\/a>. They could be:<\/p>\n<ul>\n<li>Stolen from companies you do business with, in large-scale data breaches<\/li>\n<li><a href=\"https:\/\/www.eset.com\/uk\/types-of-cyber-threats\/phishing\/\">Phished<\/a> individually from you by scammers masquerading as your social media company, bank, streaming provider, etc.<\/li>\n<li>Guessed by automated \u201cbrute force\u201d software which tries combinations of commonly used credentials. <a href=\"https:\/\/www.welivesecurity.com\/2023\/01\/02\/most-common-passwords-what-do-if-yours-list\/\">Recent research revealed<\/a> that \u201cpassword\u201d remains the most popular log-in, followed by \u201c123456.\u201d Most of the top 10 can be cracked within a second.<\/li>\n<\/ul>\n<p>Once stolen, passwords are traded on the dark web, where they\u2019re often bought up in large troves together with usernames. <a href=\"https:\/\/www.digitalshadows.com\/press-releases\/24-billion-usernames-and-passwords-available-on-the-dark-web-an-increase-of-65-in-just-two-years\/\">One report<\/a> from 2022 revealed 24 billion of these combinations circulating in cybercrime marketplaces \u2013 an increase of 65 percent on 2020. Often, hackers will feed these stolen logins into credential stuffing tools, to see if the same passwords have been reused across other websites and apps. If they have, they may be able to unlock these too.<\/p>\n<p>All of this makes it more important than ever that we use unique, strong passwords across all our websites, apps and online accounts. 
A <a href=\"https:\/\/www.welivesecurity.com\/2020\/06\/26\/what-is-password-manager-why-is-it-useful\/\">password manager<\/a> is a great way to do this.<\/p>\n<h2>What to look for in a password manager<\/h2>\n<p>Password managers are applications designed to store all of your passwords in a secure place. The idea is that the software will only ask you for a single master password. That\u2019s all you need to remember. Everything else will be handled automatically by the app \u2013 including the generation and auto-filling of long unique passwords for every site.<\/p>\n<p>However, there are different options on the market. Here are a few features to look for to help narrow down your search:<\/p>\n<ul>\n<li><strong>Password vaults protected with strong encryption<\/strong>. That means even if the password management provider is hacked, the threat actors will not be able to swipe any of its customers\u2019 credentials. AES 256-bit encryption is the industry standard.<\/li>\n<li><strong>A strong password generator<\/strong> designed to suggest long, complex and random strings of numbers, letters and symbols for each password. This means there\u2019s virtually no chance a hacker could brute force your password. To get a taste of what we have in mind, try out <a href=\"https:\/\/www.eset.com\/int\/password-generator\/\">ESET\u2019s very own password generator<\/a>.<\/li>\n<li><strong>Multi-platform and multi-browser support. <\/strong>Password managers are only useful if they remember and recall your passwords across your favorite websites and apps. If they don\u2019t support these sites, then you may be back to square one \u2013 forced to use easy-to-remember credentials. Similarly, it will help usability a great deal if the password manager can import credentials from browsers and other password managers.<\/li>\n<li><strong>Autofill\/auto-log-in. 
<\/strong>One of the most important features of a password manager is an ability to automatically fill in the strong, complex password assigned to each account, after you enter the master password. If it fails to provide this, the user experience will be greatly degraded.<\/li>\n<li><strong>Remote logout. <\/strong>Enhances security and privacy by enabling you to remotely log out of accounts, clear browsing history and cookies, and remotely close any open tabs.<\/li>\n<li><strong>Integration with two-factor authentication (2FA).<\/strong> While password managers are important, the gold standard for identity and access management is 2FA, whereby a second \u201cfactor\u201d is required in addition to a password, such as a facial scan or a one-time passcode. A password manager that <a href=\"https:\/\/help.eset.com\/password_manager\/3\/en-US\/2fa.html\">integrates with popular third-party 2FA apps<\/a> like Google Authenticator will help to streamline the experience.<\/li>\n<li><strong>Reset feature for master password. <\/strong>Having a master password is great. But what if you forget it? If there\u2019s no reset functionality, all of your passwords will be locked away in a digital safe you can\u2019t open.<\/li>\n<li><strong>A trustworthy vendor.<\/strong> This isn\u2019t so much a feature as something to bear in mind as you do your research. If the password management firm itself is breached, that could expose all of your passwords, so ensure it has a good track record on security. 
One popular provider <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/lastpass-customer-vault-data-was\/\">recently suffered<\/a> a major security incident which exposed customers\u2019 encrypted passwords \u2013 leading to <a href=\"https:\/\/www.cnet.com\/tech\/services-and-software\/if-you-use-lastpass-change-all-of-your-passwords-asap\/\">calls for users to switch.<\/a><\/li>\n<li><strong>Security reports <\/strong>can help you to continuously improve password security by displaying all your weak passwords in one place.<\/li>\n<li><strong>Local or cloud storage? <\/strong>This one may actually be a bit of a toughie and may require you to consider your own circumstances. Local vault storage will often give you better control and security in many cases, but devices get stolen, lost or hacked and hard drives fail. A centralized, cloud-based option may then be more convenient, but it has its own potential downsides, including that it requires you to trust your service provider. There is also a third option \u2013 a vault that uses a local database but is stored in your cloud account with a major cloud provider you trust. Ultimately, the safety of your passwords is conditional on strong encryption (point 1) and cybersecurity posture.<\/li>\n<\/ul>\n<p>It\u2019s important to remember the limitations of password managers \u2013 or, in fact, passwords as such. A password represents a single line of defense and it may not be enough to ward off criminals. 
As a result (and we can\u2019t stress this enough) \u2013 combine your passwords with 2FA so that you stand a much, much better chance of keeping the hackers at bay.<\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/2023\/04\/11\/10-things-look-buying-password-manager\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here&#8217;s how to choose the right password vault for you and what exactly to consider when weighing your options<\/p>\n","protected":false},"author":5,"featured_media":8382,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[155],"tags":[],"class_list":["post-8381","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-how-to"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8381","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8381"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8381\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8382"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8381"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8381"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post
=8381"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}