How secure are password manager like 1Password or lastpass

Do big companies use a password manager? If not how do they keep them safe and manage it to keep track of all the credentials and manage it among employees.

Comments

[DrBearhands]

Big companies make huge boo-boos all the time, so we should not look at them for guidance.

I can't comment about any specific password manager, but here's what I know:

Ideally, a password manager encrypts stored passwords using a master key. Neither the master key nor decrypted passwords are ever stored anywhere. This makes encrypted passwords safe to store remotely. I'm ignoring "managers" based on pure hashing functions.

We have to assume any decrypted passwords may leak due to data-breaches at the instance where you'd log in. We should also expect remote storage of encrypted passwords to leak.

What you can do wrong

• Weak master password: If your master password is weak, because it is short, because it is common, because it was leaked elsewhere or for some other reason, all your passwords are at risk, because an opponent with the encrypted list and any one decrypted password can just start guessing. Your master password needs to be complex/unlikely enough to require a seriously large amount of guesses.
• Keep passwords past their expiration dates: Encryption has expiration dates. Sometimes vulnerabilities are found in encryption methods. Even then, your password can be cracked given enough time, though that should take longer than the remaining life of the universe if your master password is strong enough.
• Have spyware on your system: Not much a password manager can do if a keylogger gets your master password.

What password managers can do wrong

• Poor or no encryption: Sadly many companies are shit and have shit encryption, which is why we need password managers in the first place.
• Leak data on purpose: It's going to be pretty hard to find out if a manager doesn't secretly send either the master key or unencrypted passwords to an unwanted recipient

What third parties can do wrong

• Not require passwords: if your bank lets you make payments with your phone and a fingerprint rather than a password, a mugger only needs to take your phone and your finger. Maybe not even the finger considering prints present on the phone. Similar story for "security" questions. The easier it is for you to log in, the easier it is for someone else too.