Blog post

What does the NCSC think of password managers?

Created:  24 Jan 2017
Updated:  24 Jan 2017
Author:  Emma W

People keep asking the NCSC if it's OK for them to use password managers (sometimes called password vaults). If so, which ones? Who should use them - private citizens, small businesses, massive enterprises? And how should people use them? Is it safe to put all your crucial passwords into a password manager, and forget trying to remember any at all?

This is a big topic, so we're chunking it up. This blog explains what I think about password managers in general, and how I use them myself. This might be helpful if you're an individual deciding whether and how to use a password manager for your personal use. If you're looking for business use, this blog post won't hold all the answers you need (look out for more from the NCSC on this soon).

 

Should I use a password manager?

Yes. Password managers are a good thing.

They give you huge advantages in a world where there are far too many passwords for anyone to remember. For example:

  • they make it easy for you to use long, complex, unique passwords across different sites and services, with no memory burden
  • they are better than humans at spotting fake websites, so they can help prevent you falling for phishing attacks
  • they can generate new passwords when you need them and automatically paste them into the right places
  • they can sync your passwords across all your devices, so you’ll have them with you whether you’re on your laptop, phone or tablet

All these things are full of win. They reduce security friction - making security easier and more convenient. If security is difficult, tedious, appears to add no value or gets in the way of the main task we're trying to do, then we tend to find (insecure) ways around it. And then we end up less protected.
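The second bullet above (password managers are better than people at spotting fake websites) comes down to a simple rule: a saved credential is offered only when the page's origin (scheme, host and port) matches the origin it was saved on exactly, so a lookalike hostname never gets it. The following is an added illustration of that rule, not code from this post or from any particular password manager; the vault contents are constructed placeholders and `lookalike_warning` is a deliberately simple heuristic, not a real product's logic.

```python
from urllib.parse import urlsplit

# Constructed sample vault: each saved credential is keyed by the exact
# origin (scheme, host, port) it was saved on. Values are placeholder usernames.
VAULT = {
    ("https", "accounts.example.com", 443): "alice@example.com",
    ("https", "bank.example", 443): "alice",
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def credential_for(url: str):
    """Offer a saved credential only when the page origin matches exactly.

    A human reads 'accounts.example.com' somewhere in the address bar and
    relaxes; this function compares the whole origin, so
    'accounts.example.com.evil.test' or a different port gets nothing.
    """
    origin = origin_of(url)
    if origin[0] != "https":
        return None  # never fill a saved password over plaintext HTTP
    return VAULT.get(origin)


def lookalike_warning(url: str):
    """Return the saved host that a non-matching host resembles, if any.

    Illustrative heuristic only: flags a host that embeds a saved host as a
    substring (e.g. saved host used as a subdomain of an attacker's domain)
    or that equals a saved host once hyphens are read as dots.
    """
    host = origin_of(url)[1]
    for (_, saved_host, _) in VAULT:
        if host == saved_host:
            continue
        if saved_host in host or host.replace("-", ".") == saved_host:
            return saved_host
    return None


if __name__ == "__main__":
    for url in ("https://accounts.example.com/login",
                "https://accounts.example.com.evil.test/login",
                "http://accounts.example.com/login",
                "https://bank.example:8443/"):
        print(url, "->", credential_for(url), "| lookalike of:", lookalike_warning(url))
```

Browsers and standalone managers differ in the details (some also allow explicit per-entry overrides), but the exact-origin comparison is the property that makes them resistant to the lookalike domains that fool people.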

 

Well, that all sounds great. Where's the catch?

You might be thinking "If password managers are this good, why haven't you recommended them before now?"

Well, they do have some drawbacks:

  • Password managers are attractive targets in themselves. They've been successfully attacked in the past, and realistically they will be again. So all your passwords could get stolen in one go.
  • If you forget the master password for your password manager, you will not be able to get back in. You will have to try and access all your accounts individually, or recreate/reset them from scratch. This will hurt.
  • You can't use them for everything. Some service providers (such as certain banks) don’t support the use of password managers. If you tell them you’ve put your banking passwords into one (or written them down in any way at all) they might not give you your money back if you are the victim of cyber crime. If your bank is one that takes this stance, you'll need to think about how you’re going to manage critical passwords without writing them down. On the brighter side, this is much easier to do once you've got most of your passwords out of your head and into the password manager.

 

Should I use a browser-based password manager?

Many web browsers now come with password managers built in, and they can be a very good choice. They are very convenient to use, as they are fully integrated with the web browser - so they know when you're on a website that needs a password, and they just pop up and do their thing. You don't even have to remember a separate master password. So feel free to use the built-in password manager, provided that:

  1. You keep your web browser up-to-date.
  2. You have some kind of access control on your device such as a PIN/password/biometric

    ...two things you should be doing anyway!

 

One drawback with browser-based password managers is that your passwords may not automatically sync between all your devices if these use different operating systems. So, if you have a Windows laptop, an iPad and an Android smartphone, your passwords may not follow you around everywhere - unless you use the same web-browser on all your devices and log into it. Also, if more than one person uses a device on the same user profile, they would all have access to the same password-protected content. You may not want that.

 

Should I use a standalone password manager?

Compared to browser-based managers, standalone password managers tend to do a better job of keeping your passwords available to you on all your different devices, no matter what platform they're on. They give you a little more control over when and where you use your passwords, as you get to press a button to say 'I want to use the password please', rather than the web page in the browser requesting one when it feels like it.

Importantly, with a standalone password manager you do have to create and remember a long master passphrase (unlike with a browser-based one). Standalone password managers may also include more advanced features, such as:

  • notifications about compromised websites
  • flagging up reused or weak passwords
  • prompting you to change old passwords*
  • helping you change passwords for some websites, by integrating with your browser
  • multi-factor authentication

 

How do I do this, then?

As with many things, there are lots of different ways of going about this. This is what I do myself:

  1. First, try and cut down the number of passwords in your life, and reduce how much you rely on those passwords to prove who you are. Use multi-factor authentication or single sign-on where available. For infrequently-used passwords, use a password reset mechanism when you need to log in (instead of making any attempt to recall or store the password). But take really good care of the email account that the password reset emails are sent to.
  2. Consider biometrics. Fingerprint readers on smartphones are generally good enough to protect your phone and the data on it, and they are very usable. So feel free to use them. Turn on encryption (if it's not already on) for extra protection.
  3. Decide whether to use a browser-based or a standalone password manager. Personally, I use both, for different things.
  4. If you use a standalone password manager, make its master passphrase the best you possibly can. We suggest a passphrase rather than a password as it's much easier to make it really long, and adding length gives much more protection than adding complexity. Make it hard for someone who knows you to guess in 20 attempts, and make it totally different from any password or passphrase you’ve ever used anywhere else.
  5. Memorise your passphrase. Yes, you really do have to, sorry! If it helps, write it on a piece of paper until it’s firmly lodged in your memory. Keep the piece of paper very safe, and destroy it when you’ve memorised the password.
  6. Don’t put any work passwords into your personal password manager unless you’ve got permission from your employer.
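Two of the points above are easy to see in working code: step 4's claim that length adds far more protection than character complexity, and the "generate new passwords for you" feature that makes step 4 practical for every account except the master passphrase. The following is an added example written for this page, not code from the NCSC or from any password manager; the word list is a constructed stand-in for a real one, and the 7776-word list size used in the comparison is an assumption (the size of a common diceware-style list), not a figure from the post.

```python
import math
import secrets
import string

# Constructed word list for demonstration. A real generator uses a list of
# a few thousand words; only the list size matters for the strength estimate.
WORDS = ["apple", "bridge", "candle", "dragon", "ember", "forest", "glacier",
         "harbour", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
         "orbit", "pepper", "quartz", "river", "saddle", "tunnel"]

# 94 printable ASCII characters (letters, digits, punctuation).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(words, count=4, sep=" "):
    """Pick `count` words uniformly at random using the CSPRNG in `secrets`."""
    if not words:
        raise ValueError("word list is empty")
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_password(length=16, alphabet=FULL_ALPHABET):
    """Random password of `length` characters; the manager stores it, you never type it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, length):
    """Bits of entropy for `length` independent uniform picks from `choices` options.

    Each extra element multiplies the search space by `choices`, so the bits
    grow linearly with length but only logarithmically with alphabet size.
    """
    return length * math.log2(choices)


def strength_table(word_list_size=7776):
    """Compare a few configurations; shows length beating complexity."""
    return {
        "8 chars, 94-symbol alphabet": entropy_bits(94, 8),
        "16 chars, lowercase letters only": entropy_bits(26, 16),
        "3 random words": entropy_bits(word_list_size, 3),
        "4 random words": entropy_bits(word_list_size, 4),
        "5 random words": entropy_bits(word_list_size, 5),
    }


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(WORDS, 4))
    print("password:  ", generate_password(16))
    for label, bits in strength_table().items():
        print(f"{label:36s} {bits:5.1f} bits")
```

Two design points worth noticing: the generator uses `secrets`, not `random`, because the latter is not a cryptographic source; and the table makes the trade-off concrete: sixteen lowercase letters (about 75 bits) comfortably beat eight characters drawn from the full 94-symbol set (about 52 bits), and each extra random word adds about 13 bits, which is why a long passphrase is the right choice for the one secret you must memorise.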

 

Finally, think about how important each password is to you for each account. If someone discovered this password, would it result in

  • your life being ruined?
  • your bank refusing to refund any losses?

If the answer to either is 'yes', then I wouldn’t put it in a password manager. For these cases, a password shouldn't be the only thing that the security of your account rests on. So look at extra defences such as multi-factor authentication.

For other, less important accounts, having the password stolen might be massively inconvenient, but there would be no real permanent damage done. Passwords for these accounts should be OK to go into your password manager.

Some accounts have very low value. For instance, an online forum that requires a password, but doesn’t actually hold any personal information you care about. These passwords can be stored in a password manager without a second thought.

 

A future without passwords?

Long-term, I think the success of password managers shows - yet again - that password-based authentication has outstayed its welcome. Passwords are supposed to be 'something you know', but now we’re saying the best way to manage them is not to know them (because your password manager knows them all for you). Passwords have taken us a long way, but now it's really time to move on.

The NCSC is working to help us all reduce our reliance on passwords, and to move towards a future where we make greater use of better, more secure, more usable authentication mechanisms instead. In the meantime, we're also working on some guidance on how best to use password managers in organisations - look out for this soon. 

Password managers are a good thing - for now. But we hope not forever.

 

*  We normally recommend against regularly changing passwords where there is no indication or suspicion of compromise - if you are trying to memorise them. The costs are greater than the benefits. However, remembering new passwords that are very different from the previous one isn't a problem for a password manager.

51 comments

Mark T - 25 Jan 2017
Great article. It follows the advice I have been providing to the members of my organisation, <145,000 globally.
Lennox M - 25 Jan 2017
Using password managers is a bad idea. There is no such thing as 100% security and it will only be a matter of time before the services are compromised.
Matt - 14 Feb 2017
Utter rubbish - my password manager is stored on an encrypted drive and not pushed up to the "cloud (aka someone else's computers!)".

It's secured by a complex password. And because it's local, crack all the services you like, you're not getting near it. The volume it's on is mounted when I need it and unmounted when I don't.

Don't spread misinformation when you are ill informed.
Ian F - 21 Mar 2017
Both of these comments make for sad reading.

No-one (least of all the author) said password managers were foolproof. The article states that they are useful in low risk scenarios, and help to make remembering your important passwords easier. They are also designed to be accessible - if your password manager is on a volume that needs to be mounted every time it needs to be used then it doesn't fit the accessible check box.

I think the article is spot on: Are they good? Yes. Should you exercise caution? Yes.
Peter o - 05 May 2017
The comment of Lennox appeared to me to be plain stupid, all the more because no practical alternative was suggested.
Then Matt suggests a complex approach that you can almost guarantee only he will ever use.
For heaven's sake, we need easy to implement procedures that ordinary people can use.
Personally although I have been "keyboarding" (can't call it typing) I have difficulty even typing in successfully "difficult" passwords. I frequently do copy paste especially when LastPass fails to make the necessary entries automatically. Even Password Managers don't function reliably!
I could go on but what's the point?
Chris B - 19 Aug 2017
I wholeheartedly disagree with you here. You are much more likely to reuse passwords, or at least have patterns in your passwords, if you aren't using a password manager. The security of all your other accounts could boil down to some forum that a kid made in their spare time.... not very secure. At least with a proper password management service their entire business is built around security so they will be investing heavily in it.
Robin ottawa - 26 Jan 2017
Over the years of accumulating passwords I have changed phones and laptops many times. Many of these changes don't allow the migration of the passwords or the manager. But it sounds like you can do it now. Hopefully we won't have to put up with this Mickey Mouse situation much longer.
Jorge - 28 Jan 2017
I was on board with this until it said "full of win", then you lost me.
Matthew Ravden - 01 Feb 2017
I'm looking forward to your interpretation of this subject for business. Businesses seem to think that password vaults prevent data breaches, but in fact (as you said) they simply become the target. If a hacker 'owns' a system administrator's workstation, then no password management system will prevent a breach. We need to look WAY beyond passwords when it comes to breach prevention in the corporate world.
Emma W - 07 Feb 2017
You're absolutely right - password managers will never be a one-shot solution to all password-related problems, but we do think they can help organisations manage some significant password-related risks. As always, we'll say what we think about the advantages and drawbacks and then it will be up to customers to decide the most appropriate solution for their particular circumstances.
Brian E - 14 Feb 2017
I wonder about browser storage of password information. I use Chrome and let it sync bookmarks between devices. But it also stores passwords and log-in details and, as this information is also synced between devices, it must be transmitted over the internet. Is that data safe? If not, does that mean that we should never let a browser store a password?
Bill - 14 Feb 2017
Good article thanks...

I'm thinking of changing my codes and a phrase is the way to go!

For companies, in my opinion, they need more security questions to choose from.
The answers should be able to ignore upper or lower case errors and spaces.... so many times I have to reset for that reason.
Matt - 14 Feb 2017
"If your bank is one that takes this stance, you'll need to think about how you’re going to manage critical passwords without writing them down"

Or change banks. It's also very annoying when organisations enforce poor password strength requirements limited to 12 characters max..... come on we can do better than this!
John A - 20 Feb 2017
It occurs to me that a useful service the NCSC could provide would be a certification process for password managers (and perhaps other security software). In the case of password managers, I suppose that would be a combination of approving their technical quality (i.e. they don't commit any known security boo-boos), and also ensuring that they are not themselves malware (e.g. secretly uploading all passwords to dodgy.org).
Emma W - 22 Feb 2017
Hi John. We are hoping to produce some more detailed guidance on things to look for when considering password managers, and depending on the feedback we get for this, we would definitely consider incorporating password management as a category into one of our assurance schemes in the future.
Richard Bartlett - 16 Mar 2017
It looks like Tavis has made your job just that little bit harder this morning! (He's publishing a vulnerability in LastPass Mozilla Addon current v3.3.2, which is for some reason the latest version available on addons.mozilla.org, despite the latest LastPass addon from their site being 4.1.35).
Jez - 23 Mar 2017
Good idea to use a password manager, simply because it allows you to use longer/stronger passwords. I keep my database offline; only loading it temporarily, as and when I need it.

I now use a PM for all of my passwords - After all, I want the strongest passwords possible for my most important (financial) accounts and do not want to have to memorise them.
Alex - 18 May 2017
Not all password managers are attractive targets for hackers. Bluink Key (bluink.ca) is an offline password manager that encrypts passwords on your smartphone and logs you in to anything automatically. Nothing is stored in the cloud (unlike other large password managers).
Emma W - 13 Jun 2017
It’s true that password managers that use cloud services to store/synchronise your credentials have additional attack surface. But a password manager is always an attractive target, regardless of which features it supports. Ones like Bluink Key that integrate with web browsers still have to accurately validate a website’s identity and ensure they don’t expose any unintended functionality- such as allowing a malicious or compromised website to extract credentials from the password store.

All in all, we believe password managers are a worthwhile addition to the cyber security toolbox – but like any other tool, they can’t be guaranteed risk-free.
Alex - 13 Jun 2017
You're right that no tool is guaranteed risk-free. However, online password managers are much more attractive for hackers to target than offline password managers.

Online password managers are attractive targets because they store the passwords of millions of people in one location in the cloud, which can be attacked remotely. In contrast, offline password managers locally store passwords on each individual user's device, which can only be attacked if the hacker has physical control over the device. Therefore, targeting online password managers is more feasible and profitable than hacking offline password managers, which I think makes online password managers attractive targets and offline password managers unattractive targets in comparison.

Bluink Key does not integrate with web browsers. It locally encrypts and stores login credentials offline in the smartphone app and sends them over an encrypted Bluetooth connection to the Bluink Key USB device, which uses keyboard automation to log in on the computer. It also includes FIDO Universal Second Factor authentication and one time passwords to increase security. While it isn't guaranteed risk-free, I do strongly believe that it has serious advantages over other password managers.
Ishaan P - 22 Aug 2017
Many online managers (such as LastPass) send passwords to the cloud AFTER encrypting them locally, so I don't see any different risk level if it's the risk of password compromise we are talking about. Other than that, the main app (extension, thick client etc.) still needs to be hard enough to withstand different types of attacks - which we know is only a matter of time.
Peter H - 07 Sep 2017
Re: A future without passwords? Has the NCSC looked at the SQRL protocol at grc.com ~ sqrl ~ sqrl.htm yet?
John Hayes - 18 Oct 2017
hello Peter, that is pretty cool. thanks for sharing.
Carl Connor - 18 Sep 2017
Fantastic article. Password managers are great for applications and browsers, such as LastPass (Secured with my Iris scanner would be ideal). Those with a few more pennies can always invest in privileged access management tools such as C.A or CyberArk but they won't cover your browsers. Personally, I don't keep the crown jewels in my shed, if you catch my drift
Stuart Smiles - 20 Sep 2017
what about credentials/encryption recovery keys for windows and phones, and guides to make it easy to store such important details?

- lots of people don't know what they don't know till they're presented with "can't get in" and all your data is gone because the keys weren't kept from setup, or the phone isn't backed up automatically,
whilst probably less secure, at least there is a way to get to stuff, rather than being so secure you can't get info needed when you want it, or lose a device and everything is gone forever.

backup solutions for critical data, use of onedrive, google docs or other online services for maintaining access to information across devices.
Andrew A - 09 Nov 2017
Thanks for the comment Stuart. With Windows, you can only turn disk encryption on if you save the backup key somewhere. On consumer editions it backs up into your Microsoft account (symmetric cloud-managed encryption authenticated against password and optional MFA token). On Enterprise editions it either backs up to an encrypted database on a server (in your datacenter or in Azure in the cloud). If that’s not available then it offers you to print the recovery key or save it unencrypted in a text file.

I’d suggest that storing that recovery key in a password manager should be at least as secure as the best of those options, so go for it?

Another angle is that on a personal level, the cloud has more of my personal/sensitive data than my computer does. Therefore if I’m happy to use a password manager to protect those cloud accounts then I should be happy to use it to protect the storage on my device.
Dan Shephard - 20 Sep 2017
Password managers are great for most applications and are even more secure when two factor authentication is enabled. I'd rather have a simpler password/phrase and have to provide a code from a phone/usb 2FA key.
pj - 22 Sep 2017
I would rather create my own password. I feel more secure and sure, and can be sure I am the only one who knows it. It will be stored in my head and not in the cloud or on the internet.
Stephen Humphreys - 04 Oct 2017
you need passwords
stephen thorogood - 04 Oct 2017
thanks i found this information useful
graham - 09 Oct 2017
Looking forward to the business guidance and further discussion of web based vs standalone, and treatment of privileged accounts at reasonable cost.
sue shinton - 17 Oct 2017
yes very helpful
laura glazzard - 23 Oct 2017
yes this was useful
bhatia - 25 Oct 2017
good helpful article
Stephen Pearce - 25 Oct 2017
Thank you for such a comprehensive, sensible and well-written article. My colleague and I run LastPass workshops for members of our computer club in West Sussex and we will certainly incorporate your advice in future workshops. At a personal level, I have been storing all passwords in LastPass although I do use multi-factor authorisation for key services. I also store details of credit cards and passwords for telephone banking. Having read your advice I think I will remove those last two items from the LastPass vault.

One other benefit of using a password manager is their role in providing a digital legacy. I am getting on in years and want to be sure my family can access key accounts should I become incapacitated or die. I have set up lasting powers of attorney for them but the password vault is an essential adjunct.
marie ashton - 27 Oct 2017
useful information
Duk - 27 Oct 2017
Never used sources of password generation. May use them in future
C.Sonley - 02 Nov 2017
Well written article
gordon mcnie - 03 Nov 2017
very interesting
carol - 07 Nov 2017
very useful information
Irena - 07 Nov 2017
I prefer to use my own password.
Paul - 09 Nov 2017
Any thoughts on storing password hints in a password manager? Rather than storing work related or banking passwords.
Emma W - 09 Nov 2017
You could do this, but it means you’re left still needing to be able to recall/derive the password from the password hint – thus taking away part of the point of using a password manager to begin with (to lift that memory burden, so you can use better passwords). And if you can get the password from the password hint, an attacker who compromises your password manager probably can too.

I also suspect that if your bank has told you they don’t want you to put your banking passwords into a password manager, they are unlikely to look much more kindly on you storing the hint instead. So I’d say that on balance, the effort of storing hints versus passwords is probably not that worthwhile.

Put that effort into enabling two-step verification everywhere you can, instead! :).
ji - 21 Nov 2017
Good advice
Andrew W - 23 Nov 2017
Emma – thanks for the thought provoking article and to others for a range of interesting comments.
There is, however, a glaring weakness in the overall conversation, which applies to myself also. That is that the majority of the participants in the discussion are pretty-to-very cyber-familiar and confident, whereas the huge majority of the population aren’t. And it’s almost certainly in the passwords of the “masses” that the greatest opportunities for malfeasance occur. Yes, the larger corporations or the richest SMEs are obviously good targets too but they are also more able to devote qualified and savvy resources to combatting the threats – and keep up to date with latest tools to do this.
I’m a fledgling business developer (not in the technical field, per se) and trying my darndest to both operate and keep my business secure – with not enough time or nous to spend on anything other than “layperson-friendly” advice.
I try to keep abreast with best practice – as participation here attests, courtesy of an article in the Telegraph – but what, I think, is needed is a constantly updated output from an authenticated source – ICSC seems the clear and obvious choice – of non-too-technical advice, including names of equally security-certified providers of the means for us in the “real world” to access and be able to understand and apply.
So, I earnestly ask that the government, through yourselves, addresses this ever-increasing problem from this standpoint, i.e. bearing in mind the likely level of competence – or should that read “incompetence” – of the average password holder.
Emma W - 29 Nov 2017
Hi, many thanks for your comment - it chimes with many of my own views. You’re right, we need to get better at producing common-sense cyber security advice that people can understand without needing advanced degrees or years of experience working with computers. In the past, our industry has too often told people to do things they don’t understand, with skills and tools they don’t have, in time they can’t spare - and then blamed those same people when they became victims of cyber crime, because they ‘failed’ to follow the advice that was actually the wrong advice for them all along.

As the NCSC, we’re busy working out how to do that better - and as you’d expect, we’re working with a variety of partners elsewhere in government and the wider public sector, industry and academia, to make sure we get it right. Hopefully the Small Business Guide https://www.ncsc.gov.uk/smallbusiness is providing some practical steps for SMEs to use.

In the meantime, I encourage individuals to use password managers if they can (the ones that come built into browsers are the easiest kind for most people) and if not, use passphrases made of three or four random words (whatever you can manage, and in proportion to the importance of the information you’re protecting). Use two factor (often called two step or 2FA) verification wherever you can. If you do nothing else, just don’t use the same password everywhere - no matter how uncrackable you think it is! Check out my colleague Ian’s blog post for more on this https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0

Alison Lafferty - 23 Nov 2017
Interesting Read
Lu - 23 Nov 2017
great advice
Jill - 28 Nov 2017
Good information.
Ed - 01 Dec 2017
Ironically the future will probably be that you will video call your "bank manager", which will be a computer; he will ask you a few friendly questions while scanning your features, your words and reactions and decide on the basis of that whether or not you are really you. It will not involve passwords; it will be scanning through all the data held, to make sure you really are you, and that you are not being forced to do this by others.
Exactly the same skills a bank manager would have used years ago....
