What does the NCSC think of password managers?

Created:  24 Jan 2017
Updated:  24 Jan 2017
Author:  Emma W

People keep asking the NCSC if it's OK for them to use password managers (sometimes called password vaults). If so, which ones? Who should use them - private citizens, small businesses, massive enterprises? And how should people use them? Is it safe to put all your crucial passwords into a password manager, and forget trying to remember any at all?

This is a big topic, so we're chunking it up. This blog post explains what I think about password managers in general, and how I use them myself. This might be helpful if you're an individual deciding whether and how to use a password manager for your personal use. If you're looking for business use, this blog post won't hold all the answers you need (look out for more from the NCSC on this soon).

 

Should I use a password manager?

Yes. Password managers are a good thing.

They give you huge advantages in a world where there are far too many passwords for anyone to remember. For example:

  • they make it easy for you to use long, complex, unique passwords across different sites and services, with no memory burden
  • they are better than humans at spotting fake websites, so they can help prevent you falling for phishing attacks
  • they can generate new passwords when you need them and automatically paste them into the right places
  • they can sync your passwords across all your devices, so you’ll have them with you whether you’re on your laptop, phone or tablet

All these things are full of win. They reduce security friction - making security easier and more convenient. If security is difficult, tedious, appears to add no value or gets in the way of the main task we're trying to do, then we tend to find (insecure) ways around it. And then we end up less protected.

 

Well, that all sounds great. Where's the catch?

You might be thinking "If password managers are this good, why haven't you recommended them before now?"

Well, they do have some drawbacks:

  • Password managers are attractive targets in themselves. They've been successfully attacked in the past, and realistically they will be again. So all your passwords could get stolen in one go.
  • If you forget the master password for your password manager, you will not be able to get back in. You will have to try and access all your accounts individually, or recreate/reset them from scratch. This will hurt.
  • You can't use them for everything. Some service providers (such as certain banks) don’t support the use of password managers. If you tell them you’ve put your banking passwords into one (or written them down in any way at all) they might not give you your money back if you are the victim of cyber crime. If your bank is one that takes this stance, you'll need to think about how you’re going to manage critical passwords without writing them down. On the brighter side, this is much easier to do once you've got most of your passwords out of your head and into the password manager.

 

Should I use a browser-based password manager?

Many web browsers now come with password managers built in, and they can be a very good choice. They are very convenient to use, as they are fully integrated with the web browser - so they know when you're on a website that needs a password, and they just pop up and do their thing. You don't even have to remember a separate master password. So feel free to use the built-in password manager, provided that:

  1. You keep your web browser up-to-date.
  2. You have some kind of access control on your device such as a PIN/password/biometric

    ...two things you should be doing anyway!

 

One drawback with browser-based password managers is that your passwords may not automatically sync between all your devices if these use different operating systems. So, if you have a Windows laptop, an iPad and an Android smartphone, your passwords may not follow you around everywhere - unless you use the same web-browser on all your devices and log into it. Also, if more than one person uses a device on the same user profile, they would all have access to the same password-protected content. You may not want that.

 

Should I use a standalone password manager?

Compared to browser-based managers, standalone password managers tend to do a better job of keeping your passwords available to you on all your different devices, no matter what platform they're on. They give you a little more control over when and where you use your passwords, as you get to press a button to say 'I want to use the password please', rather than the web page in the browser requesting one when it feels like it.

Importantly, with a standalone password manager you do have to create and remember a long master passphrase (unlike with a browser-based one). Standalone password managers may also include more advanced features, such as:

  • notifications about compromised websites
  • flagging up reused or weak passwords
  • prompting you to change old passwords*
  • helping you change passwords for some websites, by integrating with your browser
  • multi-factor authentication

 

How do I do this, then?

As with many things, there are lots of different ways of going about this. This is what I do myself:

  1. First, try and cut down the number of passwords in your life, and reduce how much you rely on those passwords to prove who you are. Use multi-factor authentication or single sign-on where available. For infrequently-used passwords, use a password reset mechanism when you need to log in (instead of making any attempt to recall or store the password). But take really good care of the email account that the password reset emails are sent to.
  2. Consider biometrics. Fingerprint readers on smartphones are generally good enough to protect your phone and the data on it, and they are very usable. So feel free to use them. Turn on encryption (if it's not already on) for extra protection.
  3. Decide whether to use a browser-based or a standalone password manager. Personally, I use both, for different things.
  4. If you use a standalone password manager, make its master passphrase the best you possibly can. We suggest a passphrase rather than a password as it's much easier to make it really long, and adding length gives much more protection than adding complexity. Make it hard for someone who knows you to guess in 20 attempts, and make it totally different from any password or passphrase you’ve ever used anywhere else.
  5. Memorise your passphrase. Yes, you really do have to, sorry! If it helps, write it on a piece of paper until it’s firmly lodged in your memory. Keep the piece of paper very safe, and destroy it when you’ve memorised the password.
  6. Don’t put any work passwords into your personal password manager unless you’ve got permission from your employer.
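As an added illustration of the "reused or weak passwords" checks a standalone manager performs, and of the length-versus-complexity point in step 4, here is a small vault audit in Python. It is example code written for this post, not NCSC's or any product's; the vault format (a list of site/password entries) and the sample entries are constructed.

```python
"""Audit a password-manager export for reused and weak entries (added example)."""
import math
import string
from collections import defaultdict

# Constructed sample vault for demonstration only; these are not real credentials.
SAMPLE_VAULT = [
    {"site": "forum.example",  "password": "Tr0ub4dor&3"},
    {"site": "shop.example",   "password": "Tr0ub4dor&3"},             # reused
    {"site": "news.example",   "password": "summer2017"},              # short and weak
    {"site": "photos.example", "password": "ximavornegletbowtoasting"},  # long, lowercase only
    {"site": "mail.example",   "password": "q7$Lm!9zRb2&Vw"},          # generator output
]


def charset_size(pw: str) -> int:
    """Size of the union of standard character classes that pw draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33  # 32 punctuation characters plus space
    return size or 1


def entropy_bits(pw: str) -> float:
    """Brute-force search space in bits: length * log2(charset).

    This is an upper bound that treats every character as random; a dictionary
    word or a predictable pattern is far weaker than this number suggests.
    """
    return len(pw) * math.log2(charset_size(pw))


def audit_vault(vault, min_len: int = 12, min_bits: float = 60.0) -> dict:
    """Return {site: [findings]} for entries that are reused, short or weak."""
    findings = defaultdict(list)
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["site"])
    # Reuse: the same secret protecting more than one account.
    for sites in by_password.values():
        if len(sites) > 1:
            for site in sites:
                others = ", ".join(s for s in sites if s != site)
                findings[site].append("reused on " + others)
    # Length and estimated strength. Note that the long lowercase passphrase
    # passes while the short all-classes password does not: length beats complexity.
    for entry in vault:
        pw = entry["password"]
        if len(pw) < min_len:
            findings[entry["site"]].append(f"short ({len(pw)} chars)")
        if entropy_bits(pw) < min_bits:
            findings[entry["site"]].append(f"weak ({entropy_bits(pw):.0f} bits)")
    return dict(findings)


if __name__ == "__main__":
    for site, notes in audit_vault(SAMPLE_VAULT).items():
        print(site, "->", "; ".join(notes))
```

Real managers apply the same idea but with far better strength estimators (wordlists, leaked-password sets); the thresholds here are arbitrary assumptions.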

 

Finally, think about how important each account's password is to you. If someone discovered this password, would it result in

  • your life being ruined?
  • your bank refusing to refund any losses?

If the answer to either is 'yes', then I wouldn’t put it in a password manager. For these cases, a password shouldn't be the only thing that the security of your account rests on. So look at extra defences such as multi-factor authentication.

For other, less important accounts, having the password stolen might be massively inconvenient, but there would be no real permanent damage done. Passwords for these accounts should be OK to go into your password manager.

Some accounts have very low value. For instance, an online forum that requires a password, but doesn’t actually hold any personal information you care about. These passwords can be stored in a password manager without a second thought.

 

A future without passwords?

Long-term, I think the success of password managers shows - yet again - that password-based authentication has outstayed its welcome. Passwords are supposed to be 'something you know', but now we're saying the best way to manage them is not to know them (because your password manager knows them all for you). Passwords have taken us a long way, but now it's really time to move on.

The NCSC is working to help us all reduce our reliance on passwords, and to move towards a future where we make greater use of better, more secure, more usable authentication mechanisms instead. In the meantime, we're also working on some guidance on how best to use password managers in organisations - look out for this soon. 

Password managers are a good thing - for now. But we hope not forever.

 

*  We normally recommend against regularly changing passwords where there is no indication or suspicion of compromise - if you are trying to memorise them. The costs are greater than the benefits. However, remembering new passwords that are very different from the previous one isn't a problem for a password manager.

228 comments

Andrew W - 23 Nov 2017
Emma – thanks for the thought-provoking article and to others for a range of interesting comments.
There is, however, a glaring weakness in the overall conversation, which applies to myself also. That is that the majority of the participants in the discussion are pretty-to-very cyber-familiar and confident, whereas the huge majority of the population aren’t. And it’s almost certainly in the passwords of the “masses” that the greatest opportunities for malfeasance occur. Yes, the larger corporations or the richest SMEs are obviously good targets too but they are also more able to devote qualified and savvy resources to combatting the threats – and keep up to date with latest tools to do this.
I’m a fledgling business developer (not in the technical field, per se) and trying my darndest to both operate and keep my business secure – with not enough time or nous to spend on anything other than “layperson-friendly” advice.
I try to keep abreast with best practice – as participation here attests, courtesy of an article in the Telegraph – but what, I think, is needed is a constantly updated output from an authenticated source – ICSC seems the clear and obvious choice – of non-too-technical advice, including names of equally security-certified providers of the means for us in the “real world” to access and be able to understand and apply.
So, I earnestly ask that the government, through yourselves, addresses this ever-increasing problem from this standpoint, i.e. bearing in mind the likely level of competence – or should that read “incompetence” – of the average password holder.
Emma W - 29 Nov 2017
Hi, many thanks for your comment - it chimes with many of my own views. You're right, we need to get better at producing common-sense cyber security advice that people can understand without needing advanced degrees or years of experience working with computers. In the past, our industry has too often told people to do things they don't understand, with skills and tools they don't have, in time they can't spare - and then blamed those same people when they became victims of cyber crime, because they 'failed' to follow the advice that was actually the wrong advice for them all along.

As the NCSC, we’re busy working out how to do that better - and as you’d expect, we’re working with a variety of partners elsewhere in government and the wider public sector, industry and academia, to make sure we get it right. Hopefully the Small Business Guide https://www.ncsc.gov.uk/smallbusiness is providing some practical steps for SMEs to use.

In the meantime, I encourage individuals to use password managers if they can (the ones that come built into browsers are the easiest kind for most people) and if not, use passphrases made of three or four random words (whatever you can manage, and in proportion to the importance of the information you’re protecting). Use two factor (often called two step or 2FA) verification wherever you can. If you do nothing else, just don’t use the same password everywhere - no matter how uncrackable you think it is! Check out my colleague Ian’s blog post for more on this https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0

Nikolay Nikolaev - 13 Mar 2018
Hi Emma,
I have an elegant solution to this problem.
If you are interested please contact me.
Mr Paranoia - 28 Apr 2018
Briefly what is your elegant solution?
Alison Lafferty - 23 Nov 2017
Interesting Read
Lu - 23 Nov 2017
great advice
Jill - 28 Nov 2017
Good information.
Ed - 01 Dec 2017
Ironically, the future will probably be that you will video call your "bank manager", which will be a computer; he will ask you a few friendly questions while scanning your features, your words and reactions, and decide on the basis of that whether or not you are really you. It will not involve passwords; it will be scanning through all the data held, to make sure you really are you, and that you are not being forced to do this by others.
Exactly the same skills a bank manager would have used years ago....
Chris A - 13 Dec 2017
Ed - thanks for your comment.

Interestingly, this is describing what is often referred to as ‘behavioural biometrics’, an emerging biometric modality, which uses a combination of measurements of behaviour, directed actions and device diagnostics via a range of measurements from an individual’s device to verify identity during online transactions.

It is becoming increasingly popular, particularly in the finance and banking industry, and is likely to become more and more important in the next few years.

Chris A
Head of Identity in Government
Dave R - 05 Dec 2017
The entire - and only - reason to use a password manager is to hold passwords for online services.
Therefore, it naturally follows that the password manager is - or can be - online too.

Personally, I don't trust ANY password manager* not to pass my details to an unauthorised 3rd party - whether the authors/sellers intended it to or not...

*Unless I wrote it, but even then, how do I guarantee that it hasn't been modified without my knowledge?
Visual Artist - 24 May 2018
That's very true and sensible advice. So why aren't you working for this NCSC outfit!?
j garwell - 27 Dec 2017
very informative
Bud - 05 Jan 2018
I wish I’d have known about this site earlier! I’m simply an elderly consumer who started using a shredder before most people had heard of them, and continued to be extremely careful with all computer-related personal information. As others have commented, I think we need the NCSC to be able to relate in some way with ordinary consumers to reinforce personal security on computer-related uses. I think I will start to do this in my own small way by holding classes in my local Volunteer Centre, it will be a start!
brianball - 15 Jan 2018
this is very good work
len - 15 Jan 2018
Great information and useful
James - 18 Jan 2018
Great work! I wish I’d have read this article earlier! And I am very curious about the situation of password management in small and medium businesses. Will you share me some information about it maybe in the future?
stephen.miller - 20 Jan 2018
Very helpful; brings attention to risks highlighted, will make working practice safer.
mike C - 25 Jan 2018
An extremely useful--but panic-inducing--article; I wish I'd come across this website sooner. I thought I was doing OK with regard to security, but this blog and the replies it has generated has shown me that I still have a way to go to become secure.

I have a major problem, though. My wife and future widow--quite some time in the future, I hope, but one never knows--will need what amounts to a User Manual to guide her through the maze of passwords to access our joint bank accounts.

Does anyone have any thoughts on how to safely generate and store such a document?

Such a guide would break the "Don't-write-anything-down" rule--a rule I've managed to obey for decades--but I am increasingly of the opinion that the balance has shifted and a cyber-attack on my digitally held data (with or without a password manager) is now more likely to occur than is a house break-in. My wife is even less computer-savvy than I am, and how she will cope in the event of my death is a major source of anxiety for her.
Emma W - 31 Jan 2018
Hi Mike, thanks for getting in touch.

Password issues certainly can be tricky to navigate in practice. We do now recommend writing passwords down, as long as you safeguard them appropriately – as we recognise that this really helps people to use longer, stronger and more different passwords for their important accounts. So writing your login details down, on a piece of paper that you keep safe at home, can often be a good idea.

We suggest obfuscating the written usernames and passwords if you can, to make them a less recognisable/tempting target for theft. Personally, I’d favour a scruffy bit of paper in the back of a folder over one of those password books you sometimes see on sale! However, going to great lengths to hide your data from baddies might also mean hiding it from legitimate users, which has its own problems. So as always in security, it’s about striking the right balance for you.

You also need to make sure you are following the terms and conditions set out by your account service providers. These sometimes prohibit writing down and sharing login details. In the case of bereavement, major financial service providers should have sensible ways of helping the surviving partner through these issues. However, in practice I know this doesn’t always work as smoothly as we might hope – and might not be available for ALL the different accounts you use.
gillian anderson - 11 May 2018
Very helpful and useful information which I will share with my colleagues, thank you.
christine grace - 26 Jan 2018
very useful information
Steve P - 29 Jan 2018
Very useful article, honest, balanced and pragmatic. Thank you.
P.Saunders - 31 Jan 2018
Amazing how many different replies; interesting how many vary from one person to another.
rita edwards - 06 Feb 2018
very helpful
Dan H - 07 Feb 2018
Is there any official guidance on products to use within Government departments or should security leads within departments give guidance on such use of tools?

Specifically for use between suppliers and civil servants, I know that some departments use passwordstore.org, which is a gpg-based system.
Emma W - 26 Feb 2018
Hi Dan. There are a number of different types of password managers available; these can be: on-device (which store password data locally on a single device), browser-based (which are fully integrated with web browsers, and can sync data across all devices where that web browser is used), and cloud-sync (which store password data on a remote server and allow you to access it from any of your devices).

Regardless of the type used, people need to consider how the password manager: (1) protects credentials, (2) implements the ‘autofill’ browser extension, (3) generates passwords, and (4) secures data at rest. The NCSC will be publishing guidance on this soon.
sheela - 08 Feb 2018
Didn't know about password managers. Thanks for the enlightenment.
linda jane brown - 08 Feb 2018
the information is helpful but lengthy
Maria Dvison - 12 Feb 2018
very useful
Brian G - 15 Feb 2018
Interesting discussions here. I have three points to make. Firstly, I would be reluctant to tell people on an open forum what password manager I use, as it could be useful information for an attacker. Secondly, as you said in your article, it's easier to remember a long password if it's actually a passphrase. Thirdly, I am not against initially writing down passwords on bits of paper, but I would write down a hint at what the password is rather than the actual password itself. Alternatively, add a bit of salt. Add a few extra characters just to confuse any criminal types.
Lyn Buckingham - 16 Feb 2018
Helpful but needs condensing more
satish misal - 17 Feb 2018
useful
MK - 18 Feb 2018
I would rather use my own password as more secure to me.
Visual Artist - 24 May 2018
Yes, more secure than password generators.
MB - 21 Feb 2018
I use a browser password manager, protected with a master password, for non-critical passwords. I tried a stand-alone password manager for more critical passwords for a few days, but just wasn't happy and scrapped the idea after a few sleepless nights. I just felt they make too tempting a target for hackers for *me* to feel safe storing anything critical in them. I stress the *me*, because I'm really only a security amateur, and can't be certain that there isn't a potential exploit lurking somewhere in our IT infrastructure, or the way we use it. I feel safest with 2FA, particularly when it's using something like a YubiKey (rather than SMS), and took advantage of that by moving our email (and office software) into G Suite and issuing everybody with YubiKeys, as the implementation seems not too bad. Anyway, we are where we are, but it's a pretty big mess at the moment IMO. I can see me getting absorbed into Internet2, as we are forced to retreat behind Google's ever-expanding infrastructure for protection.
Joe - 22 Feb 2018
Good information
Antonio - 27 Feb 2018
excellent material
ANTONIO - 27 Feb 2018
that was a very helpful study material
kath - 28 Feb 2018
very informative
Dawn - 02 Mar 2018
Thank you I found this useful
Liz Lavin - 02 Mar 2018
Interesting and informative.
lgray - 04 Mar 2018
good advice
Andrea - 05 Mar 2018
Very informative, for sure.
Visual Artist - 24 May 2018
Indeed.
Lisa Kempton - 08 Mar 2018
Useful
wendi - 13 Mar 2018
got a few good tips from this
Belco - 13 Mar 2018
The subject was interesting and made me know more on the above topic
logmeonce - 15 Mar 2018
I gained great knowledge about passwords. Thanks for sharing this article with us. Keep it up.
beverleyrose - 17 Mar 2018
good idea
Ann Halligan - 21 Mar 2018
Interesting information