
How Password Management Software Works


Additional Risks

So far, the risks we've detailed affect all types of password management software uniformly. Each type we listed earlier, though, comes with some additional hazards.

One threat to any software that stores passwords locally is malware. Each application on your computer squirrels away its passwords in a specific format at a specific location in your file system. Malware can be designed to scan your computer for password data, targeting those locations and sending anything it finds to a hacker elsewhere on the Internet. You can stave off these and other malware attacks using reliable, frequently updated anti-virus software.

Web browsers' password managers are notoriously risky because of how they store and secure saved passwords. However, the measures you're already taking to block access to your system from the Internet and from malware should guard against those dangers. For example, Firefox has been known to encrypt and encode the passwords it saves but then write each encoded password to a simple text file alongside its corresponding URL. Protecting access to your local files with physical security, user passwords, screen locks, anti-virus software and firewalls should be sufficient to safeguard that file and, thus, your Firefox passwords.
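As an added example (not part of the original article), here is one way to check whether a locally stored password file is really shielded from other accounts on the same machine. It assumes POSIX permission bits (Linux or macOS), and the directory to audit is whatever path you pass in.

```python
import os
import stat
import sys

# Permission bits per account class: (read, write, traverse).
CLASSES = {
    "group": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "others": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}


def audit_password_store(root):
    """Map each file under root that another local account can reach to its findings."""
    root = os.path.abspath(root)
    findings = {}
    stack = [(root, set(CLASSES))]
    while stack:
        directory, reach = stack.pop()
        mode = os.lstat(directory).st_mode
        # Without the traverse bit on a directory, a class cannot open anything
        # below it, whatever the file's own mode says.
        reach = {c for c in reach if mode & CLASSES[c][2]}
        if not reach:
            continue
        for entry in os.scandir(directory):
            if entry.is_dir(follow_symlinks=False):
                stack.append((entry.path, reach))
            elif entry.is_file(follow_symlinks=False):
                fmode = entry.stat(follow_symlinks=False).st_mode
                hits = []
                for c in sorted(reach):
                    read_bit, write_bit, _ = CLASSES[c]
                    if fmode & read_bit:
                        hits.append(f"{c} can read")
                    if fmode & write_bit:
                        hits.append(f"{c} can modify")
                if hits:
                    findings[os.path.relpath(entry.path, root)] = hits
    return findings


if __name__ == "__main__":
    # The path is supplied by the user, e.g. their own browser profile directory.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(audit_password_store(target).items()):
        print(path, "->", ", ".join(hits))
```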

Some browsers use an integrated security approach. For instance, Internet Explorer in Windows creates a Windows registry key to store the password, which takes advantage of the system's Triple DES encryption. Administrator-level access to the Windows registry is required to display those saved passwords on the screen. If you're preventing access to your Windows account with some of the methods listed earlier, especially guarding against malware, you should have no trouble keeping these saved IE passwords safe.

Embedded security chips and other encryption hardware don't present a new risk as much as they amplify an existing one: losing your master password. These security systems include the added option of requiring a password to boot the operating system. If you set a boot password then forget it, you'll be unable to start your computer at all. Since today's computers can run for days or weeks without rebooting, there's plenty of time to forget your password. In addition, if you move the hard drive to another machine, you might get past the boot password, but accessing the hardware-encrypted data on your hard drive will be difficult, if not impossible. Check whether the hardware manufacturer has recovery steps in these situations if you think recalling your master password will be a problem.

The final risk consideration comes with the newest type of password management software, Web apps. Web apps present the same security and privacy concerns described in our article How Cloud Computing Works. You're relying on the company behind that Web app to keep your data safe. One particular concern is similar to that of banking and government sites: The company itself could become a target for hackers and identity thieves looking for a bigger score rather than picking on individual users. The only way to minimize that risk is to take special care when selecting which Web-based password management software to use. Research the companies behind the products, and read evaluations by security experts who have tested the software. You might just decide that the convenience you'll gain by using a specific Web app outweighs its potential risks.
