UNCLASSIFIED
Password managers: Security tips
February 2024                                                              ITSAP.30.025

Trying to use different and complex passwords for every website, account, and application can be challenging. If you are experiencing password overload, you may become careless. Maybe you keep all your passwords written down or reuse the same, easy-to-remember password. Both of these password habits put you and your accounts at risk. For more information on best practices for passwords see Rethink your password habits to protect your accounts from hackers (ITSAP.30.036) and Best practices for passphrases and passwords (ITSAP.30.032).

You can use a password manager to help you create, store, and remember your passwords. By using a password manager, you don't need to remember dozens of passwords. Password managers promote the use of complex passwords and discourage password reuse. Even though they provide a number of advantages, these tools present some risks to users' information, which we outline in this document.

A password manager is a password vault: it stores a user's usernames and passwords for different websites, applications, and services. Password managers differ in their features, design, and vulnerabilities. If you decide to use a password manager, you should research different vendors in order to make an informed choice about which is right for you.

Types of password managers

There are two main types of password managers: browser-based and stand-alone.

Browser-based password managers

Browser-based password managers are convenient. They are built into your web browser and do not require you to remember a long primary password. They use the "remember me" feature when you log in to a website. This creates vulnerabilities when another user has access to that same device, because anyone who can open the browser on that device can sign in to your accounts. Browser-based password managers don't always sync to other devices, which forces you to remember your passwords when logging in on other devices. For optimal security, you must keep your browser up to date.

Stand-alone password managers

Stand-alone password managers require local or cloud-based installation of software and account creation to access the service. They tend to be more secure than browser-based managers: they allow for a complex primary password and typically offer two-factor authentication. They also have more advanced features, such as alerts if a website is compromised and flagging of weak passwords. You can also sync the stored passwords across your devices.

Regardless of which type you choose to use, we recommend you activate multi-factor authentication (MFA) whenever possible. For more information on multi-factor authentication see Secure your accounts and devices with multi-factor authentication (ITSAP.30.030).

AWARENESS SERIES                                            Cat. No. D97-1/30-025-2023E-PDF
                                                            ISBN 978-0-660-68382-9
Security considerations

Password managers are an attractive target, a one-stop shop if you will. Although password managers have many benefits, such as helping you cope with password overload, they also present some risks. The greatest risk is the compromise of all your accounts at once. If a password manager is compromised, whether through your account or through a vendor compromise, all the stored account passwords will be exposed. If you choose to store passwords for sensitive accounts (like your online banking account), then your level of risk increases accordingly. We recommend that you evaluate the value of the accounts you are storing in the password manager and take every precaution you can if you decide to use a password manager.

Many security considerations need to be evaluated before using a password manager. Several attacks from threat actors can affect the passwords stored in a password manager. Using brute force, a threat actor can attempt to guess your primary password. If you must write down your primary password, ensure it is properly stored (such as in a locked safe), and limit the number of people with access to it.

Multi-factor authentication

For an extra layer of security, we recommend using password managers that require multi-factor authentication.

With threats becoming more sophisticated (like keylogging and phishing attacks), your primary password on its own can be stolen easily. That's why MFA is better than a single password: the factors can include something you know, something you are, or something you have. For example, you can combine a password with a token, a fingerprint, or an additional code (such as a one-time code from an authenticator app) to access your password manager.

Tips for using password managers

Use password managers that:
  •   support multi-factor authentication
  •   encrypt passwords so only you see them, making the passwords unreadable even to the vendor (known as zero-knowledge architecture)
  •   prompt you to change old passwords
  •   flag weak or reused passwords
  •   disclose how they protect your passwords
  •   store legitimate web links and notify you about compromised websites
  •   notify you if your password appears within a known data breach
  •   integrate with your phone, computer, tablet, and other devices

Use a strong primary passphrase or password:
  •   passphrases are memorized phrases of at least 4 words (with or without spaces) and are a minimum of 15 characters in length
  •   passwords are at least 12 characters in length and include upper and lower case letters, numbers and special characters

Install updates regularly for password managers.
Use the password manager to generate passwords for you.
Avoid using the same password for multiple sites.
Do not store passwords for sensitive accounts (such as banking and email accounts).
Do not share your primary password.
Have a plan to recover your passwords when your computer fails and you lose access to your password manager.
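The tips above ask for a manager that flags weak or reused passwords and warns when a password appears in a known data breach, and they give the minimum length and composition rules for passphrases and passwords. The following Python script is an added example, not from this publication or from any vendor's product, that audits a small vault export against exactly those rules. The breach check uses the k-anonymity "range" pattern: only the first five hex characters of the password's SHA-1 hash would leave the device, and the suffix is matched locally, which is how a zero-knowledge manager can offer breach alerts without seeing your passwords. The vault entries, the breach list and its counts are constructed for the example, and `range_lookup` stands in for the network request a real checker would make.

```python
import hashlib
import re
from collections import defaultdict

# Thresholds taken from the tips on this page.
MIN_PASSPHRASE_WORDS = 4
MIN_PASSPHRASE_LEN = 15
MIN_PASSWORD_LEN = 12

# Constructed vault export (hypothetical sites and credentials, not real ones).
VAULT = [
    {"site": "https://mail.example", "user": "alice", "password": "Tr0ub4dor&3Xq!z"},
    {"site": "https://shop.example", "user": "alice", "password": "correct horse battery staple"},
    {"site": "https://forum.example", "user": "alice", "password": "password123"},
    {"site": "https://bank.example", "user": "alice", "password": "password123"},
]

# Constructed stand-in for a breach corpus: password -> times seen in breaches.
# The passwords and counts are made up for this example.
BREACHED_SAMPLE = {"password123": 11000, "letmein": 7000, "qwerty": 3900}


def sha1_hex(secret: str) -> str:
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def build_range_db(breached: dict) -> dict:
    """Index breach hashes by their first 5 hex chars, the way a range endpoint serves them."""
    db = defaultdict(list)
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        db[digest[:5]].append(f"{digest[5:]}:{count}")
    return db


RANGE_DB = build_range_db(BREACHED_SAMPLE)


def range_lookup(prefix: str) -> list:
    """Stand-in for the network request; only these 5 characters would leave the device."""
    assert len(prefix) == 5
    return RANGE_DB.get(prefix, [])


def breach_count(secret: str) -> int:
    """k-anonymity check: fetch the bucket for the hash prefix, match the suffix locally."""
    digest = sha1_hex(secret)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def is_strong_passphrase(secret: str) -> bool:
    """At least 4 whitespace-separated words and at least 15 characters in total."""
    return len(secret.split()) >= MIN_PASSPHRASE_WORDS and len(secret) >= MIN_PASSPHRASE_LEN


def is_strong_password(secret: str) -> bool:
    """At least 12 characters with upper case, lower case, a digit and a special character."""
    return (len(secret) >= MIN_PASSWORD_LEN
            and re.search(r"[A-Z]", secret) is not None
            and re.search(r"[a-z]", secret) is not None
            and re.search(r"[0-9]", secret) is not None
            and re.search(r"[^A-Za-z0-9]", secret) is not None)


def audit_vault(vault: list) -> dict:
    """Map each failing site to its findings: weak, reused and/or breached."""
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])
    findings = {}
    for entry in vault:
        pw = entry["password"]
        problems = []
        # A secret passes if it satisfies either the passphrase rule or the password rule.
        if not (is_strong_passphrase(pw) or is_strong_password(pw)):
            problems.append("weak")
        if len(sites_by_password[pw]) > 1:
            problems.append("reused")
        seen = breach_count(pw)
        if seen:
            problems.append(f"breached ({seen} occurrences)")
        if problems:
            findings[entry["site"]] = problems
    return findings


if __name__ == "__main__":
    for site, problems in audit_vault(VAULT).items():
        print(f"{site}: {', '.join(problems)}")
```

A passphrase typed without spaces cannot be word-counted, so the script judges it by the password rule instead; that is a limitation of automated checks, not of the page's advice. Running the script reports the forum and bank entries as weak, reused and breached, and says nothing about the two entries that pass.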
Need help or have questions? Want to stay up to date and find out more on all things cyber security?
                         Come visit us at Canadian Centre for Cyber Security (CCCS) at cyber.gc.ca