I won’t attempt to speak for other password managers, but with 1Password, you control your data. We have no ability to acquire your secrets. That not only protects you from us, but it protects you from anyone who compromises us.
But let’s start with the risks of not using a password manager:
- You reuse passwords across many sites and services. (This really is dangerous.)
- You use weak passwords for some important sites and services. (This is less of a risk unless it’s combined with password reuse, in which case it is catastrophic.)
- You can fall victim to phishing attacks because you can be tricked into entering your username and password into something other than the actual site you think it is for.
- You use some “system” for creating or remembering your passwords that allows someone who has discovered one or two of them to have a good guess at what the others are. (This is like the “reuse” case but here the passwords are related to each other instead of directly reused.)
On the other hand, let’s look at the biggest risk of using a password manager:
- You forget your Master Password. (This is the single biggest risk and why we encourage people to write down their Master Passwords in their Emergency Kit and store it in a safe location.)
That’s really the only meaningful risk. There are other, much smaller risks, but they’re not nearly as big as that one. Here’s how the smaller risks apply to 1Password:
- All your eggs in one basket. This is less of a risk than it might first appear because the alternative, password reuse, also puts multiple eggs in shared baskets (reused passwords) and in extremely weak baskets (weak passwords). When you reuse passwords, every site and service where you use the same password is vulnerable if that password is discovered.
- That 1Password gets hacked. This is less of a risk than it might first appear, not because it’s impossible for 1Password to get hacked, but because 1Password is designed with full end-to-end encryption, so the consequences of 1Password getting hacked would not be a threat to our customers.
- That the folks at 1Password would turn evil. This isn’t something that we expect to happen, but again, we’ve designed 1Password so that we lack the capability to acquire your secrets. (This is really just a variant of the previous point.)
- That there’s something malicious hidden in the code. 1Password has an open security design, and security experts are continually auditing 1Password to confirm it has a solid foundation. We don’t rely on proprietary, untested encryption.
- That we’re abducted by aliens and you’re locked out of your data. Again, our overall design protects you from this. It’s always possible to export your data from 1Password, and we’ve documented our data format so that even if we were to disappear, your data is yours.
As you can see, the biggest risk is forgetting your Master Password (or losing your Secret Key), and you can mitigate this yourself by following our advice for the Emergency Kit we provide when you sign up for 1Password:
- Print a copy or store it on a USB flash drive. Don’t store it online or email it.
- Fill in your Master Password. In an emergency, you or your loved one will be glad to have all your account details in one place.
- Keep it somewhere safe, like with your passport or birth certificate.
- Give a copy to a trusted loved one, like your spouse or someone in your will.