Should you use a password manager? Is using a password manager comes with any risk? Is using a password manager riskier than not using it?

您应该使用密码管理器吗？ 使用密码管理器会带来任何风险吗？ 使用密码管理器比不使用密码管理器更具风险吗？

Those are the questions that people usually ask about a password manager. In this post, I will answer all those questions.

这些是人们通常会询问的有关密码管理器的问题。 在这篇文章中，我将回答所有这些问题。

什么是密码管理器？ (What is a password manager?)

Before we tackle the questions at the beginning of the post, It would be better if we first understand what a Password Manager really is.

在解决本文开头的问题之前，最好先了解一下密码管理器的真正含义。

Password Manager is an application or software that can generate a new password, save login information, and manage them.

密码管理器是可以生成新密码，保存登录信息并进行管理的应用程序或软件。

Using a strong password and different password on each site you register is recommended, but there is a limit on how many different passwords a human can remember, especially if the password is strong. Using a password manager can help you to generate a strong password and use a different password on each site, you will only need to remember one password that will log you into your password manager.

建议在您注册的每个站点上使用强密码和不同的密码，但是对于人类可以记住的不同密码有一定的限制，特别是如果密码强的话。 使用密码管理器可以帮助您生成强密码并在每个站点上使用不同的密码，您只需要记住一个密码即可登录到密码管理器。

为什么要使用密码管理器？ (Why Should you use a Password Manager?)

在许多站点使用相同密码的风险 (The risk of using the same password at many sites)

The risk of using the same password at many sites is pretty high. If somehow a hacker got one of your passwords then he/she would be able to login to all of your accounts that have the same password. There are actually many ways how a hacker can get your password.

在许多站点上使用相同密码的风险非常高。 如果黑客以某种方式获得了您的密码之一，那么他/她将能够登录到您所有具有相同密码的帐户。 实际上，黑客可以通过多种方式获取密码。

别人如何获得您的密码 (How someone can get your password)

You never know how a site stores your password and whether the security on their server is good or not. These are some of the ways that a hacker can get your password:

您永远不会知道站点如何存储密码以及服务器上的安全性是否良好。 以下是黑客获取密码的一些方式：

• Man in the middle attack: This type of attack is like eavesdropping, a hacker can secretly get the data on the way from your PC to the target server. A good website would use https protocol which will encrypt your data before it leaves your PC, so even if there is a man in the middle they won’t be able to get your raw data or password. But the problem is, even though many sites already use https, some of them are still not, and your password is at risk if you register or log in at those sites.

  中间人攻击 ：这种攻击就像窃听一样，黑客可以从PC到目标服务器的途中秘密获取数据。 一个好的网站会使用https协议，该协议会在您离开PC之前对您的数据进行加密，因此，即使中间有人，他们也将无法获取您的原始数据或密码。 但是问题是，即使许多站点已经使用https，但其中一些站点仍未使用https，如果您在这些站点上注册或登录，密码将会受到威胁。

• Sites that don’t have good security: Some sites have bad security, maybe the way they store your password is badly or not encrypted so when the site got breached, the hacker would be able to get your raw password easily, other than that, a site might be able to be attacked by brute force method, basically they will try many combinations of the password until they figure out the correct one by using a software. There is a site that let you know which site you’ve registered have been breached.

  安全性不强的网站：某些网站的安全性不佳，也许他们存储密码的方式不正确或未加密，因此当该网站遭到破坏时，黑客可以轻松地获取原始密码，除此之外，一个站点可能会受到蛮力攻击，基本上，他们将尝试使用多种密码组合，直到使用软件找出正确的密码为止。 有一个网站可让您知道您注册的网站已被破坏。

• Someone figuring out your password by looking at your screen: Someone can figure out your password by looking at your screen when you’re typing it.

  有人通过查看屏幕来确定密码：有人可以在输入时通过查看屏幕来确定密码。

• Keylogger: Someone putting keylogger software or hardware on your PC would be able to know everything that you type on your keyboard.

  键盘记录器：将键盘记录器软件或硬件安装到PC上的人将能够知道您在键盘上键入的所有内容。

使用密码管理器 (Using a password manager)

使用密码管理器的好处 (The benefits of using Password Manager)

By using a password manager, you can generate a strong unique password to be used by each site you registered on which will reduce most of the risk of using one password in many sites. Man in the middle attack might still able to get your password, but now that the password they get can’t be used to log in to every site that you’ve registered on. Your password will also be harder to be attacked by the brute force method because now it’s very strong.

通过使用密码管理器，您可以生成一个强大的唯一密码，供您在其上注册的每个网站使用，这将减少在许多网站中使用一个密码的大部分风险。 处于中间攻击状态的人也许仍然可以获取您的密码，但是现在他们获得的密码无法用于登录到您注册的每个站点。 您的密码也将更难以被暴力破解，因为现在它已经很强大了。

使用密码管理器的风险 (The risks of using Password Manager)

Sadly, even though using a password manager comes with many benefits, it introduces new risks too:

遗憾的是，即使使用密码管理器有很多好处，它也带来了新的风险：

• Breach on password manager server: There is a chance that the password manager’s server gets breached, Even it’s very low, take Lasspass for the example, it got hacked in 2015. But even though it was hacked, according to Lastpass’ article no vault (place to store your login information) was compromised, which means that the hacker couldn’t get into your vault at all. The only thing that the hacker gets is the username of the Lastpass users, no password was taken. The password manager’s server usually has tighter security compared to other servers because they specialize in security. As long as you choose a password manager with a good track record, then you should be safe.

  违反密码管理器服务器 ：密码管理器的服务器很有可能被破坏，即使它非常低，以Lasspass为例，它在2015年也遭到了黑客入侵。但是，尽管它被黑客入侵，但根据Lastpass的文章，没有保险库文件(存储您的登录信息的位置)已遭到入侵，这意味着黑客根本无法进入您的保管库。 黑客唯一获得的是Lastpass用户的用户名，没有密码。 与其他服务器相比，密码管理器的服务器通常具有更严格的安全性，因为它们专门研究安全性。 只要您选择一个具有良好记录的密码管理器，那么您就应该安全了。

• Losing your master password: Losing your master password is another risk of using a password manager. Putting all of your passwords that you don’t remember in one place means that there is a chance that you’ll forget your master password and make you unable to access any of your passwords.

  丢失主密码 ：丢失主密码是使用密码管理器的另一风险。 将您不记得的所有密码都放在一个地方，这意味着您有可能会忘记主密码，并使您无法访问任何密码。

• Getting malware: Getting malware on your device is the riskiest and most dangerous thing when using a password manager. The hacker can suddenly get all of your passwords if you open your vault. There aren’t many malware that targets a password manager, and since every password manager has they own method to store your password after you open your vault, then the malware would need to be very specific to target that password manager, and even with that, the password manager would still able to patch the software as soon as they are aware of the malware.

  感染恶意软件 ：使用密码管理器在设备上感染恶意软件是最危险，最危险的事情。 如果您打开保管库，黑客可能会突然获得您的所有密码。 以密码管理器为目标的恶意软件并不多，而且由于每个密码管理器都有自己的方法来打开您的库后存储密码，因此恶意软件将需要非常专门地针对该密码管理器，即使使用，密码管理器只要知道了恶意软件，便仍然能够修补该软件。

减少使用密码管理器的风险 (Reducing the risks of using a password manager)

If you decide to use a password manager, these are some tips I have to reduce the risk that the password manager has:

如果您决定使用密码管理器，这些是我必须减少密码管理器具有的风险的一些技巧：

• Activate 2FA: you can activate 2FA (Multi-Factor Authentication) to reduce the risk of using one. 2FA is a system that asks you to verify that the one that has just logged in to your account is really you. The most common ways to verify are via a link sent by email, OTP(One time Password) sent via email/phone, Google Authenticator, and a hardware key. Using 2FA will decrease a chance of account takeover even if the one that plans to login into your account knows your password because they won’t be able to successfully login without you knowing.

  激活2FA ：您可以激活2FA(多重身份验证)以减少使用一个的风险。 2FA是一个系统，要求您确认刚刚登录到您的帐户的人确实是您。 验证的最常用方法是通过电子邮件发送的链接，通过电子邮件/电话发送的OTP(一次性密码)，Google身份验证器和硬件密钥。 即使计划登录您的帐户的人知道您的密码，使用2FA也会减少帐户被接管的机会，因为他们将无法在您不知道的情况下成功登录。

• Plan your recovery master password method: There is a chance that you’ll lose your master password, so you should have a recovery method for your master password. A good password manager usually has a method for recovering a master password, so please choose one that you think is safe and suits you.

  规划您的恢复主密码方法 ：您有可能会丢失主密码，因此您应该有一种主密码恢复方法。 好的密码管理员通常可以使用一种方法来恢复主密码，因此请选择一个您认为安全且适合您的密码。

• Don’t save your high-risk password in a password manager: The simplest example of this is your email. Most sites will assume that if you can log in to your email, then you’re the real owner of the account, so there are many recovery methods and verification methods that are sent to your email. Using a unique password and remembering it by yourself for a high-risk password will further reduce the chance of your account getting hacked.

  不要将高风险密码保存在密码管理器中 ：最简单的示例是您的电子邮件。 大多数站点都假定如果您可以登录到电子邮件，那么您就是该帐户的真正所有者，因此，有很多恢复方法和验证方法都发送到您的电子邮件中。 使用唯一的密码并自己记住一个高风险密码将进一步减少您的帐户被黑客入侵的可能性。

使用密码管理器比不使用密码管理器更危险吗？ (Is using a password manager riskier than not using one?)

This is very depending on the person, for most people reading this article which I assume have at least some knowledge on using PC safely and have many accounts on many sites, then I’d recommend using one. Even though there is a risk of using a password manager, the risk of not using one far outweighs the risk of using one.

这在很大程度上取决于个人，对于大多数阅读本文的人，我认为我至少对安全使用PC有一定的了解，并且在许多站点上都有很多帐户，所以我建议您使用一个。 即使存在使用密码管理器的风险，不使用密码管理器的风险也远大于使用密码管理器的风险。

If you only have accounts in the sites that you only trusted and rarely register on new sites, then I’d recommend not using one. Just activating 2FA is already enough because other people won’t be able to login into your account without you knowing, there is no reason to use a password manager.

如果您仅在自己信任的站点中拥有帐户，并且很少在新站点上注册，则建议不要使用一个。 仅激活2FA就足够了，因为在您不知道的情况下其他人将无法登录您的帐户，没有理由使用密码管理器。

推荐的密码管理器 (Recommended Password Manager)

These are the password managers that I’ve tried and liked, I won’t write a detailed review for each one, but I will write a bit about the things I like and dislike about each one

这些是我尝试过并喜欢的密码管理器，我不会为每个密码写详细的评论，但是我会写一些关于我喜欢和不喜欢的东西的信息。

• Encrypted text file: This is the simplest, one of the most secure ones and free, You don’t have to register in any site and there is a lot of chance that you already have the tools needed for it. It is secure because your encrypted password won’t need to leave your PC at all, so there is no risk of man in the middle and someone getting your password unless someone hacked your PC. Since you don’t register anywhere though, if you forgot your master password then there is really no way to recover it.

  加密的文本文件 ：这是最简单，最安全的文本文件之一，并且是免费的，您无需在任何站点上进行注册，并且很有可能已经拥有了所需的工具。 这是安全的，因为您根本不需要离开计算机就可以使用加密的密码，因此，除非有人对您的PC进行了黑客攻击，否则不会有中间人和有人得到您的密码的风险。 由于您没有在任何地方注册，因此，如果您忘记了主密码，那么实际上就无法恢复它。

• KeePass: Free, open-sourced, and light-weight password manager. You use a local vault, so you don’t have to register for anything and your password also won’t leave your PC. It’s more secure than an encrypted text file because your password will be masked, so there is no chance that other people will know your password by looking at your screen. Same as Encrypted text file, since you don’t register anywhere, if you forgot your master password then you can’t access the password saved in the software.

  KeePass ：免费，开源且轻量级的密码管理器。 您使用本地保管库，因此您无需注册任何内容，密码也不会离开您的PC。 它比加密的文本文件更安全，因为您的密码将被屏蔽，因此其他人没有机会通过看屏幕知道您的密码。 与加密文本文件相同，因为您未在任何地方注册，如果忘记了主密码，则无法访问软件中保存的密码。

• Lastpass: The most used cloud Password Manager as far as I know. It has 2FA, cloud sync, browser extension, Android, and iOS apps. It is free if you want to use it on 1 device, but if you want to use more then you have to buy a premium subscription. Your vault is stored in the cloud, so it’s not as secure as the Encrypted text file and KeePass, but it still can be considered very secure because everything is encrypted. The only weakness of Lastpass is that its UI is pretty outdated.

  Lastpass ：据我所知，最常用的云密码管理器。 它具有2FA，云同步，浏览器扩展，Android和iOS应用。 如果要在1台设备上使用它是免费的，但是如果要使用更多，则必须购买高级订阅。 您的保管库存储在云中，因此它不如加密的文本文件和KeePass安全，但由于所有内容都已加密，因此仍被认为非常安全。 Lastpass的唯一弱点是它的UI已经过时。

• Bitwarden: it is one of the most secure Password Manager too, it’s open-source and basically free unless you want extra features like encrypted storage or use a hardware key for 2FA. It’s a cloud vault that can be synced across multiple devices and can be used in most mainstream platforms. The unique feature that Bitwarden has is that you can host your own vault. For the most secure setup, you can host it on your localhost or your owned server if you know what you’re doing. The main weakness of this Password Manager is that it only has 1 developer, so the development of this Password Manager might be a bit slow and can stop if something happens to the developer. If you’re want to try using a password manager for the first time, then I recommend using this one first before jumping to another password manager.

  Bitwarden ：它也是最安全的密码管理器之一，它是开源的，并且基本上是免费的，除非您想要额外的功能，例如加密存储或使用2FA的硬件密钥。 这是一个可以在多个设备之间同步的云保管库，可以在大多数主流平台中使用。 Bitwarden的独特功能是您可以托管自己的保管库。 对于最安全的设置，如果您知道自己在做什么，则可以将其托管在本地主机或自己的服务器上。 该密码管理器的主要缺点是它只有1个开发人员，因此此密码管理器的开发可能会有点慢，并且如果开发人员遇到任何问题，它可能会停止。 如果您想首次尝试使用密码管理器，那么我建议您先使用此密码管理器，然后再跳转到另一个密码管理器。

• 1Password: This is the Password Manager that I personally use. It’s the most convenient and seamless one compared to the others on this list, especially in phone devices. The weakness of this Password Manager is that it’s not free and pretty expensive.

  1Password ：这是我个人使用的密码管理器。 与该列表中的其他列表相比，它是最方便，最无缝的一种，尤其是在电话设备中。 该密码管理器的缺点是它不是免费的，而且价格昂贵。

结论 (Conclusion)

A password manager is a software that will help us generate a new password, save your login information, and manage them. There are risks of both not using and using a password manager, but for most people, the risk of not using one far outweighs the risk of using one.

密码管理器是一款可以帮助我们生成新密码，保存您的登录信息并进行管理的软件。 不使用和使用密码管理器都有风险，但是对于大多数人而言，不使用密码管理器的风险远大于使用密码管理器的风险。

If you decided to use a password manager, then you should reduce the risk of using it by activating 2FA, Plan your master password recovery method, and not saving a high-risk password in your password manager.

如果决定使用密码管理器，则应通过激活2FA，计划主密码恢复方法以及不要在密码管理器中保存高风险密码来降低使用它的风险。

If you want to try using a password manager for the first time then I recommend using Bitwarden because it has many features and is free.

如果您想第一次尝试使用密码管理器，那么我建议您使用Bitwarden，因为它具有许多功能并且是免费的。