Store Credit Card Information in Password Manager?
For convenience purposes I manage my passwords with the password manager Bitwarden on my personal computer and smartphone with autofill function (but with asking for the master password or fingerprint first every time).
I was just thinking about also adding my credit card information (which is used to log into the online banking stuff) to my vault, but since that seems like such important data, I'm not sure if it would be safe or if this even is a good idea. Any opinions?
I also saw this question on here, but it rather deals with whether that is reasonable from a law standpoint.
passwords password-management password-cracking credit-card
add a comment |
For convenience purposes I manage my passwords with the password manager Bitwarden on my personal computer and smartphone with autofill function (but with asking for the master password or fingerprint first every time).
I was just thinking about also adding my credit card information (which is used to log into the online banking stuff) to my vault, but since that seems like such important data, I'm not sure if it would be safe or if this even is a good idea. Any opinions?
I also saw this question on here, but it rather deals with whether that is reasonable from a law standpoint.
passwords password-management password-cracking credit-card
add a comment |
For convenience purposes I manage my passwords with the password manager Bitwarden on my personal computer and smartphone with autofill function (but with asking for the master password or fingerprint first every time).
I was just thinking about also adding my credit card information (which is used to log into the online banking stuff) to my vault, but since that seems like such important data, I'm not sure if it would be safe or if this even is a good idea. Any opinions?
I also saw this question on here, but it rather deals with whether that is reasonable from a law standpoint.
passwords password-management password-cracking credit-card
For convenience purposes I manage my passwords with the password manager Bitwarden on my personal computer and smartphone with autofill function (but with asking for the master password or fingerprint first every time).
I was just thinking about also adding my credit card information (which is used to log into the online banking stuff) to my vault, but since that seems like such important data, I'm not sure if it would be safe or if this even is a good idea. Any opinions?
I also saw this question on here, but it rather deals with whether that is reasonable from a law standpoint.
passwords password-management password-cracking credit-card
passwords password-management password-cracking credit-card
edited Mar 22 at 16:58
schroeder♦
78.7k30175211
78.7k30175211
asked Mar 22 at 16:42
SuimonSuimon
2107
2107
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
The question might come down to: which piece of data has a higher level of risk, your passwords or your credit card info?
Your passwords can be used without you ever knowing about it. Passwords let someone into every aspect of your life with, potentially, every secret bit of information about you that you hold. So, it is possible for someone with your password to completely take over your life without you being aware until it is too late.
Credit card use will be noticed on your next statement, or as soon as your card company posts its use. You also have several types of recourse to dispute charges and have them reversed.
One might suggest that credit cards can be used to set up new cards or other lines of credit, but the same could be said with the information provided by passwords.
Passwords are the higher risk. Credit card info has numerous mitigations in place to protect you.
So, if you trust your password manager with your passwords, there is no increased risk with trusting it with your credit cards. There is always the inherent risk of recording any of this sensitive information, but if you have already accepted that risk for your passwords, then your credit card info does not materially increase your risks.
That's what I believe. I think it's important to explain that but I'm not brave enough to tell other people it's okay. It might not be the same outside the US due to legal or economic reasons.
– Future Security
Mar 22 at 17:28
@FutureSecurity What are you talking about? I mentioned several things that you could be referring to. (and I'm not in the US).
– schroeder♦
Mar 22 at 17:30
That stolen passwords can be more damaging than a stolen credit card number. (And I think that I read that UK law, compared to US law, put more responsibility on customers for the security of their own accounts including pins and passwords.)
– Future Security
Mar 22 at 17:32
Banks have been putting mitigations in place for decades to handle credit card fraud. It can be a hassle, and it can even cost a lot, but relatively very little in comparison to what can be done with access to the right password.
– schroeder♦
Mar 22 at 17:38
1
@JohnWu your statements make no sense. I'm not talking about value but about risk. You assume the passwords stored are generated by the tool. There is nothing in the question to support that assumption. Credit card numbers are not exactly secret and the numbers themselves do not have "black market value". Family could use the numbers? Sure. they also have physical access to the credit cards. So, all of your statements make no sense at all.
– schroeder♦
Mar 24 at 9:14
|
show 2 more comments
Password managers can store any kind of secret. (Or at least short plaintext strings.) I have no idea how safe your specific password manager is.
A closed vault should be as secure as your password is. If the vault is opened on some computer, then that machine needs to be trusted. (No key loggers, hardware trojans, snooping super users, etc.)
A good password hashing algorithm allows no method of password cracking better than guess -and-check. The vault will be as difficult to decrypt without the password as it is difficult to guess your password. (That's not technically true because the encryption will likely have a maximum strength of 256 bits. However, that doesn't matter because your master password will be weaker than a 256-bit key and any more than 128-bit security is good enough.)
If your master password is quite strong then it's probably fine, as long as the computer used and the password manager used is secure.
You could also put information in a second vault protected by a stronger master password. That vault also could be put on a well guarded thumb drive. (Which could reduce a hacker's opportunity to break open the closed vault if the thumb drive isn't plugged in when you don't need it and the drive is well guarded.)
It's not necessary to store the vault somewhere else if your password is strong enough.
Make sure the password manager software is something you trust. (Proprietary software is automatically sketchy to me.)
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205894%2fstore-credit-card-information-in-password-manager%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
The question might come down to: which piece of data has a higher level of risk, your passwords or your credit card info?
Your passwords can be used without you ever knowing about it. Passwords let someone into every aspect of your life with, potentially, every secret bit of information about you that you hold. So, it is possible for someone with your password to completely take over your life without you being aware until it is too late.
Credit card use will be noticed on your next statement, or as soon as your card company posts its use. You also have several types of recourse to dispute charges and have them reversed.
One might suggest that credit cards can be used to set up new cards or other lines of credit, but the same could be said with the information provided by passwords.
Passwords are the higher risk. Credit card info has numerous mitigations in place to protect you.
So, if you trust your password manager with your passwords, there is no increased risk with trusting it with your credit cards. There is always the inherent risk of recording any of this sensitive information, but if you have already accepted that risk for your passwords, then your credit card info does not materially increase your risks.
That's what I believe. I think it's important to explain that but I'm not brave enough to tell other people it's okay. It might not be the same outside the US due to legal or economic reasons.
– Future Security
Mar 22 at 17:28
@FutureSecurity What are you talking about? I mentioned several things that you could be referring to. (and I'm not in the US).
– schroeder♦
Mar 22 at 17:30
That stolen passwords can be more damaging than a stolen credit card number. (And I think that I read that UK law, compared to US law, put more responsibility on customers for the security of their own accounts including pins and passwords.)
– Future Security
Mar 22 at 17:32
Banks have been putting mitigations in place for decades to handle credit card fraud. It can be a hassle, and it can even cost a lot, but relatively very little in comparison to what can be done with access to the right password.
– schroeder♦
Mar 22 at 17:38
1
@JohnWu your statements make no sense. I'm not talking about value but about risk. You assume the passwords stored are generated by the tool. There is nothing in the question to support that assumption. Credit card numbers are not exactly secret and the numbers themselves do not have "black market value". Family could use the numbers? Sure. they also have physical access to the credit cards. So, all of your statements make no sense at all.
– schroeder♦
Mar 24 at 9:14
|
show 2 more comments
The question might come down to: which piece of data has a higher level of risk, your passwords or your credit card info?
Your passwords can be used without you ever knowing about it. Passwords let someone into every aspect of your life with, potentially, every secret bit of information about you that you hold. So, it is possible for someone with your password to completely take over your life without you being aware until it is too late.
Credit card use will be noticed on your next statement, or as soon as your card company posts its use. You also have several types of recourse to dispute charges and have them reversed.
One might suggest that credit cards can be used to set up new cards or other lines of credit, but the same could be said with the information provided by passwords.
Passwords are the higher risk. Credit card info has numerous mitigations in place to protect you.
So, if you trust your password manager with your passwords, there is no increased risk with trusting it with your credit cards. There is always the inherent risk of recording any of this sensitive information, but if you have already accepted that risk for your passwords, then your credit card info does not materially increase your risks.
That's what I believe. I think it's important to explain that but I'm not brave enough to tell other people it's okay. It might not be the same outside the US due to legal or economic reasons.
– Future Security
Mar 22 at 17:28
@FutureSecurity What are you talking about? I mentioned several things that you could be referring to. (and I'm not in the US).
– schroeder♦
Mar 22 at 17:30
That stolen passwords can be more damaging than a stolen credit card number. (And I think that I read that UK law, compared to US law, put more responsibility on customers for the security of their own accounts including pins and passwords.)
– Future Security
Mar 22 at 17:32
Banks have been putting mitigations in place for decades to handle credit card fraud. It can be a hassle, and it can even cost a lot, but relatively very little in comparison to what can be done with access to the right password.
– schroeder♦
Mar 22 at 17:38
1
@JohnWu your statements make no sense. I'm not talking about value but about risk. You assume the passwords stored are generated by the tool. There is nothing in the question to support that assumption. Credit card numbers are not exactly secret and the numbers themselves do not have "black market value". Family could use the numbers? Sure. they also have physical access to the credit cards. So, all of your statements make no sense at all.
– schroeder♦
Mar 24 at 9:14
|
show 2 more comments
The question might come down to: which piece of data has a higher level of risk, your passwords or your credit card info?
Your passwords can be used without you ever knowing about it. Passwords let someone into every aspect of your life with, potentially, every secret bit of information about you that you hold. So, it is possible for someone with your password to completely take over your life without you being aware until it is too late.
Credit card use will be noticed on your next statement, or as soon as your card company posts its use. You also have several types of recourse to dispute charges and have them reversed.
One might suggest that credit cards can be used to set up new cards or other lines of credit, but the same could be said with the information provided by passwords.
Passwords are the higher risk. Credit card info has numerous mitigations in place to protect you.
So, if you trust your password manager with your passwords, there is no increased risk with trusting it with your credit cards. There is always the inherent risk of recording any of this sensitive information, but if you have already accepted that risk for your passwords, then your credit card info does not materially increase your risks.
The question might come down to: which piece of data has a higher level of risk, your passwords or your credit card info?
Your passwords can be used without you ever knowing about it. Passwords let someone into every aspect of your life with, potentially, every secret bit of information about you that you hold. So, it is possible for someone with your password to completely take over your life without you being aware until it is too late.
Credit card use will be noticed on your next statement, or as soon as your card company posts its use. You also have several types of recourse to dispute charges and have them reversed.
One might suggest that credit cards can be used to set up new cards or other lines of credit, but the same could be said with the information provided by passwords.
Passwords are the higher risk. Credit card info has numerous mitigations in place to protect you.
So, if you trust your password manager with your passwords, there is no increased risk with trusting it with your credit cards. There is always the inherent risk of recording any of this sensitive information, but if you have already accepted that risk for your passwords, then your credit card info does not materially increase your risks.
edited Mar 23 at 14:13
answered Mar 22 at 17:04
schroeder♦schroeder
78.7k30175211
78.7k30175211
That's what I believe. I think it's important to explain that but I'm not brave enough to tell other people it's okay. It might not be the same outside the US due to legal or economic reasons.
– Future Security
Mar 22 at 17:28
@FutureSecurity What are you talking about? I mentioned several things that you could be referring to. (and I'm not in the US).
– schroeder♦
Mar 22 at 17:30
That stolen passwords can be more damaging than a stolen credit card number. (And I think that I read that UK law, compared to US law, put more responsibility on customers for the security of their own accounts including pins and passwords.)
– Future Security
Mar 22 at 17:32
Banks have been putting mitigations in place for decades to handle credit card fraud. It can be a hassle, and it can even cost a lot, but relatively very little in comparison to what can be done with access to the right password.
– schroeder♦
Mar 22 at 17:38
1
@JohnWu your statements make no sense. I'm not talking about value but about risk. You assume the passwords stored are generated by the tool. There is nothing in the question to support that assumption. Credit card numbers are not exactly secret and the numbers themselves do not have "black market value". Family could use the numbers? Sure. they also have physical access to the credit cards. So, all of your statements make no sense at all.
– schroeder♦
Mar 24 at 9:14
|
show 2 more comments
That's what I believe. I think it's important to explain that but I'm not brave enough to tell other people it's okay. It might not be the same outside the US due to legal or economic reasons.
– Future Security
Mar 22 at 17:28
@FutureSecurity What are you talking about? I mentioned several things that you could be referring to. (and I'm not in the US).
– schroeder♦
Mar 22 at 17:30
That stolen passwords can be more damaging than a stolen credit card number. (And I think that I read that UK law, compared to US law, put more responsibility on customers for the security of their own accounts including pins and passwords.)
– Future Security
Mar 22 at 17:32
Banks have been putting mitigations in place for decades to handle credit card fraud. It can be a hassle, and it can even cost a lot, but relatively very little in comparison to what can be done with access to the right password.
– schroeder♦
Mar 22 at 17:38
1
@JohnWu your statements make no sense. I'm not talking about value but about risk. You assume the passwords stored are generated by the tool. There is nothing in the question to support that assumption. Credit card numbers are not exactly secret and the numbers themselves do not have "black market value". Family could use the numbers? Sure. they also have physical access to the credit cards. So, all of your statements make no sense at all.
– schroeder♦
Mar 24 at 9:14
That's what I believe. I think it's important to explain that but I'm not brave enough to tell other people it's okay. It might not be the same outside the US due to legal or economic reasons.
– Future Security
Mar 22 at 17:28
That's what I believe. I think it's important to explain that but I'm not brave enough to tell other people it's okay. It might not be the same outside the US due to legal or economic reasons.
– Future Security
Mar 22 at 17:28
@FutureSecurity What are you talking about? I mentioned several things that you could be referring to. (and I'm not in the US).
– schroeder♦
Mar 22 at 17:30
@FutureSecurity What are you talking about? I mentioned several things that you could be referring to. (and I'm not in the US).
– schroeder♦
Mar 22 at 17:30
That stolen passwords can be more damaging than a stolen credit card number. (And I think that I read that UK law, compared to US law, put more responsibility on customers for the security of their own accounts including pins and passwords.)
– Future Security
Mar 22 at 17:32
That stolen passwords can be more damaging than a stolen credit card number. (And I think that I read that UK law, compared to US law, put more responsibility on customers for the security of their own accounts including pins and passwords.)
– Future Security
Mar 22 at 17:32
Banks have been putting mitigations in place for decades to handle credit card fraud. It can be a hassle, and it can even cost a lot, but relatively very little in comparison to what can be done with access to the right password.
– schroeder♦
Mar 22 at 17:38
Banks have been putting mitigations in place for decades to handle credit card fraud. It can be a hassle, and it can even cost a lot, but relatively very little in comparison to what can be done with access to the right password.
– schroeder♦
Mar 22 at 17:38
1
1
@JohnWu your statements make no sense. I'm not talking about value but about risk. You assume the passwords stored are generated by the tool. There is nothing in the question to support that assumption. Credit card numbers are not exactly secret and the numbers themselves do not have "black market value". Family could use the numbers? Sure. they also have physical access to the credit cards. So, all of your statements make no sense at all.
– schroeder♦
Mar 24 at 9:14
@JohnWu your statements make no sense. I'm not talking about value but about risk. You assume the passwords stored are generated by the tool. There is nothing in the question to support that assumption. Credit card numbers are not exactly secret and the numbers themselves do not have "black market value". Family could use the numbers? Sure. they also have physical access to the credit cards. So, all of your statements make no sense at all.
– schroeder♦
Mar 24 at 9:14
|
show 2 more comments
Password managers can store any kind of secret. (Or at least short plaintext strings.) I have no idea how safe your specific password manager is.
A closed vault should be as secure as your password is. If the vault is opened on some computer, then that machine needs to be trusted. (No key loggers, hardware trojans, snooping super users, etc.)
A good password hashing algorithm allows no method of password cracking better than guess -and-check. The vault will be as difficult to decrypt without the password as it is difficult to guess your password. (That's not technically true because the encryption will likely have a maximum strength of 256 bits. However, that doesn't matter because your master password will be weaker than a 256-bit key and any more than 128-bit security is good enough.)
If your master password is quite strong then it's probably fine, as long as the computer used and the password manager used is secure.
You could also put information in a second vault protected by a stronger master password. That vault also could be put on a well guarded thumb drive. (Which could reduce a hacker's opportunity to break open the closed vault if the thumb drive isn't plugged in when you don't need it and the drive is well guarded.)
It's not necessary to store the vault somewhere else if your password is strong enough.
Make sure the password manager software is something you trust. (Proprietary software is automatically sketchy to me.)
add a comment |
Password managers can store any kind of secret. (Or at least short plaintext strings.) I have no idea how safe your specific password manager is.
A closed vault should be as secure as your password is. If the vault is opened on some computer, then that machine needs to be trusted. (No key loggers, hardware trojans, snooping super users, etc.)
A good password hashing algorithm allows no method of password cracking better than guess -and-check. The vault will be as difficult to decrypt without the password as it is difficult to guess your password. (That's not technically true because the encryption will likely have a maximum strength of 256 bits. However, that doesn't matter because your master password will be weaker than a 256-bit key and any more than 128-bit security is good enough.)
If your master password is quite strong then it's probably fine, as long as the computer used and the password manager used is secure.
You could also put information in a second vault protected by a stronger master password. That vault also could be put on a well guarded thumb drive. (Which could reduce a hacker's opportunity to break open the closed vault if the thumb drive isn't plugged in when you don't need it and the drive is well guarded.)
It's not necessary to store the vault somewhere else if your password is strong enough.
Make sure the password manager software is something you trust. (Proprietary software is automatically sketchy to me.)
add a comment |
Password managers can store any kind of secret. (Or at least short plaintext strings.) I have no idea how safe your specific password manager is.
A closed vault should be as secure as your password is. If the vault is opened on some computer, then that machine needs to be trusted. (No key loggers, hardware trojans, snooping super users, etc.)
A good password hashing algorithm allows no method of password cracking better than guess -and-check. The vault will be as difficult to decrypt without the password as it is difficult to guess your password. (That's not technically true because the encryption will likely have a maximum strength of 256 bits. However, that doesn't matter because your master password will be weaker than a 256-bit key and any more than 128-bit security is good enough.)
If your master password is quite strong then it's probably fine, as long as the computer used and the password manager used is secure.
You could also put information in a second vault protected by a stronger master password. That vault also could be put on a well guarded thumb drive. (Which could reduce a hacker's opportunity to break open the closed vault if the thumb drive isn't plugged in when you don't need it and the drive is well guarded.)
It's not necessary to store the vault somewhere else if your password is strong enough.
Make sure the password manager software is something you trust. (Proprietary software is automatically sketchy to me.)
Password managers can store any kind of secret. (Or at least short plaintext strings.) I have no idea how safe your specific password manager is.
A closed vault should be as secure as your password is. If the vault is opened on some computer, then that machine needs to be trusted. (No key loggers, hardware trojans, snooping super users, etc.)
A good password hashing algorithm allows no method of password cracking better than guess -and-check. The vault will be as difficult to decrypt without the password as it is difficult to guess your password. (That's not technically true because the encryption will likely have a maximum strength of 256 bits. However, that doesn't matter because your master password will be weaker than a 256-bit key and any more than 128-bit security is good enough.)
If your master password is quite strong then it's probably fine, as long as the computer used and the password manager used is secure.
You could also put information in a second vault protected by a stronger master password. That vault also could be put on a well guarded thumb drive. (Which could reduce a hacker's opportunity to break open the closed vault if the thumb drive isn't plugged in when you don't need it and the drive is well guarded.)
It's not necessary to store the vault somewhere else if your password is strong enough.
Make sure the password manager software is something you trust. (Proprietary software is automatically sketchy to me.)
answered Mar 22 at 17:21
Future SecurityFuture Security
1,111212
1,111212
add a comment |
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205894%2fstore-credit-card-information-in-password-manager%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown