Store Credit Card Information in Password Manager?












19















For convenience purposes I manage my passwords with the password manager Bitwarden on my personal computer and smartphone with autofill function (but with asking for the master password or fingerprint first every time).



I was just thinking about also adding my credit card information (which is used to log into the online banking stuff) to my vault, but since that seems like such important data, I'm not sure if it would be safe or if this even is a good idea. Any opinions?





I also saw this question on here, but it rather deals with whether that is reasonable from a law standpoint.










share|improve this question





























    19















    For convenience purposes I manage my passwords with the password manager Bitwarden on my personal computer and smartphone with autofill function (but with asking for the master password or fingerprint first every time).



    I was just thinking about also adding my credit card information (which is used to log into the online banking stuff) to my vault, but since that seems like such important data, I'm not sure if it would be safe or if this even is a good idea. Any opinions?





    I also saw this question on here, but it rather deals with whether that is reasonable from a law standpoint.










    share|improve this question



























      19












      19








      19


      2






      For convenience purposes I manage my passwords with the password manager Bitwarden on my personal computer and smartphone with autofill function (but with asking for the master password or fingerprint first every time).



      I was just thinking about also adding my credit card information (which is used to log into the online banking stuff) to my vault, but since that seems like such important data, I'm not sure if it would be safe or if this even is a good idea. Any opinions?





      I also saw this question on here, but it rather deals with whether that is reasonable from a law standpoint.










      share|improve this question
















      For convenience purposes I manage my passwords with the password manager Bitwarden on my personal computer and smartphone with autofill function (but with asking for the master password or fingerprint first every time).



      I was just thinking about also adding my credit card information (which is used to log into the online banking stuff) to my vault, but since that seems like such important data, I'm not sure if it would be safe or if this even is a good idea. Any opinions?





      I also saw this question on here, but it rather deals with whether that is reasonable from a law standpoint.







      passwords password-management password-cracking credit-card






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Mar 22 at 16:58









      schroeder

      78.7k30175211




      78.7k30175211










      asked Mar 22 at 16:42









      SuimonSuimon

      2107




      2107






















          2 Answers
          2






          active

          oldest

          votes


















          37














          The question might come down to: which piece of data has a higher level of risk, your passwords or your credit card info?



          Your passwords can be used without you ever knowing about it. Passwords let someone into every aspect of your life with, potentially, every secret bit of information about you that you hold. So, it is possible for someone with your password to completely take over your life without you being aware until it is too late.



          Credit card use will be noticed on your next statement, or as soon as your card company posts its use. You also have several types of recourse to dispute charges and have them reversed.



          One might suggest that credit cards can be used to set up new cards or other lines of credit, but the same could be said with the information provided by passwords.



          Passwords are the higher risk. Credit card info has numerous mitigations in place to protect you.



          So, if you trust your password manager with your passwords, there is no increased risk with trusting it with your credit cards. There is always the inherent risk of recording any of this sensitive information, but if you have already accepted that risk for your passwords, then your credit card info does not materially increase your risks.






          share|improve this answer


























          • That's what I believe. I think it's important to explain that but I'm not brave enough to tell other people it's okay. It might not be the same outside the US due to legal or economic reasons.

            – Future Security
            Mar 22 at 17:28











          • @FutureSecurity What are you talking about? I mentioned several things that you could be referring to. (and I'm not in the US).

            – schroeder
            Mar 22 at 17:30











          • That stolen passwords can be more damaging than a stolen credit card number. (And I think that I read that UK law, compared to US law, put more responsibility on customers for the security of their own accounts including pins and passwords.)

            – Future Security
            Mar 22 at 17:32













          • Banks have been putting mitigations in place for decades to handle credit card fraud. It can be a hassle, and it can even cost a lot, but relatively very little in comparison to what can be done with access to the right password.

            – schroeder
            Mar 22 at 17:38






          • 1





            @JohnWu your statements make no sense. I'm not talking about value but about risk. You assume the passwords stored are generated by the tool. There is nothing in the question to support that assumption. Credit card numbers are not exactly secret and the numbers themselves do not have "black market value". Family could use the numbers? Sure. they also have physical access to the credit cards. So, all of your statements make no sense at all.

            – schroeder
            Mar 24 at 9:14



















          5














          Password managers can store any kind of secret. (Or at least short plaintext strings.) I have no idea how safe your specific password manager is.



          A closed vault should be as secure as your password is. If the vault is opened on some computer, then that machine needs to be trusted. (No key loggers, hardware trojans, snooping super users, etc.)



          A good password hashing algorithm allows no method of password cracking better than guess -and-check. The vault will be as difficult to decrypt without the password as it is difficult to guess your password. (That's not technically true because the encryption will likely have a maximum strength of 256 bits. However, that doesn't matter because your master password will be weaker than a 256-bit key and any more than 128-bit security is good enough.)



          If your master password is quite strong then it's probably fine, as long as the computer used and the password manager used is secure.



          You could also put information in a second vault protected by a stronger master password. That vault also could be put on a well guarded thumb drive. (Which could reduce a hacker's opportunity to break open the closed vault if the thumb drive isn't plugged in when you don't need it and the drive is well guarded.)



          It's not necessary to store the vault somewhere else if your password is strong enough.



          Make sure the password manager software is something you trust. (Proprietary software is automatically sketchy to me.)






          share|improve this answer
























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "162"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205894%2fstore-credit-card-information-in-password-manager%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            37














            The question might come down to: which piece of data has a higher level of risk, your passwords or your credit card info?



            Your passwords can be used without you ever knowing about it. Passwords let someone into every aspect of your life with, potentially, every secret bit of information about you that you hold. So, it is possible for someone with your password to completely take over your life without you being aware until it is too late.



            Credit card use will be noticed on your next statement, or as soon as your card company posts its use. You also have several types of recourse to dispute charges and have them reversed.



            One might suggest that credit cards can be used to set up new cards or other lines of credit, but the same could be said with the information provided by passwords.



            Passwords are the higher risk. Credit card info has numerous mitigations in place to protect you.



            So, if you trust your password manager with your passwords, there is no increased risk with trusting it with your credit cards. There is always the inherent risk of recording any of this sensitive information, but if you have already accepted that risk for your passwords, then your credit card info does not materially increase your risks.






            share|improve this answer


























            • That's what I believe. I think it's important to explain that but I'm not brave enough to tell other people it's okay. It might not be the same outside the US due to legal or economic reasons.

              – Future Security
              Mar 22 at 17:28











            • @FutureSecurity What are you talking about? I mentioned several things that you could be referring to. (and I'm not in the US).

              – schroeder
              Mar 22 at 17:30











            • That stolen passwords can be more damaging than a stolen credit card number. (And I think that I read that UK law, compared to US law, put more responsibility on customers for the security of their own accounts including pins and passwords.)

              – Future Security
              Mar 22 at 17:32













            • Banks have been putting mitigations in place for decades to handle credit card fraud. It can be a hassle, and it can even cost a lot, but relatively very little in comparison to what can be done with access to the right password.

              – schroeder
              Mar 22 at 17:38






            • 1





              @JohnWu your statements make no sense. I'm not talking about value but about risk. You assume the passwords stored are generated by the tool. There is nothing in the question to support that assumption. Credit card numbers are not exactly secret and the numbers themselves do not have "black market value". Family could use the numbers? Sure. they also have physical access to the credit cards. So, all of your statements make no sense at all.

              – schroeder
              Mar 24 at 9:14
















            37














            The question might come down to: which piece of data has a higher level of risk, your passwords or your credit card info?



            Your passwords can be used without you ever knowing about it. Passwords let someone into every aspect of your life with, potentially, every secret bit of information about you that you hold. So, it is possible for someone with your password to completely take over your life without you being aware until it is too late.



            Credit card use will be noticed on your next statement, or as soon as your card company posts its use. You also have several types of recourse to dispute charges and have them reversed.



            One might suggest that credit cards can be used to set up new cards or other lines of credit, but the same could be said with the information provided by passwords.



            Passwords are the higher risk. Credit card info has numerous mitigations in place to protect you.



            So, if you trust your password manager with your passwords, there is no increased risk with trusting it with your credit cards. There is always the inherent risk of recording any of this sensitive information, but if you have already accepted that risk for your passwords, then your credit card info does not materially increase your risks.






            share|improve this answer


























            • That's what I believe. I think it's important to explain that but I'm not brave enough to tell other people it's okay. It might not be the same outside the US due to legal or economic reasons.

              – Future Security
              Mar 22 at 17:28











            • @FutureSecurity What are you talking about? I mentioned several things that you could be referring to. (and I'm not in the US).

              – schroeder
              Mar 22 at 17:30











            • That stolen passwords can be more damaging than a stolen credit card number. (And I think that I read that UK law, compared to US law, put more responsibility on customers for the security of their own accounts including pins and passwords.)

              – Future Security
              Mar 22 at 17:32













            • Banks have been putting mitigations in place for decades to handle credit card fraud. It can be a hassle, and it can even cost a lot, but relatively very little in comparison to what can be done with access to the right password.

              – schroeder
              Mar 22 at 17:38






            • 1





              @JohnWu your statements make no sense. I'm not talking about value but about risk. You assume the passwords stored are generated by the tool. There is nothing in the question to support that assumption. Credit card numbers are not exactly secret and the numbers themselves do not have "black market value". Family could use the numbers? Sure. they also have physical access to the credit cards. So, all of your statements make no sense at all.

              – schroeder
              Mar 24 at 9:14














            37












            37








            37







            The question might come down to: which piece of data has a higher level of risk, your passwords or your credit card info?



            Your passwords can be used without you ever knowing about it. Passwords let someone into every aspect of your life with, potentially, every secret bit of information about you that you hold. So, it is possible for someone with your password to completely take over your life without you being aware until it is too late.



            Credit card use will be noticed on your next statement, or as soon as your card company posts its use. You also have several types of recourse to dispute charges and have them reversed.



            One might suggest that credit cards can be used to set up new cards or other lines of credit, but the same could be said with the information provided by passwords.



            Passwords are the higher risk. Credit card info has numerous mitigations in place to protect you.



            So, if you trust your password manager with your passwords, there is no increased risk with trusting it with your credit cards. There is always the inherent risk of recording any of this sensitive information, but if you have already accepted that risk for your passwords, then your credit card info does not materially increase your risks.






            share|improve this answer















            The question might come down to: which piece of data has a higher level of risk, your passwords or your credit card info?



            Your passwords can be used without you ever knowing about it. Passwords let someone into every aspect of your life with, potentially, every secret bit of information about you that you hold. So, it is possible for someone with your password to completely take over your life without you being aware until it is too late.



            Credit card use will be noticed on your next statement, or as soon as your card company posts its use. You also have several types of recourse to dispute charges and have them reversed.



            One might suggest that credit cards can be used to set up new cards or other lines of credit, but the same could be said with the information provided by passwords.



            Passwords are the higher risk. Credit card info has numerous mitigations in place to protect you.



            So, if you trust your password manager with your passwords, there is no increased risk with trusting it with your credit cards. There is always the inherent risk of recording any of this sensitive information, but if you have already accepted that risk for your passwords, then your credit card info does not materially increase your risks.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Mar 23 at 14:13

























            answered Mar 22 at 17:04









            schroederschroeder

            78.7k30175211




            78.7k30175211













            • That's what I believe. I think it's important to explain that but I'm not brave enough to tell other people it's okay. It might not be the same outside the US due to legal or economic reasons.

              – Future Security
              Mar 22 at 17:28











            • @FutureSecurity What are you talking about? I mentioned several things that you could be referring to. (and I'm not in the US).

              – schroeder
              Mar 22 at 17:30











            • That stolen passwords can be more damaging than a stolen credit card number. (And I think that I read that UK law, compared to US law, put more responsibility on customers for the security of their own accounts including pins and passwords.)

              – Future Security
              Mar 22 at 17:32













            • Banks have been putting mitigations in place for decades to handle credit card fraud. It can be a hassle, and it can even cost a lot, but relatively very little in comparison to what can be done with access to the right password.

              – schroeder
              Mar 22 at 17:38






            • 1





              @JohnWu your statements make no sense. I'm not talking about value but about risk. You assume the passwords stored are generated by the tool. There is nothing in the question to support that assumption. Credit card numbers are not exactly secret and the numbers themselves do not have "black market value". Family could use the numbers? Sure. they also have physical access to the credit cards. So, all of your statements make no sense at all.

              – schroeder
              Mar 24 at 9:14



















            • That's what I believe. I think it's important to explain that but I'm not brave enough to tell other people it's okay. It might not be the same outside the US due to legal or economic reasons.

              – Future Security
              Mar 22 at 17:28











            • @FutureSecurity What are you talking about? I mentioned several things that you could be referring to. (and I'm not in the US).

              – schroeder
              Mar 22 at 17:30











            • That stolen passwords can be more damaging than a stolen credit card number. (And I think that I read that UK law, compared to US law, put more responsibility on customers for the security of their own accounts including pins and passwords.)

              – Future Security
              Mar 22 at 17:32













            • Banks have been putting mitigations in place for decades to handle credit card fraud. It can be a hassle, and it can even cost a lot, but relatively very little in comparison to what can be done with access to the right password.

              – schroeder
              Mar 22 at 17:38






            • 1





              @JohnWu your statements make no sense. I'm not talking about value but about risk. You assume the passwords stored are generated by the tool. There is nothing in the question to support that assumption. Credit card numbers are not exactly secret and the numbers themselves do not have "black market value". Family could use the numbers? Sure. they also have physical access to the credit cards. So, all of your statements make no sense at all.

              – schroeder
              Mar 24 at 9:14

















            That's what I believe. I think it's important to explain that but I'm not brave enough to tell other people it's okay. It might not be the same outside the US due to legal or economic reasons.

            – Future Security
            Mar 22 at 17:28





            That's what I believe. I think it's important to explain that but I'm not brave enough to tell other people it's okay. It might not be the same outside the US due to legal or economic reasons.

            – Future Security
            Mar 22 at 17:28













            @FutureSecurity What are you talking about? I mentioned several things that you could be referring to. (and I'm not in the US).

            – schroeder
            Mar 22 at 17:30





            @FutureSecurity What are you talking about? I mentioned several things that you could be referring to. (and I'm not in the US).

            – schroeder
            Mar 22 at 17:30













            That stolen passwords can be more damaging than a stolen credit card number. (And I think that I read that UK law, compared to US law, put more responsibility on customers for the security of their own accounts including pins and passwords.)

            – Future Security
            Mar 22 at 17:32







            That stolen passwords can be more damaging than a stolen credit card number. (And I think that I read that UK law, compared to US law, put more responsibility on customers for the security of their own accounts including pins and passwords.)

            – Future Security
            Mar 22 at 17:32















            Banks have been putting mitigations in place for decades to handle credit card fraud. It can be a hassle, and it can even cost a lot, but relatively very little in comparison to what can be done with access to the right password.

            – schroeder
            Mar 22 at 17:38





            Banks have been putting mitigations in place for decades to handle credit card fraud. It can be a hassle, and it can even cost a lot, but relatively very little in comparison to what can be done with access to the right password.

            – schroeder
            Mar 22 at 17:38




            1




            1





            @JohnWu your statements make no sense. I'm not talking about value but about risk. You assume the passwords stored are generated by the tool. There is nothing in the question to support that assumption. Credit card numbers are not exactly secret and the numbers themselves do not have "black market value". Family could use the numbers? Sure. they also have physical access to the credit cards. So, all of your statements make no sense at all.

            – schroeder
            Mar 24 at 9:14





            @JohnWu your statements make no sense. I'm not talking about value but about risk. You assume the passwords stored are generated by the tool. There is nothing in the question to support that assumption. Credit card numbers are not exactly secret and the numbers themselves do not have "black market value". Family could use the numbers? Sure. they also have physical access to the credit cards. So, all of your statements make no sense at all.

            – schroeder
            Mar 24 at 9:14













            5














            Password managers can store any kind of secret. (Or at least short plaintext strings.) I have no idea how safe your specific password manager is.



            A closed vault should be as secure as your password is. If the vault is opened on some computer, then that machine needs to be trusted. (No key loggers, hardware trojans, snooping super users, etc.)



            A good password hashing algorithm allows no method of password cracking better than guess -and-check. The vault will be as difficult to decrypt without the password as it is difficult to guess your password. (That's not technically true because the encryption will likely have a maximum strength of 256 bits. However, that doesn't matter because your master password will be weaker than a 256-bit key and any more than 128-bit security is good enough.)



            If your master password is quite strong then it's probably fine, as long as the computer used and the password manager used is secure.



            You could also put information in a second vault protected by a stronger master password. That vault also could be put on a well guarded thumb drive. (Which could reduce a hacker's opportunity to break open the closed vault if the thumb drive isn't plugged in when you don't need it and the drive is well guarded.)



            It's not necessary to store the vault somewhere else if your password is strong enough.



            Make sure the password manager software is something you trust. (Proprietary software is automatically sketchy to me.)






            share|improve this answer




























              5














              Password managers can store any kind of secret. (Or at least short plaintext strings.) I have no idea how safe your specific password manager is.



              A closed vault should be as secure as your password is. If the vault is opened on some computer, then that machine needs to be trusted. (No key loggers, hardware trojans, snooping super users, etc.)



              A good password hashing algorithm allows no method of password cracking better than guess -and-check. The vault will be as difficult to decrypt without the password as it is difficult to guess your password. (That's not technically true because the encryption will likely have a maximum strength of 256 bits. However, that doesn't matter because your master password will be weaker than a 256-bit key and any more than 128-bit security is good enough.)



              If your master password is quite strong then it's probably fine, as long as the computer used and the password manager used is secure.



              You could also put information in a second vault protected by a stronger master password. That vault also could be put on a well guarded thumb drive. (Which could reduce a hacker's opportunity to break open the closed vault if the thumb drive isn't plugged in when you don't need it and the drive is well guarded.)



              It's not necessary to store the vault somewhere else if your password is strong enough.



              Make sure the password manager software is something you trust. (Proprietary software is automatically sketchy to me.)






              share|improve this answer


























                5












                5








                5







                Password managers can store any kind of secret. (Or at least short plaintext strings.) I have no idea how safe your specific password manager is.



                A closed vault should be as secure as your password is. If the vault is opened on some computer, then that machine needs to be trusted. (No key loggers, hardware trojans, snooping super users, etc.)



                A good password hashing algorithm allows no method of password cracking better than guess -and-check. The vault will be as difficult to decrypt without the password as it is difficult to guess your password. (That's not technically true because the encryption will likely have a maximum strength of 256 bits. However, that doesn't matter because your master password will be weaker than a 256-bit key and any more than 128-bit security is good enough.)



                If your master password is quite strong then it's probably fine, as long as the computer used and the password manager used is secure.



                You could also put information in a second vault protected by a stronger master password. That vault also could be put on a well guarded thumb drive. (Which could reduce a hacker's opportunity to break open the closed vault if the thumb drive isn't plugged in when you don't need it and the drive is well guarded.)



                It's not necessary to store the vault somewhere else if your password is strong enough.



                Make sure the password manager software is something you trust. (Proprietary software is automatically sketchy to me.)






                share|improve this answer













                Password managers can store any kind of secret. (Or at least short plaintext strings.) I have no idea how safe your specific password manager is.



                A closed vault should be as secure as your password is. If the vault is opened on some computer, then that machine needs to be trusted. (No key loggers, hardware trojans, snooping super users, etc.)



                A good password hashing algorithm allows no method of password cracking better than guess -and-check. The vault will be as difficult to decrypt without the password as it is difficult to guess your password. (That's not technically true because the encryption will likely have a maximum strength of 256 bits. However, that doesn't matter because your master password will be weaker than a 256-bit key and any more than 128-bit security is good enough.)



                If your master password is quite strong then it's probably fine, as long as the computer used and the password manager used is secure.



                You could also put information in a second vault protected by a stronger master password. That vault also could be put on a well guarded thumb drive. (Which could reduce a hacker's opportunity to break open the closed vault if the thumb drive isn't plugged in when you don't need it and the drive is well guarded.)



                It's not necessary to store the vault somewhere else if your password is strong enough.



                Make sure the password manager software is something you trust. (Proprietary software is automatically sketchy to me.)







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Mar 22 at 17:21









                Future SecurityFuture Security

                1,111212




                1,111212






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Information Security Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205894%2fstore-credit-card-information-in-password-manager%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    How to change which sound is reproduced for terminal bell?

                    Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents

                    Can I use Tabulator js library in my java Spring + Thymeleaf project?