Password managers make it easy to use strong, unique passwords everywhere. That’s one significant benefit to using them, but there’s another: Your password manager helps protect you from imposter websites trying to “phish” your password.
What Is Phishing, and How Does It Work?
Phishing is designed to trick you into giving your password or other information to an imposter.
For example, let’s say you get an email claiming to be from your bank. The email says your account may be compromised, and you should click this link to take action. You click the link in the email and end up on a site that looks just like your bank’s real website. In a rush to secure your account, you type your password and possibly other details like your credit card number. Boom, you’ve been phished. The attacker now has your bank account’s username and password, as well as any other information you provided. That wasn’t your bank’s real website. You got an email from a scammer.
Security professionals recommend against clicking links in emails like this. Instead, go to your bank account’s website directly and sign in. Similarly, if someone claiming to be from your bank calls you on the phone, it’s a good idea to hang up and call your bank’s customer service number directly to see if the call is legitimate.
You could end up on a phishing site in many other ways. Maybe you click a link to buy something on the web and end up at what looks like Amazon.com or another legitimate store, for example. Perhaps you click a link to email someone and end up on what appears to be a Google login screen for your Gmail account.
It’s All in the URL
There’s one thing you can do to spot phishing sites: Examine the URL, which is the address of the web page. For example, if you bank with Chase, you’d look to verify you were on chase.com. But phishing sites could be clever. For example, a phishing site might use an address like “secure.chase.com.example.com/onlinebanking/login”.
If you understand URLs, you’ll realize that that particular URL is actually hosted on “example.com” and not “chase.com”.
Similarly, some phishing websites will use characters that look similar to other characters. It’s all part of making the URL look similar to the real one. After all, many people likely don’t examine the URL at all. Even people who do may just be trained to look for something like “chase.com.” Not everyone understands how to decode that line of text.
How a Password Manager Helps Protect You
If you use a password manager, you have additional protection. This is true as long as your password manager can automatically fill your credentials, whether it’s 1Password, LastPass, Dashlane, Bitwarden, or even the password-saving feature built right into your web browser.
If you save a login for a website like Chase.com or Amazon.com, your password manager will remember it and offer to automatically fill it in for you when you’re on Chase.com or Amazon.com. If you end up on a different website, your password manager won’t offer to enter your credentials—after all, you’re on a different website. Your password manager doesn’t fall for the disguised URL.
This protection isn’t fancy, and you won’t see a big red “warning” message pop up. But you will quickly notice that, wait a minute, your password manager isn’t offering to sign you in on this website. Why is that? Once you’ve noticed something is amiss, you might quickly discover you’re not on the website you thought you were on.
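The domain check described above, sketched as an added example (it is not from the original article or from any real password manager). It assumes each saved entry stores a bare domain and that the domain and its subdomains should match; real managers work out the registrable domain using the Public Suffix List. The function names, vault entries and sample URLs are constructed for illustration.

```javascript
// Added illustration of autofill domain matching; not any product's real code.
// Assumption: a vault entry is { domain: "chase.com" }.

function hostOf(pageUrl) {
  try {
    // The URL parser lower-cases the host and converts look-alike
    // international characters to their "xn--" (punycode) form.
    return new URL(pageUrl).hostname.replace(/\.$/, "");
  } catch {
    return null; // not a parseable URL: never fill
  }
}

function matchesSavedDomain(savedDomain, pageUrl) {
  const host = hostOf(pageUrl);
  if (host === null) return false;
  const saved = savedDomain.toLowerCase();
  // The saved domain must be the whole host, or the END of it after a dot.
  // "chase.com" appearing at the start or middle of the host does not count.
  return host === saved || host.endsWith("." + saved);
}

function entriesToOffer(vault, pageUrl) {
  return vault
    .filter((entry) => matchesSavedDomain(entry.domain, pageUrl))
    .map((entry) => entry.domain);
}

// Constructed sample vault and URLs.
const vault = [{ domain: "chase.com" }, { domain: "amazon.com" }];
const samples = [
  "https://chase.com/",
  "https://secure.chase.com/onlinebanking/login",
  "https://secure.chase.com.example.com/onlinebanking/login", // host is example.com
  "https://ch\u0430se.com/", // Cyrillic "a" look-alike
  "https://notchase.com/",
];

for (const url of samples) {
  const offered = entriesToOffer(vault, url);
  console.log(url, "->", offered.length ? offered.join(", ") : "no autofill offered");
}
```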
Peace of Mind When Logging In
Your password manager doesn’t just make it faster to enter your credentials while browsing the web. It gives you peace of mind while it goes about its job.
If you’re signing into your email online, you don’t need to double-check the domain before typing your username and password. You know that, if your password manager is offering to fill your credentials automatically, it’s already checked that the domain is a match with the one saved in your database.
This Works on Smartphones, Too
Of course, the same features are available when you use a password manager on a mobile device like an iPhone, iPad, or Android phone. Use your password manager to enter credentials, and you’ll be protected from phishing on the mobile web, too.