Should I Trust Password Managers?
1Password takes this very seriously and has gone to great lengths to document this:
I don't really have any experience with other cloud based password managers like KeePass or LastPass.
One of the things that makes something like 1Password so convenient for me is their reliance on Dropbox, which makes it easy to sync to all my devices (PC, Mac, iOS device or Android device). It's awesome, but this also provides a potential vector of attack.
Fortunately, my Dropbox account is secured with 2-factor authentication, but that doesn't necessarily make it immune to attacks. Just more difficult to get into.
Then there's the whole issue of whether or not someone gets direct access to my computer or hard drive while it's powered up; if they do, they have direct access to my 1Password data. (If it's off, it's probably much tougher since the hard drives are encrypted.) Fortunately, the 1Password vault is secured by its own password and all the data is supposedly strongly encrypted.
On one hand, all these layers make me feel like I'm potentially vulnerable. But I guess when you start to break things down, each one is encrypted, or has a strong randomly hashed password, or even requires 2-factor authentication to get into.
I guess using one of the cloud based services like LastPass or KeePass gives me a bit more to worry about (though probably for the wrong reasons) -- seems like if someone were able to compromise their servers, they could get access to your (encrypted) data.
Then again, Dropbox can suffer the same problem.
Really, I guess I just close my eyes, cross my fingers, and hope I'm doing the best I can for password security.
I'd be reluctant to use Chrome's built-in password manager, for instance. Not good enough for cross platform.
You get the source code for KeePass by downloading it at:
Review the source code and build it. If you find a backdoor or other problem, or a discrepancy between your build and the public download, you'll be an Internet legend.
I have developed software which is in use at several intelligence community agencies and security-conscious enterprises, so while I'm not an active member of the crypto community, I do know much more than the average person about cybersecurity and encryption.
(1) A password manager protected only by a master password is susceptible to exposure of that master password, including keylogging. So...
(2) To counter the weakness of a master password, use judicious multi-factor authentication. But even then in theory, a password manager I leave open still gives a rootful spy as much access to the whole list as I have. So...
(3a) The password manager could require multi-factor authentication for every login+password. That's no fun, and those individual items could be plucked from memory. But that is better than exposing the whole list.
(3b) There are reasonably secure ways to manage passwords with just paper, for example https://www.grc.com/offthegrid.htm. Again, individual passwords could still be keylogged, but the whole list is not exposed.
Me? I compromise. The bulk of stuff like my login here gets a unique password and goes into LastPass. That LastPass on any of several workstations opens only with multi-factor authentication and auto-closes if idle for more than 30 minutes.
For my banking and any service where password exposure would be very painful, I try first to get multi-factor authentication for that service. In any case I don't record those few critical passwords in an online password manager, and tend to remember them. However, anticipating that my memory can fail and I will someday die, I have encrypted that critical password list and physically protected it, then divided the master password and instructions among trusted friends.
As everyone has said in this thread, nothing is 100% safe. You can use it to keep credentials of sites you don't care about remembering. That's the best use case.
Confused? Well, there are some concepts which don't save your passwords directly. They help you generate your password again every time. You just have to remember one master password, and then they generate the same password every time out of the domain name, the master password and some individual salt value, for e.g. Facebook, Twitter and so on.
This way you don't have to worry if you lose your laptop with your password manager on it - even brute forcing this kind of password manager wouldn't reveal any "saved" passwords, because there is nothing saved, it's all generated on the fly.
Oh and as someone above mentioned, make sure you secure your passwords with a very secure password. PBKDF2 won't do much to protect you if your password is 'abc123'.
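As an added example (not code from any poster or product in this thread), here is the stateless "generate on the fly" scheme described above, built on PBKDF2; the iteration count, the 64-character alphabet and the way the domain and salt are combined are assumptions of this illustration. Note that the iteration count is the only thing slowing down a guess at the master password, which is why the warning about weak master passwords matters just as much here.

```python
import hashlib
import string

# Constructed parameters for this illustration, not any real product's values.
ITERATIONS = 200_000
# Exactly 64 symbols so that `byte % 64` maps bytes onto the alphabet without bias.
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64


def derive_site_password(master_password: str, domain: str, salt: str,
                         length: int = 20) -> str:
    """Deterministically derive a per-site password; nothing is stored.

    The same master password, domain and salt always reproduce the same
    output, so there is no password list on disk to lose with the laptop.
    Changing the salt is how a single site's password gets "rotated".
    """
    # Mix the normalised domain and the per-user salt into the KDF salt so
    # every site gets an unrelated password from the one shared master secret.
    kdf_salt = f"{domain.strip().lower()}|{salt}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), kdf_salt,
                              ITERATIONS, dklen=length)
    # One derived byte per output character.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key)


def site_passwords(master_password: str, salt: str, domains: list[str]) -> dict[str, str]:
    """Derive passwords for several sites and confirm none are reused."""
    result = {d: derive_site_password(master_password, d, salt) for d in domains}
    # A collision here would mean two sites share a password, which the
    # scheme is supposed to rule out.
    assert len(set(result.values())) == len(result), "unexpected password reuse"
    return result


if __name__ == "__main__":
    # Constructed sample inputs.
    for site, pw in site_passwords("correct horse battery staple", "salt-2013",
                                   ["facebook.com", "twitter.com"]).items():
        print(site, pw)
```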