
June 16th 2014 10:58 am

Should I Trust Password Managers?

I'm sure you all have heard of password managers, that little icon that sits on your browser add-on bar and remembers all your passwords for you. But can we trust them? Are they really as secure as they claim to be?

Leave your thoughts below!


17 replies

1Password takes this very seriously and has gone to great lengths to document this:

I don't really have any experience with other cloud based password managers like KeePass or LastPass.

One of the things that makes something like 1Password so convenient for me is their reliance on Dropbox, which makes it easy to sync to all my devices (PC, Mac, iOS device or Android device). It's awesome, but this also provides a potential vector of attack.

Fortunately, my Dropbox account is secured with 2-factor authentication, but that doesn't necessarily make it immune to attacks. Just more difficult to get into.

Then there's the whole issue that if someone gets direct access to my computer or hard drive while it's powered up, they have direct access to my 1Password data. (If it's off, it's probably much tougher since the hard drives are encrypted.) Fortunately, the 1Password vault is secured by its own password and all the data is supposedly strongly encrypted.

On one hand, all these layers make me feel like I'm potentially vulnerable. But I guess when you start to break things down, each one is encrypted, or has a strong randomly hashed password, or even requires 2-factor authentication to get into.

I guess using one of the cloud based services like LastPass or KeePass gives me a bit more to worry about (though probably for the wrong reasons) -- seems like if someone were able to compromise their servers, they could get access to your (encrypted) data.

Then again, Dropbox can suffer the same problem.

Really, I guess I just close my eyes, cross my fingers, and hope I'm doing the best I can for password security.
3 like dislike

Since when has KeePass been cloud-based?
1 like dislike

KeePass can rely on Dropbox as well. That's how I sync across computers and devices. KeePass is 100% local software, even if you use KeePassHTTP (plugin) to integrate with chromeIPass.

I'd be reluctant to use chrome's built-in password manager, for instance. Not good enough for cross platform.
0 like dislike

I've been using 1Password for a couple of years. It's terrific! Its only vulnerability is that one password that you create to access your stuff. They break that code, and you're fried!
0 like dislike

Should I Trust Password Managers? No.

You get the source code for KeePass by downloading it at:

Review the source code and build it. If you find a backdoor or other problem, or a discrepancy between your build and the public download, you'll be an Internet legend.
2 like dislike

There was a recent discussion about this! Since that time, I have started using LastPass and really like it.

1 like dislike

I was aware of that discussion. I am not asking if people are using password managers, I'm asking if I should trust them.
1 like dislike

I use LastPass. I trust it. I ran Wireshark and watched the traffic going back and forth between the client and server, and I have every reason to believe it works as advertised. They store your passwords in the cloud, but encrypt the data at the client and appear to decrypt it every time you log in (there is a well-known crypto technique called PBKDF2 which you can use to safely re-create the key based on data such as your username and password).

I have developed software which is in use at several intelligence community agencies and security-conscious enterprises, so while I'm not an active member of the crypto community, I do know much more than the average person about cybersecurity and encryption.
1 like dislike

I've been using 1Password for a few years now and I trust it 100%.
1 like dislike

A password manager technology might be faulted. However, I propose that a significant weakness with password managers will always be the workstation, phone, or other device where the password manager is deployed.

(1) A password manager protected only by a master password is susceptible to exposure of that master password, including keylogging. So...

(2) To counter the weakness of a master password, use judicious multi-factor authentication. But even then in theory, a password manager I leave open still gives a rootful spy as much access to the whole list as I have. So...

(3a) The password manager could require multi-factor authentication for every login+password. That's no fun, and those individual items could be plucked from memory. But that is better than exposing the whole list.

(3b) There are reasonably secure ways to manage passwords with just paper, for example https://www.grc.com/offthegrid.htm. Again, individual passwords could still be keylogged, but the whole list is not exposed.

Me? I compromise. The bulk of stuff like my login here gets a unique password and goes into LastPass. That LastPass on any of several workstations opens only with multi-factor authentication and auto-closes if idle for more than 30 minutes.

For my banking and any service where password exposure would be very painful, I try first to get multi-factor authentication for that service. In any case I don't record those few critical passwords in an online password manager, and tend to remember them. However, anticipating that my memory can fail and I will someday die, I have encrypted that critical password list and physically protected it, then divided the master password and instructions among trusted friends.
1 like dislike
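The "divided the master password ... among trusted friends" idea at the end of the reply above, as an added Python example that is not the poster's own method (the post does not say how the password was divided, so using a Shamir threshold scheme here is an assumption): the password is encoded as an integer below a large prime and hidden as the constant term of a random polynomial, and each friend receives one point on that polynomial. Any `threshold` points recover it, fewer reveal nothing about it, so no single holder learns the password and losing a share or two is survivable.

```python
import secrets

# 2**521 - 1 is prime, so arithmetic mod PRIME forms a field; a secret of up
# to 64 bytes (plus a 1-byte marker) always encodes to an integer below it.
PRIME = 2**521 - 1
MAX_SECRET_BYTES = 64


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x**2 + ... mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Split `secret` into `shares` points; any `threshold` of them recover it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if len(secret) > MAX_SECRET_BYTES:
        raise ValueError(f"secret longer than {MAX_SECRET_BYTES} bytes")
    # A leading 0x01 marker keeps any leading zero bytes of the secret intact
    # through the bytes -> int -> bytes round trip.
    s = int.from_bytes(b"\x01" + secret, "big")
    # The constant term is the secret; the other coefficients are uniformly
    # random, which is what makes fewer than `threshold` shares uninformative.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares: list[tuple[int, int]]) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 to get the secret back."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (-xj) % PRIME        # product of (0 - x_j)
                den = den * (xi - xj) % PRIME    # product of (x_i - x_j)
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = total.to_bytes((total.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 0x01:
        # Too few (or corrupted) shares interpolate to an unrelated value.
        raise ValueError("shares do not reconstruct a valid secret")
    return raw[1:]


if __name__ == "__main__":
    # Constructed example: 3 of 5 friends must cooperate to rebuild the password.
    master = b"correct horse battery staple"
    pieces = split_secret(master, threshold=3, shares=5)
    for x, y in pieces:
        print(f"share {x}: {hex(y)[:20]}...")
    print("recovered:", recover_secret(pieces[:3]))
```

Each share is stored and handed over separately from the instructions; an attacker who obtains two of the five points gets a polynomial that passes through them but has no information about the constant term, while any three holders can reconstruct it without the others.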

I use a password manager called Roboform. It's been great. It has its own password generator where you can customize the length and characters it can use.

As everyone has said in this thread, nothing is 100% safe. You can use it to keep credentials of sites you don't care about remembering. That's the best use case.
1 like dislike

You can trust password managers - if they don't save your passwords!

Confused? Well, there are some concepts which don't save your passwords directly. They help you generate your password anew every time. You just have to remember one master password and then they generate, out of the domain name, the master password and some individual salt value, every time the same password for e.g. Facebook, Twitter and so on.

This way you don't have to worry if you lose your laptop with your password manager on it - even brute forcing this kind of password manager wouldn't reveal any "saved" passwords, because there is nothing saved, it's all generated on the fly.
1 like dislike
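The generate-on-the-fly design from the reply above, together with the PBKDF2 key re-creation from username and master password that an earlier reply describes, as an added Python example that is not from any poster or from any product named in this thread: the vault key is derived with PBKDF2 using the username as salt, and each site password is computed from that key, the domain and a per-site salt value, so nothing is stored and bumping the salt rotates one site's password. The iteration count, alphabet and sample credentials are constructed values, not anything a real manager uses.

```python
import hashlib
import hmac
import string

# Constructed parameters for illustration only; a real manager chooses its own
# iteration count and may also store a random per-user salt with the vault.
ITERATIONS = 200_000
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # 70 symbols
MAX_LENGTH = 40  # 70**40 < 2**256, so one SHA-256 digest covers the whole password


def derive_vault_key(username: str, master_password: str,
                     iterations: int = ITERATIONS) -> bytes:
    """Re-create the 32-byte vault key from username and master password.

    The username acts as the PBKDF2 salt, so the same (username, master
    password) pair always yields the same key and the key itself never has
    to be stored. The iteration count is what makes every guess at the
    master password expensive; it cannot rescue a master password that is
    itself trivial to guess.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        username.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def generate_site_password(vault_key: bytes, domain: str, salt: str,
                           length: int = 16) -> str:
    """Derive a per-site password on the fly; nothing is ever saved.

    HMAC keyed with the vault key over the domain and a per-site salt value
    is deterministic, so the same inputs always reproduce the same password,
    while a different domain or salt gives an unrelated one. Bumping the salt
    (e.g. "1" -> "2") rotates one site's password without touching any other.
    """
    if not 1 <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between 1 and {MAX_LENGTH}")
    message = f"{domain.strip().lower()}\x00{salt}".encode("utf-8")
    digest = hmac.new(vault_key, message, hashlib.sha256).digest()
    # Read the digest as one big base-70 number and take `length` digits;
    # this keeps the bias negligible, unlike mapping bytes with a plain modulo.
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


if __name__ == "__main__":
    key = derive_vault_key("alice@example.com", "correct horse battery staple")
    for site, salt in [("facebook.com", "1"), ("twitter.com", "1"), ("facebook.com", "2")]:
        print(f"{site:14} salt={salt}  {generate_site_password(key, site, salt)}")
```

Because nothing but the salt values is worth writing down, a stolen laptop holds no password list to brute-force; the flip side is that the whole scheme rests on the master password, and a site that imposes its own character rules or forces a reset still needs a per-site tweak (here, the salt) to be remembered somewhere.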

You can't trust any software or company. That said, if you want to play online, you're gonna have to make some concessions. Take all the recommended steps to being safe online, then choose the program you feel is the lesser of all evils.
0 like dislike

I use LastPass, but I only use it as a vault. I don't use the browser toolbar or any other integrated tools. I like the fact that I can access my passwords everywhere.
0 like dislike

What trustable password manager would you guys recommend I use? I'm very bad at remembering all my passwords!
0 like dislike

As I mentioned above, I've been very happy with LastPass. I looked at 1Password and KeePass, and ended up liking the features and browser integration of LastPass better. For $12/year, I also chose to buy the pro version, which gives me a mobile app (otherwise you have to use the browser version on mobile) and a way to share some of my passwords with my wife. I think of those more popular products, any will do a fine job, and be worth your while. They're absolutely better than just using the same [probably inadequate] password everywhere.

Oh and as someone above mentioned, make sure you secure your passwords with a very secure password. PBKDF2 won't do much to protect you if your password is 'abc123'.
0 like dislike

KeePass. Mostly because it's open source and devs have built apps for most platforms.
0 like dislike

This discussion has been viewed 13093 times.