1

What security benefits are gained from having a password manager, versus having the passwords stored in plaintext on an encrypted volume?

Both would allow one "master" password, both would (potentially) allow external storage of encrypted data... what would be the benefit, from a security standpoint?

Of course, usability is not unrelated to security, so if there is a point to be made with usability it may relate to this as well.

This is not asking about a specific product (such as KeePass vs. OneNote), but instead is focused on a higher-level comparison of methods available to users of most modern OSes.

Aaron Thomas
  • Possible duplicate of [KeePass Vs OneNote](https://security.stackexchange.com/questions/141706/keepass-vs-onenote) – Serge Ballesta May 31 '17 at 17:47
  • there isn't "a" "_point to be made with usability_", there's every point to be made about usability; that's the main diff given everything else is done correctly. – dandavis May 31 '17 at 21:58
  • Both use the same cryptographic algorithm (AES in most cases). But a password manager is optimized for this one purpose and thus offers for example search and self-managed database (which keeps the files small). – BlueWizard Jun 04 '17 at 22:33

3 Answers

4

This may not completely answer your question, but I have tried both encrypted volumes (OS X) and password management systems (both KeePass and mSecure) and there are some security advantages to the latter, as you suggest: related to usability. They're minor, and one might even be viewed as a disadvantage.

  1. The password managers may permit you to not "show" passwords on the screen, but instead let you copy and paste them without having them be visible.

  2. In password managers, even when passwords are visible, only one is visible at a time.

  3. Password managers facilitate the sharing of the encrypted password database between devices (this might be viewed as a disadvantage, but it also might mean you don't have to read a password on one device to use it on another, and that you have backups of your password).

These things are mostly trivial, compared to more important questions:

  • Where are the passwords stored?
  • How are they encrypted?
  • How are the keys managed?

I haven't been able to find out good answers to these questions yet for the most recent version of mSecure, so I haven't upgraded yet.

EDIT: Another advantage is auto-lock on inactivity. mSecure will automatically lock itself after a configurable amount of time.

rambler
1

The main security advantage I see is against malware. While in use, your encrypted volume is unencrypted and it is easier for malware to copy or damage your text file. In a password manager, even if your password database is leaked, it is useless without your master password.

The same is applicable if, for example, you forget to lock your computer with your drive plugged in. It is trivial for someone to open the file or copy it elsewhere unencrypted.

Of course a keylogger could get the master password from your database... So I guess no implementation is perfect.

Kotzu
-1

> What security benefits are gained from having a password manager, versus having the passwords stored in plaintext on an encrypted volume?

Both are encrypted stores of sensitive data. So neither can claim to be fundamentally more secure than the other—they really just differ in implementation details.

But you're approaching this question from the wrong angle. Security is not the only factor here; it needs to be balanced with convenience. And here is where password managers outshine encrypted volumes—password managers have features like:

  1. Browser and application integration so you don't have to type your passwords
  2. Easy synchronization between multiple devices
  3. Integration between password database and security alerts (see, e.g., 1Password's Watchtower feature).

Luis Casillas