
I've always wanted to try some sort of Password Manager. There are many paid options for private/closed-source software.

Realistically speaking, is it possible for me to actually trust those services/software? The simplest conclusion I have come to is, no of course not: you can't tell how the app works, you don't know what data is sent to their servers (some services sync among multiple computers), and just because they have plenty of customers doesn't mean that they are trustworthy.

And yet, there are lots of those services/apps, which makes me wonder if I am missing an important point: am I being mistakenly paranoid? Under what basis can I trust said solutions?

Examples include Dashlane and 1Password.

Saturn
  • I recommend reading [this](https://security.stackexchange.com/questions/3458/password-manager-vs-remembering-passwords?rq=1) post. The author echoes your concerns on the third bullet point under the cons section, but in general the consensus I've gathered is that password managers are helpful, trusted by many, and offer better protections than alternative solutions, which is why I'll continue using one. – jonroethke Jan 25 '19 at 22:56
  • Are you just asking about the proprietary options because you've discounted open source? Or are you asking if you should discount proprietary password managers off-hand? Personally, I feel both options are about as trustworthy, and Esa Jokinen's answer applies to both. Realistically speaking, unless you're a cryptography programmer, the ability to do your own code review of open source password managers is only enough to rule out the weakest of password managers. – Ed Grimm Jan 26 '19 at 21:38

2 Answers


In the end this always comes to trust: you must trust that the program is doing what it's saying, and you should pick a company you are willing to trust. Keep in mind that a password manager is not by all means the only software you trust nor the only software that could steal or leak your passwords. Or you could accidentally paste the password to a fake web site. Or something could be monitoring your keyboard or clipboard. This level of paranoia would require ruling all these possibilities out, too.

Just like Troy Hunt reasons in [Password managers don't have to be perfect, they just have to be better than not having one](https://www.troyhunt.com/password-managers-dont-have-to-be-perfect-they-just-have-to-be-better-than-not-having-one/). I also like how this article points out that a paper copy kept in a safe place has less possible attackers than anything saved on a computer.

> Password managers are a good thing. Even when issues like the LastPass one above are found, they're still far superior to our frail human brains when it comes to your overall security posture. Until such time as that changes and either they're worse due to a flaw that actually causes some serious damage or we create something better again, this is where the game is at. Less sensationalism, more pragmatism.

How to pick a password manager you could trust?

The most paranoid options:

  1. Create one by yourself. It's a hard thing to code a password manager from scratch, but it could be combined from other tools. This has a limit that you must trust them all. To fulfill all the general functionality of a commercial password manager you need:

    • A tool that creates (truly) random passwords.
    • A tool for encryption: you could store them as files in a VeraCrypt disk.
    • A tool that can be automated to securely sync the encrypted version between your devices, e.g. Rsync. The less you trust the encryption the more you need to secure the communication: you could e.g. do this only on your LAN.
  2. Only use an offline password manager that doesn't communicate over the network at all. Update it manually and block its access to the Internet. If you need to have the passwords synced across multiple devices, see where the database is located and sync it with an external tool you can trust.

If you can loosen your tin foil hat a little, take a look at the described functionality of the password manager you are planning to buy. If it stores the passwords unencrypted on a cloud (or does the decryption on server-side), forget it. If it doesn't encrypt the password (like the ones built in the browser), forget it.

If the password manager encrypts the password locally and synchronizes the encrypted version, that's a lot more secure architecture. This should be your minimum requirement. To a certain extent you can check whether the program seems to work as described. The rest comes back to trust.
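An added example (not from the answer or any product it names) of the "combine it from tools" option above and of the encrypt-locally, sync-the-blob architecture this paragraph sets as the minimum: a CSPRNG password generator, a vault sealed under a key derived from a master passphrase, and a check that the bytes you would sync contain none of the passwords in plaintext. The cipher is a stdlib stand-in (HMAC-SHA256 keystream plus HMAC tag) so it runs offline; a real vault would use VeraCrypt or a vetted AEAD library instead.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# Cipher here is an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC):
# a stdlib stand-in so this runs offline; a real vault uses a vetted AEAD.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=24):
    """Password drawn from the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def derive_keys(master, salt):
    """scrypt(master, salt) -> (encryption key, MAC key); slow on purpose."""
    km = hashlib.scrypt(master.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))  # ceil(length / 32) blocks
    return b"".join(blocks)[:length]

def seal_vault(master, entries):
    """Encrypt locally; the returned blob is the only thing that leaves the machine."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt)
    plain = json.dumps(entries).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, salt + nonce + cipher, hashlib.sha256).digest()
    return salt + nonce + cipher + tag

def open_vault(master, blob):
    """Check the tag before decrypting: a wrong passphrase or tampering raises."""
    salt, nonce, cipher, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad passphrase or tampered vault")
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(enc_key, nonce, len(cipher))))
    return json.loads(plain)

def blob_leaks_secret(blob, entries):
    """The answer's 'does it work as described' check: no password in the synced bytes."""
    return any(pw.encode() in blob for pw in entries.values())
```

Run `blob_leaks_secret` against whatever file your chosen manager actually syncs: if any stored password turns up in it, the "encrypted locally" claim is false.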

Many antivirus vendors have expanded to password managers. If you already trust a company that much to give them ultimate power over your operating system, it is not very practical to avoid trusting them in this matter, is it? Aviva Zacks has compared Kaspersky, Bitdefender and Norton. I'd add F-Secure, as their TOTAL solution now comes with a license for a password manager, KEY.

What if someone finds a vulnerability in my password manager?

You can estimate your risks by reading about the vulnerability and how it can affect you. If you don't have the expertise to estimate your risks or if you find yourself at risk, wait for them to fix it, update your password manager and then change your possibly compromised passwords. Or switch to another password manager.

Esa Jokinen

You are not being too paranoid.

Tavis Ormandy discovered that a great many password managers are poor. Unfortunately he didn't recommend any that seemed better than others.

I realize this leaves you in the poor position of trying to find a good one, and I'm not sure what to suggest at this point. Sorry.

sarnold
  • "26 Aug 2016" is a little bit old to be used as a source in computer security. Troy Hunt actually wrote about a bug that affected LastPass: https://www.troyhunt.com/password-managers-dont-have-to-be-perfect-they-just-have-to-be-better-than-not-having-one/ – Kevin Jan 26 '19 at 02:20
  • Twitter is a poor source. Lots of opinions without actual examples, references or justifications. – Esa Jokinen Jan 26 '19 at 06:36