
I've started looking into password managers these days and have come to trust the general concept. They provide convenience and very good general security if used right.

However there is one point of concern that remains:

What happens if my password manager service fails, i.e. both the servers and the client (or browser plugin) are suddenly dysfunctional? The password plugin cannot be used anymore. I cannot access my passwords via the web interface of the manager service. The built-in export functions of the manager are not available (client corrupted). Let's imagine e.g. a hacker attack that compromised both server and client side functionality. One could also imagine that a corrupt government obliges a password manager to shut down their service. As a security oriented user I have of course used randomized strong passwords everywhere and only personally know my master password. In this scenario I have now lost access to all my credentials. How could I recover my login data to all the hundreds of websites that are stored in the vault? Of course, we would hope that the service I use would recover "quickly", but then, I might still need urgent access to some elements in the vault.

To me what would be needed is an external program that is capable of decrypting the locally stored vault, when provided with the master password. Since the encryption algorithm used by a service is usually known, this should theoretically be possible.

Thank you all in advance for your insights.

Some edits in response to the discussion: Edit 1: I have settled for the popular solution LastPass. If you have concrete answers concerning LastPass they are of course welcome, but I intentionally formulated the question non-specific, because I couldn't find much on this topic and it seemed really a "general problem" to me.

Edit 2: Manual vault exports + manual encryption. This is exactly the workaround that I use now. All in all, the concern I formulated was not strong enough to discourage me from switching to tool-based password management, especially with this rather viable workaround available. Of course it would still be nice if a manager did this automatically.

Edit 3: Backup a working client version. LastPass is not ideal with respect to this issue, since there is no standalone app (or I was too stupid to find it). That makes it already more complicated to always have a backup of a working client version on my PC, because it is all browser plugin based. Otherwise this is a viable solution as well; actually it is preferable, because I would always be able to access the latest version of my vault. Edit 3.1: so actually I was too stupid to find it, or rather the LastPass website is not very clear about it. The installer that is described as follows: "LastPass Universal Windows Installer

The Universal Windows installer installs browser extensions for Internet Explorer, Edge, Chrome, Firefox, and Opera." also contains a native app.

Edit 4: Password recovery without access to the vault. Yes and no. First of all it is tedious. Secondly it doesn't work if the credentials for my recovery mail are also stored in the vault.

  • Welcome to Security.SE! Are you asking about your particular password manager, or simply whether it is possible in general/theoretically? You can edit your question to clarify. – multithr3at3d Apr 12 '20 at 14:25
  • As an aside, even if your passwords were lost forever, you could hopefully reset them through the individual websites. – multithr3at3d Apr 12 '20 at 14:26
  • It depends on the password manager you are using. I believe there is a program (python or perl) that could decrypt the exported vault file/backed-up vault file of your password manager. Could you tell us what password manager you are currently using? – anotsodev Apr 12 '20 at 13:00

1 Answer

The answer will be different for different password managers, but your question is extremely important.

Many password managers (including the one I work for) store your encrypted data locally on your machines for the non-browser clients. We explicitly encourage people to use a native client so that you can use your data off-line (among other reasons).

The scenario in which the service becomes unavailable will still leave you with working native clients which will be able to read your data. I find it hard to imagine a scenario in which you would still have your data but for some reason the native clients would be unavailable. Remember that there will typically be older versions of software "out there" and among your backups. (If you are asking this question, I also trust that you are making good backups of your own systems.)

Specifically for 1Password

I can give you a partial answer with respect to 1Password, for which I work.

Starting with the bad news: we still don't have a robust and easy to use local data backup/export system that preserves the structure of the data. It is, of course, possible to export your data from 1Password, but it loses a lot of the structure of the data and isn't suitable for automatic backups.

The 1Password local data stored on your system is tuned for particular things about the platform and is subject to change. So, for example, if you took your 1Password.sqlite file used by 1Password for Mac it wouldn't be readable by 1Password for Windows. One from a year ago might not be readable with the current client. We need to have the flexibility to tinker with that data format. This is why an exporter/backup tool is needed instead of a reader directly for that data.

We've documented in great detail how our encryption works, but that documentation doesn't quite cover everything you need to know about the sqlite3 data stored on your machine. Indeed, it is the part that isn't documented that is subject to change.

As the core of it is all the same and conforms to what we've documented, it isn't too hard to reverse engineer the rest. Indeed, people have done so. Free (John the Ripper, hashcat) and commercial data recovery/cracking systems have tools to do exactly this. And we have always tried to assist those doing so when they ask specific questions about the data format.

This is hardly an ideal situation. The plan (though it has been a plan for a while now) is that we will provide a local encrypted backup format that is open and fully documented and which preserves all of the item detail. This has been 90% done for a long time, but the last 10% has been taking a while.

But in the meantime, you can regularly use the existing export mechanisms and save those in a secure location (as the export isn't encrypted). Or rely on the fact that your own backups will contain versions of the 1Password app which can read the local data that you also have on your system backups.

Jeffrey Goldberg
  • Thanks a lot for this answer! I don't have enough reputation so you can't see it, but I one-upped it of course. To me the ideal solution would be an automated backup mechanism, where the produced files are accessible with any common decrypting tool. Until then, one of the workarounds you proposed will make do :) – Simon Massa Apr 13 '20 at 16:48
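The "export, then encrypt it yourself" workaround from Edit 2 and from the last paragraph of the answer, as an added example that is not part of the original post or of any password manager's own tooling: it wraps a plaintext export under a passphrase-derived key using only the openssl CLI (assumed present, version 1.1.1 or later for -pbkdf2/-iter) and then checks that the archive decrypts back byte-for-byte, so the backup is known to be readable with a common tool and without the manager. The export contents and passphrase below are constructed sample values, not a real vault.

```shell
#!/bin/sh
# Encrypt a plaintext vault export ($1) into $2 with a passphrase read from
# file $3 (keeps the passphrase out of argv and the process list).
# PBKDF2 with a high iteration count slows down offline guessing of the
# backup passphrase; -salt makes each archive's key unique.
encrypt_export() {
  openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
    -in "$1" -out "$2" -pass "file:$3"
}

# Decrypt archive $1 into $2 using the passphrase file $3.
# The iteration count must match what was used at encryption time.
decrypt_export() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
    -in "$1" -out "$2" -pass "file:$3"
}

# Round-trip check: returns 0 only if archive $1 decrypts with passphrase
# file $3 to bytes identical to the original export $2.
verify_backup() {
  tmp=$(mktemp)
  decrypt_export "$1" "$tmp" "$3" 2>/dev/null && cmp -s "$2" "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Demo on a constructed export (sample data, not a real vault).
demo_dir=$(mktemp -d)
printf 'url,username,password\nhttps://example.com,alice,sample-pw-1\n' \
  > "$demo_dir/export.csv"
printf 'long random backup passphrase kept separately' > "$demo_dir/pass.txt"
chmod 600 "$demo_dir/pass.txt"

encrypt_export "$demo_dir/export.csv" "$demo_dir/export.csv.enc" "$demo_dir/pass.txt"
verify_backup "$demo_dir/export.csv.enc" "$demo_dir/export.csv" "$demo_dir/pass.txt" \
  && echo "backup verified: $demo_dir/export.csv.enc"
```

Once the round trip has been verified, the plaintext export should be deleted and only the .enc file and the separately stored passphrase kept; the same `openssl enc -d` line recovers it on any machine with openssl.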