Ask HN: Why should I trust password managers?

174 points by acadapter ↗ HN
This is a piece of tech that has slipped under my radar for a long time. I've been having my own methods for safe handling of passwords on the web.

Why do people trust password managers?

288 comments

[ 3.3 ms ] story [ 272 ms ] thread
It's a convenience vs. security tradeoff. The fact is, most people can afford to adopt a flawed security model to give themselves greater convenience, because most people aren't being specifically targeted and attacked. I doubt many people realize that they are making such a tradeoff, but that's more about dishonest advertising...
It's less flawed than relying on a low-strength memorable password that's reused across all services. Having a uniquely generated, random password for each service that gets autofilled by the password manager is much more secure.
I guess password managers seem like one of those few decisions that made my life both more convenient and more secure (after the initial adoption).

Out of curiosity, what could one use instead of a password manager that would be closer to the “more secure” side of things in your opinion?

> what could one use instead of a password manager

The comment you're replying to mentions "dishonest advertising", which suggests "password manager service".

I'd think using e.g. KeepassXC would be more secure (but less convenient) than this, since I manage where the password database is stored/accessed.

You could use a different password for each service and just write them in a paper notebook.

Paper is generally not susceptible to malware or other ways passwords can leak from a local or hosted password manager.

But now your password manager (notebook) is vulnerable to fire and water damage, with no backup or recovery options.
And also if you ever need to access anything on-the-go, you either can't or have to keep the notebook with you and make it susceptible to the things you mentioned + theft or snooping.
I use a copy machine to back up my password list. The pages go in my fire safe with other important papers, and a second copy off-site.

I guess you could just take pictures of the pages and save them to a thumbdrive or an SDcard, but I prefer the lower-tech solution.

You can't possibly believe that this is a viable alternative.
For some people (when paired with storing the notebook in a physical safe), it is. My parents were using Lastpass but somehow managed to lock themselves out completely and none of the recovery options worked.

For their use case and technical skill, a safely-stored notepad is best.

I don't trust them and use an offline virtual machine on Qubes OS to store my passwords instead.
I don't trust them. I store passwords locally on my machine (encrypted).
If you don't trust password managers you're trusting something else. You have to take that into consideration and weight in versus your threat model.

And you probably don't even need to trust a password manager with every password you have, you can keep just the random 200+ logins you probably have for weird websites. And keep banking, emailing and the other important stuff away from it. Also, you don't even need to have your password manager store the actual passwords there, you could "pepper" what is stored so you transform it after you paste it to the website.

One word about peppering, keep the inevitable future in mind and strongly consider ensuring your transform is available to whoever will be managing your affairs after you shuffle off. Keeping it with a lawyer or in a safe deposit box, perhaps.

Source: helped deal with an uncle's many, many digital resources after he passed unexpectedly.

Because if you don't use one, you'll almost certainly instead either reuse passwords across sites, store passwords insecurely, or choose weak passwords.
In my opinion, storing passwords in encrypted files is probably safer than putting passwords in a centralized location (provided you don't code your own encryption algo or make other silly mistakes).

There is not a lot of value in trying to attack a single person's password file, but the value is multiplied by the number of users when using a centralized platform.

> storing passwords in encrypted files is probably safer

That is too hard or tedious for most people. Syncing is a pain, and doesn't autofill on websites or in apps.

I use https://git-secret.io for this. But it's not user friendly enough to be used for everyday web browsing and account access. I personally use it to store things like root passwords or reset tokens, which I very rarely access.
> storing passwords in encrypted files

Which you almost certainly access with some kind of software, yes?

A password manager is just a piece of software that stores passwords in encrypted files, and makes it more convenient to edit them, associate them with a website, use them to log in, check them against known breaches, etc.

I think local open source password management software that you run on your machine are more trustable and less likely to be the subject of a big targeted attack than a cloud tool. So just to be clear, I am not advocating against Keepass or similar, only web tools with thousands of users.
Fair. I moved from 1Password to Enpass when the former started pushing cloud big time.

Enpass isn't open source but it's open... implementation details? There isn't a formal spec or standard but they were very forthcoming about how their encrypted SQLite implementation works and there are now open source third-party CLIs for it. https://github.com/hazcod/enpass-cli

One feature of 1Password (and other password managers with browser integration) that has saved me at least twice by now: The browser extensions will autofill only for matching domains. If autofill doesn't work on a site I have credentials in 1Password for, chances are it's a phishing attack. That's a last line of defence against well-crafted phishing attacks that I wouldn't want to give up.
I trust a local password manager, namely KeepassX running on my linux laptop. It's an open source dedicated piece of tech running on the local box, so I figure my trust model extends at least this far.

Otherwise, no, I wouldn't trust a commercial password manager with automatic sync on to someone else's servers. I also don't trust the browser enough to put an extension in it that has the keys to my password database.

It's a tradeoff. I get a nice level of security, but it's not 100% seamless. Without autofill, I often need to start up the password manager, search for a site, copy and paste password into the browser. (I just had to do this to log into HN.)

For some sites, I let the browser also save the password, which I treat as just a cache of low-value passwords. And the encrypted password manager database gets occasionally synched into gdrive, so I can also access it from my smartphone using the appropriate app.

Been doing this for 5+ years at this point, and it works for me... can't even remember what on earth I did before. Probably passwords in tiny plain text files.

You don't "send" your password to the manager, you enter it locally. Ideally, it never leaves your computer, so it is far less likely to 'leak'

The database is encrypted, so if someone were to hack them, they would at least have some (hopefully major) issues decrypting it all.

I use a password manager for the hundreds of accounts I have where security is not super important. Mostly as way to not have to reuse passwords (credential stuffing now makes up a significant amount of attack traffic), nor fight the varying password requirements ("shoot, did this website require a special character?"). Tbh, it's nice to have one less thing to worry about. For the increasing number of sites which require 2fa, it also let's me keep a totp token accessible from all my devices.

My most secure accounts use their own individual, memorable, secure password.

I do fear that even if my self-hosted password manager is secure today, there's nothing stopping a malicious update to that software which could exfiltrate all of my passwords.

Came here to say this. When you're on the job hunt, there are a thousand different MyWorkDays you'll need to sign into and what an incredible pain it is to keep track of those manually. Just don't forget to delete all those accounts when you're done hunting.
I leave the really unimportant crap in the Firefox "generate and remember this login", the regular passwords in Bitwarden, and financial passwords in my head.

Answering the original question: I trust that Bitwarden's Github source is what drives their service and that their popularity ensures the source is audited on a regular basis by reasonably skilled software folks. It's the same degree of trust I give to the people that build every reasonably vulnerable product I use: elevators, phones, cars, door/window locks, etc.

-----

For me (and perhaps only me) a more pressing concern is that fingerprint scanning is common in apps that are meant to protect data: banking apps, stock market apps, Bitwarden.

NOBODY makes a significant effort to hide fingertips. Cameras are cheaper, more accurate, and more numerous than ever. People don't clean every surface they touch. It can't be so difficult to 3d print a mold and find the right material to make a false finger.

Android's security model has a nice built-in feature: If you have someone's phone for a few seconds and know their unlock code (not too tough to espy... right, Ye?) you can keep retrying the false finger for that person until it works. Only then do you switch to the important app.

Oh, and... Fingerprints, unlike master passwords, are nearly impossible to change.

This is my approach as well. I see passwords as being in tiers:

- Level 0: the serious stuff that would absolutely suck if it got compromised. Namely Google. Banks.

- Level 1: things that would be an inconvenience if they were compromised. Okay it's annoying that someone got into my Amazon account or something, but this can be dealt with.

- Level 2: passwords my in-laws are going to use to watch Netflix or the like. If this gets compromised... ok, that's a pain for Netflix but this is essentially a victimless situation.

Password managers are really good for the Level 2 stuff. Really, there are too many passwords we need to know. They are okay for the Level 1 stuff, just have an idea who you're going to call. I wouldn't use them for the Level 0 stuff.

Like anything else, you balance your risk against convenience. Approached this way, even if the password manager gets hacked, you're only minorly inconvenienced. Always have 2FA on where allowed and what's the worst that will happen?

Password managers are by far the safest way to store the level 0 stuff too, fwiw.
That's what I'm thinking. My level 0 passwords for sure will be in my password manager (except for one of them, for some reason).

Level 2 passwords I'll sometimes just reuse a memorable password.

My password manager is open source and offline, though, so that helps.

I trust the one I wrote for myself. I would have a hard time trusting a 3rd party tool without a lot of insight and feedback as to its design and implementation, and credible assessments of its trustworthiness.
Same here. But then I wouldn't recommend anyone to do the same
IMO it's strange that people use cloud-based password managers. Companies like 1Password have all your passwords in their cloud. So they are an enormous target.

I use enpass, and am in charge of my own syncing and storing in the datastore of my choice. I personally prefer this model.

> Companies like 1Password have all your passwords in their cloud.

But they are end-to-end encrypted, so if someone broke into their database they would be useless unless they also had access to your device.

source code is not open source so end-to-end encryption might not be there when you expect it.
At the same time, the native and WebExtension clients are proprietary and autoupdate by default. Travel Mode can only be accessed by typing your decryption keys into the live website (my.1password.com). An infrastructure compromise would be even worse than a database dump.
You're right - although you can pick better or worse providers. At least 1Password doesn't have a long history of breaches (like LastPass lol).
Because that's literally the entire point of cryptography, being able to move secret information across an insecure channel.

1Password (and any other mainstream password manager) has no access to your passwords because they're encrypted locally. People who go to extreme lengths to keep an encrypted file secret practice LARP security.

To preempt the question of "how can you trust them to encrypt your stuff though?" The same way you trust Enpass to encrypt your stuff, I'd make a guess 99.9% of users have not personally audited their code.

Right, there are two reasons to not trust such a program which remotely stores an encrypted blob for you:

1) Not actually understanding the technology or threat model.

2) Having incredibly sensitive information which absolutely cannot leak even by accident, and needs to be handled manually with extreme care. This describes vanishingly few practical scenarios.

I read a story once, which may be apocryphal, about various intelligence services switching back to printed/typewritten records for incredibly sensitive stuff to avoid the possibility of it leaking without having planted a spy.

It seems unlikely to me, but I could imagine situations where that level of concern might make sense.

I don’t trust or use SAAS password managers. They are massive honeypots just waiting to be pwned and everyones’ passwords to all their websites stolen. They have above average security, but unlike a typical website they can’t just store a one-way hash of passwords that remains secure even when stolen, they have to store the actual password.

I imagine nation state-supported malicious hackers are targeting them. Everything else is getting breached and leaked these days, there’s a non-trivial possibility these will too.

I just use KeePassXC instead, and periodically ‘sync’ the database across my workstations and laptop. And by ‘sync’, I mean manually export the database and rsync it around to my workstations and laptop and re-import it on each. But given how infrequently I create new web accounts, this isn’t a major hassle. It works fine, I don’t need some centralized service for this.

Same here. KeePassXC, sync manually and backup it manually. I don't trust SaaS as well.
I add on KeepassXC, synched to one of my cloud storage in the background with a decently misleading name and in a misleading folder.
So…security by obscurity.
Nothing wrong with security through obscurity as an extra layer on top of encryption.
Fair point. In the end, all these security measures that we’re using are really just a form of “security through obscurity,” isn’t it. ;-)
You could use Syncthing so you don't have to manually sync and backup nor trust any SaaS
> they can’t just store a one-way hash of passwords that remains secure even when stolen, they have to store the actual password

Maybe I'm missing something but sure they can't store its hash but they can and do store the password strongly encrypted. Presumably without the master password, at least, it should be close to impossible to retrieve the passwords. Or is that assumption wrong?

That is correct and they apparently have the audits to prove it.

That said, it's not bulletproof. The chink in the armor is the browser extensions they all use. All it would take is somebody to slip some trojan code into one of the browser extensions and all of the sudden you have a few hundred million decrypted password databases which could trivially be uploaded to wherever.

Could you not argue the same thing for almost any code used by almost any piece of software closer to the metal?

e.g. someone manages to slip malicious code into Chrome/Chromium which eventually makes its way out to every Electron app/most browsers, or something gets injected into Windows/macOS/Linux, etc.

On one hand, yes software supply chain vulns are getting difficult to maintain conceptually total coverage of while also maintaining a pleasant environment for developers to productive in.

On the other hand, yes there eventually is a trust point somewhere. A spiral of upstream what-ifs isn't productive IMO, I agree.

>Could you not argue the same thing for almost any code used by almost any piece of software closer to the metal?

You could. But if you haven't trusted all/most of your passwords to any single app, you wont have a problem with them being exposed when that particular piece of software is compromised.

Even if someone compromises your OS itself, you'll only lose the passwords you typed in while you were using it compromised. And that's if it does captures thoses, and if it sends them to some remote endpoint, and if it's not caught soon, and so on.

With a password manager compromised, on the other hand, you could loose anything you've put it in, all at once.

The likelihood of malicious code making its way into a browser extension in production is way, WAY higher than it is for something like Chrome or Windows.
I am the same, but with the enhancement of using Resilio Sync to automatically sync the file between devices.
I do the same, with Nextcloud though, but I doubt SkyMarshal would consider that as an enhancement. He, and others, sync it manually and "offline" for security reasons.
You can use any kind of sync software you prefer, be it cloud-based or local LAN-only. At least with cloud-based it’s not a glaringly visible honeypot with a huge target painted on it.

Setting up local automated sync is on my todo list, it’s just lower priority than too many other things. As I mentioned, I don’t create new accounts so often that I need automated sync.

I do the same thing but worry about a nation state or rich enough hackers to just take over the project and add nefarious code. I’ll never audit the code and make sure it produces the binary I get from the Apple store. So I’ve started adding my own “salt” - I type an extra character or two (same for all passwords) to the end of every password I enter. It’s the easiest way to protect against not being able to trust my local password app that I can think off.
If the hacker can decrypt your whole password safe and view all your plaintext passwords, I think they'll work out your scheme.
Unless the hacker mass decrypts a couple million passwords, in which case one person's passwords that don't work for the login bot probably won't catch the hacker's attention.
I don’t understand how. If I record that my password for Google is xyzzy, but in reality it’s xyzzy123, and 123 is part of every password but not recorded anywhere (other than my mind), how would they work that out? They’d just see that none of my passwords worked. If there is a weakness to this system please let me know.
For what it's worth, 1Password has a longstanding $100k bounty for capturing a flag inside a publicly available encrypted vault.

https://bugcrowd.com/agilebits

I suspect that’s not nearly enough, given that their breached database would probably sell for multiple orders of magnitude more on the darknet. Should probably be $1M at least.
1Password vaults are encrypted end-to-end, their database would not be worth nearly that much. It's a bunch of worthless data. A successful hack of 1Password would probably require pushing bad client updates.

Besides which bug bounties are not really intended to disincentivize people from committing crimes, they're intended to incentivize researchers to report findings and reward them for their efforts.

(comment deleted)
Parent comment is right about the value of a successful vault exploit. Given the number of people and companies using 1Password now, $100k would likely pale in comparison to an exploit's value on the black market.
>1Password vaults are encrypted end-to-end, their database would not be worth nearly that much. It's a bunch of worthless data.

Doesn't matter for our case, since it already assumes the database potentially compromisable. The parent's comment concerned whether the "bounty for capturing a flag inside a publicly available encrypted vault" is enough. So the question is not whether the bounty is enough given it's impossible to win, but whether it's enough given it might be possible to win.

In other words, whether someone who finds an exploit to decrypt the vaults contents would get a better value by (a) revealing it to 1Password company and taking the $100K bounty, or (b) selling the exploit to people who would give millions to be able to decrypt other's vaults...

The value of such an exploit likely exceeds their valuation.
I think you misunderstand how 1password vaults works.
That is terribly low for such a critical issue. There are Ethereum L2s that pay out $2M bounties.

https://twitter.com/saurik/status/1491821215924690950

That's a bad analogy, although you point out a possibly good thing for L2/crypto - the bug bounties are massive because the projects have a silly amount of funds.

Password managers don't operate with those economic models though.

1Password has raised almost $1B. Surely they could put at least $1M toward a critical bounty?
Depends on the cost/benefit. 3x security engineers to detect/respond vulns and attacks is less expensive but gets similar coverage plus a lot of other work capacity, for instance.
1M allocated to this bug bounty is 1M not spent if their security is strong enough.
What cost? There is literally zero cost.

Unless a successful attack actually occurs, in which case it's literally almost priceless in terms of their reputational damage, unless they can get their hands on it before someone else.

Although PWMs would get a reputation hit from a breach, there isn't any precedent yet for a high-trust software being breached publicly and what happens to their reputation.

But, if you ask around enough with security teams at the large cloud providers, there are definitely rumors of APT-level activity being detected/blocked at the infra level. Yet, cloud is still the most secure option out there vs. on-prem in 90% of the use cases for it so to speak. Similarly, there is just too much precedent of high trust firms being breached, and nothing really happening to them as a result (fines, loss of users, etc).

So, you allocate $1mil, possibly spend it, and either way can't use it for anything else, or you allocate a fixed cost of $600k/yr and get a lot more out of it on the security front, to include solid defense-in-depth, detections, and IR capabilities for if/when the successful PWM attack finally occurs. Personally, yes probably worth putting out a hefty bounty, but pragmatically you'd get more out of hiring the engineers.

Agreed!

In fact, I'd argue that, if they are positing that the reputational risk for a successful hack exceeds 10% of their notional valuation, then they should try to commit at least 10% of their market cap as insurance against that ever happening, or at least if they would gain enough information to prevent this from ever occurring. This isn't that hard to figure out.

The best thing about that insurance is that it's literally free -- they never have to pay out unless the event actually occurs.

Yes.

Given that the payout is probabalistic and serves business goodwill, I'd argue for a more substantial reward. Possibly secured through a bond or insurance policy.

Password managers unlock hot wallets, and much more besides.
The vault vendor likely isn't exposed to that full liability. But in a business-trust basis, the goodwill is all but certainly worth > $100k.
> They have above average security, but unlike a typical website they can’t just store a one-way hash of passwords that remains secure even when stolen, they have to store the actual password

No, they don’t store directly the actual password, they store it encrypted by a encryption key derived from your master password. A leak of the database won’t reveal any password, as long as your master password stays secure (aka is not "hunter3")

> as long as your master password stays secure (aka is not "hunter3")

You mean, the master password that many people reuse across sites and has been leaked into the darknet by breaches of other sites? Or if not leaked directly, at least some entropy about it probably has been.

I know these services don’t store the password in plain text, but it’s still stored in reversible format. That’s a juicy target.

Do you understand the concept of a password manager?

You only have to remember one password, and for that reason people can choose a longer and more complex one.

Then your passwords are encrypted using that master password.

So people cannot “reverse” your password if you pick a reasonably long master password.

For reference, my master password is a 27 character sentence which would take somewhere between a millennium and the heat death of the universe to crack. It encrypts around 500 passwords, each in itself 25-35 character long pass phrases I do not know.

This kind of dependence sometimes scares me to be honest, not that password dependent services have left much choice to us.
I store the printed credentials to my password manager and my e-mail account in a safe deposit box (without mentioning on that paper what the codes are for).

Then I store a YubiKey which is a second factor to these accounts in another safe deposit box in another location.

So should I forget my master password: drive to box 1.

Should my house with all my computers burn down: drive to boxes 1 and 2, find a pc or phone somewhere, and I have access to all my accounts.

Should my password manager go bankrupt overnight and take my vault with them: drive to boxes 1 and 2, then click “forgot my password” on all services and use my e-mail to recover access.

Should my password manager go bankrupt overnight and take my vault with them, my e-mail provider go bankrupt overnight and take my mailbox with them: at least I have my own e-mail domain, so I can set up a new mailbox elsewhere

Should my password manager go bankrupt overnight and take my vault with them, my e-mail provider go bankrupt overnight and take my mailbox with them, and my domain registrar go bankrupt overnight and take my domain with them: yeah…then I’m screwed. I’ll migrate to a wooded country and become a hermit.

Could you help me understand, that if you are this considerate and comprehensive about your risk factors and prepared at all sorts of possibilities, why still use a password manager solution that can "go bankrupt overnight and take my vault with them"? Why not just use KeePass and manage the vault yourself? If your answer is "I only need to do these safe box things once", then writing your own scripts to sync KeePass database between your devices is also only needed done once, right? Even if it's more hassles, considering you will never have the last 3 bullets listed, isn't that worth the trouble?
Because I think my password manager is far more competent in keeping my safe available “in the cloud” than I am in keeping my safe available.
But the password to your domain was in the password manager.
You can check this fairly easily with https://haveibeenpwned.com/Passwords. It's not exhaustive obviously but it's something.

1Password vaults are also encrypted with a separate secret key that is generated locally and never stored. So you'd need the password and the secret key to decrypt.

What sources do you have that indicate master pws in the pw manager context are getting leaked or reused?
you don't really need a 'source' for that do you? - it's common knowledge that people reuse passwords across sites. It's not best practice for sure, but plenty of people do it. If some low quality site leaks your email and password and if you were dumb enough to use that as your master password for your password manage, you are at more risk than if the bad actor didn't have that information.
But that's exactly why you use a password manager; so it can generate passwords for you, while you only need to remember one password to unlock it.
You should probably think a little more critically about password managers.

You don't reuse passwords at all. That is expressly the point of password managers. You generate a new password that is completely random and quite long for each independent website.

If one of the sites is breached, no matter. Damage is contained to that site. The only password of yours that is leaked for that site. The only place that password can be used is - you guessed it - that site.

A master password is the only pw in a PWM at real risk of reuse.

However, without placing too much unwarranted trust in the user, consider the following:

- extensive warnings during user onboarding about how to approach setting and safe keeping of the master password, especially around reuse.... ok, but some users are still hopeless with this, what then

- taking Lastpass for instance, lock-out features for logging into the extension if you're coming out of a new geo-ip (proactive risk control)

- taking LP again, alerting to the user for successful logins to the platform from new geo-ips (reactive risk control).

- all the on-device security controls required to get into a PWM: touch/face-id logins for the apps, an official browser extension, on and on. I'd also imagine LP security is watching HIBP very closely.

Put all that together, odds are you or the PWM security teams are able to filter pretty well for password reuse for master passwords. So yes I'd expect sources/stats to be out there, or at least counterpoints to the above which when put together map a decent defense-in-depth for PWMs which isn't present in most or almost any browser extensions, to include Tier 1 cryptocurrency browser extensions which are responsible for significant more funds and still maintain good security (think: Metamask).

Not sure if this helps or hurts, but the places they're most likely to see a problem are in the clients and automatic browser plugin updates. An attacker doesn't even need to target a password manager directly; they can collect passwords pretty well with any compromised plugin, just not all of the passwords at once.
For that reason I trust 1Password in the non-SAAS version. The password vault is stored locally and then snchronized between devices via iCloud. So there is no single point. First there needs to be an exploit for iCloud and second to the 1Password vault. The benefit of this is, the vault is a simple website by itself that can be loaded into any webbrowser without the app.
Oh that’s cool, didn’t realize 1pw had a self-hosted version, will check it out.
Unfortunately, the self-hosted option is only available in version 7. Version 8 is the current version and does not offer self hosting. 1Password has said they will not offer it in future versions either, so it’s not worth getting set up if self hosting is critical to you.
for the N number of websites that force me to create accounts, I use an auto-generated password from the password manager and save to the same SaaS password manager. These are for websites I don't care if the passwords get leaked, I can live with the damage. Some have access to credit cards, but meh.

For the old-school (am I young?) websites like mail, fb, bank accounts, etc I remember the passwords.

Seems like a workable compromise for now. Tho I am scared I will start getting lazy and start storing sensitive websites in pwd managers.

If your threat model truly think it worth the hassle for you to use KeePass offline and sync offline. Then so be it.

However, given KeePass is still a piece of software, nothing stop state-supported malicious hackers injecting vulnerability into it, and suck your password away into their database.

Have you consider making sure all your computers are offline when using KeePass?

Just don't update your password manager. If it's fully offline (and it's a mature product), there's a pretty low chance there'll be an update that you'll actually need.

As time goes on without reported backdoors, the chance that your passwords are safe just gets better.

Password managers just move the the problem somewhere else IMO. Saving passwords with your browser is even worse.

Passwords should not be rotated unless they have been comphremised. Password rotation is the problem, not your password.

Use different teirs of passwords. Have a single password u use for anything that is non-senstive, and then go custom on anything that is. Only login to those sensitive services from 1 devices, forgo your convience. These custom passwords should be very rarely be used and u can come up with some custom way to store / remmeber them. Atleast then i have to spend hours and hours and hours on your box, looking, instead of minutes.

I’m in the boat as well, I don’t quite trust SaaS managers and ultimately settled on KeePassXC. I also host my own mailinabox though, so my database is synced on my personal Nextcloud across my devices.

In addition to a master passphrase, I also use a keyfile for keypass, so even if the database is compromised I would hope that it’s still not useful without the keyfile.

Everything is a risk reward calculation.

Convenience vs security.

The balance i struck with a self hosted instance of bitwarden has been good for me.

I run it.

It’s open source

It’s third party audited

Company has a good history generating trust

Did I mention I host it?

It depends on what you mean by password managers and trust.

If you have an application that you trust (be it track record, inspection or known-good controls), and that application happens to also be a password manager, then the trust in the manager itself should be fine. If, however, you use a third party service, i.e. something managed by a company that holds your data, that is a different topic because you're talking about trusting a company.

A password manager can be KeePass on your local FDE storage medium. A password manager can also be a web app hosted elsewhere. It can also be both. You can even mix it up and have the storage medium be remote storage in stead of local storage.

If you currently have a file called "passwords.txt" stored in a public S3 bucket, that would be your 'own method' but would that really be good? Or perhaps you have an RSA-wrapped AES-encrypted spreadsheet you store locally with no back-ups, also possible. Too many unknown parameters.

At the end of the day the solution that gets you strong unique passwords per entity in a way that you don't lose access to personally but also don't give unwanted access to towards third parties is better than not having a solution at all. (this includes physical paper password books, those are 'unhackable' after all)

This is the only one I use. I've used it for like 5 years and have hundreds of passwords stored. Everything is offline and encrypted with GPG along with being command line driven. It's the ultimate tool for someone who primarily uses a workstation or laptop.
I have a few devices so I store the passwords as a git repo and periodically push/pull between them -- super seamless.
...and there's a few handy-dandy phone apps which also support the git syncing.
browserpass is the killer addon for pass - just calling it out
I use 1password for the convenience they offer.

However for important accounts, I use 2FA with yubikeys or codes that are not stored on 1password. Just in case.

Especially for non-tech family members and friends. Its either an easy password manager or using the same password everywhere.

I'm surprised by so many of the comments here out-of-hand dismissing or denigrating any password manager that stores data in the cloud. There are ways to store data securely, one of the simplest methods is to do zero-knowledge encryption of that data by way of key-generation from a password only the user knows at the time of decryption. This is essentially how the vault functionality of most password managers work, whether that vault is stored locally or not. They used something like PBKDF2 to generate the key used for encryption from your password.

There's no such thing as perfect security, but as a security-minded person I see nothing there to concern me simply because the data is stored in a company's S3 environment vs on Dropbox vs on my local disk. Presuming that the software itself has not been maliciously modified to leak the key, then regardless of where the data is stored it either requires breaking the encryption or finding the password that generated the key in order to access the data. My local disk is no more secure in that aspect, except that I may have the illusion of control. Availability is also an aspect of data security (in the CIA triangle) and a cloud provider that properly replicates and manages backups of data is more reliable than my local disk in this aspect and a fair trade-off for data I likely want to synchronize across systems and devices (phone and laptop, at minimum).

Why should you trust a password manager?

For me, it's pretty simple. I don't use social login, and I use unique usernames (most of the time) and passwords (every time) for hundreds of sites I've created accounts on over the years. This is because breaches /will/ happen, and password re-use is probably the single largest issue for user security, including for "power users" like myself. A password manager of /some kind/ is basically required to have unique passwords across hundreds to thousands of sites. Certainly, there's more to it, and you need to figure out your own threat model and trust constraints, and I can't solve that for you. But as far as I am concerned, if I have a reasonable assurance that the right algorithms are used and those algorithms are correctly implemented by the password manager software, I see no reason to distrust it.

> There are ways to store data securely, one of the simplest methods is to do zero-knowledge encryption of that data by way of key-generation from a password only the user knows at the time of decryption.

This keeps your passwords save until you enter your master password. At that point you have to trust the software that was downloaded a few days ago from an appstore or a few seconds ago from the company webserver. It might have been backdoored and happily phone home your master password.

Your downloaded password manager might be a few years old and YOU decide when to upgrade.

Your argument has nothing to do with cloud storage or password managers generally and seems to be an argument against automatic updates. So, fine, disable automatic updates (although I'd argue you're safer with them).

I also baked in the presumption that the software isn't malicious in my comment and called it out. So, sure, yes malware that leaks your password can exist. That doesn't really have any effect on whether password managers are a good thing or trustworthy.

If the client for a cloud password manager is open-source, I'm inclined to trust it about as much as I would a non-cloud open-source password manager.
I use 1password7 in a mode where I have to manually sync my vault. I've used other tools to prevent 1password from initiating any network connectivity at all.
And what threat model does this satisfy?
Ultimately I just wouldn’t use a password manager if it wasn’t synced with the cloud and didn’t offer simple browser integration. Sure, that increases the attack surface. But the alternative is not that I put loads more effort into faffy open source workflows, it’s that I go back to using crap passwords.
The safety of ciphertext stored in the cloud is entirely dependent on the lack of state level actors interfering in encryption research, cipher engine design, chip manufacture, operation of cloud hardware, and day to day safety of cloud operator employees.

The USA has been shown to be quite willing to violate all those conditions: NSA directly influencing cipher design, interfering with chip manufacture, seizing hardware wholesale, and engaging in “enhanced interrogations” in attempts to extract information.

The threat level of this state action is 100% because they aren’t going o spend all that time and money on these tools and not use them. They aren’t focussed on cracking your password, they just crack everyone’s because that is easier to automate (see prior discussion regarding weakening encryption to suit the tools the TLAs already have access to).

At least with my secrets stored on my hardware I have the assurance that the TLAs will need to be targeting me directly in order to obtain my secrets (much less likely than getting caught up in a dragnet).

https://www.passwordstore.org/

gpg "make-key"

mkdir -p ~/.passwordstore/foo/bar

echo "hunter2\nusername: hunter@hunter.com\n" \ | gpg "sign" > ~/.passwordstore/foo/bar/entry.gpg

gpg "decrypt" ~/.passwordstore/foo/bar/entry.gpg

tree ~/.passwordstore/

--

Basically, "passwordstore" is pretty trustworthy, open source, reasonably inspectable, and kindof automates the above steps in a decent CLI (and has a nice git integration for syncing).

There's another plugin: "password-tomb" which basically adds in a "zip -r tomb.zip ~/.passwordstore && unzip tomb.zip" with some extra encryption blobbing around things.

I'm nudging towards wanting all that "junk" stored on a mostly-offline (or read-only USB, or doing something with fetching encrypted secrets over the network), and trying to figure out in a temporary ram-disk to try and reduce exposure-time.

The reason it feels pretty good for me is that it degrades gracefully and can be used with standard tooling. It's totally possible to have a script which does: "foreach password => unlock && dump && append-to-pdf && qr-code => print.pdf" and print that out at intervals, so it's got great survivability characteristics. It allows me to self-host even completely offline using git. If I have the GPG key, I can recover the passwords w/o any tooling. Really it's kindof my ideal situation for trustworthiness.

Doesn't that 'echo' command go straight to the command history? It would reside in ~/.bash_history unencrypted until I type 2000 other commands.
I think it's just an example to give you a conceptual idea of what 'pass' is doing under the covers. Of course, using 'pass' does not require 'echo'ing your password anywhere.

Tangentially, if you precede a command with a space, then it won't show up in your shell history. (Double check to be sure, as this is likely a configurable option of your shell. e.g., 'histignorespace' in zsh.)

I agree with your points, but why showcase a super secure system with a flawed example? Also, so many things can go wrong with this setup, I'm inclined to think that this is one of the upsides of a password manager like KeePass.
I think you may have focused in on the tangential sentence rather than the point about it being a conceptual overview with Unix commands being used as a metaphor, i.e., not a literal example.

E.g., they’re not typing `echo` commands in the same way that they’re not typing `gpg "make-key"` (which is not a real command).

No, you appear confused. 'pass' is pretty hard to misuse. It, at no point, makes it easy to put a password into shell history. You're getting caught up in a transcript to showcase the concepts. The actual implementation of 'pass' is quite secure. It does those things for you in a way that is secure, precisely so you don't have to worry about 'echo'ing passwords in plain text.
Adding a space before echo will keep the command out of .bash_history (if $HISTCONTROL == ignorespace or ignoreboth)
Start your command with a space to prevent it from reaching history
I typically use the generate pass command to generate a new password - that isnt in history
I've been using `pass` for years. Yes it's more manual but I'm in full control of the password management.

There's also a mobile app for ios and ipad that work just fine, including storing OTP.

Is that "sign" supposed to be "encrypt"?
In addition, plasma-pass, qtpass, android password store (https://github.com/android-password-store/Android-Password-S...) are nice as well. Throw in a NFC Yubikey and OpenKeychain on android, then you can lock them with hardware keys. Since pass uses git, syncing can be done to a private repo on your home network or even just a cheap usb stick.
So, I think in-general, the answer is that for a question like this, you need to start from doing threat modelling, and work outward. Threat modelling is the first step that must be conducted, and then you can find solutions that fit your needs from that.

For most people, the biggest threats that come from passwords are: data breaches (compromising reused passwords), human memory limits (you can't remember high entropy passwords easily, in general), and an ever-increasing demand for both high quality passwords and unique passwords.

If you look at these threats from the perspective of most people, a password manager works well! You don't have to worry about breaches, memory limits, or even password generation. You can just generate-and-store random passwords for every site that meets their requirements, and walk away.

But that doesn't mean that that's the end of threat modeling. Other risks that you're probably thinking of are the security of the cryptosystem involved, bugs in the application, and fear of backdoors. These are valid threats, but for the vast majority of people, they're mitigated by other reasons, or are non-factors.

To give an example: a password manager that most cryptographers would laugh at is writing your passwords on a sticky note. Yes, that's bad from a cryptography standpoint, but if you make a new unique password for each site, and each one is sufficiently long and complex, you've actually mitigated the threats involved with password reuse, memory, and complexity. But you've also made it impossible to steal from a cryptography backdoor, and the barrier-to-compromise involves your physical space being violated. But again, if you ask a cryptographer, or even most security professionals, this is a bad idea, because you're still risking physical compromise if...you work in an office, have kids, don't guard your home, etc.

A lot of people dislike 1Password's decision to store passwords in cloud storage. This is a real risk, because a cryptosystem backdoor would create danger. If you use a password storage app with strong cryptography, and store the passwords in a completely benign location (e.g., a network share, some random cloud storage provider), you can decouple the cryptography from the storage, which brings some safety.

Now, back briefly to your question: why would people trust a completely SaaS password storage provider? Well, for me, it's that I know that Google Project Zero exists, and they do a lot of research into third party apps. I sleep easier at night knowing that lots of smart people are invested in trying to break 1Password's cryptography, and have thus-far been unsuccessful. Sure, a government might have a secret backdoor that I don't know about. But in my threat model, the government could just come arrest me for violating a non-disclosure agreement I've signed, and hit me with a wrench.

In summary: for the vast majority of people, the threats that come from "memorizing passwords" are mitigated by password managers. Heck, you even say you have your "own methods for safe handling of passwords". I would argue that you have a password manager, it's just more DIY than something off-the-shelf, and that's fine!

I will tell you a good reason to trust password managers. I know a lawyer who does estate planning. When you start talking about "what happens when I die", passwords are a class of problem that has only gotten worse in the last 2 decades. There are legal ways for estate executors to request passwords, but it is a pain, and can be time consuming. She tends to recommend password managers because they tend to be more consistent than written down passwords in a safe. Further, having a password manager, where someone can be designated as a trustee makes executing a will considerably easier.

Now, none of the above necessarily makes password managers safe. The increasing legal scrutiny that password manager providers face, means that they will tend to be relatively safe, but they're still a single point of failure. At some point you need to decide what trust level you want though, security is a lot about tradeoffs, and ease of access is always at odds with keeping things safe.

I'm pretty sure even after death, it's still technically breaking the law to use someone else's password. So I'm surpised a lawyer would be so open about it, though I agree it definitely makes life 90% easier when it comes up :)
Yeah, I can't think of many reasons why an executor would need the passwords of the deceased. Banks and other financial institutions have a protocol for this: send them the death cert, and they distribute to beneficiaries or as directed by law. There's no need to log in as that (dead) user, and it could make things complicated if withdrawals or transactions are made that go against the beneficiary rules.

Maybe you need the password for crypto wallets, but that's on the deceased for not thinking of another plan.

It’s not illegal to use someone else’s password even if all of the parties are alive.

Unauthorized use of someone else’s password may be illegal.

how does one go about getting authorization from someone deceased?

That's a neat trick! :)

We are discussing a lawyer who does estate planning, that’s something people do before they die.
Because of the recent badness that has happened around people dying(identity theft, etc), the SSA and everyone else gets notified when deaths happen, and lock & flag accounts, etc.

Using a deceased person's password, even with this supposed "authorization" is a terrible idea.

There are laws and rules and standards of practice for dealing with this stuff and they should be followed. This lawyer is at best, giving bad advice and at worst, encouraging breaking rules and regulations.

What we all should do is build in plans for our deaths around the time we hit 18, and make sure our heir(s) know what's up. i.e. I have these insurance policies, these bank and credit and investment accounts, etc.

One solution, Fidelity has a free service available for people to help with this: https://www.fidsafe.com/

A piece of paper of course works just as well, assuming your heir(s) know where in the world these papers are.

Like most of the posters here, I trust my local password manager (keepass) for the most part (well, if my personal machine is compromised to the point where I don't trust programs running on it, I guess I'm truly boned).

I have recently started putting some low-value (social media) passwords in the firefox password store, just for autofill convenience. Does anyone know if there are some massive landmines to this sort of thing?

A long time ago it was the case that browsers would save passwords locally in plaintext. But these days Firefox will encrypt your passwords and host them for you so that they can sync across devices. If you don't trust them there is even an option to host this password server yourself and configure Firefox to point to that instead. The main downside is that the app (Firefox Lockwise) is no longer supported.
> I've been having my own methods for safe handling of passwords on the web.

I use a local password manager, KeePass: https://keepass.info/

It's probably the only good middle ground for keeping track of passwords, SSH certificates and other data: a password protected local database that i can move to USB sticks or SD cards for backups, or keep inside of an encrypted 7z archive, or a VeraCrypt file if i cared that much.

You not only get to have a simple way to use it (it's just a file that's compatible with the software, like SQLite is also really easy to use), but also get to pick where/how you want to store that data in an easy to understand manner.

Right now it's great for all of my vaguely relevant access credentials, from numerous e-mail accounts, to online shopping accounts, to even access data for online platforms, hosting solutions, servers etc. with as many separate databases as i choose.

In my eyes, it's also really great for letting you randomly generate secure passwords - i don't know almost any of the non-essential service passwords and because it's so easy to generate new ones for accounts, i'm not plagued by "password-reuse-itis" either. When coupled with 2FA, it's pretty decent from a security standpoint.

It also has a clearly understandable attack surface - infected password manager binaries, stealing passwords when in memory or malware on the system (like keyloggers, clipboard watchers), someone stealing the database AND the master password, asking me nicely for it with a 5$ wrench: https://xkcd.com/538/

For why people use web based ones which aren't so clearly understood or dependable (your list of risks would be a lot longer with those), i'm not sure. It's probably just convenience.

I trust my password manager (keepassxc) because

(1) I believe in the fundamental goodness of humans.

(2) I believe that keepassxc being a Free Software, was made with honest intentions by competent people.

(3) That human society should be organized on the principle of mutual aid, and that involves trusting (initially at least) those who say they intend to aid you.

Even in people are statistically good, there can be anomalies and corrupting forces.

But it's true that on some level we need to trust others so it's hard to say where to draw the line.

I run a self-hosted instance of a Bitwarden compatible server. It’s only available locally on my local network. So, when out and about, I VPN back home.

Not sure it’s the best way to do it, security wise, but it’s what I found works for me in a security/convenience trade-off