Ask HN: Why should I trust password managers?
This is a piece of tech that has slipped under my radar for a long time. I've been having my own methods for safe handling of passwords on the web.
Why do people trust password managers?
Why do people trust password managers?
288 comments
[ 3.3 ms ] story [ 272 ms ] threadOut of curiosity, what could one use instead of a password manager that would be closer to the “more secure” side of things in your opinion?
The comment you're replying to mentions "dishonest advertising", which suggests "password manager service".
I'd think using e.g. KeepassXC would be more secure (but less convenient) than this, since I manage where the password database is stored/accessed.
Paper is generally not susceptible to malware or other ways passwords can leak from a local or hosted password manager.
I guess you could just take pictures of the pages and save them to a thumbdrive or an SDcard, but I prefer the lower-tech solution.
For their use case and technical skill, a safely-stored notepad is best.
And you probably don't even need to trust a password manager with every password you have, you can keep just the random 200+ logins you probably have for weird websites. And keep banking, emailing and the other important stuff away from it. Also, you don't even need to have your password manager store the actual passwords there, you could "pepper" what is stored so you transform it after you paste it to the website.
Source: helped deal with an uncle's many, many digital resources after he passed unexpectedly.
There is not a lot of value in trying to attack a single person's password file, but the value is multiplied by the number of users when using a centralized platform.
That is too hard or tedious for most people. Syncing is a pain, and doesn't autofill on websites or in apps.
Which you almost certainly access with some kind of software, yes?
A password manager is just a piece of software that stores passwords in encrypted files, and makes it more convenient to edit them, associate them with a website, use them to log in, check them against known breaches, etc.
Enpass isn't open source but it's open... implementation details? There isn't a formal spec or standard but they were very forthcoming about how their encrypted SQLite implementation works and there are now open source third-party CLIs for it. https://github.com/hazcod/enpass-cli
Otherwise, no, I wouldn't trust a commercial password manager with automatic sync on to someone else's servers. I also don't trust the browser enough to put an extension in it that has the keys to my password database.
It's a tradeoff. I get a nice level of security, but it's not 100% seamless. Without autofill, I often need to start up the password manager, search for a site, copy and paste password into the browser. (I just had to do this to log into HN.)
For some sites, I let the browser also save the password, which I treat as just a cache of low-value passwords. And the encrypted password manager database gets occasionally synched into gdrive, so I can also access it from my smartphone using the appropriate app.
Been doing this for 5+ years at this point, and it works for me... can't even remember what on earth I did before. Probably passwords in tiny plain text files.
The database is encrypted, so if someone were to hack them, they would at least have some (hopefully major) issues decrypting it all.
My most secure accounts use their own individual, memorable, secure password.
I do fear that even if my self-hosted password manager is secure today, there's nothing stopping a malicious update to that software which could exfiltrate all of my passwords.
Answering the original question: I trust that Bitwarden's Github source is what drives their service and that their popularity ensures the source is audited on a regular basis by reasonably skilled software folks. It's the same degree of trust I give to the people that build every reasonably vulnerable product I use: elevators, phones, cars, door/window locks, etc.
-----
For me (and perhaps only me) a more pressing concern is that fingerprint scanning is common in apps that are meant to protect data: banking apps, stock market apps, Bitwarden.
NOBODY makes a significant effort to hide fingertips. Cameras are cheaper, more accurate, and more numerous than ever. People don't clean every surface they touch. It can't be so difficult to 3d print a mold and find the right material to make a false finger.
Android's security model has a nice built-in feature: If you have someone's phone for a few seconds and know their unlock code (not too tough to espy... right, Ye?) you can keep retrying the false finger for that person until it works. Only then do you switch to the important app.
Oh, and... Fingerprints, unlike master passwords, are nearly impossible to change.
- Level 0: the serious stuff that would absolutely suck if it got compromised. Namely Google. Banks.
- Level 1: things that would be an inconvenience if they were compromised. Okay it's annoying that someone got into my Amazon account or something, but this can be dealt with.
- Level 2: passwords my in-laws are going to use to watch Netflix or the like. If this gets compromised... ok, that's a pain for Netflix but this is essentially a victimless situation.
Password managers are really good for the Level 2 stuff. Really, there are too many passwords we need to know. They are okay for the Level 1 stuff, just have an idea who you're going to call. I wouldn't use them for the Level 0 stuff.
Like anything else, you balance your risk against convenience. Approached this way, even if the password manager gets hacked, you're only minorly inconvenienced. Always have 2FA on where allowed and what's the worst that will happen?
Level 2 passwords I'll sometimes just reuse a memorable password.
My password manager is open source and offline, though, so that helps.
I use enpass, and am in charge of my own syncing and storing in the datastore of my choice. I personally prefer this model.
But they are end-to-end encrypted, so if someone broke into their database they would be useless unless they also had access to your device.
1Password (and any other mainstream password manager) has no access to your passwords because they're encrypted locally. People who go to extreme lengths to keep an encrypted file secret practice LARP security.
To preempt the question of "how can you trust them to encrypt your stuff though?" The same way you trust Enpass to encrypt your stuff, I'd make a guess 99.9% of users have not personally audited their code.
1) Not actually understanding the technology or threat model.
2) Having incredibly sensitive information which absolutely cannot leak even by accident, and needs to be handled manually with extreme care. This describes vanishingly few practical scenarios.
It seems unlikely to me, but I could imagine situations where that level of concern might make sense.
I imagine nation state-supported malicious hackers are targeting them. Everything else is getting breached and leaked these days, there’s a non-trivial possibility these will too.
I just use KeePassXC instead, and periodically ‘sync’ the database across my workstations and laptop. And by ‘sync’, I mean manually export the database and rsync it around to my workstations and laptop and re-import it on each. But given how infrequently I create new web accounts, this isn’t a major hassle. It works fine, I don’t need some centralized service for this.
Maybe I'm missing something but sure they can't store its hash but they can and do store the password strongly encrypted. Presumably without the master password, at least, it should be close to impossible to retrieve the passwords. Or is that assumption wrong?
[0] https://support.1password.com/security-assessments/ [1] https://bitwarden.com/images/resources/Bitwarden-Security-As...
That said, it's not bulletproof. The chink in the armor is the browser extensions they all use. All it would take is somebody to slip some trojan code into one of the browser extensions and all of the sudden you have a few hundred million decrypted password databases which could trivially be uploaded to wherever.
e.g. someone manages to slip malicious code into Chrome/Chromium which eventually makes its way out to every Electron app/most browsers, or something gets injected into Windows/macOS/Linux, etc.
On the other hand, yes there eventually is a trust point somewhere. A spiral of upstream what-ifs isn't productive IMO, I agree.
You could. But if you haven't trusted all/most of your passwords to any single app, you wont have a problem with them being exposed when that particular piece of software is compromised.
Even if someone compromises your OS itself, you'll only lose the passwords you typed in while you were using it compromised. And that's if it does captures thoses, and if it sends them to some remote endpoint, and if it's not caught soon, and so on.
With a password manager compromised, on the other hand, you could loose anything you've put it in, all at once.
Setting up local automated sync is on my todo list, it’s just lower priority than too many other things. As I mentioned, I don’t create new accounts so often that I need automated sync.
https://bugcrowd.com/agilebits
Besides which bug bounties are not really intended to disincentivize people from committing crimes, they're intended to incentivize researchers to report findings and reward them for their efforts.
Doesn't matter for our case, since it already assumes the database potentially compromisable. The parent's comment concerned whether the "bounty for capturing a flag inside a publicly available encrypted vault" is enough. So the question is not whether the bounty is enough given it's impossible to win, but whether it's enough given it might be possible to win.
In other words, whether someone who finds an exploit to decrypt the vaults contents would get a better value by (a) revealing it to 1Password company and taking the $100K bounty, or (b) selling the exploit to people who would give millions to be able to decrypt other's vaults...
https://twitter.com/saurik/status/1491821215924690950
Password managers don't operate with those economic models though.
Unless a successful attack actually occurs, in which case it's literally almost priceless in terms of their reputational damage, unless they can get their hands on it before someone else.
But, if you ask around enough with security teams at the large cloud providers, there are definitely rumors of APT-level activity being detected/blocked at the infra level. Yet, cloud is still the most secure option out there vs. on-prem in 90% of the use cases for it so to speak. Similarly, there is just too much precedent of high trust firms being breached, and nothing really happening to them as a result (fines, loss of users, etc).
So, you allocate $1mil, possibly spend it, and either way can't use it for anything else, or you allocate a fixed cost of $600k/yr and get a lot more out of it on the security front, to include solid defense-in-depth, detections, and IR capabilities for if/when the successful PWM attack finally occurs. Personally, yes probably worth putting out a hefty bounty, but pragmatically you'd get more out of hiring the engineers.
In fact, I'd argue that, if they are positing that the reputational risk for a successful hack exceeds 10% of their notional valuation, then they should try to commit at least 10% of their market cap as insurance against that ever happening, or at least if they would gain enough information to prevent this from ever occurring. This isn't that hard to figure out.
The best thing about that insurance is that it's literally free -- they never have to pay out unless the event actually occurs.
Given that the payout is probabalistic and serves business goodwill, I'd argue for a more substantial reward. Possibly secured through a bond or insurance policy.
No, they don’t store directly the actual password, they store it encrypted by a encryption key derived from your master password. A leak of the database won’t reveal any password, as long as your master password stays secure (aka is not "hunter3")
You mean, the master password that many people reuse across sites and has been leaked into the darknet by breaches of other sites? Or if not leaked directly, at least some entropy about it probably has been.
I know these services don’t store the password in plain text, but it’s still stored in reversible format. That’s a juicy target.
You only have to remember one password, and for that reason people can choose a longer and more complex one.
Then your passwords are encrypted using that master password.
So people cannot “reverse” your password if you pick a reasonably long master password.
For reference, my master password is a 27 character sentence which would take somewhere between a millennium and the heat death of the universe to crack. It encrypts around 500 passwords, each in itself 25-35 character long pass phrases I do not know.
Then I store a YubiKey which is a second factor to these accounts in another safe deposit box in another location.
So should I forget my master password: drive to box 1.
Should my house with all my computers burn down: drive to boxes 1 and 2, find a pc or phone somewhere, and I have access to all my accounts.
Should my password manager go bankrupt overnight and take my vault with them: drive to boxes 1 and 2, then click “forgot my password” on all services and use my e-mail to recover access.
Should my password manager go bankrupt overnight and take my vault with them, my e-mail provider go bankrupt overnight and take my mailbox with them: at least I have my own e-mail domain, so I can set up a new mailbox elsewhere
Should my password manager go bankrupt overnight and take my vault with them, my e-mail provider go bankrupt overnight and take my mailbox with them, and my domain registrar go bankrupt overnight and take my domain with them: yeah…then I’m screwed. I’ll migrate to a wooded country and become a hermit.
1Password vaults are also encrypted with a separate secret key that is generated locally and never stored. So you'd need the password and the secret key to decrypt.
You don't reuse passwords at all. That is expressly the point of password managers. You generate a new password that is completely random and quite long for each independent website.
If one of the sites is breached, no matter. Damage is contained to that site. The only password of yours that is leaked for that site. The only place that password can be used is - you guessed it - that site.
However, without placing too much unwarranted trust in the user, consider the following:
- extensive warnings during user onboarding about how to approach setting and safe keeping of the master password, especially around reuse.... ok, but some users are still hopeless with this, what then
- taking Lastpass for instance, lock-out features for logging into the extension if you're coming out of a new geo-ip (proactive risk control)
- taking LP again, alerting to the user for successful logins to the platform from new geo-ips (reactive risk control).
- all the on-device security controls required to get into a PWM: touch/face-id logins for the apps, an official browser extension, on and on. I'd also imagine LP security is watching HIBP very closely.
Put all that together, odds are you or the PWM security teams are able to filter pretty well for password reuse for master passwords. So yes I'd expect sources/stats to be out there, or at least counterpoints to the above which when put together map a decent defense-in-depth for PWMs which isn't present in most or almost any browser extensions, to include Tier 1 cryptocurrency browser extensions which are responsible for significant more funds and still maintain good security (think: Metamask).
[1]: https://blog.1password.com/what-the-secret-key-does/
[0] https://play.google.com/store/apps/details?id=keepass2androi...
For the old-school (am I young?) websites like mail, fb, bank accounts, etc I remember the passwords.
Seems like a workable compromise for now. Tho I am scared I will start getting lazy and start storing sensitive websites in pwd managers.
However, given KeePass is still a piece of software, nothing stop state-supported malicious hackers injecting vulnerability into it, and suck your password away into their database.
Have you consider making sure all your computers are offline when using KeePass?
As time goes on without reported backdoors, the chance that your passwords are safe just gets better.
Passwords should not be rotated unless they have been comphremised. Password rotation is the problem, not your password.
Use different teirs of passwords. Have a single password u use for anything that is non-senstive, and then go custom on anything that is. Only login to those sensitive services from 1 devices, forgo your convience. These custom passwords should be very rarely be used and u can come up with some custom way to store / remmeber them. Atleast then i have to spend hours and hours and hours on your box, looking, instead of minutes.
In addition to a master passphrase, I also use a keyfile for keypass, so even if the database is compromised I would hope that it’s still not useful without the keyfile.
Convenience vs security.
The balance i struck with a self hosted instance of bitwarden has been good for me.
I run it.
It’s open source
It’s third party audited
Company has a good history generating trust
Did I mention I host it?
If you have an application that you trust (be it track record, inspection or known-good controls), and that application happens to also be a password manager, then the trust in the manager itself should be fine. If, however, you use a third party service, i.e. something managed by a company that holds your data, that is a different topic because you're talking about trusting a company.
A password manager can be KeePass on your local FDE storage medium. A password manager can also be a web app hosted elsewhere. It can also be both. You can even mix it up and have the storage medium be remote storage in stead of local storage.
If you currently have a file called "passwords.txt" stored in a public S3 bucket, that would be your 'own method' but would that really be good? Or perhaps you have an RSA-wrapped AES-encrypted spreadsheet you store locally with no back-ups, also possible. Too many unknown parameters.
At the end of the day the solution that gets you strong unique passwords per entity in a way that you don't lose access to personally but also don't give unwanted access to towards third parties is better than not having a solution at all. (this includes physical paper password books, those are 'unhackable' after all)
However for important accounts, I use 2FA with yubikeys or codes that are not stored on 1password. Just in case.
Especially for non-tech family members and friends. Its either an easy password manager or using the same password everywhere.
There's no such thing as perfect security, but as a security-minded person I see nothing there to concern me simply because the data is stored in a company's S3 environment vs on Dropbox vs on my local disk. Presuming that the software itself has not been maliciously modified to leak the key, then regardless of where the data is stored it either requires breaking the encryption or finding the password that generated the key in order to access the data. My local disk is no more secure in that aspect, except that I may have the illusion of control. Availability is also an aspect of data security (in the CIA triangle) and a cloud provider that properly replicates and manages backups of data is more reliable than my local disk in this aspect and a fair trade-off for data I likely want to synchronize across systems and devices (phone and laptop, at minimum).
Why should you trust a password manager?
For me, it's pretty simple. I don't use social login, and I use unique usernames (most of the time) and passwords (every time) for hundreds of sites I've created accounts on over the years. This is because breaches /will/ happen, and password re-use is probably the single largest issue for user security, including for "power users" like myself. A password manager of /some kind/ is basically required to have unique passwords across hundreds to thousands of sites. Certainly, there's more to it, and you need to figure out your own threat model and trust constraints, and I can't solve that for you. But as far as I am concerned, if I have a reasonable assurance that the right algorithms are used and those algorithms are correctly implemented by the password manager software, I see no reason to distrust it.
This keeps your passwords save until you enter your master password. At that point you have to trust the software that was downloaded a few days ago from an appstore or a few seconds ago from the company webserver. It might have been backdoored and happily phone home your master password.
Your downloaded password manager might be a few years old and YOU decide when to upgrade.
I also baked in the presumption that the software isn't malicious in my comment and called it out. So, sure, yes malware that leaks your password can exist. That doesn't really have any effect on whether password managers are a good thing or trustworthy.
The USA has been shown to be quite willing to violate all those conditions: NSA directly influencing cipher design, interfering with chip manufacture, seizing hardware wholesale, and engaging in “enhanced interrogations” in attempts to extract information.
The threat level of this state action is 100% because they aren’t going o spend all that time and money on these tools and not use them. They aren’t focussed on cracking your password, they just crack everyone’s because that is easier to automate (see prior discussion regarding weakening encryption to suit the tools the TLAs already have access to).
At least with my secrets stored on my hardware I have the assurance that the TLAs will need to be targeting me directly in order to obtain my secrets (much less likely than getting caught up in a dragnet).
gpg "make-key"
mkdir -p ~/.passwordstore/foo/bar
echo "hunter2\nusername: hunter@hunter.com\n" \ | gpg "sign" > ~/.passwordstore/foo/bar/entry.gpg
gpg "decrypt" ~/.passwordstore/foo/bar/entry.gpg
tree ~/.passwordstore/
--
Basically, "passwordstore" is pretty trustworthy, open source, reasonably inspectable, and kindof automates the above steps in a decent CLI (and has a nice git integration for syncing).
There's another plugin: "password-tomb" which basically adds in a "zip -r tomb.zip ~/.passwordstore && unzip tomb.zip" with some extra encryption blobbing around things.
I'm nudging towards wanting all that "junk" stored on a mostly-offline (or read-only USB, or doing something with fetching encrypted secrets over the network), and trying to figure out in a temporary ram-disk to try and reduce exposure-time.
The reason it feels pretty good for me is that it degrades gracefully and can be used with standard tooling. It's totally possible to have a script which does: "foreach password => unlock && dump && append-to-pdf && qr-code => print.pdf" and print that out at intervals, so it's got great survivability characteristics. It allows me to self-host even completely offline using git. If I have the GPG key, I can recover the passwords w/o any tooling. Really it's kindof my ideal situation for trustworthiness.
Tangentially, if you precede a command with a space, then it won't show up in your shell history. (Double check to be sure, as this is likely a configurable option of your shell. e.g., 'histignorespace' in zsh.)
E.g., they’re not typing `echo` commands in the same way that they’re not typing `gpg "make-key"` (which is not a real command).
There's also a mobile app for ios and ipad that work just fine, including storing OTP.
It requires the user to run a daemon that reads ~/.passwordstore passwords and feed it to the extension https://github.com/passff/passff-host - but the design is pretty transparent to inspection if you're inclined to check
For most people, the biggest threats that come from passwords are: data breaches (compromising reused passwords), human memory limits (you can't remember high entropy passwords easily, in general), and an ever-increasing demand for both high quality passwords and unique passwords.
If you look at these threats from the perspective of most people, a password manager works well! You don't have to worry about breaches, memory limits, or even password generation. You can just generate-and-store random passwords for every site that meets their requirements, and walk away.
But that doesn't mean that that's the end of threat modeling. Other risks that you're probably thinking of are the security of the cryptosystem involved, bugs in the application, and fear of backdoors. These are valid threats, but for the vast majority of people, they're mitigated by other reasons, or are non-factors.
To give an example: a password manager that most cryptographers would laugh at is writing your passwords on a sticky note. Yes, that's bad from a cryptography standpoint, but if you make a new unique password for each site, and each one is sufficiently long and complex, you've actually mitigated the threats involved with password reuse, memory, and complexity. But you've also made it impossible to steal from a cryptography backdoor, and the barrier-to-compromise involves your physical space being violated. But again, if you ask a cryptographer, or even most security professionals, this is a bad idea, because you're still risking physical compromise if...you work in an office, have kids, don't guard your home, etc.
A lot of people dislike 1Password's decision to store passwords in cloud storage. This is a real risk, because a cryptosystem backdoor would create danger. If you use a password storage app with strong cryptography, and store the passwords in a completely benign location (e.g., a network share, some random cloud storage provider), you can decouple the cryptography from the storage, which brings some safety.
Now, back briefly to your question: why would people trust a completely SaaS password storage provider? Well, for me, it's that I know that Google Project Zero exists, and they do a lot of research into third party apps. I sleep easier at night knowing that lots of smart people are invested in trying to break 1Password's cryptography, and have thus-far been unsuccessful. Sure, a government might have a secret backdoor that I don't know about. But in my threat model, the government could just come arrest me for violating a non-disclosure agreement I've signed, and hit me with a wrench.
In summary: for the vast majority of people, the threats that come from "memorizing passwords" are mitigated by password managers. Heck, you even say you have your "own methods for safe handling of passwords". I would argue that you have a password manager, it's just more DIY than something off-the-shelf, and that's fine!
Now, none of the above necessarily makes password managers safe. The increasing legal scrutiny that password manager providers face, means that they will tend to be relatively safe, but they're still a single point of failure. At some point you need to decide what trust level you want though, security is a lot about tradeoffs, and ease of access is always at odds with keeping things safe.
Maybe you need the password for crypto wallets, but that's on the deceased for not thinking of another plan.
Unauthorized use of someone else’s password may be illegal.
That's a neat trick! :)
Using a deceased person's password, even with this supposed "authorization" is a terrible idea.
There are laws and rules and standards of practice for dealing with this stuff and they should be followed. This lawyer is at best, giving bad advice and at worst, encouraging breaking rules and regulations.
What we all should do is build in plans for our deaths around the time we hit 18, and make sure our heir(s) know what's up. i.e. I have these insurance policies, these bank and credit and investment accounts, etc.
One solution, Fidelity has a free service available for people to help with this: https://www.fidsafe.com/
A piece of paper of course works just as well, assuming your heir(s) know where in the world these papers are.
I have recently started putting some low-value (social media) passwords in the firefox password store, just for autofill convenience. Does anyone know if there are some massive landmines to this sort of thing?
I use a local password manager, KeePass: https://keepass.info/
It's probably the only good middle ground for keeping track of passwords, SSH certificates and other data: a password protected local database that i can move to USB sticks or SD cards for backups, or keep inside of an encrypted 7z archive, or a VeraCrypt file if i cared that much.
You not only get to have a simple way to use it (it's just a file that's compatible with the software, like SQLite is also really easy to use), but also get to pick where/how you want to store that data in an easy to understand manner.
Right now it's great for all of my vaguely relevant access credentials, from numerous e-mail accounts, to online shopping accounts, to even access data for online platforms, hosting solutions, servers etc. with as many separate databases as i choose.
In my eyes, it's also really great for letting you randomly generate secure passwords - i don't know almost any of the non-essential service passwords and because it's so easy to generate new ones for accounts, i'm not plagued by "password-reuse-itis" either. When coupled with 2FA, it's pretty decent from a security standpoint.
It also has a clearly understandable attack surface - infected password manager binaries, stealing passwords when in memory or malware on the system (like keyloggers, clipboard watchers), someone stealing the database AND the master password, asking me nicely for it with a 5$ wrench: https://xkcd.com/538/
For why people use web based ones which aren't so clearly understood or dependable (your list of risks would be a lot longer with those), i'm not sure. It's probably just convenience.
(1) I believe in the fundamental goodness of humans.
(2) I believe that keepassxc being a Free Software, was made with honest intentions by competent people.
(3) That human society should be organized on the principle of mutual aid, and that involves trusting (initially at least) those who say they intend to aid you.
But it's true that on some level we need to trust others so it's hard to say where to draw the line.
Not sure it’s the best way to do it, security wise, but it’s what I found works for me in a security/convenience trade-off