Ask HN: Why do people use password managers?
From what I understand, password managers stores all your passwords in hashed format and uses your "master password" as the encrytor.
master password
H(password) <----------------> encrypted password
The key difference here being that this is two way hashing so passwords can be decrypted.In reality, there are a lot of attack vectors like MITM, event logging or sometimes straight up storing data in plaintext. Through these hackers can generally get passwords of all users of these services.
So, why don't people use local password managers?
Just a txt file encrypted with "master password" should be pretty damning to break into. And the reward for breaking in would be password for 1 person. (compared to 100k businesses).
Obviously, this would be less convinient and wouldn't sync between devices. But would do the job.
And the best part is there are solutions already that do this: https://keepass.info/
So, why do people and companies use Okta, Lastpass, 1pass etc?
76 comments
[ 2.4 ms ] story [ 140 ms ] threadUsing a cloud sync password manager allows me to follow best practices in having complex, unique passwords for each account.
Data breaches and password leaks at random websites are a much more common attack vector than all of your encrypted passwords being exposed via a password manager.
> Through these hackers can generally get passwords of all users of these services
I'm not sure that there's really evidence or history to back this up. As far as I know even the LastPass data breaches only exposed encrypted passwords, not decrypted ones.
For companies, the benefit is that shared credentials can be distributed to employees without people pasting them in slack, email, or other insecure services.
That access can be revoked by policy if say an employee leaves the company, and new credentials can be generated for all the employees who remain.
In the early days they did not set a minimum length and they did not increase users settings once it became clear it wasn’t enough.
Seems like you answered your own question. While it is less secure, my password safe is synced across all devices. I can also easily share passwords with my family members and I can assist them with lockout issues. I don't think there's a nice solution for this with Keepass.
Also, a typical implementation is that the decryption is performed on your device. I don't think you send your key material to the provider but I don't know about all of them.
It is certainly a "keys to the kingdom" issue as you noticed, and I don't put 2FA reset credentials in the same place for example.
https://www.dashlane.com/download/whitepaper-en.pdf
I use a password manager because I have multiple devices and a cross platform solution that I can access is a straightforward solution. A local password manager like Keepass is still vulnerable to attack by a compromised system. A well architected password manager is going to not store the decryption keys on their servers and only allow the password vault to be decrypted locally so if they get breached, they would still need to have your master password to gain access to the data. A malicious update could allow them to steal your information but so could a malicious Keepass or OS update.
Using a password manager with a strong password and multifactor authentication is mitigating so many security issues off the bat the new risks it introduces can be small.
Bitwarden has not had any of the problems you listed and can be self hosted.
They're best known for being an identity provider but they do have a password manager product[0], which is what I think OP is referring to.
[0] https://www.oktapersonal.com/
I'm not sure why you're rolling Okta in here, but Okta can a completely different thing depending on what you're referring to.
Single sign-on (with something like Okta) makes it so that a user doesn't need to manage a dozen passwords and enables an organization to limit access of a user's account if needed.
If you use an app with Okta SWA, you (as the admin) can create a password for users so your users don't have the responsibility of making a strong password. But this is only for stuff that can't use OIDC/SAML.
Ideally you'd use Okta with OIDC/SAML with your applications so your individual users won't have static credentials, and in this case, there isn't really a parallel here to some software you'd run locally.
I think the commenter was advising on the use of SSO in lieu of passwords where possible (at least in a corrosive context, but personally I use SSO via Azure AD wherever I can at home too.)
As an end-user, if you click on any tile, you get your application regardless if the authentication scheme is SAML/OIDC/static credentials. In the case where static credentials are required for a service, the end-user doesn't have to get a sheet of paper telling them the username to use. Instead, a script provisions a username/password behind the scenes and Okta is responsible for keeping the username/password safe.
Admittedly, I don't know if the traditional password manager companies offer a system like this, where you get a matrix of apps to choose from and the user is removed from knowing a username/password is being exchanged.
People have multiple devices, so syncing is needed for usability.
Some password managers are basically local, but with end to end encrypted syncing. If you have to move passwords around, why not use a solution that already does it in a secure way?
Does it work on Android or iOS?
Something that does not sync between devices does not do the job.
The major advantage when compared to a separate application (ie encrypted text document) is that the system/browser based url/context reduces Phishing, Clipboard jacking security issues.
Why does Okta exist? Primarily for their SCIM configuration (which is different and adds a level of org management)
Why do Lastpass and 1pass exist? Likely because Android/Chrome passwords weren't trusted yet and Apple keychain doesn't has as much of a consumer interface / cross platform concerns.
I do use a local password manager, personally. The disadvantage to doing so is that I don't get autofill of passwords and have to enter them by hand. I consider that a good thing, though, because it means that I end up memorizing the 3 or 4 passwords I use the most in a couple of days after generating them.
So I use a standalone password manager on my phone instead.
Or Bluetooth controlled robot hands. I will go with the latter.
I had a phishing attack against me prevented by a password-manager; I ended up at a pixel-perfect copy of the login-page, with the domain of original link I clicked on being correct (it used an existing URL redirector on the original domain). It wouldn't auto-fill, so I looked at the address bar and gasped.
If you want to manage passwords amongst family members, it's easier to set them up with one of the cloud services compared to Keepass. You also get some level of customer support, and don't have to worry as much about when your password breaks.
I personally have set up KeePass, made sure it's backed up regularly, and even set up a WEBDAV server to access it remotely. It works great for me, but I know how everything is set up. Strongbox for mobile access is the main reason I can actually use this, and this is a paid application that not everyone is willing to pay for. Experience-wise, other mobile applications for KeePass have not compared, and I have no idea how apps for Android compare, since I set up everyone with iOS devices. Sometimes, the connection to the server gets disrupted, and I have to reconnect. Not everyone wants to do this, and can have less confidence in the other supporting infrastructure.
As much as attack vectors exist, the biggest risk is you losing access to your own passwords (there's been enough lost crypto wallets you can read about on the internet). Compared to that, a cloud based service is better for a large group of people.
You've answered your own question.
I have no idea.
I use a locally encrypted store, and have done so for almost 10 years. I keep thinking to myself "there's got to be something better, surely I could make an external device..." but it remains to be seen.
The few times I have, I've used adb.
* Syncs between devices. I can login to my accounts in all my devices. If I can access my Dropbox account, I can access everything else with the master password.
* Auto password generation. I don't ever even bother looking at the passwords. Just generate something like 32 characters with all ASCII characters, including "special" characters. This goes a long way.
Having used KeePass (with Dropbox sync) since ~2018 I don't even know how people operate without a password manager. It's so intensely convenient. Just dump all the info in the database. I can even take notes in my database. Write my credit card number, SSN, other private info. Put SSH keys. Put website info. Describe where I put my tax documents. Password manager is a pointer to everything else.
Keepass has nice clients but some require bringing my own sync(syncthing frequently failed due to conflicts) and some apps went out of maintenance. Some supported ones like dropbox/gdrive but frequently broke integration every other month due to api changes. Also, when I want to use 2FA, a basic synced encrypted file doesn’t work and having 2-3 apps(most standalone OTP apps needs my phone number or email or credit card) scattered between different platform. Basically after 10-15 credentials, it becomes maintenance headache.
What the likes of 1Password/Bitwarden/Lastpass(naughty naughty …) does is, they provide ubiquitous experience on all of my devices and seamlessly does the sync for a very little price(bitwarden 1year is only €10/-, that is dirt cheap compared to one falafel bread cost me €6+) removing all of the maintenance and management headache.
As for security, I would trust bitwarden or 1Password more than random unmaintained keepass app with self managed syncing and random loss(fixing sync conflict on a keepass db is super risky domain of severe data loss!). Also it is their business to manage my passwords and if hackers are harvesting passwords easily from them, what makes you think that hackers can’t do that on the very website that you enter your credit card details?
Password managers are major improvement in quality of life and security. Heck, I don’t even know 99% of my password, I just click generate and autofill without having to think about all arcane 1 uppercase, one special digital rules on different websites.
—EOR—
If you make life unlivable, either for yourself or for a group of people, you can expect security to fall by the wayside.
Real-world security isn't just about digraphs and compendia of named (known!) attack types, listed together with mitigations. (Although all that certainly helps!)
It is, unfortunately, also about maintaining and managing personal systems. No matter how scaled and nuanced, the security of any organization comes down to personal habits.
Password managers make it significantly easier to track, prune, maintain and manage identity across sundry & clastic platforms, and therefore, improve security.