Ask HN: Why do people use password managers?

22 points by prakhar897 ↗ HN
I'm not a security engineer so pardon me this is dumb.

From what I understand, password managers stores all your passwords in hashed format and uses your "master password" as the encrytor.

               master password
 H(password) <----------------> encrypted password
The key difference here being that this is two way hashing so passwords can be decrypted.

In reality, there are a lot of attack vectors like MITM, event logging or sometimes straight up storing data in plaintext. Through these hackers can generally get passwords of all users of these services.

So, why don't people use local password managers?

Just a txt file encrypted with "master password" should be pretty damning to break into. And the reward for breaking in would be password for 1 person. (compared to 100k businesses).

Obviously, this would be less convinient and wouldn't sync between devices. But would do the job.

And the best part is there are solutions already that do this: https://keepass.info/

So, why do people and companies use Okta, Lastpass, 1pass etc?

76 comments

[ 2.4 ms ] story [ 140 ms ] thread
I have lots of devices
I have many devices, and many passwords.

Using a cloud sync password manager allows me to follow best practices in having complex, unique passwords for each account.

Data breaches and password leaks at random websites are a much more common attack vector than all of your encrypted passwords being exposed via a password manager.

> Through these hackers can generally get passwords of all users of these services

I'm not sure that there's really evidence or history to back this up. As far as I know even the LastPass data breaches only exposed encrypted passwords, not decrypted ones.

For companies, the benefit is that shared credentials can be distributed to employees without people pasting them in slack, email, or other insecure services.

That access can be revoked by policy if say an employee leaves the company, and new credentials can be generated for all the employees who remain.

Some people do use KeePass exactly because of your saying. I have multiple devices and I like the easiness of use. I do not have to remmyto perform backups etc. it's all taken care of.
> Obviously, this would be less convinient and wouldn't sync between devices. But would do the job.

Seems like you answered your own question. While it is less secure, my password safe is synced across all devices. I can also easily share passwords with my family members and I can assist them with lockout issues. I don't think there's a nice solution for this with Keepass.

Also, a typical implementation is that the decryption is performed on your device. I don't think you send your key material to the provider but I don't know about all of them.

It is certainly a "keys to the kingdom" issue as you noticed, and I don't put 2FA reset credentials in the same place for example.

Known password managers such as Bitwarden don't simply communicate the master password from client to server in plain text: https://bitwarden.com/help/security-faqs/, the master password is salted and hashed client-side, then salted and hashed again when stored in Bitwarden servers. Even if you managed to perform a MITM attack, you'd only be able to download your encrypted vault data, which would then require your master password to decrypt (locally). I believe talking about security consideration requires specifying a threat model, but for the average user such a setup would definitely be considered secure enough. A local only setup would definitely be more secure, but then as you said you'd lose QoL feature such as ubiquitous access, or nice UI/UX, no setup hassle, easy usage of hardware tokens and so on. If one were to attack Bitwarden, he would either have to crack the encryption scheme to attack a specific user/business or target it through other means. Ultimately I think it's a small compromise of a small security sacrifice versus a big gain in terms of usability and availability.
It's my understanding, at least in the case of dashlane, that the master password never leaves the local device. It's not stored on the server anywhere, its not directly used as part of a log in. It is only used AFTER the encrypted blob has been downloaded to the device, to decrypt it.

https://www.dashlane.com/download/whitepaper-en.pdf

Okta isn’t a password manager. It’s an Identity Provider.

I use a password manager because I have multiple devices and a cross platform solution that I can access is a straightforward solution. A local password manager like Keepass is still vulnerable to attack by a compromised system. A well architected password manager is going to not store the decryption keys on their servers and only allow the password vault to be decrypted locally so if they get breached, they would still need to have your master password to gain access to the data. A malicious update could allow them to steal your information but so could a malicious Keepass or OS update.

Using a password manager with a strong password and multifactor authentication is mitigating so many security issues off the bat the new risks it introduces can be small.

Bitwarden has not had any of the problems you listed and can be self hosted.

> Okta isn’t a password manager. It’s an Identity Provider.

They're best known for being an identity provider but they do have a password manager product[0], which is what I think OP is referring to.

[0] https://www.oktapersonal.com/

Local backup strategies are often terrible and untested, if they even exist. While no service is infallible, 1Password and others seem a lot less likely to be lost/stolen/destroyed than a personal laptop.

I'm not sure why you're rolling Okta in here, but Okta can a completely different thing depending on what you're referring to.

Single sign-on (with something like Okta) makes it so that a user doesn't need to manage a dozen passwords and enables an organization to limit access of a user's account if needed.

If you use an app with Okta SWA, you (as the admin) can create a password for users so your users don't have the responsibility of making a strong password. But this is only for stuff that can't use OIDC/SAML.

Ideally you'd use Okta with OIDC/SAML with your applications so your individual users won't have static credentials, and in this case, there isn't really a parallel here to some software you'd run locally.

LastPass also does SSO (and probably other "password managers" as well).
I think at this point all the major ones do. 1Password Business, LastPass Enterprise, and BitWarden Enterprise all do.

I think the commenter was advising on the use of SSO in lieu of passwords where possible (at least in a corrosive context, but personally I use SSO via Azure AD wherever I can at home too.)

This applies more to Okta because once you log in, you get a screen showing all the applications you have access to.

As an end-user, if you click on any tile, you get your application regardless if the authentication scheme is SAML/OIDC/static credentials. In the case where static credentials are required for a service, the end-user doesn't have to get a sheet of paper telling them the username to use. Instead, a script provisions a username/password behind the scenes and Okta is responsible for keeping the username/password safe.

Admittedly, I don't know if the traditional password manager companies offer a system like this, where you get a matrix of apps to choose from and the user is removed from knowing a username/password is being exchanged.

How is the username/password entered into the site? Using the user's browser right?
Also, (some of) these password managers have accompanying browser extensions which add another layer of comfort.
No serious password manager with syncing stores your passwords in a way that gives them or anyone else with access access to your passwords. They are encrypted, so they need your master password.

People have multiple devices, so syncing is needed for usability.

Some password managers are basically local, but with end to end encrypted syncing. If you have to move passwords around, why not use a solution that already does it in a secure way?

I don't use one of those services but I do use a distributed self-hosted one. Reason is I have many different computers phones and tablets. I need my passwords everywhere.
> Obviously, this would be less convinient and wouldn't sync between devices. But would do the job.

Something that does not sync between devices does not do the job.

I tried to do this with keepass and google drive and one day found a 0byte keepass file. No idea what happened... luckily google drive had an auto backup from a while ago somehow. it was tedious to set up in the first place and any new device will need some setup again
A similar thing happened to me, but one day my keepass file was corrupted instead of 0 bytes. Quickly switched to 1Password after that.
(comment deleted)
FWIW, I currently do this with Dropbox without much issue. The only thing I've run into is "$USER's conflicted copy YYYY-MM-DD" or whatever it says but that is redundancy rather than loss so it's not much of a worry. I have still lost some passwords that I intended to save due to such a conflict but they were fortunately easy to reset; I would likely have been able to check the conflict files as well for the password if I really needed to.
I use a browser based password manager (ie 1pass, Lastpass, Internet Explorer, Chrome/Android, Apple/Safari keychain)

The major advantage when compared to a separate application (ie encrypted text document) is that the system/browser based url/context reduces Phishing, Clipboard jacking security issues.

Why does Okta exist? Primarily for their SCIM configuration (which is different and adds a level of org management)

Why do Lastpass and 1pass exist? Likely because Android/Chrome passwords weren't trusted yet and Apple keychain doesn't has as much of a consumer interface / cross platform concerns.

If you're fully entrenched in the Apple ecosystem, Keychain is the most seamless option. I don't use its "strong password" recommendation system, however, since it breaks on half the signup flows I try it on, sometimes botching things so badly I have to use the "forgot password" link to log in the very first time.
> why don't people use local password managers?

I do use a local password manager, personally. The disadvantage to doing so is that I don't get autofill of passwords and have to enter them by hand. I consider that a good thing, though, because it means that I end up memorizing the 3 or 4 passwords I use the most in a couple of days after generating them.

KeepassXC has auto-type
Yes, it's not that the password manager doesn't have autotype. It's that I need to enter passwords on a lot of different machines and I don't want to (and sometimes can't) install a password manager on every machine, nor sync passwords between machines.

So I use a standalone password manager on my phone instead.

Someone must have made a dongle that you can plug into the USB port of a machine. The dongle also has Bluetooth connected to your phone, and the dongle acts a virtual keyboard. So your phone can send over Bluetooth what to type, and dongle types that into the machine.

Or Bluetooth controlled robot hands. I will go with the latter.

This isn't a problem for me, though, so I don't need a solution. As I said, I consider typing in the passwords by hand to be a good thing, not a bad one.
Consider using a local pw manager with autofill, e.g. KeepassXC.

I had a phishing attack against me prevented by a password-manager; I ended up at a pixel-perfect copy of the login-page, with the domain of original link I clicked on being correct (it used an existing URL redirector on the original domain). It wouldn't auto-fill, so I looked at the address bar and gasped.

In most cases convenience. Sometimes, you may need to share a password one-off (ex. https://support.1password.com/share-items/) with a coworker or a friend. Setting up something like that with keepass is not really possible.

If you want to manage passwords amongst family members, it's easier to set them up with one of the cloud services compared to Keepass. You also get some level of customer support, and don't have to worry as much about when your password breaks.

I personally have set up KeePass, made sure it's backed up regularly, and even set up a WEBDAV server to access it remotely. It works great for me, but I know how everything is set up. Strongbox for mobile access is the main reason I can actually use this, and this is a paid application that not everyone is willing to pay for. Experience-wise, other mobile applications for KeePass have not compared, and I have no idea how apps for Android compare, since I set up everyone with iOS devices. Sometimes, the connection to the server gets disrupted, and I have to reconnect. Not everyone wants to do this, and can have less confidence in the other supporting infrastructure.

As much as attack vectors exist, the biggest risk is you losing access to your own passwords (there's been enough lost crypto wallets you can read about on the internet). Compared to that, a cloud based service is better for a large group of people.

"Obviously, this would be less convinient (sic) and wouldn't sync between devices."

You've answered your own question.

What you're describing is more secure and I do know several people that do this, sometimes with syncing via Dropbox. But it's a battle against convenience and user experience and requires a fair amount of technical expertise to set up and use. While I _could_ teach my family to use a local password manager like keepass, it would be an uphill battle, whereas using 1Password, etc is _easy_ for them and means I reduce the number of tech support phone calls I get from my family (for context the most recent call was about fixing earthlink web email roughly a month ago).
Honestly?

I have no idea.

I use a locally encrypted store, and have done so for almost 10 years. I keep thinking to myself "there's got to be something better, surely I could make an external device..." but it remains to be seen.

So you manually type over the password when you need to log into something on your mobile phone?
With very few exceptions I don't access anything that would need a secure login from my mobile phone.

The few times I have, I've used adb.

Small correction. They don't use hashing, as hashing is by definition a one way operation. They use encryption, which implies the ability to decrypt (2 way).
You're missing the most important points:

* Syncs between devices. I can login to my accounts in all my devices. If I can access my Dropbox account, I can access everything else with the master password.

* Auto password generation. I don't ever even bother looking at the passwords. Just generate something like 32 characters with all ASCII characters, including "special" characters. This goes a long way.

Having used KeePass (with Dropbox sync) since ~2018 I don't even know how people operate without a password manager. It's so intensely convenient. Just dump all the info in the database. I can even take notes in my database. Write my credit card number, SSN, other private info. Put SSH keys. Put website info. Describe where I put my tax documents. Password manager is a pointer to everything else.

Given the rise of “login to do stuff”, I have little over 400 credentials with at least 350+ generating OTP.

Keepass has nice clients but some require bringing my own sync(syncthing frequently failed due to conflicts) and some apps went out of maintenance. Some supported ones like dropbox/gdrive but frequently broke integration every other month due to api changes. Also, when I want to use 2FA, a basic synced encrypted file doesn’t work and having 2-3 apps(most standalone OTP apps needs my phone number or email or credit card) scattered between different platform. Basically after 10-15 credentials, it becomes maintenance headache.

What the likes of 1Password/Bitwarden/Lastpass(naughty naughty …) does is, they provide ubiquitous experience on all of my devices and seamlessly does the sync for a very little price(bitwarden 1year is only €10/-, that is dirt cheap compared to one falafel bread cost me €6+) removing all of the maintenance and management headache.

As for security, I would trust bitwarden or 1Password more than random unmaintained keepass app with self managed syncing and random loss(fixing sync conflict on a keepass db is super risky domain of severe data loss!). Also it is their business to manage my passwords and if hackers are harvesting passwords easily from them, what makes you think that hackers can’t do that on the very website that you enter your credit card details?

Password managers are major improvement in quality of life and security. Heck, I don’t even know 99% of my password, I just click generate and autofill without having to think about all arcane 1 uppercase, one special digital rules on different websites.

—EOR—

1Password started off like that and relied on file syncing services like Dropbox for supporting multiple devices. It's still using the same foundation, but 1Password provides the syncing service itself. (They aren't supposed to see the master password.)
I think the meta point across the other answers in this thread is that when people choose less "secure" options, it's often because they have a different set of input values for their cost/benefit calculation. Too often, I feel like security conscious folks try to convince me to do X rather than Y by explaining to me why Y is insecure, when in reality I'm just not motivated enough to make a change.
Because poor usability just is a vuln.

If you make life unlivable, either for yourself or for a group of people, you can expect security to fall by the wayside.

Real-world security isn't just about digraphs and compendia of named (known!) attack types, listed together with mitigations. (Although all that certainly helps!)

It is, unfortunately, also about maintaining and managing personal systems. No matter how scaled and nuanced, the security of any organization comes down to personal habits.

Password managers make it significantly easier to track, prune, maintain and manage identity across sundry & clastic platforms, and therefore, improve security.