TL;DR: you should still use one.

I had no idea how many services I was using until I started using a password manager and entering each password as I next logged in: more than 200 services in the end. The idea of a password manager is to keep your passwords in an encrypted vault and to help you log in without necessarily typing the password every time. This makes it much easier to have a separate, strong password for each service. Let's have a look at some of the main benefits of using one and what you can do if you are on the paranoid side.

Encryption at rest

In most cases password managers use something like AES-256 to encrypt your passwords at rest. AES is a standard and well-tested cipher, so the encryption itself is not usually the weakest link in the security of a password manager. In some cases your encrypted vault will be stored online, so that you can reinstall or log in to a different version of the manager from another device. When done correctly, the vault is only decrypted on your device. Make sure your password manager uses strong encryption, and also see what options you have to make a backup of your encrypted vault.

Risks

The main risks that would allow others access to your passwords when using this type of software come from how your passwords are handled and whether you have autofill enabled. In order to fill in your complex, randomized password, it usually needs to pass through your operating system's clipboard. This is very much like any copy-and-paste operation, except that the content is your secret password. The clipboard is a useful tool, but it must necessarily allow very open access to its functions by nearly any program. The good password managers mitigate this risk by emptying the clipboard after a few seconds, so that the secret is only held there for a limited time. Most vulnerabilities that I've seen are related to the autofill function or to the moment the password is used. Logically this is the most opportune time, as you need to decrypt the password in order to use it. Using 2FA will make it much more difficult for bad actors to use your password when it eventually leaks.

(Image: cyber security. Photo by FLY:D / Unsplash)

Convenience

The main benefit you will notice when using a password manager is always having your password ready to be entered into the login form. You can also launch most sites directly from the software. The hidden benefit is that you don't have to remember all of your passwords, at least not the ones for random non-essential services. Therefore you can change those passwords to randomly generated strings that have all the required components and are very difficult to brute force. Again, you don't need to use it for all of your services, but it will make your life much easier if you use it with some. This of course depends on how paranoid you are.
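To make the "randomly generated strings that have all the required components" point concrete, here is an added example (not code from the post or from any of the password managers it mentions) that generates such a password with a cryptographic RNG, checks it against a per-class policy, and estimates how large the brute-force search space is. The symbol set and the guessing rate are assumptions chosen for the illustration.

```python
import math
import secrets
import string

# Character classes a typical site policy demands; the symbol set is an
# assumption (a conservative set that most login forms accept).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",
}


def meets_policy(password: str, classes=CLASSES) -> bool:
    """True when at least one character from every required class is present."""
    return all(any(c in chars for c in password) for chars in classes.values())


def generate_password(length: int = 20, classes=CLASSES) -> str:
    """Draw `length` characters uniformly from the union of all classes and
    reject candidates missing a class. Rejection sampling keeps the result
    uniform over the accepted set, unlike 'one of each class, then shuffle'."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = "".join(classes.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, classes):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Search-space size in bits for a uniformly random password: log2(N ** L)."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits: float, guesses_per_second: float) -> float:
    """Expected years to hit the password: half the keyspace at the given rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(20, len("".join(CLASSES.values())))
    print(pw, meets_policy(pw))
    # 1e12 guesses/s is an assumed attacker rate for offline hash cracking.
    print(f"{bits:.1f} bits; ~{years_to_brute_force(bits, 1e12):.2e} years")
```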

Most have some kind of helper application for mobile or a browser extension that does the heavy lifting with all the interfaces. You will, however, want to set these to ignore some pages that seem to confuse the system, since it will override your input in some cases. This has happened to me with some admin interfaces that have more than one password field or protected field, which caused issues.

! UPDATE !: According to a recent article, LastPass has several trackers enabled which may weaken its security and leak info, such as the use of mobile biometrics.

Your options

  • 1Password - most recommended
  • Bitwarden - popular open source option
  • LastPass - well known runner up
  • KeePassXC - most modifiable open source solution

If you are interested in self-hosting your password manager at some point, or are looking for that open source flexibility, I would recommend Bitwarden. However, if you are not the kind of person who hosts their own servers and you just want a working and reliable service, I would suggest going for 1Password, who have the best track record and are always on top of reputable comparisons.

Tips

  • Make sure your chosen tool uses strong encryption.
  • See how you can hold a backup of your vault.
  • Possibly disable auto-fill if you are worried about clipboard visibility.
  • Use Two-Factor Authentication a.k.a. Multi-Factor Authentication.
  • If you want to have maximum control, go with an open source solution. Beware this can be a complex process if you elect to go full DIY, though there are easy options available as well.
  • If you don't fully trust your password manager, you can leave important passwords out of its vault. It is very hard to hack a paper note.

Sources