I cannot believe that I didn’t see this article by
@taviso back when it was posted:
Password Managers.
Now I have also looked into quite a few password managers. Not sure how this compares to Tavis’ experience, but I feel like I’m also qualified to have an opinion.
And I certainly see where Tavis is coming from. I’ve also seen all kinds of bad. Which is why “just use a password manager” as an advise might indeed make thing worse than they were before.
I disagree with his conclusion however. Yes, the browsers’ built-in password managers are quite good. I don’t think that this is due to fundamental technological disadvantages of browser extensions, they merely happen to value security over features.
Things start to look dire when you look at the sync functionality however, a trap that inexperienced users are likely to fall into without a second thought:
Can Chrome Sync or Firefox Sync be trusted with sensitive data?
Chrome’s default is to upload all your passwords to Google’s servers without any client-side encryption whatsoever. I understand that Tavis won’t speak up against his employer, and if someone won’t leak this data then it’s them. But I simply don’t trust them to keep their own hands off that data.
And while Firefox Sync is designed in a much better way in principle, they have this long-standing issue of doing completely insufficient client-side key stretching (1,000 rounds of PBKDF2). I just don’t get it how this is still not fixed after six years.
Conclusion: built-in password managers are good and fine, but only as long as you don’t enable sync.
As to all the other password managers out there: yes, they are often flawed. Yes, some are more flawed than others, and users have no way of seeing that. Which is an issue, one I’ve been trying to address with my research, just like Tavis did.
In the end however, “any password manager is better than no password manager” is largely true. It’s rare that password managers flaws create an acute danger, especially compared with all the issues caused by not using a password managers.
For the most part, the dangerous combination is: lax security practices paired with exposure (popularity). That’s the reason I’ve been warning about LastPass for years.
1Password is also exposed, by they are a hard target. Bitwarden is also exposed, but they seem willing to learn from the LastPass debacle and improve. Everything else? Not really popular enough to be worth the time.
So my advise would rather be: anything but LastPass. And don’t put your passwords into the Google or Mozilla basket please.
community.bitwarden.com
