It has come to my attention that people are Wrong On The Internet about password managers. This matters, because almost everybody should be using one. Herewith background, opinions, and a description of my own setup, which is reasonably secure.
What is a password manager? · It’s a piece of software that does the following (although not all of them do all of these):
Store your passwords in a safe way, protected by at least a password, which we call the “master password”.
Make new passwords for you. Here’s an example of a generated password: QzbaLX}wA8Ad8awk. You’re not expected to remember these.
Make it easy to use passwords. One way is to copy it out of the manager and paste it into a password field. Another is to use a browser plugin that auto-fills login forms. On certain combinations of app and mobile device, you can use your fingerprint to open the password manager, which makes everything way faster and easier.
Store other stuff too. I keep various Important Numbers and AWS credentials and recovery phrases and so on in there.
Synchronize between devices. I have two computers and one phone and I need access to my passwords on all of them.
There’s more, but those are the essentials. The effect is that you end up using a different password for every site and app, that they’re all strong, and that you don’t have to remember very much.
My own manager, which I’ve been running for years now, contains 504 items, and I use it a few times a day, every day. Granted, many of the 504 are for sites and apps that no longer exist (like the dead people I can’t bear to erase from my contacts).
How they work · It’s pretty straightforward conceptually. They have a little database with all the stuff in it, and it’s all encrypted using your password. So even if someone steals the database, you’re probably OK because modern crypto makes it really hard to crack the code.
Where it gets interesting is how these things synchronize between devices, and how they use the network.
Basically, it comes down to this: Can you get access to your passwords over the Web? Lots of password managers allow this, but some don’t. For example, I use the 1Password app, which has no website whatsoever, and has a variety of ways of syncing (iCloud, Dropbox, WiFi, local folder) none of which involve talking to a website with a browser. [There are lots of other password managers, which I’m not going to write about because I don’t use them.]
What’s wrong with a Web site? · The problem is that the site has my encrypted data, and at some point, wants me to type in the password. Thus, in principle, they can peek and see my passwords. And hand them over to the NSA. Or to the criminal gang that abducted the CEO’s children. This makes me unhappy.
In principle, this could be OK. What with modern JavaScript, it’d be perfectly practicable to do all the crypto inside my browser, never send the password (or anything unencrypted) over the wire, and have me sleep soundly at night. Furthermore, since JavaScript is by definition open-source, I could in principle look at the code and satisfy myself that it’s wholesome.
In practice, nope. The JavaScript platform is dynamic to the core and horrifyingly complex even before they start loading massive modern application frameworks on it; any teeny little bug or zero-day exploit at any level of the stack and I’m cooked. Also, the NSA or a crook only has to make the slightest little mod to the code, and take it away a few milliseconds later, and the horse would (silently) be out of the barn.
In the 1Password app’s sync model, however, one assumes they use the pretty-secure HTTPS-based APIs for each of these products, machine to machine, no JavaScript in the loop.
Why we’re talking about this · Because AgileBits, the company behind 1Password, is trying to get people to move over to a Web-based thing; that’s what you find when you go to 1password.com.
There’s a decent summary at cyberscoop and a longer, more personal narrative from Kenn White.
I, like many security-conscious people, am just not gonna use anything where the same party, who’s not me, gets to see my stored data and my password. Sorry. But I love the 1Password apps and I’d really like to go on using them. More on that later.
Let’s get serious · Am I claiming that my app-only approach is 100% safe? No, because security just isn’t binary, ever. Let’s see:
The bad guys could slip a sedative into my coffee at a coffee shop and install a keylogger on my computer, or
install a camera anywhere I work and focus it on my hands, or
phish me with a super-clever website or poisoned USB key, and get the keylogger in that way, or
point a gun at me and ask me to unlock all my devices (then probably pull the trigger), or
send a National Security Letter to AgileBits and force them to put backdoor code in a future 1Password app release that sends the goodies to the enemies.
And anyhow I’m obviously a lame-ass hypocrite because I use the 1Password Chrome plugin to fill in forms for me, and this means I type the master password into a browser. Having said that, I verified that it works when I have the networks turned off, and at the end of the day, the plug-in is neither more nor less secure than the app I use all the time.
Is your setup perfect? · Well, I only remember four passwords: For my personal computer, for my work computer, for my AWS account, and the 1Password master. And the AWS password is just an accident of history; I only need 3.
Obviously I change them regularly and use password-less ssh access wherever I can, and lots of places I go have two-factor, via SMS or hardware token (Gemalto, Yubikey) or the Android Authenticator app.
So, on balance I feel pretty secure. One downside is when I’m setting up a new computer or phone. The process of typing in long generated passwords on a mobile “keyboard” is so impractical as to be hilarious.
In effect, my security is about as good as my mobile device’s. Actually a bit better, because the 1Password app needs one more fingerprint-or-password.
You sync through Dropbox, are you crazy?! · After all, Condi Rice is a board member, which has to worry you. But let’s assume the worst: that Dropbox turns turtle for the Feds, or gets totally pwned by bad guys. So, congrats, they have my encrypted password file. It’s not impossible that they might crack it. But it’d probably be easier and cheaper for them to slip a sedative in my coffee, or… (see above).
Why is AgileBits doing this? · For the same reason that Adobe has been pressuring its customers, for years now, to start subscribing to its products, rather than buying each successive version of each app. A subscription business is much nicer to operate than one where you have to go out and re-convince people to re-buy your software.
I understand, and I support AgileBits wanting to become a subscription biz. But I still want to keep my data and password away from their servers. This all seems fine to me. I pay my monthly rent to Adobe and it’s for Lightroom & Photoshop, not for their unexciting server-side offerings.
So AgileBits, why not? Please go ahead and start asking for subscriptions. But don’t ask paranoid people like me to go anywhere near 1Password.com.
AgileBits has addressed the situation in Why We Love 1Password Memberships, but it’s really unsatisfying, totally ignoring the security concerns. And (I guess I shouldn’t be surprised) failing to acknowledge the business advantages for them in making this move.
Am I wrong? · Maybe there’s something I and the others who are all upset about the 1Password move are missing; maybe it’s all just OK and there’s really no significant loss of security. In which case, AgileBits really needs to explain why.
Comment feed for ongoing:
From: Jason Heiss (Jul 20 2017, at 09:11)
100% agree. I would happily pay AgileBits a few USD a month for a subscription if they asked. I think that paying a single up-front fee for software gets the incentives all wrong and would encourage anyone selling software to sell it on a subscription model.
[link]
From: Anthony Williams (Jul 20 2017, at 09:12)
I agree that web interfaces, and anything where someone has both your private data and your password (at least for the instant when you send it to them through the browser) is a concern. That's why I don't store my private key in keybase.
I used to use LastPass, which has a web interface, but accessing the web interface from a mobile device is a pain, and I started to feel disturbed about them having my passwords.
Now I use Password Store on my Android devices, and QtPass on my desktop machines. They are all essentially the same app, just customized for the platform. They use GPG to encrypt each password separately, so in theory you can use different identities for separate passwords, and a git repo to store them, so you can see your old passwords too. It's not quite as easy to pass round a git repo as a binary file, but it's easy enough to host on your own web space.
Plus, the whole chain is open source, so you can audit it yourself, and create your own build if you like.
[link]
From: Aaron Parecki (Jul 20 2017, at 09:21)
I'm with you in that running this stuff in a browser makes me uneasy, although between https and actually trusting Agile Bits, I've launched the 1password web app on a couple of occasions. The vast majority of my use of 1password is their desktop and iOS apps.
The security of their ecosystem is written up in a PDF whitepaper, which is a good read: https://1password.com/teams/white-paper/
tl;dr your master password is never sent to Agile Bits, and they have no way of decrypting the data on their servers.
[link]
From: Doug K (Jul 20 2017, at 09:22)
true confessions: I have never yet used a password manager.
This is mostly because I don't trust websites to secure my passwords. Password Safe is what I have been planning to try, for some years now. For the moment I remember about a dozen long passwords which are written down along with the rest of them, on a couple of pieces of paper in approximately safe locations. That also has all the lies I tell in answer to 'security' questions.
I am probably living in a fool's paradise imagining this is secure. As John Gierach says, just don't tell the fool, might as well let him be happy.
[link]
From: Sean Bamforth (Jul 20 2017, at 09:49)
I'm generally OK with subscriptions, but the size of the 1Password team so depressed me (I mean, what do all those people actually do?) that it put me off the product.
I can't help but feel that it doesn't take 80 people to manage my passwords, and any company this size is doomed to either fall to its competition, or suffer in some other way that's going to increase the attack surface of my password file.
I'm back with lastpass now, and I'm not 100% happy about that, but the user interface is better and as a company they don't *feel* as mismanaged.
All of which is an extra demonstration of the weird decisions that go into safeguarding this most precious resource.
[link]
From: COD (Jul 20 2017, at 09:59)
I use KeePassX for the same reason. Keeps my passwords secure, and I can sync across Mac, Linux, and Android.
[link]
From: Miike (Jul 20 2017, at 10:04)
I acknowledge the greater security risks and also want to mention how this shift also provides certain features that would otherwise be very cumbersome.
I use the 1Password for Families product, which wouldn't be straightforward without some kind of cloud-based sync hosted by AgileBits. For the unfamiliar, 1P for Families is basically a 5-user version of AgileBits' 1P for Teams product.
This has let me onboard my dad, who accepted the value props of better passwords AND easier sharing between us. Previously, we'd have to exchange on phone/email/SMS/whatsapp, and that often resulted in using the same password for many services for simplicity.
I suppose having a shared vault on Dropbox is theoretically possible, but is far from smooth to setup and opens up the possibility of sync collisions, which is worse.
[link]
From: SteveB (Jul 20 2017, at 10:54)
I notice a lot of complaints about password managers in browsers and storing your credential bank in the cloud...
Rightfully so.
At Bluink, our Bluink Key solution stores all your passwords, OTP seeds, and FIDO U2F private keys on your phone in an AES 256 bit encrypted container... Never in a browser or cloud service. You can keep a personal backup wherever you want.
With our Bluink Key USB device, we connect your phone to your machine, and "inject" passwords directly for you. As well as OTP codes for Google Auth. and FIDO U2F.
For personal use, the app is free (iOS and Android), and you can buy the Bluink Key on Amazon or our Bluink.ca site.
Why not try the future of security today?
[link]
From: Greg Lloyd (Jul 20 2017, at 11:26)
I'm also a long time 1Password fan. One app + subscription issue: What if you choose not to renew (or 1Password goes away)? I'd accept a policy that says that a subscription app goes read-only (except for master password/admin changes) if the license lapses for any reason.
[link]
From: Tyler Kellogg (Jul 20 2017, at 12:00)
Regarding #5 (National Security Letters):
AgileBits is Canadian; are they subject to National Security Letters? I don't believe Canada makes use of this but I am keen to be proven wrong.
[link]
From: Evert (Jul 20 2017, at 12:21)
I recently switched to enPass. It's pretty good, and could maybe even be called a 1Password clone.
The reason I switched from 1Password was not because of the subscription service (I was grandfathered into their existing plan), but superior Linux support.
All their desktop applications are free, the mobile apps are cheap and you can use Dropbox to sync.
[link]
From: Steve Feinstein (Jul 20 2017, at 12:43)
The assertion that the password is sent to the website for the decryption of your password is not true for the case of the LastPass manager.
LastPass uses javascript on the local browser client after retrieving the encrypted blob from the internet server.
Login is handled by a challenge response scheme where the actual password isn't sent to the server, but the server asks the client to prove who it is by encrypting some data with the password/key and sending that to the server where it can use the public key to prove that you know the password. Again the password never goes over the wire.
[link]
From: Guy Middleton (Jul 20 2017, at 13:30)
I too am a longtime 1Password user, and also unhappy about the move to software subscriptions in general.
We all understand that software companies want a recurring revenue stream, but there are better ways to do it.
I like the approach Picturecode takes for their raw-file converter -- you purchase the software, and can optionally pay a yearly subscription fee for updates.
The new Jetbrains subscription model also works fairly well. After subscribing 12 months, you have a perpetual licence, so effectively the purchase price is the one-year subscription cost.
[link]
From: John Cowan (Jul 20 2017, at 15:18)
I keep my passwords and other magic numbers in a plain-text file on a server belonging to a friend I trust, since it's not practical for me to have my own server. When I want something, I ssh to that server. I'm considering moving the data to an encrypted file on AWS.
[link]
From: Pat (Jul 20 2017, at 18:06)
The real question, to my mind, is why AgileBits hasn't charged for upgrades. They themselves make the point you do -- that it's hard to convince people to pay for upgrades -- but they haven't even tried.
In 6 major versions, going back more than a decade, only once did they ever charge for an upgrade (3 to 4). The other four upgrades were completely free.
Why not at least try charging a nominal fee, before completely changing both their architecture and business model?
[link]
From: gms (Jul 20 2017, at 20:25)
Keepass + Dropbox on all devices
[link]
From: Mike MacLeod (Jul 20 2017, at 21:06)
It's important to note that even cloud based password managers are still superior to not using a password manager at all.
And these days, the lines separating 1Password and LastPass are pretty faint, not just because 1Password wants to go subscription but also because LastPass now has native apps for mobile (iOS and Android) and Windows.
When I was in the market for a password manager I actually needed desktop linux support, and 1Password didn't offer that. A browser based password manager will run on any platform that can run a browser, which can be a significant advantage.
[link]
From: Pete Forman (Jul 21 2017, at 09:49)
I do the same as COD and gms: KeePass, which works on all my OSs and mobile devices, and cloud (Google Drive at the moment) to sync the encrypted password database.
The main reason I chose KeePass was its availability across all my device platforms. A nice feature is that when you copy to clipboard the contents are purged after a few seconds.
[link]
From: Mike Rodriquez (Jul 21 2017, at 13:22)
I switched from 1pass to KeePass a few years back, and after this little episode am not planning on making any changes.
[link]
From: Jon H (Jul 21 2017, at 16:47)
How do you go about syncing two PCs and a smartphone with 1Password? The wifi sync is designed for just a single PC to smartphone sync. I've been managing to use a hack where I sync the phone to one PC at a time, but this is not perfect. It takes forever to transfer the data if I switch from syncing on one PC to another on my phone. So long that my phone could interrupt the process by falling asleep. It also clearly loses certain folder data, perhaps because the folders are missing entirely from the smartphone app.
[link]
From: ludovic (Jul 22 2017, at 10:05)
I also had some hesitation going with the 1Password hosted/subscription model. I have no problem with the subscription bit, but I do with the hosted bit.
Then I figured that:
1) Part of the "hosting" is really replacing Dropbox syncing with AgileBits syncing. I trust AgileBits more than Dropbox, so that part was easy.
2) AgileBits never has your unencrypted data or master password. As you said, it all happens in the browser using Javascript. So at that point it's a matter of how much you trust the Javascript code vs. how much you trust, say, the Objective-C code running in your 1Password app, and, as you mentioned, the Javascript that's running anyway in your browser to auto-fill forms and auto-open websites.
Of course, the answer is that Javascript in the browser is a lot less trustworthy, but if you don't trust it, just don't go to 1password.com and it will never run. At which point, what you're paying for is effectively just a replacement for Dropbox.
[link]
From: ard (Jul 22 2017, at 19:06)
As said, I don't like the web for my password manager.
I do use a rather unknown PW manager, for about 10 yrs now, and feel confident with it. I normally do a copy-paste to put the PW in forms. I update monthly on 2 USB sticks and use that to synchronize my PW manager on my other computers.
I have a question: would keyloggers be able to get your PW if you only copy-paste it? Or will a keylogger only see Ctrl+C and Ctrl+V?
Anybody have a clue?
Thanks
[link]
From: Tim (but not THE Tim) (Jul 23 2017, at 20:55)
I use Norton Security on my Windows machines at home, and it has worked for me, however their Identity Safe password manager became problematic because they want to store the vault on their site so I can sync among devices - but I don't want to do that.
[link]
From: Jont (Jul 24 2017, at 06:27)
To answer some user above: Keepass automatically deletes the copied pwd from memory after x seconds.
I used LastPass but this software had so many dangerous bugs. Went to Keepass with a copy in a zero-knowledge cloud (tresorit.com), very happy.
[link]
From: Michael Rourke (Jul 27 2017, at 00:09)
Agilebits could move to a subscription model without moving password storage to the cloud - at least on iOS. So I'm not sure that is the full story.
I totally agree you shouldn't need to store your data on a server run by your password storage service provider. However if you are absolutely sure your key never leaves your device or desktop you could say it doesn't really matter - but this depends on your level of trust with the implementation of the password storage service.
My view is keep it simple. Browser integration has had problems in the past too. Classic convenience/security tradeoff.
[link]
From: Alex Weissman (Nov 23 2017, at 21:12)
The move towards SaaS is definitely part of a broader trend by companies to position themselves as gatekeepers of consumers' digital experiences. Tablet/smartphone devices with their "walled gardens" that prevent you from installing arbitrary software, streaming media sites specifically designed to prevent the consumer from permanently downloading the content they've paid for, and the "access packages" predicted under a post- net neutrality world, all scream of a power grab that has been succeeding for the past decade.
This is no different - AgileBits is essentially making consumers artificially dependent on their platform in the name of convenience. The problem is that the vast majority of consumers are neither technically-minded nor business-minded, which means that they won't see the inherent conflict of interest. Their best interest is to keep your data on their own servers, where they can charge you a monthly fee to access it. Your best interest meanwhile, is to keep your data _off_ their servers, where it is less vulnerable to a determined attacker.
Perhaps scarier than the vulnerability itself, is what the success of this gatekeeper model says about the average consumer of tech products. How much longer before the general-purpose programmable computer disappears off shelves entirely, replaced by devices that can only install "apps", which will only allow you to store your data in the "cloud"? At this point you'll have no choice _but_ to use 1Password's SaaS. Little by little consumers have been ceding control to large vested interests, and this is the extreme, but logical conclusion.
[link]
From: Alex Weissman (Nov 24 2017, at 10:13)
D'oh! Your platform appears to have purged the colon from the URL in my last comment. Trying again without the scheme prefix ^^
[link]