eli5 Password manager apps


I’d not consider myself technologically unsavvy, but I can’t really understand how a password managing app on my phone can keep my passwords safe?
By that I don’t mean what kind of encryption technology is used; I just can’t believe that I really CAN trust a company not to give away/sell all my passwords (or lose them to a hack).
That’s also the reason why I never use Apple’s pw manager, for example.

Am I overly cautious? Is it safe to store my passwords in a pw manager app?

Maybe someone that understands the technology/encryption behind such apps can help me.


15 Answers

Anonymous 0 Comments

I can’t really explain the encryption but I can say that the vast majority of cyber security experts recommend using a password manager. Is there a 0% chance of your PM getting compromised? No, that’s impossible. But the risk of using simple passwords and reusing passwords if you don’t have a password manager is much higher.

Anonymous 0 Comments

You can’t be certain any program does what you want.

You can write your passwords on a piece of paper and put the paper in your wallet, next to those valuable paper sheets called “money”. This isn’t resilient to having your wallet stolen, but you can keep a copy on paper in a safe in your office.

Paper can be trusted not to run off without you knowing it. No software can be trusted as much as paper.

Anonymous 0 Comments

I wouldn’t imagine them outright selling passwords as that would lead to the mother of all cybersec lawsuits if discovered (plus a properly engineered manager does not give the platform access to your passwords), but you’re right to worry about a hack. LastPass was famously hacked a couple of times and had users’ (encrypted) passwords stolen. There is always a risk of that, but the risk of using bad passwords and the inconvenience of constantly forgetting good ones outweighs it for most people.

If you pick a trusted provider with a good track record, the chances of a hack are very slim, and if you use a strong master password coupled with 2FA, the chances of anyone getting anything useful out of that hack are even slimmer.

Anonymous 0 Comments

Most people are hacked because they use the same username/email and password against multiple sites. So if a site leaks your password a hacker might take that email and password and try it on any number of sites to see if it works through automated scripts. This makes it very easy for hackers to have access to multiple accounts that were technically never leaked. A password manager protects you from this type of attack, because you can have randomly generated passwords unique for each application.

Anonymous 0 Comments

Password managers don’t make you 100% safe. But they typically make you safer by making it easy to use unique passwords on all your sites.

Personally I use open source software to store my passwords. I trust it more than normal password managers since public software experts can see exactly how it works.

Anonymous 0 Comments

I personally use a password manager (KeePass) that is entirely on my phone and doesn’t send data anywhere, so there is nothing to compromise unless you get your hands on my actual phone. It’s less convenient than other managers but more secure.

Anonymous 0 Comments

A password manager is another party you need to trust but there is a point where you do just have to trust someone.

If a company that makes the web browser you use wants to steal your passwords, they can. They can just grab them straight from the password field on the webpage, they can read the keystrokes as you type, etc. In your example of Apple’s password manager: If you use Apple’s browser it doesn’t matter if you don’t use Apple’s password manager.

Unless you meticulously check the source code of your browser and compile it yourself ([and you trust your compiler](http://genius.cat-v.org/ken-thompson/texts/trusting-trust/)) you cannot guarantee that whoever built your browser (or whatever piece of software you’re using) isn’t stealing everything you put in. You just have to trust that they are morally upright people, or more realistically, that they have more to lose than gain if they did that.

Anonymous 0 Comments

The good part is you don’t have to trust them when they are open source (and you are able to understand the code, or trust that others have examined the code and trust it).

As to why a good pw manager can’t sell your passwords or lose them to a hack: they don’t have your passwords. They only have the encrypted passwords. Now, whether you can trust Apple or some other company that isn’t open source is a different question. But note that if Apple really wanted to get your passwords, they could get them any time you type them in on your iPhone; it doesn’t matter if you save them or not, so if you don’t trust them with that you shouldn’t be using an iPhone, or any non-open-source OS for that matter.

Anonymous 0 Comments

Many comments are getting it wrong:
– Software can be secure and you can be certain of what an app does if the code is open source and the build is verifiable (which means you can verify that the app was built from the same source that was published)
– Good password managers (Bitwarden, for example) encrypt your passwords BEFORE they leave your device, by deriving the encryption key from your “Master password”. So, your passwords cannot be sold, because the company’s servers only have undecryptable data.

It is safe to store your passwords in a password manager, as long as that password manager is open-source, verifiable and audited and is not LastPass (you can look up why).

Anonymous 0 Comments

Part of it is trust in what they purport to say they are doing.

For instance, Apple’s keychain is encrypted in such a way that Apple doesn’t have access to your passwords. So even if they wanted to sell your passwords, they’d have to circumvent the encryption. Now, that assumption still rests on trusting what Apple says they’re doing.

Ironically, breaches are a good example of password managers doing what they purport to. It’s never been a breach of “the passwords in plaintext” but instead of the encrypted vault (admittedly, some issues with how safe the vault’s encryption is come up during these breaches as well).

Your concerns are valid, though: there are self-hosted (and open-source) password manager apps that perform the same type of role as cloud-based password managers but leave it to you how you store/pre-share the vault across multiple devices. Those largely remove the need to trust that the vendor is doing what they say.