eli5 Password manager apps


I'd not consider myself technologically unsavvy, but I can't really understand how a password managing app on my phone can keep my passwords safe.
By that I don't mean what kind of encryption technology is used; I just can't believe that I really CAN trust a company not to give/sell all my passwords (or lose them to a hack).
That's also the reason why I never use Apple's pw manager, for example.

Am I overly cautious? Is it safe to store my passwords in a pw manager app?

Maybe someone who understands the technology/encryption behind such apps can help me.

In: Technology

15 Answers

Anonymous

Well, there are two ways they can work. One is not as safe as the other.

Some services are “end to end” encrypted. That means the encryption keys are stored on YOUR device, and do not get stored by the company. They’re storing an encrypted file on their servers. But since you have the keys, they can’t decrypt the files. 1Password is a service like this. A good way to tell if a service is “end to end” is to look for two qualities:

* It’s hard to add new devices and may involve a convoluted process including one device that’s already added.
* If you forget your password you lose all your data.

The first one is because if it’s REALLY safe, the only person who ever has the “keys” for encrypting your data is you. The company does not have those keys. So they can’t give the keys to a new device, they can only help facilitate the transfer from one of your devices to the other. And if they’re being very honest, they can’t even be a “middle-man” and handle the keys at all. That makes transferring pretty complex.

The second makes more sense if we understand the less secure version.

LastPass is a service that does not do “end to end” encryption. They store the keys AND the encrypted file on their servers. So when you put in your password, you’re just proving you’re a person who should have access to the keys. Adding a new device is easy, because the company has and can share the keys.

This is why it’s easy to reset the password in these. The password’s not part of the encryption, it’s just part of gaining permission to use the keys. So when you change the password, nothing about the encrypted data changes. With end-to-end encryption, usually the password is PART of the key data, so if you forget it *it’s impossible* to decrypt the file. If the file can’t be decrypted, the password can’t be changed. If you still know the password, you can change it. When that’s the case what happens is you use the keys + password to decrypt, then keys + new password to encrypt a new file and upload that. If you legitimately forgot your password all you can do is delete the encrypted data and start over.

Services that aren’t end-to-end are a lot less safe. Ask LastPass. Last year they were fully compromised and the attackers stole BOTH users’ encrypted data AND the keys to unlock it. Game over. People shouldn’t use services like this. They are more convenient, but they also make it possible for people to steal ALL of your passwords at the same time. End-to-end services require someone to steal things from YOUR machine specifically, which is less likely.

So to address your question:

* End-to-end companies like 1Password can’t sell or lose your data because it is impossible for them to see your data.
* Companies like LastPass can sell or lose your data because they can decrypt it by themselves.

Note that practically no company’s going to sell your passwords. That would likely make them criminally liable. But they *might* sell a list of the sites you’ve saved passwords for. That’s valuable marketing data.
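To make the end-to-end model concrete, here is an added toy example (not the code of any product mentioned above) showing what actually leaves the phone: the master password is fed through a key derivation function on the device, only salt + nonce + ciphertext + tag are uploaded, a password change is "decrypt with old, re-encrypt with new", and a forgotten password leaves the blob unrecoverable. The cipher is a stand-in built from HMAC-SHA256 so the block runs with only the standard library; real managers use Argon2/PBKDF2 with AES-GCM or XChaCha20.

```python
import hashlib
import hmac
import os
from typing import Optional

# Toy construction for illustration: HMAC-SHA256 in counter mode as the
# keystream plus an HMAC tag (encrypt-then-MAC). Not a production cipher.

def derive_key(master_password: str, salt: bytes) -> bytes:
    # The key exists only where the password is typed; the server never sees it.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return out[:length]

def encrypt_vault(master_password: str, plaintext: bytes) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    # Only this blob is uploaded: no key and no password are in it.
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def decrypt_vault(master_password: str, blob: dict) -> Optional[bytes]:
    key = derive_key(master_password, blob["salt"])
    expected = hmac.new(key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong password or tampered blob: nothing can be recovered
    ks = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))

def change_master_password(old: str, new: str, blob: dict) -> Optional[dict]:
    # The procedure the answer describes: decrypt with the old password,
    # re-encrypt with the new one, upload the new blob. Without `old` it fails.
    plaintext = decrypt_vault(old, blob)
    return None if plaintext is None else encrypt_vault(new, plaintext)

def demo() -> dict:
    # Constructed sample vault contents (not real credentials).
    vault = b"example.com: hunter2\nbank.example: correct horse battery"
    blob = encrypt_vault("old-master", vault)
    rotated = change_master_password("old-master", "new-master", blob)
    return {
        "vault": vault,
        "blob": blob,
        "rotated": rotated,
        "forgot": change_master_password("forgotten", "new-master", blob),
    }
```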
