A cryptographer's perspective on choosing a password manager

Summary: To evaluate the various password managers available, I come up with desired features and a threat model. I then compare 1Password, Lastpass, Enpass, KeePass, pass, iCloud Keychain, and memorization with a paper notebook as backup, and see how they each stack up in terms of security and usability.

Password managers

"You really should use a proper password manager."

It's something I've been telling myself for a couple of years now. I've been using a home-brew password manager I came up with a few years ago, but I'd never really invested much effort in it. It works, it's probably fairly secure (because of good crypto, but also: who's gonna attack my password manager that only I use?). I can store and retrieve passwords, but it's cumbersome. No browser extension, no mobile sync – so I end up with memorizing most of my passwords anyway, which means I reuse a lot of my passwords.

But, as you might know, reusing passwords is bad. And as a cryptographer (although a theoretical one – I'm basically a mathematician), I really should know better. Of course I don't have just one: a unique one for my email, another one for my bank, one password for websites I don't care about. But that last category has by now gotten so large and I actually started to care about some of my accounts on these websites, so I need a new approach. Thus, a few days ago I decided to take action and invest some effort into finding a good password manager. This post is the result of this effort.

In case you're not yet fully convinced you need a password manager, let me try to convince you. (Even though for Steemit you couldn't even pick your own password, so unless your memory is really good, you're already storing that one somewhere.) A password manager helps you avoid two pitfalls:

Reusing passwords If you use the same password to log in to websites A and B, then if website A gets compromised (or the admin has ill intentions for you), then can also access your account at website B. Note that this is true regardless of how website A stores their passwords, because each time you log in you send them your password. You can of course choose different passwords for different categories of websites, like one for your social media accounts, another for your bank, and another for websites you don't really care about, but when that last category keeps growing it can get a pretty big deal if suddenly all of your accounts on those websites are accessible by someone who doesn't like you.

Using short and predictable passwords Short and predictable passwords are easy to memorize. But they're also easier to bruteforce, for someone wanting access to your accounts. When a hacker steals the password database of a site you use, passwords are usually encrypted. The shorter the password, the easier it is for the hacker to figure out your password.

With a password manager you can use a strong, unique password for each service you use. The downside of this, is that someone who wants access to your accounts only needs to look in a single place. This is where the threat model comes in. But before we can talk about threats, we need to look at what we want to achieve.

What I want is simple, in essence. Basically, I want easy access to services (websites, computer accounts, etc.) from any of my devices (laptop, phone, work computer, etc.).

The threat model

Security by itself is a sort of empty term. Secure against what? What you want to defend against of course fully depends on your personal needs. Here's what I came up with for my situation.

My passwords need to be secure against:

Service isolation: One service being compromised doesn't lead to another service being compromised – see "Reusing passwords" above.
Bruteforce attacks on the services – see "Using short and predictable passwords".
Snooping: Someone briefly accessing my device, when I am logged in. Also shoulding surfing can be a concern, which is why something like autofill is good.
Device theft: Someone stealing my device. Let's assume it gets into the hands of a skilled hacker.
Malicious software on my device. This is a hard one to defend against. Generally if something has access to your computer it's over, although OS-level sandboxing is getting better. Using a popular password manager increases this risk. For good defense against this, you probably need something like Qubes.
Software vulnerability: Compromise of the password manager. This is hard to evaluate. We'll have to base ourselves mostly on the reputation and security practices of the author of the manager. Using a popular password manager increases this risk.
Data loss: Losing my passwords.
Server compromise: If we're using a server to synchronize, someone with access to that server.

There is rarely a thing such as "absolute security". It's all about estimating and weighing the involved risks. This is something you should do for yourself.

Features

I want easy access to services, hence a password manager that's usable. This means:

my device can run the software
there is some synchronization between devices
it should be easy to use a service (e.g. log into a website)

Additionally, I'm including the price of the system.

Candidates

Let's look at the various password managers available. I will look at their supported platforms. I need the manager to run on at least MacOS and iPhone, since those are the platforms I'm using personally. However, I'll expect the software to run on all of MacOS, Windows, Linux, iOS, and Android – if it deviates from this I will mention it.

For synchronization, I will distinguish between:

Their cloud (the service itself providing storage)
3rd party cloud (e.g. Dropbox, Box, iCloud)
Own cloud (e.g. WebDAV support)
Local network ("syncing through Wifi")

Easy of use: autofill and automatic entry of a new password is a big plus. As for browsers, if it has autofill I will expect it to run on Safari, Chrome, Firefox, and Internet Explorer.

1Password is often mentioned. It has a good reputation, looks polished, and is fairly expensive. They just launched a $ 36 per year subscription service which includes all apps and a web service – I'd recommend not using the web service. First 6 months are free if you register before September 21 with this link.

Features

★★☆☆ Platforms
No Linux support, closed source.
★★★☆ Synchronization
Their cloud, 3rd party cloud, local network.
★★★☆ Ease of use
Autofill, auto entry, TouchID.
★☆☆☆ Price
$ 36 per year

Security

★★★★ Service isolation
★★★★ Bruteforce attacks
★★★☆ Snooping
Can be set to auto-lock after idle for a number of minutes.
★★★☆ Device theft
Key derivation: (40K-100K) rounds of SHA512.
★★☆☆ Malicious software
Password file encrypted. Unknown how hard it is to steal data from unlocked vault. Popular app, likelier target.
★★★☆ Software vulnerability
Security conscious development team. Good track record, one minor CVE in 2012. Closed source. Security whitepaper
★★★☆ Data loss
Cloud storage. CSV export tool in the app. Documented data format. Some open source parsing tools available (1) (2), but status unclear.
★★★☆ Server compromise
Data on their cloud is end-to-end encrypted; on other clouds it isn't. OPVault uses metadata encryption and authenticated encryption.

LogMeIn Lastpass started as a browser plugin, and still mostly uses browsers as its main back-end.

Features

s
★★★★ Platforms
Runs pretty much everywhere, mostly as a browser extension. Company maintained open source CLI.
★☆☆☆ Synchronization
Their cloud.
★★☆☆ Ease of use
Auto fill, auto entry, TouchID. Not quite polished.
★★☆☆ Price
First device free. Premium $ 12 per year.

Security

★★★★ Service isolation
★★★★ teforce attacks
★★☆☆ Snooping
Can be set to auto-lock after idle for a number of minutes (not default).
★★☆☆ Device theft
Key derivation: 5K rounds of SHA-1.
★☆☆☆ Malicious software
Password file encrypted. Unknown how hard it is to steal data from unlocked vault. Runs in browser.
★☆☆☆ Software vulnerability
Plagued by security issues in the past, and as recently as a week ago. Closed source.
★★☆☆ Data loss
★★☆☆ Data loss
Cloud storage (only theirs). CSV export tool in the app. Company maintained open source CLI.
★☆☆☆ Server compromise
Account password on their server is equal to the vault password.

Enpass offers a free desktop version, and a fixed once-off $ 10 per additional platform app. It uses SQLCipher as its storage backend.

Features

s
★★★★ Platforms
Offers lots of native apps for different platforms.
★★★☆ Synchronization
Their cloud, 3rd party cloud, own cloud.
★★★☆ Ease of use
Auto fill, auto entry, TouchID.
★★★☆ Price
Desktop app free. Other platforms cost $ 10 once.

Security

★★★★ Service isolation
★★★★ Bruteforce attacks
★★★☆ Snooping
Can be set to auto-lock after idle for a number of minutes.
★★★☆ Device theft
Key derivation: 24K rounds of SHA-1.
★★☆☆ Malicious software
Password file encrypted. Unknown how hard it is to steal data from unlocked vault.
★★☆☆ Software vulnerability
Closed source. Security mostly through SQLCipher.
★★★☆ Data loss
Cloud storage. Export tool in the app. SQLCipher is free/open source. Easy access with scripting languages.
★★☆☆ Server compromise
Metadata encrypted. SQLCipher uses authenticated encryption.

KeePass is an open source password manager for Windows, but can run on *nix platforms under Mono. There are numerous unofficial ports for various platforms. KeePass has two database formats, version 1.x and version 2.x – some ports are only compatible with one version.

For my use case, I need mobile (iOS) app and a browser extension. KyPass seems to be an app with a relatively large amount of features, but it is closed source and costs $ 7. Since this offers few benefits over for example Enpass, I will use MiniKeePass which is open source. It supports manually copying your database (no two-way sync) from mail and 3rd party cloud apps.

For browsers, there's a built-in plugin for IE, Keefox for Firefox, and CKP for Chrome. There's an unmaintained Safari extension as well. Keefox seems fairly mature, CKP is still in beta.

Features

s
★★☆☆ Platforms
Open source, there are numerous forks. Browser support is lacking.
★☆☆☆ Synchronization
Manually copying files on iOS. KeePass itself has two-way sync.
★☆☆☆ 3. ★☆☆☆ Ease of use
Manual sync and manual password entry on iOS. You have to keep track of different apps.
★★★★ Price
Free and open source.

Security

★★★★ Service isolation
★★★★ Bruteforce attacks
★★★☆ Snooping
Can be set to auto-lock after idle for a number of minutes. Has autofill/autotype.
★★★★ Device theft
Key derivation: chained iterated SHA256/AES. IND-CDBA secure (PDF)
★☆☆☆ Malicious software
Password file encrypted. Tool available for stealing from a locked vault on Windows.
★★☆☆ Software vulnerability
Open source tool. Vulnerabilities in the past [1] [2].
★★★☆ Data loss
Everything is open source. Cloud storage must be done manually.
★★☆☆ Server compromise
No authenticated encryption on the database.

pass

pass is the Unix philosophy applied to password management: it's a small shell script that uses GnuPG for encryption and Git for synchronization. The downside: no iOS app without a jailbreak. There is an Android app and a Firefox plugin

Features

s
★☆☆☆ Platforms
Open source. Desktop well supported. There is a Firefox plugin, none for Chrome/Safari/IE. Synchronization
3rd party cloud, own cloud, local network if you set it up.
★☆☆☆ Ease of use
Autofill using Firefox, no auto entry. No autofill on Price
Free and open source.

Security

★★★★ Service isolation
★★★★ BruBruteforce attacks
★★★☆ Snooping
gpg-agent can auto lock after a number of minutes.
★★★★ Device theft
Uses GPG, which is quite robust.
★★☆☆ Malicious software
Password file encrypted.
★★★☆ Software vulnerability
Open source. While GPG is well-tested, some of the shell scripts/browser extensions/apps might not be secure.
★★★☆ Data loss
Uses GPG as a backend, which is long-lived. Git makes it easy to keep decentralized copies everywhere, but still requires user action.
★★★★ Server compromise

Apple also offers a password storage option, with iCloud Keychain. It only works on Safari, both on iOS and MacOS. Chrome and Firefox also offer password storage for their browser, but iCloud Keychain looks a little more feature complete. Of course, it doesn't work on Android or Windows devices.

Chrome dropped support for it. There is a Firefox plugin for the Keychain, but it doesn't work with iCloud due to Apple only allowing sandboxed apps to access iCloud.

Features

s
★☆☆☆ Platforms
Only MacOS/iOS. Only works with Safari.
★☆☆☆ Synchronization
Their cl Ease of use
Autofill, auto entry, TouchID supported.
★★★★ Price
Free and open source.

Security

★★★★ Service isolation
★★★★ Bruteforce attacks
★★★☆ Snooping
The keychain is always unlocked. Needs login password to show passwords. Metadata (URLs, account names) is visible though.
★★★☆ Device theft
Encrypted using your login password.
★★☆☆ Malicious software
Password file encrypted.
★★★☆ Software vulnerability
Closed source.
★★☆☆ Data loss
Storage on their cloud, which is unlikely to disappear soon. Exports are possible, but require effort.
★★★☆ Server compromise
Closed source. Stored end-to-end encrypted.

Memorization plus pen and paper

Pen and paper

And now for the simplest password manager: pen and paper. If you want access anywhere, this requires taking a notebook with you. Let's assume we're trading off some usability by memorizing some passwords, and having fewer of them and shorter ones.

Features

s
★★★★ Platforms
It works anywhere.
☆☆☆☆ Synchronization
N Ease of use
Copying passwords is cumbersome.
Price
You'd want to treat yourself to a nice notebook, right?

Security

★★☆☆ Service isolation
Fewer unique passwords.
★★☆☆ Bruteforce attacks
Easier passwords.
★☆☆☆ Snooping
It's relatively easy to snoop on the notebook.
★☆☆☆ Device theft
Passwords are not stored on any computer, but now we need to account for theft of the notebook.
★★★★ Malicious software
★★★★ Software vulnerability
★☆☆☆ Data loss
One physical copy. Making copies is hard.
★★★★ Server compromise

As you can see the risk profile is quite different from the more high-tech solutions.

Conclusion

Here's the combination of the above tables.

Feature	1Password	Lastpass	Enpass	KeePass	pass	iCloud	Pen and paper
Platforms	★★☆☆	★★★★	★★★★	★★☆☆	★☆☆☆	★☆☆☆	★★★★
Synchronization	★★★☆	★☆☆☆	★★★☆	★☆☆☆	★★★☆	★☆☆☆	☆☆☆☆
Ease of use	★★★☆	★★☆☆	★★★☆	★☆☆☆	★☆☆☆	★★★☆	★☆☆☆
Price	★☆☆☆	★★☆☆	★★★☆	★★★★	★★★★	★★★★	★★★☆
Service isolation	★★★★	★★★★	★★★★	★★★★	★★★★	★★★★	★★☆☆
Bruteforce attacks	★★★★	★★★★	★★★★	★★★★	★★★★	★★★★	★★☆☆
Snooping	★★★☆	★★☆☆	★★★☆	★★★☆	★★★☆	★★★☆	★☆☆☆
Device theft	★★★☆	★★☆☆	★★★☆	★★★★	★★★★	★★★☆	★☆☆☆
Malicious software	★★☆☆	★☆☆☆	★★☆☆	★☆☆☆	★★☆☆	★★☆☆	★★★★
Software vulnerability	★★★☆	★☆☆☆	★★☆☆	★★☆☆	★★★☆	★★★☆	★★★★
Data loss	★★★☆	★★☆☆	★★★☆	★★★☆	★★★☆	★★☆☆	★☆☆☆
Server compromise	★★★☆	★☆☆☆	★★☆☆	★★☆☆	★★★★	★★★☆	★★★★

Some observations:

1Password and Enpass are comparable. 1Password is easier to use and offers more features, Enpass supports more platforms and is cheaper.
I wouldn't recommend Lastpass.
As far as the open source apps go: they're less easy to use, especially on iOS. I'd choose pass over KeePass for flexibility.
If you just use Apple platforms, don't want to pay for anything, and aren't too concerned about data loss – for example if you have password reset available through your email for all your accounts – iCloud is a good option.
Pen and paper: it works, but isn't really the way to go – unless you're really concerned about software vulnerabilities and are willing to make a lot of physical copies that others won't be able to find.

Ultimately, you have to decide for yourself which features and security concerns weigh more heavily than others. Personally, I've gone with Enpass for most of my accounts since I like the price better than 1Password, and I'm happy with it so far. For some passwords that need a bit more protection (e.g. Bitcoin wallets), I'll stick with my home-brew solution together with pen and paper.

Thanks for reading! Let me know what you think, and which password manager you're using. Also, if you have any other suggestions for password managers for me to look at, I'd love to hear about it.