How to Choose a Secure Password Manager?

A password manager is an excellent way to protect multiple accounts with
robust passwords. With a password manager, you can create unique, complex
passwords for an unlimited number of accounts while only needing to remember a
single master password.

However, when it comes to picking a password manager, there are some important considerations to bear in mind. Failure to do so could mean you end up with a password manager that isn't completely trustworthy.

How are passwords stored?

Password managers come in two distinct varieties. The first kind is a service where the user retains full control over the encryption of their passwords. With this kind of password manager, it is impossible to recover the account if you lose your master password, because the service never holds the key and has no ability to access the passwords under any circumstances.

The second kind of password manager allows consumers to entrust the service to encrypt their passwords on their behalf. This means that the third party holds the key used to encrypt and decrypt the user's passwords. In this kind of system, it is possible for consumers to recover their account and set up a new master password if they should happen to forget it. However, this kind of password manager does not provide end-to-end encryption and is therefore not as secure: whoever can read the provider's copy of the key can also read the vault.

The first kind, in which only the consumer can access his or her passwords, is by far the most secure. This is because the key for accessing the passwords is never stored on company servers and is therefore never exposed to hackers who compromise those servers.

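The two designs described above, as an added example that is not from the article: a vault key derived on the client from the master password with PBKDF2 (the first kind), beside a record in which the provider itself keeps the vault key (the second kind). The cipher is a toy HMAC-based construction chosen so the snippet runs on the Python standard library alone; a real password manager would use a vetted authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, secrets

def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    # Slow, salted KDF run only on the client; the master password never leaves it.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000)

def _subkeys(key: bytes):
    return (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream: illustration only, not a production cipher.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _stream(enc_key, nonce, len(ct))))

# First kind (end-to-end): the server record holds only a salt and ciphertext.
def e2e_upload(master_password: str, vault: bytes) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "blob": seal(derive_vault_key(master_password, salt), vault)}

def e2e_open(record: dict, master_password: str) -> bytes:
    return unseal(derive_vault_key(master_password, record["salt"]), record["blob"])

# Second kind (provider-held key): the record also carries the vault key, so the
# provider can reset a forgotten master password, but can also read the vault.
def provider_upload(vault: bytes) -> dict:
    key = secrets.token_bytes(32)
    return {"key": key, "blob": seal(key, vault)}

def server_can_decrypt(record: dict) -> bool:
    # True if the server's copy of the record alone is enough to read the vault.
    try:
        unseal(record["key"], record["blob"])
    except (KeyError, ValueError):
        return False
    return True
```

Running `server_can_decrypt` over each record is the whole difference between the two designs: a dump of the first kind's database yields nothing without the master password, while a dump of the second kind's database yields every vault.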
Open source vs closed source

In addition to selecting a password manager where only the user can
encrypt and decrypt passwords, it is important to consider whether a password
manager is closed or open source.
 
Closed source password managers (also known as proprietary software) do not publish their source code, so nobody outside the company can analyze or audit it. This makes it impossible to verify any claims made by the password manager's developer.

A closed source password manager may claim to use end-to-end encryption to secure passwords. It could also claim that passwords are only ever stored locally rather than being transmitted to company servers. However, if the source code is closed, it is impossible for anyone outside the company to verify those claims.

It is for this reason that many privacy and security advocates refuse to use any privacy software that isn't open source. When a password manager is open source, or has at least had its source code made available, anybody can inspect the code for mistakes, vulnerabilities, or deliberate backdoors.

Admittedly, some (or all) of the closed source password managers on the market could be telling the truth about the level of protection that they provide. Nor is there necessarily any proof in circulation that those firms are collecting everyone's passwords on behalf of the NSA or some other nefarious group, for example.

However, the fact remains that if a password manager is closed source it
is impossible to verify what it is doing. This means that it can never be
considered as secure as an open source competitor.
 
Depending on your personal needs, you may decide to use a closed source service due to its ease of use, or because the account can be recovered. The choice is yours, and it really does depend on your personal threat model, but when it comes to privacy and security, open source is always better than closed.

Irfan Shakeel
Irfan Shakeel, the founder of the ehacking project, also hosts cyber security training classes at EH Academy. He has discovered many vulnerabilities in well-known platforms (such as Google, Dailymotion and Harvard University). He specializes in network hacking, VoIP pentesting and digital forensics. He is the author of the book "Hacking from Scratch".
