Question How secure are Password Managers ?

Vellaura

Reputable
Nov 30, 2020
Hey all.

I was wondering how safe and secure password managers are. In this case, Google Password Manager associated with a Google account. And, overall, other password managers, if there is a difference.

The reason I ask is because I was under the impression that if someone was able to gain access to your google account in this particular case then they get access to ALL your passwords right?

Is it safer to just have a complicated password written on a piece of paper and enter it manually? Although I'd only need to enter it once every long while, as it would remember the sign-in.

I just wanted to get a better understanding of how it all works and which is the most secure option.

Thank you.
 
Solution
I am not using Google Password Manager, but it does have "on-device" encryption, which supposedly keeps your password vaults on your local devices only, not in the cloud. Someone who just has access to your credentials theoretically cannot sync the passwords directly without further access.

I do have some misgivings about Google Password Manager:
  • It's the most attacked password manager. Any malware that steals password stores will steal from a Google PWM as well. You are already less likely to be attacked by using a third-party password manager.
  • It's designed to be conveniently used with Chrome and Google's ecosystems. Security may not be first on their mind. Third-party password managers have to put more effort into the security part to gain credibility and to be more compatible with other browsers/platforms.
  • It's hard to figure out the technical details of how Google protects the secrets. Open-sourced third-party PWMs, like Bitwarden or Proton, allow you to directly inspect the code. Closed-sourced PWMs like 1Password seem to respond to technical detail questions better.
  • The default Google encryption setup, I believe, is still cloud-storage vault, which has the exact problem that you are afraid of. If they get your Google account, they will most likely get your passwords and Google Authenticator secrets as well. Putting the secrets into different baskets may be a less nerve-wracking option.
If you use Gmail to register for accounts, you'll have to protect it as carefully as you protect your password manager, because it can be used to reset your accounts' passwords.

It's hard to say which would be the "safest" password manager to use. On mobile devices, they all are somewhat safe. On Windows, where the security model is permissive, your password manager can be attacked from a non-elevated process. If you are fully committed to the Apple ecosystem, using its built-in password manager is very convenient and is protected by OS components, albeit with fewer features and compatibility.

I have been fully committed to using a password manager for a while now, so I would naturally say it's a better option, especially for someone with the technical inclination to do 2FA, encrypted backups, recovery plans, etc. For technically-disinclined populations, maybe a password book, 2FA options, and a random passphrase generator would be better.
 
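As an added illustration (not code from this thread, nor from Google Password Manager, KeePass or any other product named here), the following stdlib-only Python model shows what "on-device" encryption buys you: the vault is encrypted under a key derived from a master passphrase that never leaves the device, so whoever holds the synced copy, including someone who has taken over the account, gets only a blob that fails to decrypt without that passphrase. The HMAC-SHA256 counter-mode keystream is an assumed placeholder so the example runs without third-party packages; a real manager would use a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample vault contents for the demo (not real credentials).
SAMPLE_VAULT = b'{"example.com": "hunter2", "bank.example": "correct horse battery staple"}'

def derive_key(master_passphrase: str, salt: bytes) -> bytes:
    # Memory-hard KDF: a stolen blob cannot be brute-forced cheaply, and the
    # master passphrase itself is never stored or uploaded anywhere.
    return hashlib.scrypt(master_passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream. Placeholder for a
    # real AEAD (AES-GCM / XChaCha20-Poly1305); used only to stay stdlib-only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_vault(master_passphrase: str, plaintext: bytes) -> bytes:
    # Returns salt || nonce || ciphertext || tag. This blob is the only thing
    # that ever leaves the device, so it is all an account thief can sync.
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def decrypt_vault(master_passphrase: str, blob: bytes) -> Optional[bytes]:
    # Encrypt-then-MAC: verify the tag before touching the ciphertext, so a wrong
    # passphrase or a tampered blob yields None rather than garbage plaintext.
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = derive_key(master_passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

With the default cloud-stored vault the author warns about, the account login is the only thing standing between an attacker and the plaintext; with this model the account only yields the blob, and the passphrase still has to be attacked separately.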
I personally don't trust them. I feel too much like it's putting all your eggs in the same basket and if someone manages to hack it, they get access to everything.

I have notes on my phone where I write hints of my passwords, so for me it's very easy to remember what they are, but impossible for anyone else to guess, so even if someone could access the notes they would be useless.
 
I use KeePass (there are many community forks of it available as well) because I want everything to be locally controlled. If you need passwords on the go, you can use some form of cloud storage for the database (I use a Dropbox account that isn't used for anything else). For me it's worth the extra effort and less integrated nature, as I still have good passwords without having to remember or write them down, and without giving up total control.