A family member recently asked me about password managers. As it happened, I had recently had a string of Very Bad Experiences with same, so had been thinking about it entirely too much. Here’s how I answered:


I will try, and doubtless fail, to keep this brief:

1Password

https://1password.com

1Password will do everything you want and more. It was a great product that I have been using since it was in beta testing — well over a decade. It was truly one of my favorite pieces of software. But they kept “improving” it more and more and more. A password manager is security-critical, and complexity is the enemy of security. I was becoming increasingly uncomfortable with all the added features. Then about two [three] years ago they got a big chunk of VC funding and went full enterprise-focus. You used to be able to store your encrypted password vaults on whatever cloud service you wanted; now you *have* to use theirs. It’s not 100% clear (and it needs to be!) what happens if their cloud service vanishes. Anything stored in the cloud can and will go away at any time and without notice — this has happened over and over to customers of even big, “stable” players like Google, Amazon, Apple, Oracle, and Microsoft, yet everyone behaves as if it’s a big surprise when it happens.

-> A mature and well-written product.
-> A Canadian company with other overseas developers so there’s less chance of a gagged, government-ordered secret compromise to the product.
-> You must have a subscription; your only hosting option is them. See Hosting, below.
-> It has full browser integration, which can be really handy, but in the latest version the implementation is poorly thought out, invasive, and frustrating even on sites where you’re not using 1Password. More on browser integration below.
-> It has grown bloated, convoluted, and complex to the point where I yell at it at least once a day. The complexity, frankly, scares me. Their encryption work and security practices are first-rate, but that doesn’t mean squat if an implementation bug allows a bypass. Every new feature is an invitation to just such a bug.
-> They are now the Big Cheese of password managers. That’s bad, in that there are a lot of people constantly trying to compromise the product. It’s good, because if a zero-day bug is found, there are much more important people than you (sorry) who will be targeted first.
-> It is a proprietary, closed-source project. Books can, and have, been written about the relative merits of closed- vs open-source security products and there is no clear winner, but for me the tipping point is this: If AgileBits suddenly closes up shop, you’re totally screwed. With an open-source product, someone else can take over maintenance and development (even if that someone has to be me).

Standard Notes

https://standardnotes.com

I have long used and been a big fan of Standard Notes, but I haven’t used it as a password manager. In fact, I haven’t used it for much more than its primary purpose: an end-to-end encrypted app for keeping text notes synchronized across devices. I use it multiple times a day every day.

-> It’s open-source, and its basic functionality is free. I subscribed initially just to support the developers, but a subscription also gets you some fancy editors which I use more than I had anticipated.
-> Subscriptions are cheap.
-> The developers are *seriously* committed to simplicity.
-> For the most part, all of your data with Standard Notes is stored as [encrypted] plain, human-readable text, so it should remain accessible after the apocalypse and for decades to come. I’ve been alive long enough now to have lost works of great literary merit (well, drivel) when companies vanished and took the technology for reading their proprietary data storage formats with them.

Synchronization

An important feature of a password manager is that it be able to synchronize across multiple devices. 1Password and Standard Notes both have web-based clients and native (via Electron, a controversy for another day) apps that run on Windows, macOS, iOS, Android, and Linux. Sync is important because you want access to your passwords with whatever device you’re using at the moment. Of course, it also creates security risks.

End-to-end Encryption

If you’re moving data among devices, you want it thoroughly encrypted *before* it leaves your device and decrypted only after it’s safely in a device under your control. You’d think this would be obvious to everyone, but apparently it wasn’t to one-time industry leader LastPass.

Browser Integration

It is really cool to have your password manager fill in your username, password, and MFA (multi-factor authentication) token automatically when a web site asks for it. The more I have studied web browsers, though, the more I have become convinced that it is simply not possible to do browser integration safely. It is also impossible to do it 100% reliably, and 1Password’s current implementation is intrusive (popping up suggestions that cover the button you’re trying to click, mostly) and fails about 10% of the time, often wiping out things you have already typed when it does. So though I’ve been using and liking browser integration since the aughties, I think today is the day I’m turning it off in 1Password as I move to replacing 1P with something else (likely SN).

Hosting

If you’re doing synchronization, you pretty much have to have a host somewhere. (There’s an interesting exception called Resilio Sync, which uses the peer-to-peer BitTorrent protocol, but that’s a different discussion.) As I said above, 1P now requires that you use their hosting. The same is almost true for SN, but they do make all the software available for self-hosting. I once tried to set it up, and discovered that it didn’t really work. That said, they were very responsive to my inquiries about it and have now thoroughly revamped the self-hosting project. I’m going to try it out again soon.

You’re not likely to ever want to go through the hassle necessary to self-host, but there are reasons why just having the option available is important. For example, should SN themselves cease to exist or be taken over by spooks, there will probably be at least one person (me) who will stand up a self-hosting server to allow refugees to keep using SN.

Multi-Factor Authentication

https://en.wikipedia.org/wiki/Multi-factor_authentication

There are currently lots of ways that multi-factor authentication is implemented. My favorite is time-based one-time passwords (TOTP). Variants that rely on SMS (texting) or phone calls are TERRIBLE because it is so, so easy to hijack someone’s phone number. Email is, perhaps, a little bit better. But TOTP is a hassle, usually requiring that you have an authenticator app on your phone (only!), creating a single point of failure (and the most popular version, Google Authenticator, doesn’t even back up properly, so if your phone dies you’re immediately tossed into account recovery hell). Both 1Password and Standard Notes implement the TOTP protocol directly in the password manager, so TOTP codes are securely synced across devices and available right where you’re also getting your passwords. This greatly increases convenience, at the expense of some security.

Note that some security standards (I’m looking at you, Drug Enforcement Administration) don’t allow you to integrate your MFA codes with any software that runs on your computer. If you’re subject to government or big-enterprise security restrictions, beware.

Biometric Unlock

My 1P master password is long — well over 20 characters. It’s a major fucking pain in the ass to type it on a phone’s virtual keyboard. You can avoid that by using biometric unlocking with a fingerprint or your face. I don’t do that, however. First, if a long password is used to cryptographically encrypt your passwords file, barring some implementation flaw, that file CANNOT be recovered without your password. CANNOT. Even by the NSA. Even with a mythical “quantum computer.” Of course, there are other ways to extract it…

https://xkcd.com/538/

But think about it: if biometrics can unlock your password file, that means everything needed to decrypt the passwords is ALREADY ON THE DEVICE. If the device is in adversarial hands, you’re only protected because phones and computers usually have something called a “secure enclave” that is just a much simpler computer used to store sensitive information. But it’s a *computer*, and by “much simpler” we mean only tens of thousands of lines of code instead of millions. If you think such a thing is invulnerable to software bugs or hardware attacks, you’re living in a dream universe.

Another issue is that biometrics cannot be changed. Once your fingerprint or face or iris or retina is compromised, it’s compromised until you have surgery. If a password gets compromised, you just change it.

Evolving case law seems to be headed in the direction that divulging one’s password is “testimonial” (a term I’m using with only limited understanding) and so protected in the US by the Fifth Amendment. No such protection is provided for biometrics and, even if you cannot be compelled, most biometrics can be used successfully when the victim is sleeping, unconscious, or even dead.

All that said, I use biometrics to lock my phone because I can then use a short auto-lock timeout and much longer password than I would ever be able to enter each time I use my phone.

https://pwgen.sacdoc.org

On iPhones, if you hold down the side (power) button and either volume button it will lock the phone so that your password is then needed to unlock. So if you have the luxury of advance warning, you can have the benefits of both.

I do not use biometric unlock with 1Password, but then I probably have much more sensitive info than most.

I am hoping that Standard Notes will let me have some notes that I can lock with biometrics, and others that will require a unique passphrase. Then I can keep my password to catfancy.com in the former and my password to americanexpress.com in the latter. Or maybe the other way ’round.

A Word about Passkeys

Everybody is hailing the new passkey standard as The End of Passwords. More Secure! Now with 500% More Goodness! Your credentials never leave your device!!! (An absolute lie.)

Passkeys address two problems: people are crap at choosing passwords, and web developers are polycrap at implementing them. But they tie you irrevocably to your devices and the companies that manufacture them, and base all your security on the blind faith that your secure enclave can never be compromised. It has happened before and it WILL happen again.

Other Options

I have heard some good things from people not in the security biz about Enpass:

https://www.enpass.io

KeePassXC is an open-source password manager that the developers of TAILS (a security/anonymity-focused Linux distribution) think is worthwhile:

https://keepassxc.org
https://tails.boum.org

Hardware Keys

Hardware keys are also greatly hyped, but that’s a whole other world. Again, they mostly address the human factors of poor password hygiene, at the expense of always having to have your token available and accepting the risks of either total loss if the token is lost, or the compromised security that results when you have backup systems in place.

International Travel

I wipe my phone before crossing borders. It’s a total pain, and other solutions are coming, but right now that’s what I do.

Enough. I hope this is helpful and not all just textual diarrhea. I’ll probably put it on my blog.

–Ron


For now, for most users, my advice would still be to use 1Password—I’m just not as happy about that as I used to be.