A guide on password managers
A password manager is essentially a vault for all your passwords, keyphrases and online secrets. Using one gives you increased control over your authentication credentials and more. In this guide, you will learn about different solutions for password managers available out there and what to take into account when picking one, so you can easily and confidently fit it into your digital routine.
In the current digital landscape, passwords are the predominant method for user authentication across most platforms. From a privacy perspective, passwords present an advantage over some other methods like biometrics, as they do not disclose any additional or unique data about you – apart from the selected username.
Given the widespread adoption of passwords, manually managing multiple, unique passwords for each online account becomes more difficult. Having unique random passwords for each account is a crucial step toward safeguarding your privacy, particularly in the face of potential data leaks. If you are reusing passwords, when one of your accounts is compromised in a data breach, this puts all your other accounts that you reused the password for at risk. Creating and remembering strong, unique passwords for each account is challenging to say the least. Besides, we unconsciously lean towards familiar patterns or use easily memorable combinations which are not random and thus easier to crack.
Password managers, as the name says, are tools designed to help you navigate these issues with ease! They are designed to manage and store unique passwords for each online account. They function as a secure repository, allowing users to generate and store complex credentials. By ensuring the strength, randomness, and uniqueness of each password, the impact of potential data breaches, social engineering attacks, and brute-force hacking is minimised.
In this guide, we highlight the key aspects you should look for in a password manager to ensure that your vault is kept private and secure.
Note: There are many password managers available and you can test alternatives. At PI we believe apps should be open source as they can be audited. By using an independent, open-source and unencumbered/free app, you are more likely to avoid products with conflicts of interest, spyware, or data leakage.
- Vault encryption: Given that a file containing your passwords (your vault) must exist somewhere, whether locally on your device or in the cloud, assess where the password manager stores it. This vault can either be stored in plaintext (not encrypted, meaning anyone can read its content) or encrypted (meaning only someone with the master password — you — can read its contents). Whether storing the vault locally or in the cloud, choosing a password manager that stores its vault encrypted is the best practice, as it provides an additional security layer in case the file is compromised. Look for robust encryption methods, such as AES-256, which ensure with a great degree of confidence that, even if unauthorized access to the file occurs, the stored information remains unintelligible.
- Vault location: Opting for a local, encrypted vault provides an additional layer of privacy, as your sensitive data remains stored within your devices and under your control. It ensures that, as long as you keep your devices safe, your vault is safe. On the other hand, if your device is unexpectedly compromised, you will lose access to your passwords, and possibly have them compromised. When working with a local vault, it is up to you to back up the vault and keep it synced if you have multiple devices. In contrast, a cloud-based vault gives you strong availability guarantees and provides syncing effortlessly, so that you always have access to your vault even if you lose access to your device. However, using a cloud-based password manager introduces concerns about third-party access and the possibility of data breaches. It is crucial to scrutinize the security chain thoroughly, ensuring, for instance, that the cloud-based solution doesn't store sensitive information like master passwords in logs, as a breach of such logs could pose significant risks to your security. This information can typically be found summarized in security audits. Always exercise caution and diligence when considering a cloud-based password manager, as you are essentially trusting a third party to handle your interactions with your own vault.
- Audited security practices: It is good practice to choose a password manager that undergoes regular security audits and is transparent about its practices. This provides a layer of assurance, as independent security assessments or audits offer external validation of the password manager's commitment to maintaining a high standard of security and privacy. Regular audits help ensure that the password manager is adhering to best practices and that potential vulnerabilities are promptly identified and addressed. Security audits provide an extra guarantee that the password manager prioritizes the security of your sensitive information.
- Zero-Knowledge architecture: Consider prioritising password managers that employ a zero-knowledge or zero-access architecture. This means that even the service provider cannot access your stored data or master password. This ensures an extra layer of security, especially relevant for individuals who may face targeted surveillance or persecution. If a provider of such a service is hacked or faces external pressures to disclose your data, the stored information remains unintelligible to whoever gains access, ensuring your passwords remain secure.
Below we discuss examples of mainstream password managers that we’ve tried out at PI; many others exist and are likely similar with varying levels of configurability.
- KeePass is an open-source, ad- and tracker-free password manager. It stores your passwords in a local, encrypted vault, and allows you to generate passwords that you can customize according to any password requirements. It has been audited by the EU Free and Open Source Software Auditing community. There are several apps (or ‘ports’) you can use to interact with a KeePass vault. For instance, one option is KeePassXC – a cross-platform client for desktop computers that enables you to interact with your vault. It provides a browser extension that automatically fills login forms, saves credentials when you create an online account, and provides you with random, unique, secure suggestions for passwords. If you want to use it across all your devices, you may select a server on which you can store the KeePass vault and then use various apps to interact with the vault. This is more complicated. This method would help ensure you have more control and choice over where your vaults reside, rather than being forced to rely on a single provider or a cloud provider.
- Apple's password manager, called ‘Passwords’, allows you to securely sync your passwords between your Apple devices without exposing that information to Apple. It can automatically generate cryptographically strong passwords to use in Safari on macOS and iOS. On mobile devices, you can also use this functionality in apps (and on iOS you can integrate other non-Apple password managers as well).
- Most common web browsers (Firefox, Chrome, Edge) provide you with a simple, cloud-based password manager. This allows you to store and synchronize your login credentials across multiple devices that use the same browser. However, it's important to note that these built-in password managers tend to offer fewer features than dedicated alternatives, typically lacking password strength analysis, customizable options for secure password generation, and secure notes. It's worth considering that browser-based password managers have a limitation – they are exclusively tied to the web browser itself. As such, your stored passwords are accessible while browsing the web, but cannot seamlessly be used in other applications or programs.
Adopting a password manager serves as a crucial step in fortifying your online security and privacy. As we've written before, it is recommended that you complement passwords with some form of two-factor authentication (2FA) to further secure your accounts. In general, most dedicated password managers can also act as 2FA authenticators (e.g. KeePass calls this ‘TOTP’, 1Password ‘one-time password’, etc.). When choosing a password manager, consider prioritizing the key features highlighted here, such as vault encryption and adherence to best privacy and security practices.