Nowadays, we all have huge numbers of subscriptions to online accounts and services. For those accounts to be secure, each one of them must have a unique, robust password. What’s more, truly strong passwords must be complicated, which means that they are extremely difficult to remember.
The best solution is a password manager specifically designed to remember all your passwords on your behalf. By using a password manager, you can set up strong unique passwords for each and every online account without the difficulty of having to remember them all.
However, not every password manager was created equal, and there are some important things to consider when it comes to picking a service.
Password managers - can they be trusted?
When it comes to selecting a password manager, there are some primary considerations that make those services more or less desirable than each other. One of the most important of these is whether the software is closed or open source.
Closed source software is proprietary and is licensed (copyright protected) in such a way that nobody is permitted to use, modify, or distribute it. In addition, closed source software is locked-up in such a way that it is impossible to analyze the code (without being granted direct access by the developer).
If the code for a password manager is closed source, no third party audit can take place, and it is impossible to verify any claims made by its developer. This means that you must trust the password manager’s developer when it tells you how data is stored or transmitted by the password manager.
Any time that a password manager is closed source, you simply do not know whether the service is as secure as the developer claims, and it could be putting your privacy and security at risk.
Open source - the gold standard
Although it is possible to publish the source code for any program online (on Github, for example) this makes the code available but not necessarily “open source”. Open source software must not just be available to audit, it must also have an open source license that complies with the Open Source Definition.
Software that complies with those strict standards must be free to redistribute, must provide unlimited access to the source code, and must adhere to all ten of the definitions that characterize source code as “open source.” Software that adheres to those standards, and for which the creator has wavered all their rights with a Creative Commons License (CCL) is truly open source.
Open source software can be audited by any third party. This is vital for privacy and security because it means that security experts (or anybody who wants to) can analyze the code and verify that there are no mistakes, vulnerabilities, or deliberate backdoors. It also means that any claims about encryption standards, key management, how data is transmitted to company servers, or how data is synchronized across devices - is actually verifiable.
It is also worth noting that while publicly available code is not necessarily “open source” in the strictest definition of the term - it is still satisfactory for security and privacy purposes. This is because it does still permit security professionals to analyze and verify the source code for the service.
Other important considerations
As you can see, open source Vs. closed source is an important consideration when it comes to selecting any privacy software. However, when it comes to password managers, there is arguably something else that is just as important (and is inextricably linked to the closed source/open source debate).
Password managers come in two varieties; services where you encrypt your own passwords and only you can decrypt them. And services where you entrust a third party to encrypt your passwords for you (and for which the third party holds the key used to decrypt the passwords on your behalf).
Of course, if your passwords are stored on company servers this does slightly increase the risk that they could be hacked (for example, a hacker could simply guess your master password). However, this risk is extremely minimal as long as your master password is both unique and complex, and/or you use a key file or another form of Two Factor Authentication (2FA).
It is worth noting that if a password manager provides true End-to-End Encryption (E2EE), then your account will never be recoverable. This is because only you have the power to access your passwords with your master key. If you lose your master key, you will be locked out of your passwords forever. This might be concerning to some users - who fear losing or forgetting their master password. However, it is actually a sign of a better password manager.
Anybody who desires a truly secure password manager is better off opting for a service that can never be recovered and for which only they hold the master key. In addition, to be truly trustworthy, a password manager’s software ought to be open source.
As previously explained, it is impossible to verify whether a password manager is either of the previously mentioned kinds if it is closed source. As a result, it is impossible to verify that a closed source password manager isn’t secretly sharing your master key with a third party.
Any closed source password manager that claims to have E2EE could theoretically by compiling every user’s’ password collection on behalf of the NSA. Even if this might seem unlikely - it is a possibility - if the password manager is closed source.
Closed source VS Open source password managers
Below we have compiled a list of popular password managers so that you can see whether they are closed or open source. Many of the closed source password managers on this list have got excellent reputations, and some may be a good option for you depending on your threat model.
However, we still recommend unrecoverable open source managers to anybody who wants the very best levels of security available.
- Sticky Password - Closed source
- KeePass - Open source
- LastPass - Closed source
- Enpass - Closed source
- 1Password - Closed source
- Dashlane - Closed source
- Keeper - Closed source
- Password Safe - Open source
- SafeInCloud - Closed source
- Keychain - Open source
- Roboform - Closed source
- Myki - Closed source
- Bitwarden - Open source
- Pass - Open source