# My Journey Through Password Managers
## Concept
All password managers operate on the same principle: they act as a vault. This means they're designed to be impenetrable when locked, but that also makes them useless unless unlocked. Some are automatically unlocked upon OS login, some use biometrics, and others require a PIN or password.
In my opinion, the vault should lock itself as soon as it's not needed, to keep the window in which it is exposed as short as possible. I set mine to lock automatically after one minute of inactivity, or lock it manually when needed.
## My journey
Like many people, I started by using the same passwords on multiple sites—a terrible idea. The risk is not just theoretical; there have been [numerous data breaches](https://haveibeenpwned.com/). Some hacked databases stored passwords in plaintext. Using the same password (and email) on multiple services is a dream come true for hackers.
The [OAuth protocol](https://oauth.net/2/), known as **Login with \[…\]**, was introduced as a more secure alternative.
Like everything, it has advantages and disadvantages:
- \+ ease of use
- \+ reduced password fatigue
- \+ enhanced security (brute-force protection, 2FA (two-factor authentication, or more generally MFA, multi-factor authentication), re-authentication on suspicious activity)
- \+ best security practices
- \- privacy
- \- vendor lock-in - Being dependent on a single provider can be risky. If your account gets banned, whether it's justified or not, you could lose access to all services you used that provider to log in with. This is especially concerning if you haven't set up an alternative login method. Losing access could affect not just the services but also your email and, typically, your entire online identity. ([1](https://www.businessinsider.com/google-users-locked-out-after-years-2020-10), [2](https://www.reddit.com/r/Android/comments/wu1wbc/google_bans_mans_account_will_not_reinstate_even/), [3](https://www.androidauthority.com/google-account-banned-1054640/), etc.)
> [!info]
> I aim to avoid vendor lock-in in all aspects of my life, including credentials. I've migrated away from Google and feel much better for it. Maybe someday I'll write about how I manage my data.
## Chrome/Firefox/Safari
The first password managers I used were built into Chrome and Firefox. These are simple but limited to one browser or platform. They unlock automatically upon login and remain so until you end the session. There have been easy ways to steal the stored passwords [in the past](https://tech.hindustantimes.com/tech/news/saving-password-on-google-chrome-read-this-and-you-might-delete-them-now-71640862982554.html), more than once.
## Last Pass
I then moved on to LastPass, my first truly cross-platform password manager. Initially, everything worked well, but after some updates, I started facing issues on Android. I submitted issues, but it didn't help, so I started looking for alternatives.
I switched just in time, as LastPass was later [compromised](https://www.forbes.com/sites/daveywinder/2023/03/03/why-you-should-stop-using-lastpass-after-new-hack-method-update/).
I **don't recommend** LastPass to anyone.
## BitWarden
Bitwarden was my next choice, serving me well for several years. It's [open-source](https://github.com/bitwarden) and generally reliable. However, I started experiencing memory leaks in the browser extensions (sometimes even 800 MB) and had to write a script to restart them. Annoying, but manageable. I paid for it to support the development and the open-source philosophy; it was just $10/year.
## 1Password
I was hesitant to try 1Password due to the cost ($2.99/month). I expected it to offer the same functionality as Bitwarden, just in a nicer coat. But I gave it a shot and it **blew my mind**. It's without a doubt **the best password manager for developers, sys-admins or DevOps specialists**.
Killer features:
- Sleek design
- First-class citizen on Apple devices, but works very well on Android too
- SSH agent
- Good security model
- Command line interface
- Can act as a vault for:
  - Kubernetes
  - GitHub pipelines
  - any service that can make an HTTP GET request to retrieve secrets
- Sharing secrets with ability to see only once
More info can be found in my [[1Password|wiki page]].
## Password and 2FA in one
One thing I am not sure about is keeping 2FA keys in the password manager. It's very convenient to have them saved in the same app, but putting all your eggs in one basket is not a good idea. I still haven't decided what the best way to handle this is. For less important services I use the 2FA codes from 1Password; for important ones I keep them in a dedicated 2FA app, Microsoft Authenticator.
## Passkeys
> [!quote] Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant.
>
> Passkeys simplify account registration for apps and websites, are easy to use, work across most of a user’s devices, and even work on other devices within physical proximity.
>
> [fido website](https://fidoalliance.org/passkeys/)
Passkeys use asymmetric cryptography (a public and a private key) to verify a signature made by the user.
1. **Client** requests a random challenge from the server
2. **Server** provides the random challenge
3. **Client** signs the **challenge** + **username** + **credential ID** with its **private key** (the browser usually asks for a biometric to unlock it)
4. **Server** checks whether the **username** and **credential ID** are known. If yes, the server fetches the **public key** stored for that **credential ID** and verifies the signature.
5. If the verification succeeds, the **server** knows the **client** holds the matching private key and can be given the token.
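The five steps above as a runnable exchange, written as an added Go example (my own illustration, not code from 1Password or any passkey library). It uses Ed25519 from the standard library, the `Server`/`Client`/`Register` names are mine, and the signed input is the post's simplified challenge + username + credential ID; real WebAuthn signs authenticator data plus a hash of the client data, which also binds the website origin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server keeps only public keys, one per (username, credential ID) pair; it never holds a private key.
type Server struct{ creds map[string]ed25519.PublicKey }
func NewServer() *Server { return &Server{creds: map[string]ed25519.PublicKey{}} }

// Client models the authenticator, here the password manager holding the passkey's private key.
type Client struct {
	Username, CredID string
	priv             ed25519.PrivateKey
}

// Register generates the key pair on the client and sends only the public half to the server.
func Register(s *Server, username, credID string) (*Client, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.creds[username+"\x00"+credID] = pub
	return &Client{Username: username, CredID: credID, priv: priv}, nil
}

// Challenge (steps 1-2): a fresh random nonce, so a captured signature cannot be replayed later.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// message is the post's simplified signing input; real WebAuthn signs authenticatorData || SHA-256(clientDataJSON), which also binds the origin.
func message(ch []byte, user, credID string) []byte { return []byte(fmt.Sprintf("%x|%s|%s", ch, user, credID)) }
// Sign (step 3): the client signs with a private key that never leaves the device.
func (c *Client) Sign(challenge []byte) []byte { return ed25519.Sign(c.priv, message(challenge, c.Username, c.CredID)) }

// Verify (steps 4-5): look up the public key for the claimed identity and check the signature.
func (s *Server) Verify(challenge []byte, username, credID string, sig []byte) error {
	pub, ok := s.creds[username+"\x00"+credID]
	if !ok {
		return fmt.Errorf("unknown username or credential ID")
	}
	if !ed25519.Verify(pub, message(challenge, username, credID), sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}
```

A signature captured once is useless against the next login because the server issues a new challenge every time, which is why step 1 matters as much as step 4.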
There are many [services](https://passkeys.directory/) that offer passkeys as a login option, and the list is expected to grow in the future.
More technical details about passkeys can be found [here](https://www.passkeys.io/technical-details).
> [!warning]
> Passkeys are of course the most secure and convenient option to log in. Unfortunately they have one big issue at the moment: **vendor lock-in**. There is no way to export them from 1Password, Apple Keychain, and so on. Let's hope that an export option arrives in the foreseeable future.
## Conclusions
I strongly **advise using a password manager**. This is the order in which I would personally rate the managers (from worst to best):
- OS (Apple, Microsoft, Google) or browser (Firefox, Google) password managers
- [[Bitwarden]]
- [[1Password]]
I don't recommend LastPass to anyone.
> [!important]
> In any case, don't forget to ==regularly back up== your vaults to another encrypted storage - I personally use [KeePassXC](https://keepassxc.org/) as an off-site vault and store the 1Password backup in it as an attachment once a month.