The Evolution of Password Manager (1/4)

As we all know, there are tons of password manager reviews on YouTube and many other platforms, such as "The best password manager for 2020", "How to choose password manager", etc. However, most of them just focus on features, few on security. It might be because only a few people have deep insights into the security of password managers.

To help people grasp a better understanding of the security of password managers, we will share a series of articles focusing on how password managers encrypt and store passwords.

TL;DR

Up to now, password managers have evolved over 4 generations, and each one has brought better technology to improve the security of passwords.

This article will talk about the first generation of password managers: browser password managers.

They can be used to manage passwords but not to protect them well.

Passwords are important and we have lots of them.

Passwords should be long, complex, and unique.

Thus nobody can remember all of them.

We write them on sticky notes or type them in spreadsheets. But we are not comfortable with that.

We save them in a cloud-based note and set a password to protect them. It is convenient, but it might not be safe.

We usually use browsers to surf the internet and login to websites. So browsers integrate a tool, password manager, to help us remember and fill passwords.

Browser password managers are the first generation used widely. However, the passwords saved in browsers are not encrypted or encrypted in a way that can be decrypted easily.

For example, the most popular browser, Chrome, uses DPAPI to encrypt passwords on Windows. Any application run by the user can recover the original passwords by using CryptUnprotectData.

encrypted ≠ secured

And developers even write open-source programs that can extract the passwords saved by Chrome from Windows, Mac, Linux, and other platforms. Check out this one, Chrome-Password-Grabber

Well, it is not wise to put all your passwords in one place without decent protection. It is just like a gold mine for hackers.

If a browser can help you fill passwords without asking for a master password to unlock the password vault, then it does not provide a good vault. If the browser can read passwords directly, then malicious applications can read them too.

Moreover, browsers are hackers' favorite targets. Check out this Opera sync servers hacked, usernames and passwords at risk.

In conclusion, I strongly recommend that you do not use browser password managers.

What about the password-protected note?

It depends. If the note app does not encrypt your notes but just authenticates the user with the password, it is not safe. Malicious apps might be able to access the database and grab all your passwords.

Even more terrifying is that the note app synchronizes your notes to the cloud. If the cloud side is hacked, your passwords might be exposed. And also, the developer of the note app can read your notes on the cloud side.

So please be careful when using this kind of note apps. Do not save your passwords in a note app, unless you are sure that it encrypts your notes with the password.

In my next post, I will explain how a good password manager encrypts data with a master password.

Continue to read