It has come to my attention that people are Wrong On The Internet about password managers. This matters, because almost everybody should be using one. Herewith background, opinions, and a description of my own setup, which is reasonably secure.

What is a password manager? · It’s a piece of software that does the following (although not all of them do all of these):

- Store your passwords in a safe way, protected by at least a password, which we call the “master password”.
- Make new passwords for you. Here’s an example of a generated password: QzbaLX}wA8Ad8awk. You’re not expected to remember these.
- Make it easy to use passwords. One way is to copy it out of the manager and paste it into a password field. Another is to use a browser plugin that auto-fills login forms. On certain combinations of app and mobile device, you can use your fingerprint to open the password manager, which makes everything way faster and easier.
- Store other stuff too. I keep various Important Numbers and AWS credentials and recovery phrases and so on in there.
- Synchronize between devices. I have two computers and one phone and I need access to my passwords on all of them.

There’s more, but those are the essentials. The effect is that you end up using a different password for every site and app, that they’re all strong, and that you don’t have to remember very much.

My own manager, which I’ve been running for years now, contains 504 items, and I use it a few times a day, every day. Granted, many of the 504 are for sites and apps that no longer exist (like the dead people I can’t bear to erase from my contacts).

How they work · It’s pretty straightforward conceptually. They have a little database with all the stuff in it, and it’s all encrypted using your password. So even if someone steals the database, you’re probably OK because modern crypto makes it really hard to crack the code.

Where it gets interesting is how these things synchronize between devices, and how they use the network.

Basically, it comes down to this: Can you get access to your passwords over the Web? Lots of password managers allow this, but some don’t. For example, I use the 1Password app, which has no website whatsoever, and has a variety of ways of syncing (iCloud, Dropbox, WiFi, local folder) none of which involve talking to a website with a browser. [There are lots of other password managers, which I’m not going to write about because I don’t use them.]

What’s wrong with a Web site? · The problem is that the site has my encrypted data, and at some point, wants me to type in the password. Thus, in principle, they can peek and see my passwords. And hand them over to the NSA. Or to the criminal gang that abducted the CEO’s children. This makes me unhappy.

In principle, this could be OK. What with modern JavaScript, it’d be perfectly practicable to do all the crypto inside my browser, never send the password (or anything unencrypted) over the wire, and have me sleep soundly at night. Furthermore, since JavaScript is by definition open-source, I could in principle look at the code and satisfy myself that it’s wholesome.

In practice, nope. The JavaScript platform is dynamic to the core and horrifyingly complex even before they start loading massive modern application frameworks on it; any teeny little bug or zero-day exploit at any level of the stack and I’m cooked. Also, the NSA or a crook only has to make the slightest little mod to the code, and take it away a few milliseconds later, and the horse would (silently) be out of the barn.

In the 1Password app’s sync model, however, one assumes they use the pretty-secure HTTPS-based APIs for each of these products, machine to machine, no JavaScript in the loop.

Why we’re talking about this · Because AgileBits, the company behind 1Password, is trying to get people to move over to a Web-based thing; that’s what you find when you go to 1password.com.

There’s a decent summary at cyberscoop and a longer, more personal narrative from Kenn White.

I, like many security-conscious people, am just not gonna use anything where the same party, who’s not me, gets to see my stored data and my password. Sorry. But I love the 1Password apps and I’d really like to go on using them. More on that later.

Let’s get serious · Am I claiming that my app-only approach is 100% safe? No, because security just isn’t binary, ever. Let’s see:

The bad guys could:
- slip a sedative into my coffee at a coffee shop and install a keylogger on my computer, or
- install a camera anywhere I work and focus it on my hands, or
- phish me with a super-clever website or poisoned USB key, and get the keylogger in that way, or
- point a gun at me and ask me to unlock all my devices (then probably pull the trigger), or
- send a National Security Letter to AgileBits and force them to put backdoor code in a future 1Password app release that sends the goodies to the enemies.

And anyhow I’m obviously a lame-ass hypocrite because I use the 1Password Chrome plugin to fill in forms for me, and this means I type the master password into a browser. Having said that, I verified that it works when I have the networks turned off, and at the end of the day, the plug-in is neither more nor less secure than the app I use all the time.

Is your setup perfect? · Well, I only remember four passwords: For my personal computer, for my work computer, for my AWS account, and the 1Password master. And the AWS password is just an accident of history; I only need 3.

Obviously I change them regularly and use password-less ssh access wherever I can, and lots of places I go have two-factor, via SMS or hardware token (Gemalto, Yubikey) or the Android Authenticator app.

So, on balance I feel pretty secure. One downside is when I’m setting up a new computer or phone. The process of typing in long generated passwords on a mobile “keyboard” is so impractical as to be hilarious.

In effect, my security is about as good as my mobile device’s. Actually a bit better, because the 1Password app needs one more fingerprint-or-password.

You sync through Dropbox, are you crazy?! · After all, Condi Rice is a board member, which has to worry you. But let’s assume the worst: that Dropbox turns turtle for the Feds, or gets totally pwned by bad guys. So, congrats, they have my encrypted password file. It’s not impossible that they might crack it. But it’d probably be easier and cheaper for them to slip a sedative in my coffee, or… (see above).

Why is AgileBits doing this? · For the same reason that Adobe has been pressuring its customers, for years now, to start subscribing to its products, rather than buying each successive version of each app. A subscription business is much nicer to operate than one where you have to go out and re-convince people to re-buy your software.

I understand, and I support AgileBits wanting to become a subscription biz. But I still want to keep my data and password away from their servers. This all seems fine to me. I pay my monthly rent to Adobe and it’s for Lightroom & Photoshop, not for their unexciting server-side offerings.

So AgileBits, why not? Please go ahead and start asking for subscriptions. But don’t ask paranoid people like me to go anywhere near 1Password.com.

AgileBits has addressed the situation in Why We Love 1Password Memberships, but it’s really unsatisfying, totally ignoring the security concerns. And (I guess I shouldn’t be surprised) failing to acknowledge the business advantages for them in making this move.

Am I wrong? · Maybe there’s something I and the others who are all upset about the 1Password move are missing; maybe it’s all just OK and there’s really no significant loss of security. In which case, AgileBits really needs to explain why.