Password Managers that don't store passwords

Martin Brinkmann
Oct 3, 2016
Updated • Oct 3, 2016
Security

Password managers are one of the best options to manage account information. The two major flavors they come in are local storage and remote storage solutions which both offer advantages and disadvantages.

Local storage solutions like KeePass or Enpass keep the encrypted password database file on the local system by default (both offer cloud syncing only as an optional extra), which takes cloud storage and network traffic out of the picture as an attack vector. Remote storage solutions like LastPass or Dashlane, on the other hand, make things easier if you use multiple devices, and they may also make the information available on the Internet via a web-based interface.

Both rely on encrypted password databases that are unlocked by a user's master password.

There is a third kind of password manager that rose to prominence fairly recently: those that don't store passwords at all. These are called stateless or deterministic password managers.

Examples are Master Password App, which is available for various desktop and mobile operating systems and as a web app, and Forgiva, a commercial password solution for various desktop operating systems.

Password Managers that don't store passwords


Password managers like Master Password App don't store passwords, but generate them on the fly whenever they are needed.

For this particular app for instance, passwords are generated using a name, the site the password is for, and a master password.

Here is how this works in greater detail:

  1. You enter your name and master password to sign in to the password manager.
  2. Generating a password and looking one up use the same interface: to create or display a password you simply enter the site name (or any other label you choose, as long as you enter the same one next time).
  3. You can then copy the password over to the site to sign in to your account, or register for an account.
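As an added worked example (not code from Master Password App or Forgiva), here is a minimal deterministic scheme in Python that follows the three steps above: the name and master password are turned into a master key with scrypt, a per-site seed is derived from that key, the site name and a counter with HMAC-SHA256, and the seed is rendered through a fixed-shape template so the result meets typical site policies. The salt label, the character classes, the templates and the cost parameters are assumptions made for this example.

```python
import hashlib
import hmac

# Illustration of a deterministic (stateless) password scheme.  The salt
# label, character classes, templates and parameters below are assumptions
# for this example, not those of Master Password App or Forgiva.

SALT_LABEL = b"example.dpm/"   # assumed domain-separation label

# Character classes.  Ambiguous glyphs (0/O, 1/l/I) are left out because a
# user may have to type the generated password by hand.
CLASSES = {
    "A": "ABCDEFGHJKLMNPQRSTUVWXYZ",
    "a": "abcdefghijkmnopqrstuvwxyz",
    "9": "23456789",
    "!": "!@#$%^&*-_=+",
}

# A template gives the output its shape: one seed byte picks the template,
# each further byte picks one character of the class at that position.
# All templates in a set share the same class composition, so a policy such
# as "one upper, one digit, one symbol" is satisfied by construction.
TEMPLATES = {
    "long": [
        "A" + "a" * 16 + "9!A",
        "9!A" + "a" * 16 + "A",
        "A" + "a" * 8 + "9!" + "A" + "a" * 8,
    ],
    "pin": ["9" * 6],
}


class Session:
    """Step 1: sign in.  The name is a public salt and the master password the
    only secret; scrypt (memory-hard) slows down guessing the latter."""

    def __init__(self, name: str, master_password: str) -> None:
        self.key = hashlib.scrypt(
            master_password.encode(), salt=SALT_LABEL + name.encode(),
            n=2**14, r=8, p=1, dklen=64)   # demo cost; raise n in production

    def seed(self, site: str, counter: int = 1) -> bytes:
        """Step 2: derive the per-site seed.  The counter is the only way to
        get a new password for the same site; because nothing is stored, the
        user has to remember which counter a site is on."""
        msg = f"{site}\x00{counter}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def password(self, site: str, counter: int = 1, shape: str = "long") -> str:
        """Step 3: render the seed as text that can be copied into the site."""
        seed = self.seed(site, counter)
        templates = TEMPLATES[shape]
        template = templates[seed[0] % len(templates)]
        assert len(template) < len(seed)   # every character consumes one byte
        # b % len(alphabet) carries a small modulo bias for alphabets whose
        # size does not divide 256; a production scheme would reject-sample.
        return "".join(
            CLASSES[c][b % len(CLASSES[c])]
            for c, b in zip(template, seed[1:]))


if __name__ == "__main__":
    # Constructed inputs.
    s = Session("alice@example.com", "correct horse battery staple")
    print(s.password("github.com"))             # identical on every run and device
    print(s.password("github.com", counter=2))  # "renewed" password after a leak
    print(s.password("bank.example", shape="pin"))
```

Nothing in this scheme has to be synced: the same name, master password, site label and counter produce the same password on every device. The flip side is visible in `seed`: the counter and the exact site label are the only per-site state, and the user, not the tool, has to keep track of them.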

Forgiva extends this basic approach by adding visual pattern confirmations, different key-derivation algorithms, and a certification system.

Both have in common that passwords are generated using information that is either entered by the user, or created during initial setup.

The main advantage they offer over conventional password managers is that there is no password database to steal: an attacker who compromises the local device, or a company that stores vaults in the cloud, finds no file to dump and crack offline.

Also, since passwords are not stored in a database, no syncing is needed to use them across devices: the same inputs produce the same password everywhere. All that is needed to regenerate every password is the application, the master password and, depending on the product, other data such as the user's name.

Caveats

While deterministic password managers do away with storage, they are just as susceptible to certain forms of attack as regular password managers.

Since users need to get a password displayed by the program and enter it on a website or in an application, the password will either pass through the clipboard or be typed in manually, and both are exposed to clipboard sniffers and keyloggers exactly as with a conventional password manager.

Depending on the product, obtaining the master password (together with the name or other inputs it needs) yields every password at once, unless the product adds further precautions, as Forgiva does. Because the outputs are deterministic functions of that one secret, a single site password leaked in a breach also lets an attacker verify guesses at the master password offline, so the master password has to be both strong and protected by a costly key derivation.
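The consequence of that caveat, as an added example (not code from either product): because the only secret is the master password while the name and site are public, one password leaked by a site's breach lets an attacker test master password guesses offline, at the cost of one key derivation per guess and without ever contacting a service that could rate-limit or lock the account. The derivation here is a minimal stand-in with the same shape as such schemes (scrypt master key, HMAC per site, simple rendering); the label, the wordlist and the cost parameters are constructed for this example.

```python
import base64
import hashlib
import hmac
import time

# Illustration: a leaked site password is an offline oracle for the master
# password of a deterministic scheme.  Minimal stand-in derivation; the
# label and parameters are assumptions, not any product's.

SALT_LABEL = b"example.dpm/"


def site_password(name: str, master: str, site: str, counter: int = 1,
                  n: int = 2**14) -> str:
    """Master key from the public name and the secret master password, then a
    per-site seed; rendered as 16 base64 characters for brevity."""
    key = hashlib.scrypt(master.encode(), salt=SALT_LABEL + name.encode(),
                         n=n, r=8, p=1, dklen=32)
    seed = hmac.new(key, f"{site}\x00{counter}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(seed)[:16].decode()


def recover_master(name, site, leaked, candidates, counter=1, n=2**14):
    """Attacker's view: the name and site are known, the password came from
    the site's breach.  Every guess is checked locally, so lockouts and
    rate limits never apply.  Returns (matching guess or None, attempts)."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        if site_password(name, guess, site, counter, n) == leaked:
            return guess, attempts
    return None, attempts


# Constructed wordlist; the victim chose a well-known dictionary phrase.
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "correct horse battery staple"]


def guesses_per_second(n: int, rounds: int = 3) -> float:
    """One guess costs one scrypt call, so the KDF cost parameter n sets the
    attacker's rate directly; a low n makes the attack cheap."""
    start = time.perf_counter()
    for i in range(rounds):
        site_password("victim@example.com", f"guess{i}", "shop.example", n=n)
    return rounds / (time.perf_counter() - start)


if __name__ == "__main__":
    leaked = site_password("victim@example.com", "correct horse battery staple",
                           "shop.example")
    print(recover_master("victim@example.com", "shop.example", leaked, WORDLIST))
    print(f"{guesses_per_second(2**14):.0f} guesses/s at n=2**14 vs "
          f"{guesses_per_second(2**8):.0f} guesses/s at n=2**8")
```

Two things follow for anyone using such a tool: the master password must resist an offline dictionary attack on its own (a long random passphrase, not a dictionary phrase as in the constructed wordlist), and the product's key derivation cost is part of its security, not a tuning detail. Rotating a single site's counter after a leak does not help here, since the attacker already holds a valid output for counter 1.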

Password renewal may also be an issue if the product offers no way to change a generated password, for instance a per-site counter or version number that is mixed into the derivation. Additionally, depending on functionality, these password managers may not offer options to store additional data, such as answers to security questions.

Closing Words

Deterministic password managers offer an interesting approach to password management. While they do away with password storage, they are not immune to attacks and may be limited in terms of what other data -- if any -- can be saved by them.

Now You: Do you use a password manager? If so which, and why?

Publisher: Ghacks Technology News

Comments

  1. George said on October 9, 2016 at 3:37 pm

    Sticky Password here, switched from LastPass after they ditched Pale Moon support in their troubled LastPass v4 version (and following their subsequent hacks and LogMeIn acquisition). Works well for my Windows + Android usage and is quite safe.

    There’s actually a nice Ghacks deal right now: https://www.ghacks.net/2016/10/04/ghacks-deals-sticky-password-premium-lifetime-subscription/

  2. Anders said on October 6, 2016 at 2:08 pm

    I use both Keepass and LastPass, the former for more sensitive data like bank details and software keys, the latter for online memberships and other not-so-important memberships.

  3. ozone333 said on October 5, 2016 at 1:27 am

    I gave LastPass a try and then they got hacked. Ever since that hack I went back to KeePass and have never looked back. I never liked the idea of my passwords being in the cloud and LastPass proved to me that it was a bad idea right after they got hacked.

    1. RobAllen said on October 24, 2016 at 10:58 pm

      LastPass detected unauthorized access to its servers, but your passwords are still just as protected as they were before. LastPass stores only your /encrypted/ password vault, so it DOESN’T MATTER if someone breaks into LastPass and steals your vault. That’s the WHOLE POINT of the LastPass paradigm. A thief gets only an encrypted blob, NOT your passwords.

      With LastPass, you aren’t depending upon the company to protect your database, but are instead depending upon your master password. Any truly /random/ set of 14 or more ASCII characters is effectively unguessable. LastPass /tries/ to keep your database private (and they’ve done a good job), but it’s up to YOU to make it secure by using a strong password.

      It’s fine to use a non-cloud solution that is right for you, but LastPass has proven themselves to be an extremely responsible company. Yahoo lost 500 million account credentials in 2014 and kept it a secret until someone /else/ discovered it just recently. LastPass saw one instance of after-hours server activity and immediately told the world.

      Breaches are inevitable. The question is what happens when a service is breached. Is it *designed* to remain secure even when breached? LastPass is. Does the service inform its users and take steps to prevent further breaches? LastPass does. KeePass users may never know if their database is stolen from Dropbox or their own device, but LastPass informs its users of potential breaches as soon as possible.

      I actually /hope/ that someone has already stolen my LastPass database and is currently wasting their time and money trying to brute force my password. Better me than someone with a weaker password.

  4. bill miller said on October 4, 2016 at 4:15 pm

    I use Dashlane. It works fairly well With Windows, but is a pain in the fish with Android. But I’ve gotten so used to it, I was just totally lost trying to switch to LastPass.

  5. Patrick said on October 4, 2016 at 12:46 am

    I use Keepass safe. V2. I also use Yubico Neo to protect the database. Keepass is being upgraded to a stronger defense against GPU/ASIC cracking attacks.

    http://keepass.info/help/kb/kdbx_4.html

  6. James Cone said on October 4, 2016 at 12:39 am

    For those with MS Excel, my Free ‘Create Passwords’ workbook may be of interest.

    4 to 35 characters or random length with options for…
    alpha only
    alpha and numbers
    numbers and symbols
    alpha, numbers and symbols
    and…
    Write to worksheet
    Sort by length
    Reset
    Download from Dropbox: https://goo.gl/IUQUN2

  7. Kyle said on October 3, 2016 at 9:34 pm

    I’ve been using bitwarden lately, which is similar to lastpass but free for unlimited devices to sync. I use it on my iPhone, iPad, and in Chrome on my laptop at home. It is also open source which is a nice benefit as well. https://bitwarden.com

  8. Ordinary_Brief_Rub said on October 3, 2016 at 8:04 pm

    https://palant.de/2016/04/19/easy-passwords

    It’s the best secure solution of this type.

  9. otsola said on October 3, 2016 at 5:20 pm

    I use Safe-in-cloud – on desktop and mobile (one-time fee instead of every year). My database passwords are automatically synchronized with my cloud account on Google Drive (or Dropbox, Yandex Disk, or OneDrive).

  10. Rocky said on October 3, 2016 at 4:15 pm

    Forgive me if I’m being obtuse, but if the password manager doesn’t store the password, how is it retrieved when I revisit the site the next day? Am I missing something here?

    1. Zinc Whiskers said on October 4, 2016 at 12:48 am

      I think what it does is generate the same password from scratch every time… based on 2 keys, your ID and the site name. The “copy and paste” sounds clunky as hell for mobile.

      The reason I like LastPass is I can use complex passwords interchangeably between mobile and desktop with zero fuss.

    2. Martin Brinkmann said on October 3, 2016 at 4:19 pm

      You enter/select the site name in the app, and get the password.

  11. riri said on October 3, 2016 at 3:34 pm

    Dear Martin, please don’t confuse us readers with your failed reading.

    Enpass is offline by default, with online sync using popular online storage providers like Google Drive or OneDrive as an option. In that sense it is the same as KeePass, which is offline by default but offers various plugins to sync online, also with popular online storage providers. Both are options, users can choose whether to use them or not, with the only difference being that Enpass online sync is integrated, whereas KeePass needs one to download additional plugins.

  12. naveed said on October 3, 2016 at 3:25 pm

    Nice idea, but I see 2 problems:
    1. Some sites have weird password requirements which might not work with the auto-generated password
    2. You need to be able to change passwords at times, how would you be able to do that with this approach?

  13. Michael said on October 3, 2016 at 3:12 pm

    The basic problem with this approach is that all of your passwords are derivatives of one single piece of information (your name and password). So if one of your passwords leaked, you cannot simply change it. You’ll have to change all of them.
    What about when websites change their domains/names? What about websites you have multiple accounts for?
    All these pieces of information need to be stored in your head.

    This is a cool concept in general which might work for a small amount of secrets, but for anything above that – just use a password manager with a strong master password and save yourself the hassle.

    1. Martin Brinkmann said on October 3, 2016 at 4:05 pm

      Forgiva offers a solution for changing passwords, while Master Password App does not seem to.

  14. Hawk said on October 3, 2016 at 1:25 pm

    I have used KeePass for years. It is easy to use, lightweight, fast and free.
