Password managers are one of the best options to manage account information. The two major flavors they come in are local storage and remote storage solutions, both of which offer advantages and disadvantages.
Local storage solutions like KeePass or Enpass keep the encrypted password database file on the local system, thus removing cloud storage and network traffic as an attack vector. Remote storage solutions like LastPass or Dashlane, on the other hand, make things easier if you use multiple devices, and they may make information available on the Internet via a web-based interface as well.
Both rely on encrypted password databases that are unlocked by a user's master password.
There is a third kind of password manager that rose to prominence fairly recently: those that don't store passwords at all. These are called stateless or deterministic password managers.
Password managers like Master Password App don't store passwords, but generate them on the fly whenever they are needed.
For this particular app for instance, passwords are generated using a name, the site the password is for, and a master password.
Here is how this works in greater detail:
Forgiva extends this basic approach by adding visual pattern confirmations, different key-derivation algorithms, and a certification system.
Both have in common that passwords are generated using information that is either entered by the user, or created during initial setup.
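As an added illustration (this is not code from the article, from Master Password App, or from Forgiva), the following Python example shows how a name, a site, and a master password can deterministically produce a site password without storing anything. The scrypt parameters, the SCOPE tag, the counter, and the output alphabet are assumptions chosen for the example.

```python
import hashlib
import hmac
import string

# Illustrative scheme only; parameters and the domain tag are assumptions.
SCOPE = b"example.stateless-pm.v1"          # hypothetical domain-separation tag
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def _field(value: str) -> bytes:
    """Length-prefix a field so ("ab", "c") and ("a", "bc") never collide."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def master_key(name: str, master_password: str) -> bytes:
    """Slow, memory-hard step: stretch the master password, salted by the name."""
    return hashlib.scrypt(
        master_password.encode("utf-8"),
        salt=SCOPE + _field(name),
        n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32,
    )


def site_password(key: bytes, site: str, counter: int = 1, length: int = 20) -> str:
    """Derive the password for one site; bump `counter` to rotate it."""
    seed = hmac.new(key, SCOPE + _field(site) + counter.to_bytes(4, "big"),
                    hashlib.sha256).digest()
    out, block = [], 0
    limit = 256 - (256 % len(ALPHABET))     # rejection sampling avoids modulo bias
    while len(out) < length:
        stream = hmac.new(seed, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
        for byte in stream:
            if byte < limit and len(out) < length:
                out.append(ALPHABET[byte % len(ALPHABET)])
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    key = master_key("Jane Example", "correct horse battery staple")
    print(site_password(key, "example.com"))
    print(site_password(key, "example.com", counter=2))
```

Nothing is written to disk; the same inputs always yield the same password, so the master password remains the single secret protecting every site.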
The main advantage they offer over conventional password managers is that attackers cannot dump the password manager database file either by attacking a local device or a company that stores the data in the cloud.
Also, since passwords are not stored in a database, there is no syncing involved to gain access to passwords across devices. All that is needed is access to the application, the master password, and maybe other data depending on the product, to gain access to all information.
While deterministic password managers do away with storage, they are as susceptible to certain forms of attack as regular password managers.
Since users need to somehow get the password displayed in the program and enter it on a website or in an application, it will either be copied to the clipboard or entered manually using the keyboard.
Depending on the level of complexity of the service, getting hold of the master password may give you access to all passwords unless the product uses other security precautions (like Forgiva does).
Password renewal may also be an issue if the service does not offer an option to do so. Additionally, depending on functionality, these password managers may not offer options to store additional data, security question answers for instance.
Deterministic password managers offer an interesting approach to password management. While they do away with password storage, they are not immune to attacks and may be limited in terms of what other data -- if any -- can be saved by them.
Now You: Do you use a password manager? If so which, and why?