A Prudent Feature for Password Managers 

Author:

Paul Johnston

I occasionally get asked “which password manager is the best?”

While I’m unqualified to answer that exact question, I’m happy to share why I choose to use KeePass.

Investigating the Design Choices


To explain my thinking, we need to look at the design of password managers, the features they provide, and where the risks are.

The simplest design for a password manager is an isolated, offline vault. The passwords are saved in a file and are only available on the system they are saved on. As an extra defence, almost all password managers have a master password, which is used to encrypt the vault. When I need to use a password, I need to unlock the vault with the master password, locate the relevant password, copy it to the clipboard, then paste it into the relevant website or application.

While this works, it is somewhat inconvenient. Most people have a desktop, laptop, tablet and phone – and need their passwords to be available on all devices. And the process of finding and copying a password feels laborious compared to having it auto-filled into the correct input fields.

The Need for Convenience


So, password managers have gained features to support user convenience.

One part of this is a cloud-based element. Having a cloud vault allows passwords to be synchronised across multiple devices. This doesn’t need to be directly part of the password manager. KeePass doesn’t have a cloud element, but I use Google Drive to synchronise the password database.

Of course, the use of cloud services for sensitive data like passwords raises privacy questions. But here, the master password provides strong protection. Most managers are architected so that the cloud service only keeps an encrypted copy of the vault, letting clients handle the decryption locally, so the password never leaves the device. This provides good protection – assuming the master password is strong.

I find that memorising a strong master password is no problem. I can remember one just fine. The problem was having to remember dozens of strong passwords – that is what leads to poor password practices.

The other part is browser integration. The desired user experience is that when a login form is visited, the details are automatically populated, allowing single-click login.

But at What Cost?


However, this convenient experience carries considerable risk.

One concern is malicious code running within a website, for example due to a cross-site scripting flaw. In this case, the malicious code can potentially open the login form, wait for the credentials to be auto-filled, then exfiltrate the password. Modern browsers do have some mitigations against this. And, of course, websites should fix their cross-site scripting vulnerabilities. But despite this, there remains some residual risk.

A more serious concern is attacks against the browser integration itself. There have been vulnerabilities that allow domain spoofing against the browser plugin, allowing a website to autofill credentials that belong to another domain. Such vulnerabilities are extremely serious, and this is not a theoretical risk: there have been real-world examples, such as this bug.

A Prudent Defensive Feature


This is where an aspect of KeePass’s design provides an important defence.

The browser plugin and vault are separate components that communicate over a secure channel. The vault can be configured to require user confirmation before releasing a password. When this is enabled, it provides significant mitigation of the impact of browser plugin vulnerabilities. Any attempts to perform an unauthorised autofill will be unexpected by the user and (hopefully) blocked.
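To make that mechanism concrete, here is an added toy model in Python (not KeePass's or any plugin's code; the entries, origins and the user model are constructed): the vault, not the plugin, holds the release decision, and a request the plugin mislabels is stopped by the user declining the prompt.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlparse

def host(url: str) -> Optional[str]:
    return urlparse(url).hostname

@dataclass
class Entry:
    title: str
    url: str        # site this credential belongs to
    username: str
    password: str

@dataclass
class Vault:
    entries: list
    require_confirmation: bool = True   # the KeePass-style setting discussed above
    audit: list = field(default_factory=list)

    def find(self, origin: str) -> Optional[Entry]:
        return next((e for e in self.entries if host(e.url) == host(origin)), None)

    def release(self, claimed_origin: str,
                confirm: Callable[[str, str], bool]) -> Optional[str]:
        # claimed_origin is whatever the plugin says the page is; a plugin
        # spoofing bug makes it untrustworthy, so the vault asks the user first.
        entry = self.find(claimed_origin)
        if entry is None:
            self.audit.append(f"deny: no entry for {claimed_origin}")
            return None
        if self.require_confirmation and not confirm(entry.title, claimed_origin):
            self.audit.append(f"deny: user rejected '{entry.title}' for {claimed_origin}")
            return None
        self.audit.append(f"release: '{entry.title}' to {claimed_origin}")
        return entry.password

def user_on(actual_site: str) -> Callable[[str, str], bool]:
    # Constructed user model: the prompt names the entry and the site it is for,
    # and the user approves only if that is the site they are actually looking at.
    return lambda title, claimed: host(claimed) == host(actual_site)

def demo(require_confirmation: bool) -> dict:
    vault = Vault([Entry("Example", "https://example.com/login", "alice", "s3cret")],
                  require_confirmation)
    legit = vault.release("https://example.com", user_on("https://example.com"))
    # Spoofed request: plugin asks for example.com's entry while the user is elsewhere
    spoofed = vault.release("https://example.com", user_on("https://evil.example"))
    return {"legit": legit, "spoofed": spoofed, "audit": vault.audit}
```

Running `demo(False)` shows the same spoofed request succeeding once confirmation is switched off, which is the gap the setting closes.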

Most password managers appear not to have this feature, which is why I recommend KeePass.
