I once worked in highly regulated environments and needed a way to recall dozens of complex passwords that changed frequently. I tried to use a password manager, but could not due to the burdens and insecurity of some common design flaws. I wrote a Deterministic Password Generator DPG to address this.
If after reading this you still wish to use a traditional password manager, I suggest that you put your passwords into a plain text file and symmetrically encrypt it with GnuPG or use Password Safe. I have no relation with either.
Here are three common design flaws in password managers:
- Password storage
- Reliance on remote systems
- Web browser integration
When passwords are stored, they must be encrypted and then retrieved later when needed. Storage, of any type, is a burden. Users are required to backup stored passwords, synchronize them across devices and implement measures to protect them.
Users must also devise a master password to unlock the encrypted passwords stored by the password manager. This is similar to a master key. It is generally accepted that master keyed locks are less secure than non-master keyed locks. If the master password is exposed, then confidence (in all the passwords that it unlocks) is lost.
And, are we certain that the encryption used to store the passwords is implemented correctly? Has the encryption been externally validated? Some password managers are closed-source and proprietary and cannot be examined.
Encryption is hard. Even respected, expert developers with many years of experience (who seldom make mistakes) do make mistakes that render encryption weak or in some cases almost useless.
Reliance on remote systems
Ironically, password managers rely on remote systems largely because they store passwords. The first design flaw causes the second.
Remote systems are outside the user’s control. They are opaque and cannot be examined and should not be trusted with password management. These systems may not be available when needed. They may not be storing or transmitting passwords correctly.
Externally, the systems may seem correct (strong HTTPS, reasonable CSP) but behind the scenes, no one really knows what’s going on. How are the passwords being transmitted, generated and stored internally? Who has access to them?
Several popular cloud-based password managers have reported security breaches: 1, 2, 3.
Web browser integration
Web browsers today have “everything but the kitchen sink” capabilities built-in and are becoming more and more complex each year. They are turning into whole platforms that have browser plug-ins and extensions for every possible need known to humankind.
While many of these add-ons are handy and useful, we should not trust them with password management. Browsers are just too complex and have far too much going on.
I wrote DPG (The Deterministic Password Generator) around 2010 to address the design flaws described above. Here are its key concepts.
- Never store passwords. Rather, generate them as needed based on user input. The need to backup, synchronize and properly encrypt passwords is removed. There is no master password that immediately unlocks all of the other passwords. There is nothing to become lost, stolen or corrupt.
- Only run locally on end-use devices. No reliance on remote systems or web browsers.
- DPG is open-source and has several implementations. The passwords it generates can be verified and validated by external implementations in multiple programming languages.
DPG removes many of the flaws that I have experienced with traditional password managers over the years. Try it. You may like it. I hope you find it as useful as I have.