
Note that most of the signers are from companies which collect substantial consumer information for revenue purposes. Hence the emphasis on "updating". And the absence of "turn up browser security levels to max" or "get a good ad blocker".

Also, any password manager that's "cloud based" is potentially a security hole. Yeah, they say the server is secure. Right.



> Also, any password manager that's "cloud based" is potentially a security hole. Yeah, they say the server is secure. Right.

The entire point of end-to-end encryption is that you don't need to trust the server. If your password manager has access to your secrets (i.e. you don't control the secret key/password itself), then you have bigger problems than a potentially untrustworthy host.


We use 1Password at work, at my suggestion from 10-12 years ago when it was an app on your device with an encrypted on-device file you could choose to store on iCloud/Dropbox/GoogleDrive/wherever.

Then they changed to the web app and implemented teams, which is what we use today.

Work has decided the risk of 1Password going rogue is acceptable - but that's in the full knowledge that since they are serving the Javascript that's doing the client side encryption/decryption, there's no guarantee they can't serve (or be coerced into serving) malicious JavaScript that decrypts and exfiltrates all credentials and secrets any user has access to.

Pragmatically, I'm (mostly) OK with accepting that. If we have a threat model that realistically includes the sort of state level actor who could coerce a company like 1Password to launch an exploit against us - then we've lost already. Like James Mickens said "YOU'RE STILL GONNA BE MOSSAD'D UPON!!!"

One of my hobbies is recreational paranoia though. So I use something else (KeePass) for my personal stuff now.


To be fair, this letter is about information security, not privacy.

Maximizing privacy is a somewhat different goal, and recommendations for how to do so would differ from person to person. Some people really don't care about privacy. And for some other people, adblocker and tracking-blocker software is sufficient for their privacy needs. Whereas for certain people in certain parts of the world, literally the only way they can browse the Web safely is with Tor running on a temporary TailsOS drive.


Advertising is a channel for scams. So an ad blocker is also a security tool.


A significant fraction of every high-profile industry security person I know has signed this thing. There are people on that list that I'm not super impressed with, but also people everybody is impressed with. No argument that this thing is motivated by commercial interests is going to survive, and a lot of this is advice that security cool kids have been giving for upwards of 10 years.


Max browser security levels and a good ad-blocker will not prevent you from getting phished or hacked more than an encryption-audited cloud-based zero-knowledge vault, where server compromise is irrelevant. All competent #1 cloud-based password managers are like that.


> All competent #1 cloud-based password managers are like that.

If you say so...

Sadly there could potentially also be a supply chain attack that happens to make its way into the client you use to view your supposedly secure vault. Odds are they use npm, btw.


Phish resistant MFA is worth mentioning. You and all your staff with access to critical credentials should have something like YubiKeys, so you can't (as easily) get tricked into entering some TOTP (or email/sms) code into a fraudulent website.

At least that ups the threshold to "someone who can not only poison your dns or MITM your network, but can also generate trusted TLS certs for the website domain they're phishing for".


And SMS should be retired completely for authentication, not simply deprecated as NIST did in SP 800-63B, with companies like banks assuming full liability for losses to others if they continue with this unacceptably insecure mechanism.


I've been sending people this like since 2012: https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for...

"The lobby group for Australian telcos has declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction."


Do you have a list of such managers?


Updating software is good advice. Do you realize how many CVEs are reported on a daily basis? Once you've got a password manager you're largely protected against phishing, so the biggest target becomes your computer, and the most likely way to compromise that would be through outdated software with public vulnerabilities.

What do you expect your browser security levels to the max to do? Browsers are designed to be secure from default settings.


Vulnerabilities in the software you use don't even make the top 5 in ways bad guys actually compromise you.

The most common attacks:

- Phishing

- Getting the user to run the malware themselves

- Credential reuse

- Literal physical theft

- Users uploading their own stuff completely willingly to some sketchy service

Vulnerabilities in the services you use are important, but you can't update those yourself :)


> Users uploading their own stuff completely willingly to some sketchy service

> Getting the user to run the malware themselves

Here are two good reasons for not trusting a password manager that stores your vault online.

On the other hand, most people have no backup strategy for their digital life.


Almost all CVEs are basically irrelevant to everyone that doesn't have some obligation to keep on top of patching them. Meanwhile, auto-updates are RCE by default.


Indeed. I'm far more worried about picking up a supply-chain hack via updates than I am that some low-profile denial-of-service attack will actually affect me; the updates themselves historically have caused me far more actual denials of service than they fix.


Case in point: “[Print] To meet security goals and support new print capabilities, this update transitions Windows printing components from MSVCRT to a modern Universal C Runtime Library.

As a result of this change, print clients running versions of Windows prior to Windows 10, version 2004 and Windows Server, version 2004 (Build number 19041) will intentionally fail to print to remote print servers running Windows 11, versions 24H2 or 25H2, and Windows Server 2025, that have installed this update, or later updates. Attempting to print from an unsupported print client to an updated print server will fail with one of the following errors: […]”


CVEs are better viewed as "a uniform numbering system that ensures we are talking about the same bug" today. But updating software is good anyway.

> Browsers are designed to be secure from default settings.

Not quite. They are usually designed to be both fast and safe, but neither goal is considered "done" yet in modern ones. If you want max security, you'll likely have to disable all performance boosts like JS JIT.


> Also, any password manager that's "cloud based" is potentially a security hole. Yeah, they say the server is secure. Right.

You think of someone stealing your password vault and cracking AES? The vault is E2EE.


The LastPass hack is a good example of that happening. Weak master passwords and a smaller number of KDF rounds, made the situation worse.

Realistically, most users benefit from using a reputable cloud-based password manager, and should focus on securing it with a strong password and MFA. You should also change your passwords if your password manager is breached.

The open letter tries to steer us towards reputable guides, linking to this one by EFF: https://ssd.eff.org/module/choosing-the-password-manager-tha...


Yeah - but where does the code doing the encryption/decryption come from? 1Password serves me the Javascript that encrypts/decrypts my vault every time I open my work 1PW webapp.

It's not reasonable to assume their server is "secure" not just from evil-hakzors and script kiddies, but also from government agencies with things like Technical Capability Notices and secret FISA warrants and NSLs with gag orders (or whatever their jurisdictional equivalents are), and also from threats like offensive cybersecurity firms with clients like disgruntled royalty in nepotistic monarchy nation states who send bonesaw murder teams after dissident journalists.

I (mostly) trust AES (assuming it's properly implemented, and I exclude the NSA from that, and the equivalent agencies in at least a handful of other major nation states).

I have a lot less trust in owners and executives at my password vault vendor or their cloud hosting company or their software supply chain. If I were them, I'm pretty sure I wouldn't be able to stick up for my users the way Ladar Levison and Lavabit did. There's no doubt that the right federal agency could apply enough pressure on me and my family/friends to make me give up all my users' unencrypted vaults. Sorry, but true.


The update thing struck me as slightly out of touch; if I were to make a list of my top 10 most used consumer products that can be updated, probably 8-9 of them have abused updates to make things worse.

We spend so much time training people that if you hit update, it’s going to suck: you’re going to suddenly get ads in your favorite app, or some new feature is going to get paywalled, or the UI is going to completely change with no warning. It seems counterproductive to accept that our industry does this stuff and then publish an open letter finger-wagging people for not updating.


Password managers are one of those things I am still stunned is staying popular for advice, even though it's nearly akin to "use one password for everything". I assume a big part of it is the affiliate deals subscription password managers have with infosec influencers.

There are absolutely valid use cases, but they are much fewer and further between than people claim.


It's quite different from use one password everywhere. The threat vector I wish to protect against is that some random website I sign up to will mismanage passwords and end up with them leaked, causing every website using that password to be compromised. Remembering hundreds of unique passwords is unreasonable, thus, password manager.

Considering the amount of times my email has ended up in a leaked dataset, and the only accounts I've ever had visibly compromised were ones I did not use a password manager for, this seems to be the correct mindset.


No. If a shitty service stores your password in plain and leaks it, this won't affect your other accounts, unless you reuse passwords.

I simply can't remember dozens of passwords, so a pw manager is the best I can do realistically. Yes, it's a single point of failure, but so is using the same pw everywhere.


It's completely the opposite of "use one password for everything". When you do that any single compromise of a website you have an account on means all your accounts are likely compromised. With a password manager you have a long random password for every single website, meaning a compromise is siloed to just that site.

Even if your password vault is stored on the cloud you're likely using a very secure passphrase for it that has 0 reuse anywhere else, so even if your password vault is stolen it's impossible to brute force.

For a hacker to compromise your password vault it would likely involve hacking your computer, which if you're keeping your software updated is a very difficult task these days without the target user's active help.


Depends on your threat model. I went all in on 1Password when I realized that realistically the most likely attack vector for me is phishing, which it absolutely protects against (won't be duped by a fake site and auto fill password).
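As an added example (not code from this thread or from any password manager), here is the kind of strict origin check that makes autofill refuse a lookalike site: an entry is bound to the scheme and host it was saved for, and host-suffix tricks, userinfo padding and HTTP downgrades all fail to match. The entry names, URLs and the allow-subdomains policy are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample vault: each entry records the exact origin it was saved for.
SAVED_ENTRIES = {
    "bank-login": "https://accounts.example-bank.com/login",
    "shop": "https://shop.example.org/",
}


def origin_of(url: str):
    """Return (scheme, hostname); userinfo, port, path and query are ignored."""
    parts = urlsplit(url)
    # .hostname already discards "user@" prefixes and ":port" suffixes
    host = (parts.hostname or "").rstrip(".").lower()
    return parts.scheme.lower(), host


def host_matches(saved_host: str, page_host: str) -> bool:
    """Exact host, or a subdomain of the saved host (label boundary enforced).

    'accounts.example-bank.com.evil.test' ends with 'example-bank.com' as a
    string but not with '.accounts.example-bank.com', so it is rejected.
    """
    return page_host == saved_host or page_host.endswith("." + saved_host)


def may_autofill(entry_name: str, page_url: str) -> bool:
    """Decide whether the manager should offer the entry on this page."""
    saved_scheme, saved_host = origin_of(SAVED_ENTRIES[entry_name])
    page_scheme, page_host = origin_of(page_url)
    if page_scheme != "https":
        return False  # never hand a credential to a plaintext page
    if saved_scheme != page_scheme:
        return False
    return host_matches(saved_host, page_host)


if __name__ == "__main__":
    for url in (
        "https://accounts.example-bank.com/login",
        "https://accounts.example-bank.com.evil.test/login",  # host-suffix decoy
        "https://accounts.example-bank.com@evil.test/login",  # userinfo decoy
        "http://accounts.example-bank.com/login",  # downgrade
    ):
        print(may_autofill("bank-login", url), url)
```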


It would be interesting to do a study (if one hasn't already been done) on whether password manager use reduces the number of compromises an individual has or not.

I think if used correctly they can be a net benefit, but the question is how many users actually use them correctly. Isn't the security they offer based on a user only having to remember a single complex and unique password for the manager, and then letting it handle unique and complex passwords for everything else? The question is, however, how many users just set the password manager password to 'ImSecure123!' and use it to autofill the same old reused passwords they've always used?


This is why all the top/good password managers will alert you of: 1) password reuse between sites and 2) weak passwords. One can hope that the users will listen to those suggestions. In an organization, you can enforce compliance.
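An added example of the two checks this comment describes, written here and not taken from any manager's code: it groups a constructed vault by password to report reuse between sites, and flags entries that are on a small common-password list or fall below an assumed entropy threshold. The sample entries, the tiny deny-list and the 60-bit cut-off are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample vault; none of these are real credentials.
VAULT = [
    {"site": "mail.example.com", "password": "correct horse battery staple"},
    {"site": "shop.example.org", "password": "Summer23"},
    {"site": "forum.example.net", "password": "Summer23"},
    {"site": "bank.example.com", "password": "x7#Qm2!vLp9$Rz4w"},
    {"site": "news.example.org", "password": "password"},
]

# Assumption: a four-entry list stands in for the breach-derived lists real managers ship.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
MIN_BITS = 60  # assumed threshold below which an entry is reported as weak


def charset_size(pw: str) -> int:
    """Size of the alphabet the password visibly draws from."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33
    return size


def estimate_bits(pw: str) -> float:
    """Upper-bound estimate: treats the password as uniformly random over its classes.

    It overrates dictionary phrases, which is why the common-password check runs first.
    """
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def audit(vault):
    """Return {site: [findings]} for every entry with a reuse or strength problem."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["site"])
    findings = defaultdict(list)
    for entry in vault:
        site, pw = entry["site"], entry["password"]
        others = sorted(s for s in by_password[pw] if s != site)
        if others:
            findings[site].append("reused with " + ", ".join(others))
        if pw.lower() in COMMON_PASSWORDS:
            findings[site].append("common password")
        elif estimate_bits(pw) < MIN_BITS:
            findings[site].append("weak (%.0f bits)" % estimate_bits(pw))
    return dict(findings)
```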


> even though it's nearly akin to "use one password for everything"

It's not at all akin to that.

Firstly, every respectable password manager requires multi-factor authentication to log in to. Someone finding out the password to your manager is almost never sufficient. They would probably need to find it out as well as gain physical access to a device of yours which has the manager installed.

Secondly, the whole issue of "use one password for everything" is that if one site gets hacked and they store passwords insecurely (or, indeed, if the people who run the site are themselves malicious), then someone can use that same password to access all of your other accounts. So you have to trust the security of every single site you make an account with.

Using a password manager doesn't have that problem, since each site is being provided with a different password. So then you don't have to trust any website, you only have to trust the password manager itself. And you don't have to use a big cloud-hosted one if you distrust them - there are many password managers that you can just run locally on your computer (though without the cloud benefits of backup / disaster recovery). You can also just use a notebook with a padlock or something - frankly it doesn't really matter how you track your passwords, as long as nobody can get to it but you, and you use a different password for everything, and you have some plan for disaster recovery. That's the idea.


In my case it's use one password, that I have not used anywhere else ever, and a physical YubiKey that sites don't let you use anyway.



