Password Managers that don’t store passwords

[Jordan]

Password Managers that don’t store passwords

 

Password managers are one of the best options to manage account information. The two major flavors they come in are local storage and remote storage solutions which both offer advantages and disadvantages.

 

Local storage solutions like KeePass keep the encrypted password database file on the local system thus removing cloud storage and network traffic as an attack vector. Remote storage solutions like LastPass, Enpass or Dashlane on the other hand make things easier if you use multiple devices, and they may make information on the Internet via a web-based interface as well.

 

Both rely on encrypted password databases that are unlocked by a user's master password.

There is a third kind of password manager that rose to prominence fairly recently: those that don't store passwords at all. These are called stateless or deterministic password managers.

 

Examples are Master Password App, available for various desktop and mobile operating systems, and a web app, and Forgiva, a commercial password solution for various desktop operating systems.

Password Managers that don't store passwords

 

Password managers like Master Password App don't store passwords, but generate them on the fly whenever they are needed.

For this particular app for instance, passwords are generated using a name, the site the password is for, and a master password.

 

Here is how this works in greater detail:

1. You enter your name and master password to sign in to the password manager.
2. The password generation and look up interface is identical. Basically, to create or display a password you simply enter the site name -- or any other name for that matter.
3. You can then copy the password over to the site to sign in to your account, or register for an account.

 

Forgiva extends this basic approach by adding visual pattern confirmations, different key-derivation algorithms, and a certification system.

Both have in common that passwords are generated using information that is either entered by the user, or created during initial setup.

The main advantage they offer over conventional password managers is that attackers cannot dump the password manager database file either by attacking a local device or a company that stores the data in the cloud.

 

Also, since passwords are not stored in a database, there is no syncing involved to gain access to passwords across devices. All that is needed is access to the application, the master password, and maybe other data depending on the product, to gain access to all information.

Caveats

While deterministic password managers do away with storage, they are as susceptible to certain attack forms than regular password managers.

Since users need to somehow get the password displayed in the programs and enter them on a website or application, it means that they will either be copied to the clipboard, or entered manually using the keyboard.

 

Depending on the level of complexity of the service, getting hold of the master password may give you access to all password unless the product users other security precautions (like Forgiva does).

 

Password renewal may also be an issue if the service does not offer an option to do so. Additionally, depending on functionality, these password managers may not offer options to store additional data, security question answers for instance.

Closing Words

Deterministic password managers offer an interesting approach to password management. While they do away with password storage, they are not immune to attacks and may be limited in terms of what other data -- if any -- can be saved by them.

 

 

SOURCE