Password Manager Security

The cluster discusses the security risks and benefits of password managers like 1Password, LastPass, and KeePass, debating single points of failure, master password theft, client-side encryption, and breach resilience.

📉 Falling 0.2x Security
Comments: 5,719
Years Active: 20
Top Authors: 5
Topic ID: #9810

Activity Over Time

2007: 1
2008: 14
2009: 36
2010: 101
2011: 168
2012: 236
2013: 371
2014: 229
2015: 329
2016: 350
2017: 454
2018: 345
2019: 319
2020: 320
2021: 442
2022: 778
2023: 626
2024: 309
2025: 267
2026: 24

Keywords

twimg.com AFAIK TFA DB bitwarden.com OSX LastPass U2F KP E2E password passwords password manager master manager key encrypted compromised 1password security

Sample Comments

mattcoles Feb 25, 2017

It's still a single point of failure if the password manager is compromised.

wordyskeleton Mar 7, 2023

You're assuming a compromised password == compromised 1Password vault which is clearly not going to be the case most of the time

unattended Jun 27, 2011

The possibility of a site getting hacked or being attacked may be low but not unexpected. Many of these services don't know your actual passwords, they just have a file that's cryptographically secure with your passwords in there which in the case of an actual breach, only you (the owner/creator of said password list) has the keys to get into it. You just have to be responsible enough to know where your keys are to get at that list or it's lost for good. The likelihood of someone actually cracki

strictfp Sep 21, 2016

Unless someone steals the password to your password manager...

_bxg1 Jul 13, 2018

As long as they encrypt the stored passwords and you don't use your master password anywhere else, there's not much that can go wrong.

winstonewert Apr 24, 2016

This strikes me as less secure than a password manager that stores passwords. Here, if someone gets my master password all is lost. With stored passwords, they'd have to get both my master password and the encrypted passwords.

meribold Dec 22, 2020

This seems no better than a password manager that stores encrypted passwords but not the decryption key.

chillaxtian Aug 28, 2016

a security breach on the server wouldn't mean that your passwords are compromised. with the subscription model, they're protected by both your master password, and your account key (128? bit key generated at account creation). neither of those leave your computer.

AkshatM Dec 25, 2021

It sounds like you're worried about theft of master password or theft of password database once gathered in one place. For the former, use auth app-based 2FA against your master password to guard against unwarranted access, preferably using a physical key. For the latter, review the security protocols your third-party provider specifies for how they protect your data. That should give you confidence about the likelihood of database leakage. If even that doesn't give you confidence,

ttoinou Feb 24, 2019

Okay, but still, your pwd manager could get hacked