Why Your Passwords Are Safe With (Certain) Password Managers
November 29, 2017
This post explains how certain password managers and other encrypted apps keep your sensitive information locked away from everyone except you. Password manager bitwarden is used as an example and a recommendation. Other encrypted apps are listed at the end.
A Quick, Completely Non-Technical Summary
If you use the applications and services I suggest, your data is 100% safe from anyone who doesn’t know your password. I promise.
And: Please use a password manager!
bitwarden and Data Security
The cloud-based password manager bitwarden is a good example of convenient and proper data security as a service. bitwarden provides the tools and remote storage to securely store and access your passwords on almost any device. When you store your passwords with bitwarden, only you can access them — not even bitwarden can use their own system to access your passwords. Furthermore, all aspects of bitwarden are open source which is key to validating their security claims.
So, how do bitwarden and other encrypted services actually work? To understand that, I will detail two key processes: the encryption of your data, and another process that allows it all to work online.
Password-Based Encryption: Locking Away Your Data
When you enter and store your login information for a site on bitwarden, it is encrypted before it is sent to bitwarden's servers. Because the only person who will ever need to see your password is you, bitwarden can actually use a pretty simple encryption scheme*. Using the master password you set to log into your password vault, it generates a cipher for each username, password, and so on for every site you enter. That uncrackable cipher is stored on the server and then sent back to your computer when you need to access that login information.
A cipher is basically your login information turned into gibberish using your master password (now considered a "key") and complex math such that your master password can also be used to reverse the math and reproduce the information. For example, a key like "1234" could be used on "hello" to turn it into "rd025#ST03056CT," then the key could be used again to do the encryption math in reverse and turn "rd025#ST03056CT" into "hello."
This encryption and decryption only ever occurs on your computer or phone so bitwarden -- or anyone snooping on your WiFi transmissions -- cannot see your unencrypted info.
The encryption protocols bitwarden and many other apps use are the same open standards that institutions like, say, the US Government use. The main standard used is AES-256 and it is thoroughly vetted. The only way to crack it is to try to decrypt your data with every possible key (or master password) until it returns non-gibberish, which would take an impossibly long time. I can't give you a relative time frame because it can't even be measured in units of the universe's age -- it's unimaginably longer than that.
That is, of course, unless your master password is something like "password". That would be one of the first keys the cracking algorithm would try. Hopefully you know how to come up with secure and memorable passwords to use as your master password.
Hashes, or, Why Doesn’t bitwarden Know My Master Password?
"I typed my password into bitwarden’s website and hit submit when I created my account so don’t they have my password? Can't they just use that to decrypt everything?"
No, their system is designed so they never see your master password, even when you create your account. How? By hashing it.
A hash is a lot like the encryption described above, except the math used to create the cipher - now a hash - is completely irreversible. When you create your account, your password is encrypted/hashed using your email/username as the key, which cannot then be used to decrypt the hash. That is the hash which is sent to bitwarden's servers to be stored. Why do they store it? That way, when you log in later, they can compare the hash generated from your login to the stored hash and validate your identity. If the hashes match, they know to send all of your stored and encrypted information on their servers to your device.
Once you receive the encrypted data from the bitwarden servers, the local program uses your non-hashed master password to decrypt that data. Your master password never leaves your computer or phone! Neat!
How Can I Trust That These People Aren’t Just Lying to Me About Their Encryption????
Why should we trust that bitwarden actually hashes our password on our computer before sending it to the servers? Or that they encrypt our login information at all?
This is why open source software is always preferred/required in secure and private apps. That way, knowledgeable programmers can (and will) examine the code to validate a service’s claims. Many services also commission security audits from specialist firms and publish the results.
bitwarden and the other apps I suggest below are well-vetted.
Now You Just Have to Protect Your One Password
The crux of all this is that you need to create a very strong but memorable password and keep it safe. Your main threat now is probably your password being captured by a keylogger, which would capture and store your password when you type it out. Keyloggers could be installed on a public computer or on your computer through malware.** Phones are generally much safer from this type of threat, I believe. Other than that, the easiest and most likely ways someone would get access to your data are by stealing your computer or phone while you were logged in to bitwarden (or whatever encrypted apps you use).
Now that you understand that,
uh, please use a password manager!!!!
Secure and Private Apps
Do you find encryption as interesting and fun [and necessary] as I do? Consider these apps and services!
- bitwarden: a secure password manager, as discussed above.
- Standard Notes: an encrypted, cross-platform, and open source note taking app that I used to write and publish this.
- KeePassXC: an open source, local password manager that doesn’t require trust in anyone! But it is a hassle to maintain yourself.
- Duplicati: open-source, encrypted backup utility. You gotta back up your data!
- 7zip: create encrypted zip folders to store or pass on files securely.
- Veracrypt: encrypt your hard drive or create encrypted virtual drives to secure just some of your data.
- Cryptomator: Like Veracrypt, but more simple and geared towards cloud storage use.
- Wire, Signal: Popular and open source communication apps that use public and private encryption keys (PGP encryption***) to send information privately between two or more parties.
- ProtonMail: Emails are inherently insecure but they can be conveniently encrypted under very specific circumstances, like between two ProtonMail accounts.
- ProtonVPN: VPNs are a whole other topic about internet privacy but know they use encryption to protect you on public WiFi networks (among other ways).
*Well, bitwarden does allow for password sharing but then that uses another process that isn't relevant to you, Person Who Should Use a Password Manager for Their Many Personal Passwords.
**You can protect against keyloggers and someone acquiring your password with two-factor authentication (2FA). It’s another thing to manage (and explain ;) ) but I suggest it.
***PGP encryption is a whole other fascinating encryption process and you can look at a basic code example here. Not that you will, but I just wanted to show off some cool code I wrote. 8-)