Password Managers - Criteria

Passwords are ubiquitous. Users need one to identify themselves to every digital service. The concept is not new, yet few take great care of them. Many have terribly insecure passwords, easily guessable and reused everywhere, so that a single data breach exposes every other account sharing the same password.

Passwords should be long, random and unique. Unfortunately, humans are generally not good at creating so many passwords, let alone remembering them and storing them securely.

This less than ideal situation is avoidable, as secure and convenient solutions exist. Password managers are encrypted databases containing lists of securely generated passwords that users do not have to remember, with the exception of the one used to decrypt the vault.

This master key does not have to be hard to memorize, but it needs to withstand dictionary and brute-force attacks. The passphrase can be generated using the diceware method, which consists in rolling several dice (4 or 5 per word) to form an index into a word list and concatenating at least 6 of the resulting words; with a 7776-word list and 5 dice this yields about 12.9 bits of entropy per word, or about 77 bits for 6 words. Two-factor authentication (2FA) can then add a further layer, with one caveat: a second factor that merely gates the login to an online service does nothing against an attacker who already holds a copy of the encrypted vault. It strengthens the vault itself only when it contributes key material, such as a key file or a hardware-token challenge-response mixed into the derived key.
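The diceware procedure above, as an added example that is not part of the original page: dice rolls are turned into a lookup key, the words are drawn from a list, and the entropy of the result is computed from the list size. The 36-word list and the two-dice keying are constructed here for illustration only; a real list such as the EFF long list has 7776 words keyed by five dice, and the attacker guess rate used in the time estimate is an assumed figure.

```python
import math
import secrets

# Constructed 36-word list for illustration, keyed by 2 dice ("11".."66").
# Real diceware lists have 6**5 = 7776 words keyed by 5 dice.
_ILLUSTRATION_WORDS = [
    "acorn", "badge", "cabin", "daisy", "eagle", "fable", "gable", "habit", "icily",
    "jelly", "kayak", "lemon", "mango", "noble", "oasis", "panda", "quail", "radar",
    "salad", "tango", "ultra", "vapor", "wagon", "xenon", "yacht", "zebra", "amber",
    "bison", "cider", "dwarf", "ember", "fjord", "gecko", "hazel", "ivory", "jumbo",
]


def build_wordlist(words, dice):
    """Assign consecutive dice keys (digits 1..6, most significant first) to words.

    A diceware list must hold exactly 6**dice words so every roll maps to a word.
    """
    if len(words) != 6 ** dice:
        raise ValueError(f"need exactly {6 ** dice} words for {dice} dice")
    table = {}
    for index, word in enumerate(words):
        digits = []
        for _ in range(dice):
            digits.append(str(index % 6 + 1))
            index //= 6
        table["".join(reversed(digits))] = word
    return table


def diceware_passphrase(table, n_words=6, roll=None, sep=" "):
    """Roll one die per key digit, look each key up in `table`, join n_words words.

    `roll` defaults to a CSPRNG die (secrets module); it is injectable for tests.
    Never use the `random` module here: it is not suitable for secrets.
    """
    dice = len(next(iter(table)))
    if roll is None:
        roll = lambda: secrets.randbelow(6) + 1
    words = []
    for _ in range(n_words):
        key = "".join(str(roll()) for _ in range(dice))
        words.append(table[key])
    return sep.join(words)


def passphrase_entropy_bits(n_words, list_size):
    """Entropy in bits of n_words drawn uniformly and independently from list_size."""
    return n_words * math.log2(list_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every passphrase at the given (assumed) guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    table = build_wordlist(_ILLUSTRATION_WORDS, dice=2)
    print("sample (weak, 36-word list):", diceware_passphrase(table, n_words=6))
    for n_words, list_size in ((6, 36), (6, 7776), (8, 7776)):
        bits = passphrase_entropy_bits(n_words, list_size)
        # Assumed attacker rate against a fast, non-memory-hard KDF: 1e10 guesses/s.
        print(f"{n_words} words x {list_size}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, 1e10):.2e} years to exhaust")
```

The entropy depends only on the number of words and the list size, not on how exotic the words look, which is why a six-word passphrase from a 7776-word list (about 77 bits) is strong even though each word is ordinary.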

Free and Open Source

For something as important as a password manager, where trust is paramount, Free and Open Source software is a requirement. It is in no way a security guarantee, but a necessary condition.

Secure

Their design should be sound, their implementation built by people with a proven track record of creating secure systems, and further verified by the community or third-party audits. Clear communication and an absence of security breaches are additional positive indicators.

The encryption algorithm should be AES-256 or ChaCha20, and the key derivation function Argon2id (or Argon2d). AES-KDF, the iterated AES transform used by older KeePass databases, is not memory-hard and therefore parallelizes well on GPUs; prefer Argon2 unless compatibility with an old client requires otherwise. Whatever the KDF, a per-vault random salt must be stored alongside the database so that precomputed tables are useless.
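How a vault key is derived from the master passphrase, and how a key file as second factor contributes key material, as an added example that is not the page's or any password manager's own code. Argon2id is not in the Python standard library, so the block uses hashlib.scrypt as a memory-hard stand-in (falling back to PBKDF2 only where OpenSSL lacks scrypt); the cost parameters, the key-check construction and the sample passphrase are assumptions for illustration, not the format of any real vault.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative cost parameters: 128 * r * N bytes = 16 MiB per derivation.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32          # 256-bit key, as used by AES-256 or ChaCha20
MIN_SALT_LEN = 16


def derive_vault_key(passphrase: str, salt: bytes,
                     key_file: Optional[bytes] = None) -> bytes:
    """Derive the 256-bit vault key from the master passphrase and optional key file.

    The key file is a second factor that actually contributes key material: an
    attacker holding only the encrypted vault cannot even start guessing
    passphrases without it, unlike a 2FA prompt that merely gates a server login.
    """
    if len(salt) < MIN_SALT_LEN:
        raise ValueError("salt must be at least 16 random bytes stored with the vault")
    secret = passphrase.encode("utf-8")
    if key_file is not None:
        # Hash the key file first so its length does not leak into the KDF input.
        secret = hashlib.sha256(key_file).digest() + secret
    if hasattr(hashlib, "scrypt"):
        # Memory-hard KDF (stdlib stand-in for Argon2id, which needs argon2-cffi).
        return hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                              p=SCRYPT_P, dklen=KEY_LEN)
    # Fallback for OpenSSL builds without scrypt: iteration-only, not memory-hard.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 600_000, dklen=KEY_LEN)


def key_check_value(key: bytes) -> bytes:
    """Value stored in the vault header so a wrong passphrase can be detected
    without exposing the key itself (assumed construction, HMAC over a fixed label)."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def unlock(passphrase: str, salt: bytes, stored_check: bytes,
           key_file: Optional[bytes] = None) -> bool:
    """Re-derive the key and compare its check value in constant time.

    Every guess an attacker makes has to pay the full KDF cost, which is the
    whole point of choosing a slow, memory-hard function.
    """
    candidate = derive_vault_key(passphrase, salt, key_file)
    return hmac.compare_digest(key_check_value(candidate), stored_check)


def new_salt() -> bytes:
    """Fresh random salt for a newly created vault."""
    return os.urandom(MIN_SALT_LEN)


if __name__ == "__main__":
    salt = new_salt()
    key_file = os.urandom(64)                  # constructed second factor
    key = derive_vault_key("acorn badge cabin daisy eagle fable", salt, key_file)
    check = key_check_value(key)
    print("unlock with passphrase + key file:",
          unlock("acorn badge cabin daisy eagle fable", salt, check, key_file))
    print("unlock with passphrase only:      ",
          unlock("acorn badge cabin daisy eagle fable", salt, check))
```

Note that the stored check value reveals nothing about the key, yet it makes offline guessing possible for anyone with the vault file; that is unavoidable, and it is exactly why the KDF cost and the passphrase entropy, not the check value, decide how long the vault resists.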

Offline / Online & Self-hostable

Users may choose between two types, offline and online; the former is more secure and the latter more convenient for syncing between devices. Users wanting both control and convenience should consider self-hosted options.

Cross platform

To avoid complexity, they should be available on several platforms or have a vault format readable by several of them.

Data Import / Export

They should provide data import and export to avoid platform lock-in and allow easy transfers between alternatives.


The text is available under the license Creative Commons Attribution-ShareAlike 4.0