Password Managers - Criteria
Passwords are ubiquitous: users are required to use them to identify themselves to every digital
service. The concept is not new, yet few take great care of them. Many have terribly insecure
passwords, easily guessable and reused everywhere, leading to stolen information in subsequent data
breaches.
Passwords should be long, random and unique. Unfortunately, humans are generally not good at creating
so many passwords, nor at remembering and storing them securely.
This less than ideal situation is avoidable, as secure and convenient solutions exist. Password
managers are encrypted databases containing lists of securely generated passwords that users do not
have to remember, with the exception of the one used to decrypt the vault.
This master key does not have to be hard to memorize, but it needs to withstand dictionary and
brute-force attacks. The passphrase can be generated using the diceware method, which consists in
rolling several dice (4 or 5) to find a word index in a word list and concatenating at least 6 such
words. Its security can then be enhanced by the use of two-factor authentication (2FA).
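The diceware procedure described above, as an added example that is not part of the original page: dice are simulated with the secrets module, the rolls form the word index, and the word list is checked for missing indices and duplicate words before use. The 36-word list embedded below is a constructed 2-dice stand-in for a real 5-dice list; the entropy function shows why the page asks for 4 or 5 dice and at least 6 words.

```python
import math
import secrets
# Constructed 2-dice demonstration list (36 words) in the usual diceware
# "<index> <word>" layout; a real list such as the EFF one uses 5-dice
# indices (7776 entries). The words here were chosen arbitrarily.
SAMPLE_WORDLIST = """
11 acid  12 aloe  13 ant   14 apex  15 arc   16 atom
21 bald  22 barn  23 bead  24 beef  25 bike  26 bolt
31 cake  32 calm  33 cave  34 chip  35 claw  36 cove
41 dart  42 dawn  43 deck  44 dial  45 dome  46 dust
51 echo  52 edge  53 elk   54 envy  55 epic  56 exit
61 fern  62 film  63 fist  64 flag  65 foam  66 fork
"""

def parse_wordlist(text):
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("wordlist text has an unpaired token")
    return {tokens[i]: tokens[i + 1] for i in range(0, len(tokens), 2)}

def validate_wordlist(wordlist, n_dice):
    """All 6**n_dice indices must be present and map to distinct words:
    a missing index breaks lookups, a duplicate word loses entropy."""
    expected = 6 ** n_dice
    if any(len(k) != n_dice or set(k) - set("123456") for k in wordlist):
        raise ValueError("malformed index in wordlist")
    if len(wordlist) != expected:
        raise ValueError(f"expected {expected} entries, got {len(wordlist)}")
    if len(set(wordlist.values())) != expected:
        raise ValueError("duplicate words in wordlist")

def secure_roll():
    # secrets, not random: the passphrase must not be predictable
    return secrets.randbelow(6) + 1

def roll_index(n_dice, roll=secure_roll):
    # each die result becomes one digit of the index string, e.g. "34"
    return "".join(str(roll()) for _ in range(n_dice))

def diceware_passphrase(wordlist, n_dice, n_words=6, roll=secure_roll):
    """At least 6 words, each chosen by an independent set of rolls."""
    validate_wordlist(wordlist, n_dice)
    return [wordlist[roll_index(n_dice, roll)] for _ in range(n_words)]

def entropy_bits(n_words, n_dice):
    # each word adds log2(6**n_dice) bits: 6 words of 5 dice ~ 77.5 bits
    return n_words * n_dice * math.log2(6)

if __name__ == "__main__":
    print(" ".join(diceware_passphrase(parse_wordlist(SAMPLE_WORDLIST), 2)))
    print(f"{entropy_bits(6, 5):.1f} bits for 6 words from a 5-dice list")
```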
Free and Open Source
For something as important as password managers, where trust is paramount, Free and Open Source
software is a requirement. It is in no way a security guarantee, but merely a necessary condition.
Secure
Their design should be sound, and their implementation built by people with a proven track record of
creating secure systems and further verified by the community or third-party audits. Clear
communication and the absence of security breaches are additional positive indicators.
The encryption algorithm should be AES-256 or ChaCha20, and the key derivation function AES-KDF,
Argon2d or Argon2id.
Offline / Online & Self-hostable
Users may choose between two types, offline or online; the former is more secure and the latter more
convenient for syncing between devices. Users wanting both control and convenience should consider
self-hosted options.
Cross platform
To avoid complexity, they should be available on multiple platforms or have their vault readable by
several of them.
Data Import / Export
They should also provide data import and export to avoid platform lock-in and allow easy transfers
between alternatives.