How to make sure a password manager is as secure as it claims?

Discussion in 'Community Discussion' started by Cubytus, Nov 30, 2012.

  1. Cubytus
    macrumors 65816

    Mar 2, 2007
    Hello all,

    Until now, I resisted making the jump to a password manager for different reasons, the main ones being that I can't be quite sure of their true security, and I may need to get access to a given website on a computer where I may just be unable to install or run any software. I can't do much about the latter except use net-synchronizable software, typically paid-for, which still brings me back to the first question.

    As much as I like open-source, it seems that the most praised password managers (LastPass and 1Password) are closed-source and, as such, their waxing popularity will probably expose them to attacks themselves, with potentially much more serious consequences than an attack against a given website.

    As closed-source applications, how can a prospective user be so sure about their boasted security? I am especially concerned about the ones that sync passwords with secure servers, as these servers may be located in countries that don't provide any legal protection for privacy. I just remembered Skype, claiming to be encrypted... unless someone high enough requests a tap.

    On the other hand, there's SpiderOak. OK, it's not a password management software, but even with a warrant, they claim they would be completely unable to decipher what a user has stored, as they don't hold the keys...

    So, how can we know if these managers are as secure as they claim?
