How to make sure a password manager is as secure as it claims?

Discussion in 'Community Discussion' started by Cubytus, Nov 30, 2012.

  1. Cubytus macrumors 65816

    Mar 2, 2007
    Hello all,

    until now, I resisted making the jump to a password manager for different reasons, the main ones being that I can't be quite sure of their true security and I may need to get access to a given website on a computer where I may just couldn't install or run any software. I can't do much about the latter except using a net-synchronizable software, typically paid-for, which still brings me back to the first question.

    As much as I like open-source, it seems that the most praised password managers (LastPass and 1Password) are closed-source and as such, considering their waxing popularity will probably expose them to attacks themselves, with potentially much more serious consequences than an attack against a given website.

    As closed-source applications, how can a prospective user be so sure about their boasted security? I am especially concerned about the ones that do sync passwords with secure servers, as these servers may be located in countries that don't provide any legal protection for privacy. I just remembered about Skype, claiming to be encrypted... unless someone high enough requests a tap.

    On the other hand, there's SpiderOak. Ok, it's not a password management software, but even with a warrant, they claim they would be completely unable to decipher what a user has stored, as they don't hold the keys...

    So, how can we know is these managers are as secure as they claim?

Share This Page