Open Source Security Applications for Password Management

There are several open source security applications for password management that can be used to fix a common weakness in security defenses – the use of weak passwords by employees. Here we explain the problem with passwords, how a password manager solves these problems, and why it is best to use open source security applications for password management.

The Problem with Passwords

One of the easiest ways for a hacker to gain the required foothold in a network is to guess a password. If every employee set a complex, unique password for every account, it would be very difficult for a password to be guessed. If 2-factor authentication were also configured for all accounts, then even if a complex password were guessed or otherwise obtained, it would be difficult for that password to be used for unauthorized access.

The problem is that while businesses often have password policies that require strong passwords to be created, employees often get around the restrictions to make their passwords easy to remember, and by doing so make their passwords easily guessable. Employees are forced to set passwords of the required length that include all the necessary characters, such as upper- and lower-case letters, numbers, and special characters; however, PaS$w0rd! meets the complexity requirements but could be guessed in seconds using brute force tactics, because cracking tools try exactly these common character substitutions on dictionary words.

The main reason employees choose weak passwords is that it is difficult to think of new complex passwords and even harder to remember them, especially when unique passwords should be created for each account. If you make employees change their passwords frequently, it becomes even more likely that shortcuts will be taken (e.g., changing PaS$w0rd!for2021 to PaS$w0rd!for2022).
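As an added example (not code from the original article), here is the kind of policy check that catches the PaS$w0rd! pattern: it strips the rotated year or number suffix, undoes the usual character substitutions, and only then compares against a wordlist. The wordlist and substitution table are constructed for illustration; a real deployment would use a breached-password list.

```python
import re

# Constructed mini wordlist; a real check would use a breached-password or dictionary list.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "qwerty"}

# Substitutions people use to satisfy complexity rules (a constructed, partial table).
LEET_MAP = str.maketrans({"$": "s", "5": "s", "0": "o", "@": "a", "4": "a",
                          "1": "i", "!": "i", "3": "e", "7": "t"})

def normalize(password: str) -> str:
    """Strip the suffix that gets bumped on rotation, then undo the substitutions."""
    base = password.lower()
    base = re.sub(r"(for)?(19|20)\d{2}$", "", base)   # ...for2021, ...2022
    base = re.sub(r"[\d!?.]+$", "", base)             # trailing "!", "123", "1!"
    return base.translate(LEET_MAP)

def meets_complexity(password: str) -> bool:
    """The usual policy: 8+ characters with upper, lower, digit and symbol."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)

def is_predictable(password: str) -> bool:
    """True when the password is a dictionary word dressed up with substitutions."""
    base = normalize(password)
    return any(word in base for word in COMMON_WORDS)

def acceptable(password: str) -> bool:
    """Complexity alone is not enough; the password must also not be predictable."""
    return meets_complexity(password) and not is_predictable(password)

if __name__ == "__main__":
    for pw in ("PaS$w0rd!", "PaS$w0rd!for2022", "Summer2021!", "xK9#vQ2m$Lp7"):
        print(f"{pw:20} complexity={meets_complexity(pw)} predictable={is_predictable(pw)}")
```

All three human-chosen passwords pass the complexity rule and fail the predictability check; only the randomly generated one is accepted.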

One of the easiest solutions to implement to help solve the problem is a password manager. A password manager solves the problem in two ways. First, it includes a secure password generator that will generate a random complex password with a click of a mouse. Second, employees will never have to remember the generated passwords as they are stored securely in an encrypted vault and the login credentials auto-filled when the employee visits a site for which a password has been saved. All that is required is a single complex password for the user’s password vault, and if that is a passphrase of 16 characters or more, that password is essentially unguessable.

An analysis by Hive Systems suggests that a truly random 8-character password of numbers, upper- and lower-case letters and symbols could be cracked by a hacker in around 8 hours, whereas a 16-character password consisting of just lowercase letters would take around 34K years to crack.
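An added example, not part of the article, showing the generator side of a password manager and the keyspace arithmetic behind the Hive Systems comparison. The guess rate is an assumed figure (the page gives none), so the absolute times are illustrative; the ratio between the two cases does not depend on it.

```python
import math
import secrets
import string

# Character sets for the two cases in the Hive Systems comparison.
FULL_SET = string.ascii_letters + string.digits + string.punctuation   # 94 characters
LOWER_SET = string.ascii_lowercase                                      # 26 characters

# The page gives no guess rate, so this is an assumed figure used only for illustration.
ASSUMED_GUESSES_PER_SECOND = 1e11

def generate(length: int, alphabet: str = FULL_SET) -> str:
    """What a password manager's generator does: draw each character from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(length: int, alphabet_size: int,
                     rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace at the given guess rate."""
    return alphabet_size ** length / rate / (365 * 24 * 3600)

def compare() -> dict:
    """The two Hive Systems cases: 8 chars from the full set vs 16 lowercase letters."""
    return {
        "8_full": (entropy_bits(8, len(FULL_SET)), years_to_exhaust(8, len(FULL_SET))),
        "16_lower": (entropy_bits(16, len(LOWER_SET)), years_to_exhaust(16, len(LOWER_SET))),
    }

if __name__ == "__main__":
    print("example generated password:", generate(16))
    for name, (bits, years) in compare().items():
        print(f"{name}: {bits:.1f} bits, {years:,.1f} years to exhaust at assumed rate")
```

The 16 lowercase letters carry roughly 75 bits against about 52 bits for the 8-character mix, a keyspace some seven million times larger, which is why length beats character variety.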

Open Source vs Proprietary Security Software

There are arguments for and against open source security applications. One of the benefits of open source is that it is easier for vulnerabilities to be identified and fixed, because making the code public means there are likely to be many eyes looking at it. If there is a bug bounty program, security researchers are also financially encouraged to search for vulnerabilities and to follow responsible disclosure practices to get those bugs fixed.

The counterargument against open source security applications is that if the code is public, hackers could also look for vulnerabilities to exploit. The reality is that hackers do not tend to check code for vulnerabilities, as there are far easier and less time-consuming ways to achieve their objectives – such as attacking companies that have failed to patch promptly when fixes for vulnerabilities have been released, or conducting brute force attacks to guess weak passwords.

Can Open Source be Trusted for Password Management?

There is a good argument why open source security applications for password management should be trusted more than proprietary solutions whose code is kept secret. By making the code open source, the developer is showing they have nothing to hide.

Making code open source means the code is available for review, but that does not mean that the code has actually been reviewed, nor that it has been reviewed by individuals with the necessary skills to find exploitable vulnerabilities. For greater peace of mind, you should look for open source security applications for password management that have undergone an independent code review and that have an active community – and preferably a bug bounty program in place – to encourage security researchers to continue to review the code.

For More Control You Can Self Host Password Vaults

A common concern with password managers is having to store passwords in the cloud on the password manager provider’s servers. For many providers of these solutions, password management is their sole business, and as such, they have gone to great lengths to make sure password vaults are secure and always available.

One option available with many password management solutions is to host the password vaults locally, where IT security professionals feel they have greater control and can better protect them. If you fall into that camp and feel more comfortable protecting your own vaults, there are open source security applications that have the option of self-hosting.

Best Open Source Security Applications for Password Management

There are many open source security applications that can be used to generate and securely store passwords. Here we list three of the most popular open source security applications that will help you eliminate password vulnerabilities and keep your organization’s passwords secure.

Bitwarden

Bitwarden is one of the most popular open source security applications for password management, with one of the most comprehensive free tiers for personal users and competitively-priced premium options for individuals, families, and businesses of all sizes.

Bitwarden operates under the zero-knowledge model, so the company cannot access the content of users’ password vaults. The software has undergone an independent code review and there is a bug bounty program on HackerOne. Depending on the subscription level, Bitwarden includes a secure password generator, end-to-end encryption with AES-256, hashed passwords (PBKDF2), health reports of password vaults, detailed event logging to track access to sensitive data, 2-factor authentication with YubiKey, and flexible integrations using SSO authentication, directory services, or powerful APIs. Password vaults are cloud-hosted, but there is the option of self-hosting for greater control. Bitwarden can be used on all devices and operating systems, and there are easy-to-use desktop and mobile apps with cross-platform syncing.

KeePass

KeePass was one of the first open source security applications for password management, with the first solution made available for Windows XP. This is a lightweight password manager with a secure password generator, and it boasts excellent security – with end-to-end encryption using AES-256 or Twofish, SHA-256 password hashing, and key derivation via AES-KDF or Argon2. The solution also encrypts the entire database, including usernames, URLs, and notes, and has two-factor authentication with the option of an encrypted key file. The solution underwent an independent security audit in 2016.

KeePass is free and is provided as a standalone app with local storage. The solution can be a little trickier to set up than other “plug and play” solutions, and the user interface could do with improvement. To use it as a team password manager, you need to store the database locally where it can be accessed by all members of the team and give the administrator permissions to change the file. KeePass is primarily Windows-based but can be used on other platforms. Browser integrations are possible through plugins for Google Chrome and Firefox.

Psono

Psono is one of a small number of open source security applications for password management that was created by a single developer. The solution was released in 2017 and differs from many of the others in how passwords are encrypted, using modern, open-source cryptographic primitives. While most password managers use AES-256 to encrypt passwords and RSA to secure the TLS connection, Psono does not use these NIST-approved algorithms – instead it uses client-side, end-to-end encryption via Curve25519 and Salsa20, as provided by the NaCl cryptographic library. That does not make the solution any less secure; it is just a different way of achieving the same security objectives.

The solution has an impressive free tier for individuals and a choice of enterprise options for businesses. The solution has an easy-to-use, Python-based web client with multi-browser support, password syncing across multiple devices, two-factor authentication, a secure password generator, file sharing and link sharing, autofill, and a password capture feature. It is important to be aware that most Psono options are self-hosted, with only the premium enterprise option available as a hosted service. Basic support is provided, although professional support will cost extra.