What Are Zero Knowledge Password Managers?

Many password managers advertise themselves as zero knowledge password managers, claiming that end-to-end encryption prevents vendors and their employees from knowing what credentials are maintained in users’ password vaults. But what are zero knowledge password managers? And what are the advantages and disadvantages of zero knowledge?

Possibly the primary benefit of using a password manager is that it can generate and store complex passwords, and auto-fill login credentials when you visit a website for which a password has been saved. This enables you to have a unique password for each online account without having to remember them or keep them in a less secure location (e.g., a spreadsheet on your desktop).

But how secure is the password manager? Who else might have access to the information stored in the password manager? And what might they be able to do with the information? To address these concerns, many password managers are built on a “zero knowledge architecture” which – unless you are an expert in cryptography – is possibly one of the most confusing things on earth.

As most people are not experts in cryptography, we aim to explain what zero knowledge password managers are in plain English. However, be aware that not all password managers are the same: although the concept of zero knowledge is common to them, the technical details differ when you look at them more closely. So, let’s get started.

How Password Managers Protect Against External Attackers

Whatever type of password manager you use, you are required to create an account that consists of a username and a password. Thereafter, whenever you want to use the password manager to generate, store, or autofill passwords, you have to log into it or have the “remember me” feature activated. Some password managers (e.g., Chrome’s built-in manager) have the “remember me” feature activated by default – which is why you should always PIN lock every device you use.

External attackers can only access data within your password manager if they know your username (most often your email address) and your password. Consequently, it is important to choose a complex password for your password manager that cannot practically be guessed by brute-force attacks. It is also a best practice to enable two-factor authentication on your password manager to add an extra layer of security – especially on mobile devices and shared workstations.

With a complex password and two-factor authentication, it is virtually impossible (although not totally impossible) for an external attacker to access data within your password manager. But what about the provider of the password manager? How can you be sure that nobody from Google, Apple, Microsoft, or any of the commercial password manager vendors (e.g., Bitwarden, 1Password, or Dashlane) can access your password manager and the credentials saved in it?

How Password Managers Protect Against Internal Attackers

Most (but not all) password managers store user data “in the cloud”. This means your passwords, credit card details, and any other information saved in your password manager are kept on servers managed by the service providers (Google, Apple, Bitwarden, etc.). Because they are stored in the cloud, you can access your passwords from any Internet-connected device – though with limits if you use a browser-based password manager (e.g., Chrome) or an OS-based password manager (e.g., Keychain).

To prevent anybody with access to the service providers’ servers from reading your passwords, all the data in your password manager is encrypted before being sent to the cloud. The encryption key (the secret value used to encrypt and decrypt your data) is derived from the username and password you used to create your account, and the key stays on your device. It is never transmitted to the service providers’ servers, so if anybody were to access the servers, all they would see is worthless ciphertext.

“But wait a minute. Doesn’t the service provider know my username and password from when I created an account?” Yes, but when you create an account, the password is salted and passed through a “one-way” hash, so the value the provider holds cannot be reversed to recover the password. When you subsequently log into your password manager, the same salting and hashing process produces the same value, which authenticates you as the authorized user. This is what ensures that nobody at the service provider’s end – or between you and the service provider – can decrypt the contents of your password manager.
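To make the key-derivation and hashing steps concrete, here is an added Python sketch (not code from this article or from any vendor) modelled on the two-step derivation that Bitwarden documents: the vault key is stretched on the client from the master password salted with the e-mail, one further one-way hash of it is the only credential the server ever sees, and the server keeps a re-salted hash of even that. The HMAC counter keystream stands in for the authenticated cipher (e.g., AES-GCM) a real vault uses, the 600,000-iteration work factor is an assumption, and the account, password and vault entry are constructed.

```python
import hashlib
import hmac
import os

def derive_vault_key(email: str, master_password: str) -> bytes:
    # Client only: stretch the master password, salted with the e-mail,
    # into the vault key. This value never leaves the device.
    # 600_000 PBKDF2 iterations is an assumed work factor; vendors pick their own.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), 600_000)

def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    # Client: one more one-way step yields the login credential sent to the
    # server. It cannot be inverted back to the vault key.
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

def server_register(auth_hash: bytes) -> dict:
    # Vendor: keep only a freshly salted hash of what the client sends.
    salt = os.urandom(16)
    return {"salt": salt, "stored": hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 100_000)}

def server_login(record: dict, auth_hash: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], 100_000)
    return hmac.compare_digest(candidate, record["stored"])

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for the authenticated cipher (e.g. AES-GCM) a real vault uses:
    # the standard library has no AES, so an HMAC-SHA256 counter keystream is
    # XORed over the data. The same call encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def demo() -> dict:
    # Constructed account and vault entry; reports what each party can do.
    email, pw = "alice@example.com", "correct horse battery staple"
    entry = b'{"site": "example.org", "password": "s3cr3t"}'
    vault_key = derive_vault_key(email, pw)
    auth_hash = derive_auth_hash(vault_key, pw)
    record = server_register(auth_hash)            # everything the vendor holds...
    nonce = os.urandom(16)
    blob = keystream_xor(vault_key, nonce, entry)  # ...plus this ciphertext
    return {"login_ok": server_login(record, auth_hash),
            "user_decrypts": keystream_xor(vault_key, nonce, blob) == entry,
            "vendor_decrypts": keystream_xor(record["stored"], nonce, blob) == entry,
            "auth_hash_decrypts": keystream_xor(auth_hash, nonce, blob) == entry}
```

Running `demo()` shows the login succeeding while neither the stored record nor the auth hash itself recovers the vault entry; only the client-side vault key does.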

The Advantages and Disadvantages of Zero Knowledge Password Managers

The advantages of zero knowledge password managers are fairly obvious. Provided you use a complex password when you create an account with a vendor, your passwords are protected against both external and internal attackers. You can add an extra layer of security by enabling two-factor authentication, and some providers also recommend using a unique email address to create an account. You can do this retrospectively with some vault-based password managers.

The disadvantages of zero knowledge password managers arise if you forget your password or lose the device on which you receive One-Time Passcodes for two-factor authentication. Because nobody at the vendor’s end knows your password, they cannot reset it either: that is a direct consequence of the zero knowledge architecture. For the same reason, nobody at the vendor’s end can access your account to disable two-factor authentication.

The way around these disadvantages is to write down your password and keep it somewhere safe. If you enable two-factor authentication, also make a note of the one-time-use recovery code, which disables two-factor authentication for your password manager only (not for any other 2FA-enabled accounts). Note that you cannot use the recovery code without logging into the password manager, so you will need to know (or have) your password at the time.

Most Password Managers Use Zero Knowledge Architectures

Decisions on which password manager is most suitable for your requirements should not be based solely on whether it is built on a zero knowledge architecture. Factors such as cross-platform synchronization, ease of deployment and management, the end-user experience, and cost should also be taken into account. For this reason, we rate Bitwarden as the leading zero knowledge password manager.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news