Sheogorath's Blog

Why I use multiple password managers

You might have seen my previous take on password managers, where I mentioned that I used all four of the compared password managers. These days I have reduced the number of password managers I use a bit, but I still use two different ones on a daily basis: pass and Bitwarden.

There are a number of reasons why I use multiple password managers, and I recommend thinking for yourself about whether you might want to use more than one as well. It’s not ideal for everyone, and if you just got started with password managers, it might not be the perfect idea. But when you enjoy using yours, it might be a good addition.

What password managers do I use

As already mentioned, I use Bitwarden and pass, and both have their very own pros and cons.

Bitwarden

Bitwarden is a free software password manager that is easy to use and provides integrations for all major browsers as well as desktop, CLI, web and mobile clients. It’s synchronized using a cloud backend that you can also host yourself, and it is highly recommended for everyone who wants to get started with using a password safe.

pass, also known as password store

pass is a CLI password manager written in bash that uses GnuPG and git to manage and synchronize passwords across multiple devices, and it is explicitly made for use in UNIX programs. There are third-party extensions for your browser which allow integration of the password manager with any website, and it has its own Ansible lookup plugin, which makes it awesome for use in deployment scripts and machine management. There are also third-party GUIs and plugins to make it a bit easier for beginners, but if you don’t feel at home on the shell, I wouldn’t recommend this password manager for you.

Why I use two at once

Not every password is the same. And I’m not just talking about passwords not being literally the same, but also about what they protect. When the password to my forum account is leaked, that’s bad, but besides some laughs from my friends, that won’t hurt me that much. But when the password to my bank account is leaked, that is a way bigger concern to me.

Not every password manager is the same. As you might have read above, Bitwarden is easy to use, well integrated into the browser and synchronizes all passwords with the cloud. I don’t suspect Bitwarden of being a malicious actor, but we see security issues in browsers very often, and your browser talks to random internet pages on a daily basis. There is definitely a chance of something malicious sneaking in there and taking those passwords with it. For my forum password, that’s a risk I’m willing to take in exchange for the convenience it provides. For my bank account, not so much.

Also, I synchronize my Bitwarden account to my smartphone and use it there on a regular basis. Is my phone the best place for my most sensitive secrets? No. It’s Android after all, and while Android itself employs amazing security within the system, the absence of security updates and the missing protection for your root filesystem when using a custom ROM like LineageOS make it not the best place to store any sensitive information.

Why is pass my high security password manager

One might wonder why I consider pass more secure than Bitwarden. It’s definitely not because it uses more secure cryptography. But one important reason is the fact that pass is using GnuPG, and GnuPG allows me to store my decryption key on a smart card.

Smart cards are hardware devices which can store and use a secret without ever releasing it. A smart card acts like a black box: you put something encrypted and a PIN into it, and if the PIN was correct, you get the decrypted version back. If you enter the wrong PIN too many times, the secret is destroyed and no one will have access to it to decrypt things.

Also, unlike Bitwarden, pass doesn’t decrypt a password database containing all passwords at once. Each password is stored in a separate file, which means pass will only decrypt the password that I’m about to use, and even if something dumps my memory at that moment, the dump will only contain this single password.

How does this improve my Two-Factor Authentication

If you have ever set up 2FA (Two-Factor Authentication) on a major provider, you’ll have seen those recovery codes that they ask you to write down, print or store securely. If you don’t want to print them but want to store them digitally, you might want to put them in a password manager. But by doing that, you basically defeat 2FA by making your password manager your single factor.

For this reason I store a lot of my passwords in Bitwarden and all recovery codes in pass. pass is perfect as long-term storage since it doesn’t decrypt those recovery codes unless I explicitly want it to. And otherwise I have a TOTP app on my phone or use my YubiKey as a FIDO2 key.
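As an added example (not code from the original post), here is a small audit over a Bitwarden-style unencrypted JSON export that flags exactly the situation described above: TOTP seeds or recovery codes living in the same vault as the password they are supposed to back up. The field names (`items`, `name`, `notes`, `login.totp`) follow Bitwarden's export layout as assumed here, and the sample export is constructed.

```python
"""Flag entries in a password-manager export that would turn the vault into a
single factor: stored TOTP seeds and 2FA recovery codes kept next to the password.
Field names (items, name, notes, login.totp) follow Bitwarden's unencrypted JSON
export as assumed here; the sample export below is constructed for illustration."""
import json
import re

# A line that consists only of groups of 4+ alphanumerics (e.g. "abcde-12345" or
# "1234 5678") looks like a recovery/backup code.
CODE_LINE = re.compile(r"^[A-Za-z0-9]{4,}([ -][A-Za-z0-9]{4,})*$")
KEYWORDS = re.compile(r"recovery code|backup code|scratch code", re.IGNORECASE)
MIN_CODE_LINES = 4  # fewer code-like lines than this is treated as noise

SAMPLE_EXPORT = json.dumps({"items": [
    {"type": 1, "name": "Forum", "notes": None,
     "login": {"username": "sheo", "password": "correct horse", "totp": None}},
    {"type": 1, "name": "Mail", "notes": "Recovery codes:\nabcde-12345\nfghij-67890\n"
                                        "klmno-24680\npqrst-13579\nuvwxy-11111",
     "login": {"username": "me@example.org", "password": "hunter2",
               "totp": "otpauth://totp/Mail:me?secret=CONSTRUCTEDSECRET"}},
    {"type": 2, "name": "Bank backup codes",
     "notes": "1234 5678\n2345 6789\n3456 7890\n4567 8901"},
]})


def audit_export(export_json):
    """Return a list of {"item", "issue"} dicts for every second factor found in the vault."""
    findings = []
    for item in json.loads(export_json).get("items", []):
        name = item.get("name", "<unnamed>")
        login = item.get("login") or {}        # secure notes have no login block
        notes = item.get("notes") or ""
        if login.get("totp"):
            # A TOTP seed beside its password: both factors fall with one vault compromise.
            findings.append({"item": name, "issue": "totp-seed-in-vault"})
        code_lines = sum(1 for ln in notes.splitlines() if CODE_LINE.match(ln.strip()))
        if KEYWORDS.search(notes) or code_lines >= MIN_CODE_LINES:
            findings.append({"item": name, "issue": "recovery-codes-in-notes"})
    return findings


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(f"{finding['item']}: {finding['issue']}")
```

Anything it reports is a candidate for moving out of the convenience vault and into the offline store, so that the vault alone is never both factors.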

Conclusion

To wrap it up, I highly recommend having more than one password manager. You surely want the convenience Bitwarden or a similar password manager provides for the majority of your logins. But you might also want the better control and reduced attack surface of an offline password manager. You don’t need access to each and every password everywhere.

It helps to reduce the risk for high-value login credentials as well as allowing you to store 2FA recovery codes in a secure way, separated from your regular username + password. It doesn’t have to be pass; maybe you feel more comfortable with KeePass or KeePassXC. There are so many password managers on the market, you are free to choose.

I wish for you that your passwords always stay safe and secure.

Photo by Paolo Chiabrando on Unsplash