Why do we prefer offline password managers?


The previous post(How do password managers work? ) discussed how password managers work. They derive an encryption key from the user-set master password and encrypt user data with that key.

In this post, we will discuss two major types of password managers: offline(or local) and online(or cloud-based) password managers. The biggest difference between them is where they store the data, the vault. An offline password manager stores the encrypted vault on local storage like the user’s mobile phone, while a cloud-based one sends the vault into their cloud server.

Which one do you think is safer? Some of you might say “offline ” without hesitation since it is “offline”. Clever choice! But are online password managers safe? To answer this question, we need to know two things: unlock factors and attack surface.


Unlock factors

From the previous post, we know extracting passwords from password managers depends on two factors: the master password and the vault file.

But compared with the vault stored on local devices, it is much easier for bad guys to unlock the vault on the cloud servers. Storing vaults in cloud servers is equivalent to storing a safe in someone else’s home. It gives the administrators of cloud servers, the homeowners, access to the vault stored in cloud servers. What they need is the master password to unlock the vaults. In other words, storing data on local devices can effectively stop the administrators, especially some bad guys from unlocking your vault.


Attack surfaces

What about attack surfaces?

The attack surface of a software environment is the sum of the different points (for “attack vectors”) where an unauthorized user (the “attacker”) can try to enter data into or extract data from an environment. Keeping the attack surface as small as possible is a basic security measure.


In other words, attack surfaces are the windows for hackers to steal users’ master passwords or vaults. Now let’s figure out which kind of password manager has fewer attack surfaces.

Both online and offline password managers share the same attack surfaces on local devices. Hackers may steal the vault with malicious programs or copy the vault on a local storage device. And hackers may install bad software keyboards, and key-loggers can steal the master password when we type it.

Different from offline password managers, online password managers transport the vault among different devices on the Internet. To achieve this goal, it requires users’ information ( users’ names & the master passwords) and stores the vault on cloud serve. This whole process naturally exposes more attack surfaces. Let’s look into these attack surfaces one by one.

1. A flawed authentication process

When unlocking the password manager app, offline password managers just do the decryption process. But cloud-based password managers authenticate the user to make sure he/she accessing the right vault on the cloud. It is very subtle to verify the user by the master password without knowing the password. There is a standard protocol to do that.

However, do all the cloud-based password managers implement it or implement it flawlessly? The answer might be not, since it has been shown that some password manager developers might not have adequate security expertise.

2. Frequently transported vault online

Using online password managers means your data moves over many Internet routers to get to your computer, smartphone, or the cloud servers. The app uploads data to the cloud servers, when you save passwords in a cloud-based password manager app. This also happens when you log in to the app on another device.

This no doubt increases the rate of the vault being disclosed to the third-party routers when uploading to and downloading from cloud servers. Although many services adopt TLS connection to make it more secure, there still exist threats.

3. Risks of cloud storage

Besides the process of saving, uploading, and downloading the vault, there are at least 3 threats to cloud storage.

  • A bad employee can access the vaults. (see details on “unlock factors”)

  • A hacker breaks into the cloud servers.

Cloud storage is a magnet for hackers. Once they break the cloud storage, they can get many people’s high-value secret data at once! Cloud storage is every hacker’s dream place.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain. 

The cloud infrastructure depends on hundreds or thousands of third-party components to keep it running. If one of the components is compromised and injected with malicious code, the component might be able to send vaults to the hacker.

4. Web-based access exposes attack surfaces

Many cloud-based password manager services offer web-based access. Users can access the vault anywhere with a browser and the master password. First, let’s figure out how web-based password managers work.

Browser downloads the web-based password manager app from the cloud (step 1). Then the web app asks the user for the username and the master password (step 2). Next, it authenticates the user and downloads the right vault from the cloud (step 3).

During the whole process, data might be attacked at least in three possible situations (see above).

  • Bad insiders

Web-based password manager app is stored on cloud servers. Bad administrators or hackers can break inside it, inject malicious code into the web app, and grab your master password and the vault. You are doomed. Cloud servers are always connected to the Internet and face attacks, but apps installed on the local device are not.

  • If the web app depends on third-party resources, such as ads, traffic analysis components, etc., it is possible to be compromised.

  • If you installed some malicious browser extension, it might be able to steal all your passwords.

5. Vulnerable browser extensions

Many cloud-based password managers offer extensions to help autofill passwords in browsers. But the extension API is based on WEB DOM technology. The attack surfaces of native applications are usually limited, but for extensions, it is not the case. The powerful DOM API can be accessed by any third-party javascript code, causing the attack surfaces uncontrollably. Sean Cassidy, a well-known security researcher, wrote in this post: Browser Extension Password Managers Should Not Be Used .

Here’s the thing: when you use a browser extension password manager, you’re giving attackers an API to interact with your password manager via JavaScript or the DOM. That’s how LastPass worked, and it’s how many of the new attacks work, too. Desktop-based password managers have no such access, as they require compromising the local machine first, which is much harder than visiting a webpage.


Privacy consideration

Most cloud-based password managers require users to be registered with an email address or phone number. The client includes tracker components that collect usage(user behavior) data for improving their products and services, or just for ads. Though some offline password managers do the same, many do not require registration nor collect usage data.

Overall, offline password managers have smaller attack surfaces than online password managers. Offline password managers also have less risk of leaking users’ privacy.