Password generation/safety software


#1

One reason I've been skeptical of password generator software is the possibility that the provider might be hacked or otherwise compromised. This one seems different: http://masterpasswordapp.com/privacy.html Not being a master-hacker or crypto sophisticate, it looks promising. Any general thoughts or comments on these software packages in general and the one in the link, in particular?

Thanks,
KAC


#2

It depends on what you mean by "hacked."

1Password is an easy-to-use password manager that allows you to back up your passwords and sync them across multiple devices, without disclosing your passwords to third parties. This works because your password archive is encrypted end-to-end. Specifically, the archive is symmetrically encrypted/decrypted by the user on any of their end-point devices, using their "master password" as an AES-256 key.

However, since your passwords are stored with a third party (1Password), this makes them a very attractive target. Did they make a mistake in implementing their encryption scheme? If so, everyone's passwords could be made public in very short order. Is this likely? Not really. 1Password is made by AgileBits, a respected firm with a good security record. I usually recommend 1Password for most people because it's usable and reasonably secure.

Don't want to give your passwords to a third party, even if they're encrypted? OK, use KeePassX. You are responsible for backing up your passwords yourself. The interface is kinda 90s, but you're not uploading your encrypted passwords to a single provider. KeePassX is also an open source project.

Don't like either of these options? Generate your own passwords with diceware or this python script.
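The two techniques mentioned in this post, spelled out as an added example that is not code from the thread or from 1Password/KeePassX: generating a Diceware passphrase with the OS CSPRNG, and stretching a master password into a 256-bit key before it is used for AES-256. The word list below is a constructed toy list (a real Diceware list has 7776 entries), and the KDF shown is PBKDF2-HMAC-SHA256 from Python's standard library; the KDF and parameters any particular product uses are not given on this page and are not assumed here. Standard library only, so it runs offline.

```python
"""Diceware passphrase generation and master-password key stretching.

Added example, not code from the forum thread or from any product it names.
Uses only the standard library: `secrets` for random choices, `hashlib` for
PBKDF2.
"""
import hashlib
import math
import secrets

# Constructed toy word list. A real Diceware list has 6**5 = 7776 words, one
# per five-dice roll; only a dozen are used here so the example runs offline.
SAMPLE_WORDS = [
    "abacus", "bramble", "cactus", "dewdrop", "ember", "falcon",
    "granite", "harbor", "iguana", "juniper", "kestrel", "lantern",
]

# Size of a full Diceware list (five six-sided dice).
DICEWARE_LIST_SIZE = 6 ** 5


def dice_roll_to_index(roll: str) -> int:
    """Map a physical five-dice roll such as "31126" to a list index 0..7775.

    Each die is a base-6 digit (1..6 -> 0..5), most significant first, so
    "11111" -> 0 and "66666" -> 7775. This is how a printed Diceware list is
    looked up when you roll real dice instead of calling a CSPRNG.
    """
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError("roll must be exactly five digits in 1..6")
    index = 0
    for digit in roll:
        index = index * 6 + (int(digit) - 1)
    return index


def generate_passphrase(words, n_words: int = 6, separator: str = " ") -> str:
    """Pick n_words uniformly at random from `words` using the OS CSPRNG.

    secrets.randbelow is used rather than random.choice: the `random` module
    is a Mersenne Twister, which is fine for simulations but not for secrets,
    since its state can be recovered from observed output.
    """
    if n_words < 1 or not words:
        raise ValueError("need at least one word and a non-empty word list")
    chosen = [words[secrets.randbelow(len(words))] for _ in range(n_words)]
    return separator.join(chosen)


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly from a list of list_size words.

    Assumes the attacker knows the list and the scheme; only the choices are
    secret. A full Diceware list with 6 words gives about 77.5 bits.
    """
    return n_words * math.log2(list_size)


def derive_aes256_key(master_password: str, salt: bytes,
                      iterations: int = 600_000) -> bytes:
    """Stretch a master password into a 32-byte key usable for AES-256.

    The password is not used as the key directly: it is run through a slow,
    salted KDF so each offline guess costs the attacker `iterations` HMAC
    computations, and the salt stops one precomputed table serving every
    vault. 600k is the OWASP (2023) floor for PBKDF2-HMAC-SHA256; this is an
    assumption of the example, not a statement about any product.
    """
    if len(salt) < 16:
        raise ValueError("salt should be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, 6)
    print("toy passphrase:", phrase)
    print("entropy with the toy list: %.1f bits" % entropy_bits(len(SAMPLE_WORDS), 6))
    print("entropy with a real 7776-word list: %.1f bits"
          % entropy_bits(DICEWARE_LIST_SIZE, 6))
    salt = secrets.token_bytes(16)  # stored alongside the vault, not secret
    key = derive_aes256_key(phrase, salt)
    print("derived AES-256 key:", key.hex())
```

The derived key is what an AES-256 vault would actually be encrypted under; the salt is stored next to the vault in the clear, while the passphrase never leaves the device. With the toy list the passphrase is far too weak (about 21 bits for six words), which is exactly what `entropy_bits` is there to make visible.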


#3

Thanks for yet another helpful and informative answer! For no other reason than it's possible, particularly if the password manager becomes the target of government hacking (ours or others'), I'm disinclined to trust a password manager. I'm sure that even my limited understanding is lame, but what looked attractive to me for "Master Password" was that it appeared to run on the user's phone and/or computer. Somewhere else on the web site, I saw something about "an internet connection is required"; that suggests I'm wrong. Any thoughts on that particular software package?

By the way, if this is a thread that should be off this board, let me know and I'll send you my email.

Keith


#4

It's a great question, @KAC, and definitely belongs here.

I 100% agree with @ethannorth's response above… I'd add that with 1Password, you authenticate with (1) your password and (2) an account key associated with your devices. On top of your password, a remote attacker would have to get that corresponding key OR access to your device itself. That's much less likely than someone logging in with reused passwords, so I'd definitely recommend 1Password.

An internet connection is required to sync your encrypted password vault across devices.

I wrote a couple of guides on 1Password or KeePass, if you're looking for help getting started.


#5

@mshelton's response is completely accurate. If you want a password manager where your passwords don't leave your device, even in encrypted form, then KeePassX would meet that requirement. I'm not familiar with the Master Password app.


#6

Thanks, Ethan and Martin!