Password Manager Feature Wishlist 2023

See all posts

It's 2023 and I am still on the journey how to improvepimp my password management system.

Motivation

Since the recent LastPass hack showed how crucial good cryptography choices are, I decided to write down my wishlist for features that I want in a great password manager.

The Wishlist

Here are my criteria:

• Must use state-of-the-art cryptography for password-based key derivation
• Must use state-of-the-art cryptography for encryption
• Needs to be available cross-platform between macOS and Linux
• Should require interaction with a hardware security key (e.g. YubiKey or Trezor)
• Online/sync capability should ideally be optional

Notice that I listed separate bullets for key derivation and encryption because I want to emphasize the importance of both these features. If you use "military-grade" (sigh) encryption via AES-256 but use PBKDF2 with poor parameters for the key generation, someone will make fun of you.

In fact, I will exclude every password manager that uses PBKDF2 instead of Argon2 or scrypt from my list of candidates that I would use or recommend to friends. 1Password is an exception to this rule because they sample an additional secret key as a second factor.

Give me modern Crypto

When it comes to pure cryptography, here is my wishlist of algorithm choices:

(Password-based) Key Derivation

Use either scrypt with N=16384, r=8, p=1 or Argon2d with a memory cost of 1024 MiB, ops cost of 4, and parallelism of 1. If you also fear side-channel attacks, consider using Argon2id instead of Argon2d.

Symmetric encryption

Pick either AES 256-bit or ChaCha20 256-bit. Both are good choices. Both were developed by Daniel J. Bernstein. ChaCha20 is said to be faster than AES and to have fewer timing channels.

Asymmetric encryption / hardware security key support

If your setup requires you to use asymmetric cryptography or you want to use a hardware security key, use X25519 (e.g. with Ed25519 keys). Please do not use RSA (even worse if you use 2048 bits or less) or obsolete PGP keys for password encryption.

Verdict

KeePassXC is what I use currently. It even lets you choose these options on your own (via "Database Settings" -> "Security" -> "Encryption Settings"):

However, I am tempted more and more to switch to passage which uses age as a backend, can be used with YubiKeys / Trezor and is developed by Filippo Valsorda, one of the most renowned cryptography engineers of our time.

The main advantage of using passage in conjunction with a hardware security key is to prevent / rate-limit password exfiltration, since it can be set up to require a physical touch of the hardware security key for each password decryption. For more information, check out his blog post.