I heard one of the more ignorant things last week: A guy told me that he preferred a closed-source, commercial password manager instead of an open source one “because [he doesn’t] trust open source software”.
Amusingly, he said this at about the same time the news broke that the commercial password manager OneLogin had been hacked, with attackers potentially stealing sensitive user data.
I tend to trust open source (and community-supported) software more for two basic reasons:
- The source code is available, and I could examine and compile it myself.
- Practical experience – most notably seeing how fast patches for Heartbleed rolled out in 2015 compared to patches for Stagefright on Android.
Additionally, this is the risk you run whenever you store sensitive information “in the cloud” (and remember, “in the cloud” simply means “on someone else’s computer”). Yes, this includes the syncing that both Chrome and Firefox can do.
My advice on making your online life more secure is still valid five years on. I still use KeepassX (Win/Mac/Linux) quite happily. You can sync the password database to your phone using a commercial service such as Dropbox (using DropSync) or a self-hosted one like OwnCloud (use FolderSync) and then use the app Keepass2Android (offline version) to open that local file.
Why is that better than trusting it all to a company like OneLogin? Simple. If my OwnCloud/Dropbox account gets hacked, the attacker only gets an encrypted database file; a completely separate master password still locks my password data.
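As an added illustration of this point (not code from the original post, and not KeePass's real file format), the following Python sketch shows what a sync-provider intruder actually gets: a blob of salt, nonce, ciphertext and tag that is unreadable and unverifiable without the master password. It assumes PBKDF2-HMAC-SHA256 for key stretching and an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC; the sample vault contents are constructed.

```python
import hashlib
import hmac
import os

# Illustration only: the synced file is ciphertext plus a MAC, and the keys
# exist only on devices that know the master password. Construction assumed
# here (not KeePass's): PBKDF2-HMAC-SHA256 key stretching, HMAC-SHA256 in
# counter mode as the keystream, encrypt-then-MAC with a separate MAC key.
PBKDF2_ROUNDS = 100_000


def derive_keys(master_password, salt):
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                   PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def keystream(key, nonce, length):
    """PRF-based keystream: block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password, plaintext):
    """Build the file that gets synced: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password, blob):
    """Check the tag first (rejects wrong passwords and tampering), then decrypt."""
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or corrupted vault")
    return bytes(c ^ k for c, k in zip(body, keystream(enc_key, nonce, len(body))))


def unlocks(master_password, blob):
    """True only if this master password opens the synced file."""
    try:
        open_vault(master_password, blob)
        return True
    except ValueError:
        return False
```

A compromised Dropbox/OwnCloud account hands over only the output of `seal_vault`, so the intruder's next step is an offline guess at the master password, which is why its strength (and the KDF cost) is what matters.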
I’m not going to tell you that you have to use KeepassX. You should use whatever works with your workflow. But you should make sure that you take your own responsibility for your online security.
One more addition that I’ll make to my recommendations: your password manager should have a “notes” area. Use it so that your “security questions” can have completely random answers that are still accessible from your phone when you need them.