Open source vs proprietary password managers

Nowadays, we all have huge numbers of subscriptions to online accounts and services. For those accounts to be secure, each one of them must have a unique, robust password. What’s more, truly strong passwords must be complicated, which means that they are extremely difficult to remember.

The best solution is a password manager specifically designed to remember all your passwords on your behalf. By using a password manager, you can set up strong unique passwords for each and every online account without the difficulty of having to remember them all.

However, not every password manager was created equal, and there are some important things to consider when it comes to picking a service.

Password managers - can they be trusted?

When it comes to selecting a password manager, there are some primary considerations that make one service more or less desirable than another. One of the most important of these is whether the software is closed or open source.

Closed source software is proprietary and is licensed (and copyright protected) in such a way that nobody outside the developer is permitted to copy, modify, or distribute it, and users may only run it on the developer's terms. In addition, closed source software is locked up in such a way that it is impossible to analyze the code (without being granted direct access by the developer).

If the code for a password manager is closed source, no independent third-party audit can take place, and it is impossible to verify any claims made by its developer. This means that you must trust the password manager's developer when it tells you how data is stored or transmitted by the password manager.

Any time that a password manager is closed source, you simply do not know whether the service is as secure as the developer claims, and it could be putting your privacy and security at risk.

Open source - the gold standard

Although it is possible to publish the source code for any program online (on GitHub, for example), doing so makes the code available but not necessarily "open source". Open source software must not just be available to audit; it must also carry an open source license that complies with the Open Source Definition.

Software that complies with those strict standards must be free to redistribute, must provide unlimited access to the source code, and must adhere to all ten criteria that characterize source code as "open source". Software that meets those standards, and for which the creator has waived all their rights with a Creative Commons License (CCL), is truly open source.

Open source software can be audited by any third party. This is vital for privacy and security because it means that security experts (or anybody who wants to) can analyze the code and verify that there are no mistakes, vulnerabilities, or deliberate backdoors. It also means that any claims about encryption standards, key management, how data is transmitted to company servers, or how data is synchronized across devices, are actually verifiable.

It is also worth noting that while publicly available code is not necessarily "open source" in the strictest definition of the term, it is still satisfactory for security and privacy purposes, because it still permits security professionals to analyze and verify the source code of the service.

Other important considerations

As you can see, open source vs. closed source is an important consideration when it comes to selecting any privacy software. However, when it comes to password managers, there is arguably something else that is just as important (and is inextricably linked to the closed source/open source debate).

Password managers come in two varieties: services where you encrypt your own passwords and only you can decrypt them, and services where you entrust a third party to encrypt your passwords for you (and where the third party holds the key used to decrypt the passwords on your behalf).

Storing your passwords online is considered excellent in terms of user experience, because it allows passwords to be accessed from any device. And, if those passwords are stored with end-to-end encryption, this implementation is considered secure because only the user has the power to decrypt them.

Of course, if your passwords are stored on company servers, this does slightly increase the risk that they could be hacked (for example, an attacker could simply guess your master password). However, this risk is very low as long as your master password is both unique and complex, and/or you use a key file or another form of Two Factor Authentication (2FA).

It is worth noting that if a password manager provides true end-to-end encryption (E2EE), then your account will never be recoverable. This is because only you have the power to access your passwords, via your master key. If you lose your master key, you will be locked out of your passwords forever. This might concern some users, who fear losing or forgetting their master password. However, it is actually a sign of a better password manager.

Anybody who desires a truly secure password manager is better off opting for a service that can never be recovered and for which only they hold the master key. In addition, to be truly trustworthy, a password manager’s software ought to be open source.

As previously explained, it is impossible to verify whether a password manager is either of the previously mentioned kinds if it is closed source. As a result, it is impossible to verify that a closed source password manager isn’t secretly sharing your master key with a third party.

Any closed source password manager that claims to have E2EE could theoretically be compiling every user's password collection on behalf of the NSA. Even if this might seem unlikely, it is a possibility if the password manager is closed source.

Closed source vs open source password managers

Below we have compiled a list of popular password managers so that you can see whether they are closed or open source. Many of the closed source password managers on this list have excellent reputations, and some may be a good option for you depending on your threat model.

However, we still recommend unrecoverable open source managers to anybody who wants the very best levels of security available.

Written by: Ray Walsh

Digital privacy expert with 5 years' experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more.

8 Comments

everwanna
on July 8, 2020
Hello, I disagree with the opinion. When it comes to security, open source is far from the gold standard.

I am an expert on password managers. Actually, I write ID Guard Offline, an offline password manager. Just as Al said, open source can have flaws. Security design is much, much more important. I list some here.

- The attack surface exposed. Minimal attack surface is always better, no matter open source or not.
- Online or offline? Offline is better, because the attack surface is small.
- Encryption design. Yes, almost all password managers use AES/PBKDF2. But how do they protect the secret (encryption key or master password)? Some password managers might store the master password in a file. Check out this: https://team-sik.org/sik-2016-022/
- How to harden the attack surface exposed. Autofill, for example, an exposed attack surface, is a common feature for password managers now. But how do the password managers prevent phishing or unintended filling?

In my opinion, it needs very innovative technology to improve the security of password managers. Open source does not attack those issues directly.
Ray Walsh replied to everwanna
on July 9, 2020
This is true, and our reviews of individual password managers do look at these kinds of security aspects, which are important. However, it is open source that allows all of these kinds of issues to be checked properly by independent security auditors, which means that these things will all be checked to see if vulnerabilities exist. If the password manager is closed source, you will have to trust that all of the above is secure, and you will never get an independent auditor's opinion on the matter. Thus, whether the platform is open source and has been scrutinized, preferably by multiple different people, is highly important. If the platform is closed source, you will have to trust what it tells you, and it could even potentially be doing nefarious things you will never get to find out about.
everwanna replied to Ray Walsh
on July 9, 2020
Open source can help verify the issues. But it is not the only method. For example, offline or online: we can check the app permissions in Android. If it is a true offline app, it does not have the 'full network access' permission. Another one: our password manager uses a security chip to protect passwords. If we clone the app data to another phone with a system migration tool, our app can never decrypt the stored passwords, but lots of password managers do. To verify other claims might need some sophisticated skills, but it is not possible. The Team SIK guys found those issues without source code. Of course, we can fairly say that open source can make it easier.
Gina Ferrari
on January 14, 2020
Just a question, if you would. Why, in the list of Password Managers at the bottom of the article, is Bitwarden the only one with a hyperlink?
Douglas Crawford replied to Gina Ferrari
on January 16, 2020
Hi Gina. We're not quite sure how that happened, so thanks for picking us up on it. Fixed now.
Al Martinsen
on January 11, 2020
I don't agree with this article. It implies that open source is always safer than a closed one, and that's not really true: closed source can be really good and open source can also be badly done or have flaws. I'm not against open source; actually, I'm very much pro open source software. Especially governments should implement and use it everywhere. But I would like to explain my point with a few examples:

Closed software CAN BE audited. Actually, serious companies like 1Password (closed software) periodically audit their software to try to test its security and to find any issues: https://support.1password.com/security-assessments/

Open Source software HAS vulnerabilities too. As an example, the very own Linux Kernel has had some pretty serious vulnerabilities over the years: https://resources.whitesourcesoftware.com/blog-whitesource/top-10-linux-kernel-vulnerabilities

It's when somebody finds a vulnerability that it gets resolved, and hopefully it's found first by "the good guys" (white hat hackers, audits, etc.), but it can happen to both. Open Source software is a very interesting and useful movement, but it's not safer per se. It depends really on the number of people checking the code or testing its flaws.
Douglas Crawford replied to Al Martinsen
on January 13, 2020
Hi Al. Thing is, open source is not perfect by any means, but it is the only way we can know for sure that companies are telling the truth about their software. And what we learned courtesy of Edward Snowden is that tech companies simply cannot be trusted to tell the truth. The NSA (and almost certainly other alphabet agencies) have their toe in just about everything, and most companies will compromise their users' privacy to keep them happy... or at least that's what we have to assume, because unless the code is open source we simply have no way of knowing what is really going on.
Al Martinsen replied to Douglas Crawford
on January 13, 2020
That's certainly true. I just wanted to point out that your point is true if we think about a "perfect software". I mean: if we have a perfectly safe closed software, the only way to access the data is by things like the NSA and such (in case the software developer can decrypt your personal data stored on their servers). And if the open source software is perfectly safe, then we have a winner for our privacy. But what if this open source software has a flaw, or a brute-force attack by a malicious person (or government) gives access to your data there? Again, just for clarification, I support and prefer the open source approach, but just because it's open it doesn't mean it's safer, like the article implies. The risks are simply different. Anyway, thanks for your website, it's very useful and interesting :)
