Are open-source password managers safe to use?
In this article, we ask if open-source password managers are safe to use, and whether they're more secure than closed-source alternatives.
With so many online services and SaaS (software as a service) platforms now available—for everything from planning your work schedule to automating your accounts—the number of passwords you need to remember is growing. As a result, password managers are becoming increasingly popular.
The best password managers enable users to log on to countless platforms with a single click via mobile or desktop apps. However, not all password managers are the same. Open-source password managers publish their source code, meaning it can be read and modified by third parties.
This level of transparency has inevitably led to questions about the security of password managers built on open-source code. Read on to find out if these concerns are justified, or whether open-source password managers could actually be safer than closed-source alternatives.
What’s the difference between closed and open-source password managers?
Password managers can be free or paid-for, but they can also be defined as open-source or proprietary services. And there are distinct differences between the two.
Proprietary, or closed-source software, is not publicly available. This means it can't be altered or distributed by unlicensed users. Unless you are provided direct developer access, it's also impossible to view or edit the source code. This means that when you use a proprietary password manager, you are dependent on the centralised company that owns the rights to the code to manage it safely.
Open-source password managers, on the other hand, can be freely distributed, and the source code is accessible by anyone that wishes to view it. Anyone can find issues that need improving upon and fix them. Another difference is that open-source software is customisable, and can be hosted independently.
The majority of users are likely to opt for a standard proprietary password manager. They can be easier to use and, when it comes to onboarding, the processes are very straightforward. The extra services provided by open-source alternatives can be a little niche, but the security gains could be enough to sway some people.
Should I use an open-source password manager?
So is it safe to use open-source password managers? In short, yes, it is. In fact, in many cases, it could be safer than a proprietary alternative. The trouble is, closed-source password managers don't enable a user to audit the source code independently. This means that users are entirely reliant on the integrity of the original developers to ensure the safety of their passwords.
Of course, it’s unlikely a development team would be dishonest about the measures put in place to protect their password management platform. But using an open-source infrastructure enables others to check these claims, and look for errors in the storage and password sending process.
Everyone can make mistakes, so having source code open for third-party public auditing can actually make it safer, because any potential vulnerabilities are more likely to be rooted out. On top of this, with open-source software, any promises of particular encryption protocols and secure delivery systems can be checked and verified—something that can't be done with proprietary software architecture.
People may hear the words “open source” and think the worst. However, open doesn’t mean unsecured. The same measures that are used to secure proprietary managers are used in open-source password managers too. The difference is, these measures can be checked and verified, and users don’t just have to take the developers’ word for it.
Are open-source password managers vulnerable to cyberattacks?
All password managers that are hosted on the internet are vulnerable to attack from cyber crooks. However, the best password managers—both closed and open-source—go to great lengths to make this outcome almost impossible. The first line of defence is your master password.
A good password manager will force you to use a complicated master password that is very difficult to crack. The next level up is 2FA, a security measure that all password managers should be using.
Master passwords are kept on your device, so theoretically, unless someone logs onto it, they won’t be able to access your data. However, with closed-source software, there’s no telling if this protocol changes. And if it does, it's almost impossible to find out how, when, and why—unless the company decides to reveal the information independently.
When it comes to encryption standards, the top password managers use algorithms such as AES-256, which are virtually impossible to overcome. Some password managers even enable biometric unlocking.
Your data is encrypted before being loaded onto a password manager’s cloud server, and this provides an incredibly strong line of defence. But open-source password manager users have an extra layer of armour. They can configure the software to store their passwords on a server of their choice.
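To illustrate the encrypt-before-upload model described above, here is an added example (not code from this article or from any particular password manager): the key is derived from the master password on the device and the vault is sealed with AES-256, so the server stores only ciphertext. The scrypt key derivation, GCM mode, parameter values and function names are assumptions chosen for the illustration.

```javascript
const crypto = require('crypto');

// Assumed parameters (not from the article): scrypt cost settings for the KDF.
// N=2^15, r=8 needs about 32 MiB, so Node's default memory limit is raised.
const KDF = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Stretch the master password into a 32-byte (256-bit) AES key.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, KDF);
}

// Runs on the device: returns the only object that would be uploaded.
function sealVault(masterPassword, entries) {
  const salt = crypto.randomBytes(16); // fresh per vault, stored beside the ciphertext
  const iv = crypto.randomBytes(12);   // must never repeat under the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Runs on the device: returns the entries, or null when the master password
// is wrong or the stored blob was modified (GCM tag check fails).
function openVault(masterPassword, blob) {
  const key = deriveKey(masterPassword, Buffer.from(blob.salt, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  try {
    const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'base64')), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch {
    return null;
  }
}
```

The master password and derived key never appear in the uploaded object; only the salt, IV, authentication tag and ciphertext do, which is why the choice of hosting server does not change what the server can read.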
The most important thing to consider is that if any of these key security measures are missing with your chosen password manager, then you should probably look elsewhere. The internet can be a lawless place, and your passwords are the most lucrative data a cyber thief can find, so the more layers of protection you have, the better.
Although password manager technology is overall very safe, this doesn’t mean you should neglect your personal security responsibilities. You need to make sure that your devices are secure, and that nobody can snoop on your sessions through a complex key logger or other similar attacks.
Keeping your antivirus and anti-malware software up to date, and following best practices when it comes to staying safe online, will likely give you all the security you require.
Open-source password managers: Conclusion
It’s easy to understand why some users might be put off by open-source password managers. However, the reality is that they’re generally more trustworthy and safe than closed-source alternatives.
When you enable multiple users to audit the code, you can be more confident that anything that may have been missed is identified. This extra level of scrutiny leaves users less open to vulnerabilities. Although you can never fully guarantee the security of a password manager, password managers most certainly encourage better practices, like not using the same credentials for multiple accounts and creating more complex passwords.
However, open or closed source is just one thing to consider. Before you make a decision, do your research to ensure you’re choosing one of the best password managers for you and your needs.
Further reading on password managers
Check out our guides to the best free password managers and the best password managers for business. It's also worth looking at our top five things to consider before buying a password manager.
Should the worst happen and you need to recover a lost password, ensure you're using one of the best password recovery tools to do so. If you've got a new password but don't know if it's strong enough, try out some free platforms to test password strength.
Kieron is a freelance science and technology journalist with more than a decade of experience writing for magazines in print and online. Today, his focus is on cybersecurity, blockchain, and emerging tech.