Alternatives to Password Pig for all platforms with any license


Password Pig Comments

Be skeptical: Password Pig are new, and leave out key details.

Comment by JohnFastman
about Password Pig and Encryptr, LastPass, SpiderOak Mar 2017

Password Pig are a newcomer to the password management scene. So it's worth being very skeptical and looking really carefully at how they do things before you trust your most valuable data to them.

One thing that makes me immediately suspicious is this from their Terms & Conditions (6th March 2017):

Unlike some other Password Applications, Password Pig does allow a user to recover from a lost Master Password situation. The Master Password can be reset with a new one as long as the user knows (and maintains) the email address used to register and has set a security question and answer.

The reason password recovery isn't possible on other password applications is a good one. Your password encrypts your database. No one at the service should have access to this. At most, they should have some hashed and salted derivative of your password which they can't use to access your data. This follows the zero-knowledge model, which means that you and only you can access your data. It's the way every reputable service that offers encryption works (e.g. Spideroak, Tresorit, Protonmail, Encryptr). If Password Pig can reset your password, they can do this only if they have access to it, which means they either have access to your data or they have to wipe your data when they reset your password. There's no other way round it. Until they very carefully and in detail describe what they are talking about when they say they can reset your password, I wouldn't trust them. For comparison, see how a company like Spideroak describe what they offer.

Another reason to be very skeptical is that they say they use "the latest encryption technologies" and then tell you they use AES-256. There's nothing wrong with AES-256 but it's not the latest anything. It was developed in the 1990s, even if it is unbreakable. Password Pig also offers nothing about what measures they take to protect your data from brute force attack in the event that hackers do steal your password database (and that happens to the best of services).

I also wouldn't trust them because I don't trust any non-open source encryption applications. If it's not open source, and Password Pig isn't, then I can't see how they've written the code and how they implement their security. Which means I can't check that everything is done right. Open source applications have the advantage that bugs are quickly spotted.

Strangely, at the time of writing this, Password Pig don't mention anything about their pricing on the website. They only say that the first 30 days are free and then the app costs the same as a cup of coffee for a year. How much is that? It's only on their Android app site that I found this means £2.49. It's very strange not to say how much the app costs.

For someone seeking my trust with the most important data I have, I expect a lot more detail than Password Pig offer about security, encryption and pricing. I'm also not going to be their customer because they have no Linux app, but that's another matter.


On 6th March 2017 I sent Password Pig the following questions. Let's see what they say:

I have some important questions about your security/level of trustworthiness, which I feel you should explicitly address on your site. I will probably post the questions and your answers to them on a publicly visible post/forum because I think potential customers should know the answers:

No other password management app that uses zero-knowledge is able to reset users' passwords, and for good reasons. Doesn't the fact that you are able to reset users' master password mean you have access to users' passwords/data - even in principle? Or, otherwise, how do you maintain zero knowledge and the ability to reset passwords? Does it mean that when you reset a master password you also wipe the database? This deserves to be explicitly addressed in ample detail on your site, both in the "About the App" section and the FAQs.

Additionally, could you please provide information about how you host the data? Are you using your own servers? In which case, what makes you confident you'll succeed in defending them against attacks of the kind Lastpass has already suffered? Or are you using third-party solutions, like AWS (or similar)? In which case, what implications are there for users' privacy? E.g. do US or UK laws apply? Can the 3rd party log my IP address when I login to Password Pig?

If hackers were to steal users' databases, what precautions are you taking against brute-force attacks? Other companies are much more explicit about this; you say nothing about it on your site.

On a similar note, do you offer 2nd factor authentication?

The LastPass CLI reveals that user data is encrypted not in its entirety, but field-by-field, and this doesn't include the URLs of user accounts. That is to say, Lastpass are able to read which websites people have accounts with. Can Password Pig? Please be explicit: is every field in the user database encrypted to the same level and is that zero-knowledge?

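The zero-knowledge model the comment describes (the master password alone yields the key, the service holds only a salted, stretched verifier, so a "reset" means either holding the key or wiping the vault), together with the later questions about brute-force cost and whether every field, URLs included, is encrypted, as an added Python sketch. This is not Password Pig's, LastPass's or any vendor's code. The cipher is a stand-in construction (a counter-mode keystream from HMAC-SHA256 with an HMAC tag) so that it runs on the standard library alone; a real client would use AES-256-GCM. The vault contents, passphrases and the iteration count are constructed values.

```python
import hashlib
import hmac
import json
import os

# Constructed value: a slow KDF makes every guess against a stolen vault cost this many
# hash iterations, which is the brute-force precaution the comment asks about.
KDF_ITERATIONS = 100_000


def derive_keys(master_password, salt):
    """Stretch the master password into three independent keys.
    enc_key and mac_key never leave the client; auth_key is the only one shown to the server."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                             KDF_ITERATIONS, dklen=96)
    return km[:32], km[32:64], km[64:]


def _keystream(enc_key, nonce, length):
    """Stand-in keystream (counter mode over HMAC-SHA256); a product would use AES-256-GCM."""
    blocks = []
    counter = 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(enc_key, mac_key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def register(master_password, vault):
    """Build the record the server stores. Note what is absent: the master password and enc_key.
    The whole vault, URLs included, is one ciphertext, so the server cannot read site names."""
    salt = os.urandom(16)
    enc_key, mac_key, auth_key = derive_keys(master_password, salt)
    verifier = hashlib.sha256(auth_key).hexdigest()  # login check only, useless for decryption
    blob = encrypt(enc_key, mac_key, json.dumps(vault).encode("utf-8"))
    return {"salt": salt, "verifier": verifier, "vault": blob}


def unlock(record, master_password):
    """Client-side unlock: re-derive the keys and decrypt locally."""
    enc_key, mac_key, auth_key = derive_keys(master_password, record["salt"])
    if not hmac.compare_digest(hashlib.sha256(auth_key).hexdigest(), record["verifier"]):
        raise PermissionError("login rejected")
    return json.loads(decrypt(enc_key, mac_key, record["vault"]).decode("utf-8"))


def can_unlock(record, master_password):
    try:
        unlock(record, master_password)
        return True
    except (PermissionError, ValueError):
        return False


def server_side_reset(record, new_password):
    """All a zero-knowledge server can honestly do for a user who forgot the master password:
    it holds no enc_key, so the only option is a fresh, empty vault under the new password."""
    return register(new_password, {})


def client_side_change(record, old_password, new_password):
    """Changing the master password while the old one is still known: decrypt on the client
    and re-encrypt under the new key. The server never sees plaintext."""
    return register(new_password, unlock(record, old_password))


def url_visible_to_server(record, url):
    """The check behind the field-by-field question: does the stored record leak the site name?"""
    return url.encode("utf-8") in record["vault"]


if __name__ == "__main__":
    # Constructed sample vault; not real credentials.
    vault = {"https://example.test": {"user": "alice", "password": "correct-horse"}}
    rec = register("long master passphrase", vault)
    print("server sees URL:", url_visible_to_server(rec, "https://example.test"))
    print("unlock with wrong password:", can_unlock(rec, "guess"))
    print("vault after server-side reset:", unlock(server_side_reset(rec, "new passphrase"), "new passphrase"))
```

The point the two reset functions make is the one the comment argues: `client_side_change` needs the old master password because only the client can decrypt, while `server_side_reset` can only return an empty vault. Any service that claims to reset the master password and keep the data must hold something the zero-knowledge record above does not contain.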