Password managing apps seem to have access to my passwords
Keeper used to be free, so I had stored most of my passwords on that app a few years ago from a past device. When I tried to access the passwords after five years, the app had turned into a subscription model and held my passwords hostage. I had no choice but to pay for their yearly subscription. I am in the process of moving my passwords out and looking for another app to use. (Currently leaning towards Samsung Pass.)
However, this had me thinking... For the apps to be able to recover my passwords saved from another device, they have to have the passwords in a two-way encryption model, which gives the company access to my passwords if they wanted to.
Usually passwords are stored via a one-way hash. However, password management apps need to be able to show the passwords in plain text to the user. So I'm guessing they use a local enc. key saved on the device or an enc. key saved in the cloud (via hash, ofc) to encrypt the passwords. This way only I will be able to see those encrypted passwords via my local key or password key (which the server hashes).
However, here is the catch. If I lose my device or forget my account password, I would still want to have access to my passwords. Google Password Manager & Keeper both have this functionality. In the case of a local key, this scenario cannot work. So these products must have the encryption key hashed somewhere in their cloud. Then let's look at how the cloud version would work.
For simplicity, let's say the enc. key is my Keeper password. And say I forgot my Keeper password. To be able to recover my password wallet that is encrypted with my forgotten Keeper password, you need the original Keeper password. There seems to be no way around it. However, with Keeper, it lets you reconfigure your account's password and gives you access to your password wallet. This means Keeper stores that enc. key somewhere in their database via two-way hash (or, god forbid, plain text).
The ability to retrieve your password wallet even after losing your device or losing your account's password only works if the company has access to your enc. key. That means the company can access all my passwords since they have the enc. key.
Am I missing something? Is there an encryption method that does not rely on a two-way encryption method for this to work?
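As an added illustration (not part of the question, and not the code of any product named in it), here is the key-wrapping pattern that lets a vault survive a forgotten master password without the provider ever holding a key it can use: the vault is encrypted under a random vault key, and that vault key is stored only wrapped under the master password and, separately, under a recovery code the user keeps offline. The cipher below is a stand-in HMAC-based construction so the example runs on the Python standard library alone; a real product would use AES-GCM or similar, and the secrets and passwords are constructed sample values.

```python
import os, hmac, hashlib

# Stand-in authenticated cipher: HMAC-SHA256 as a counter-mode keystream,
# then an HMAC tag over nonce+ciphertext (encrypt-then-MAC). Teaching only.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def kdf(secret, salt):
    # Slow derivation: the server stores the salt, never the secret.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def create_account(master_pw, secrets):
    vault_key, salt = os.urandom(32), os.urandom(16)
    recovery_code = os.urandom(16).hex()   # shown once to the user, kept offline
    record = {                              # everything the server ever sees
        "salt": salt,
        "vault": wrap(vault_key, secrets),
        "by_master": wrap(kdf(master_pw, salt), vault_key),
        "by_recovery": wrap(kdf(recovery_code, salt), vault_key),
    }
    return record, recovery_code

def open_vault(record, master_pw):
    vault_key = unwrap(kdf(master_pw, record["salt"]), record["by_master"])
    return unwrap(vault_key, record["vault"])

def can_open(record, master_pw):
    try:
        open_vault(record, master_pw)
        return True
    except ValueError:
        return False

def reset_master(record, recovery_code, new_pw):
    # Re-wrap the same vault key under the new password; the vault itself is untouched.
    vault_key = unwrap(kdf(recovery_code, record["salt"]), record["by_recovery"])
    record["by_master"] = wrap(kdf(new_pw, record["salt"]), vault_key)
```

The server holds only `record`; without the master password or the recovery code, neither wrapped copy of the vault key can be opened, and a password reset changes only `by_master`.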