Can password managers read my secure data? If no, how does sharing work under the hood?

This could be implemented in a way that the provider has no access to the password. For example, the password can be asymmetrically encrypted. If the password is encrypted using your public key, and it's encrypted using your friend's public key, only you two can read the password. And you can modify and re-encrypt the password using both public keys. The provider can't read the password.

I don't know whether Dashlane or other password managers actually do this, but it's certainly possible.


I work for 1Password. We cannot decrypt your data, but you can share it. I will describe how it is done in 1Password to be able to talk more specifically, but it should give you some idea of the kind of approach used by other password managers as well.

In the case of 1Password, your data is organized into vaults. All of the items in a single vault are encrypted with the same symmetric key. The vault key, AES-256, is created by the user’s client on their own device when they create a vault. So when someone, say Patty, creates a vault, a new vault key will be created, and that vault key will be used to encrypt any item Patty adds to that vault.

When another user, say Molly, creates her account there are many things the 1Password client will do, and one of them is that it will generate an asymmetric key pair (public key and private key). Again, this happens all on Molly’s machine. No one else ever has her private key. The public and private keys are mathematically related to each other, in a way that allows someone to encrypt something with Molly’s public key that can only be decrypted with Molly’s private key.

So when Patty shares a vault with Molly, Patty encrypts the vault key using Molly’s public key. Molly (and only Molly) can then decrypt that vault key by using her private key.

I’ve skipped over a couple of steps and additional controls, but if you want many more details see the 1Password Security Design document. While the details will also differ from password manager to password manager, the general scheme is to use symmetric keys to encrypt the data and then use asymmetric cryptography for sharing the symmetric keys.
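The following is an added, self-contained illustration of the scheme both answers describe (the first answer's "encrypt it to your public key and your friend's public key", and the 1Password answer's symmetric vault key shared by wrapping it with each member's public key). It is not 1Password's code and not code posted by either answerer. The answer only names AES-256 for the vault key and "a public key and private key" for each user; the choice of AES-256-GCM for items and RSA-2048 with OAEP for wrapping the vault key is an assumption made here, as is modelling the provider as a party that holds the stored blobs plus a key pair of its own. The item text passed to `ShareScenario` is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptItem seals one vault item with AES-256-GCM under the vault key (assumed
// cipher mode); the random nonce is prepended to the ciphertext and GCM appends the tag.
func EncryptItem(vaultKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(vaultKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptItem reverses EncryptItem; a wrong key or a tampered blob fails the tag check.
func DecryptItem(vaultKey, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(vaultKey)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed item too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// WrapVaultKey is the sharing step: the symmetric vault key is encrypted to one
// member's public key (RSA-OAEP assumed here). The provider stores this blob but cannot open it.
func WrapVaultKey(vaultKey []byte, member *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, member, vaultKey, nil)
}

// UnwrapVaultKey recovers the vault key with the member's private key, which never left their device.
func UnwrapVaultKey(wrapped []byte, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// ShareScenario: Patty creates a vault with one item and wraps the vault key to her
// own and Molly's public keys; the provider holds only the stored blobs and its own key pair.
func ShareScenario(secret string) (pattyReads, mollyReads string, providerBlocked bool, err error) {
	var keys [3]*rsa.PrivateKey // Patty, Molly, provider; each generated on its own device
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	vaultKey := make([]byte, 32) // fresh AES-256 key, created client-side with the vault
	if _, err = rand.Read(vaultKey); err != nil {
		return
	}
	// Everything the provider ever stores: the sealed item and one wrapped key per member.
	stored := make([][]byte, 3)
	if stored[0], err = EncryptItem(vaultKey, []byte(secret)); err != nil {
		return
	}
	for i, member := range keys[:2] {
		if stored[i+1], err = WrapVaultKey(vaultKey, &member.PublicKey); err != nil {
			return
		}
	}
	// Each member unwraps the vault key with their own private key, then opens the item.
	for i, dst := range []*string{&pattyReads, &mollyReads} {
		var k, p []byte
		if k, err = UnwrapVaultKey(stored[i+1], keys[i]); err != nil {
			return
		}
		if p, err = DecryptItem(k, stored[0]); err != nil {
			return
		}
		*dst = string(p)
	}
	// The provider has Molly's wrapped key but not her private key, so OAEP fails;
	// opening the item with a guessed vault key (all zeros here) fails GCM authentication.
	_, unwrapErr := UnwrapVaultKey(stored[2], keys[2])
	_, guessErr := DecryptItem(make([]byte, 32), stored[0])
	providerBlocked = unwrapErr != nil && guessErr != nil
	return
}
```

Two things this makes concrete: the provider's copy of the data is only ever `stored` (ciphertext plus per-member wrapped keys), so revoking Molly later means re-keying the vault and re-wrapping for the remaining members rather than deleting her blob, and the authenticated cipher on items is what turns "the provider cannot read it" into "the provider cannot silently change it either".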