How Does a Password Manager Work?
In this article, we’ll answer the question, ‘How do password managers work?’, explain their uses, guide you on getting started with them, and reveal why they’re the best way to store passwords.
Most of us have hundreds of accounts today, and keeping track of all those passwords is virtually impossible. Hence, we reuse passwords for our accounts or keep them in a notebook.
This is where password managers come in – they store all your passwords securely and conveniently. They also generate strong passwords automatically and offer autofill capabilities for increased protection and ease of use.
Below, we’ll show you how to use a password manager and help you make an informed decision about your online safety.
What Is a Password Manager And What Does It Do?
A password manager generates complex passwords and stores them securely, but that’s typically not all it does. Let’s explore its capabilities below:
They Can
- Store your account credentials (username and password)
- Encrypt your passwords to prevent unauthorized access
- Auto-generate complex passwords
- Sync your passwords to all your devices
- Offer password-sharing mechanisms
- Send security alerts for breached accounts and vulnerable passwords
- Auto-fill account credentials on websites
- Store PDFs, API keys, and other sensitive documents
They Can’t
- Prevent malware from infecting your devices
- Protect against keyloggers
- Monitor your browsing activities
- Detect spyware on your devices
- Completely protect against user negligence
Why Use a Password Manager?
A password manager helps you transition from reusing passwords and notebooks to a unified workspace that you can access quickly. This brings convenience to an otherwise tedious process.
However, storing passwords digitally without using a password manager introduces new attack vectors, such as phishing, unauthorized access, and malware. So, how can a password manager guard against these threats?
It encrypts your passwords in a zero-knowledge ecosystem where only you can decrypt and access your personal information.
If you’re used to keeping passwords in a notebook, why would you switch to a password manager? Let’s see why below.
1. Password Generator
The biggest advantage of password managers is you don’t have to remember all your passwords anymore. This lets you create more complex passwords, making your accounts more secure. And most password managers today have a password generator feature.
You can add uppercase and lowercase letters, symbols, and numbers to make the password unique and virtually impossible to guess. Password managers give you a lot of scope. For example, NordPass gives you 60 characters to play with for auto-generated passwords.
The longer and more random a password is, the harder it is to crack.
And best of all, you don’t have to know or remember it or even know what it is. The password manager does that for you.
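What such a generator does internally, as an added example (not code from this article or from any product named here): it draws every character from the operating system's CSPRNG, guarantees each enabled character class appears, and reports the entropy that length and alphabet size buy. The class names and the symbol set are assumptions made for the sketch.

```javascript
const { randomInt } = require('crypto');

// Character classes a generator typically lets the user toggle
// (constructed for this example; real products define their own sets).
const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{};:,.?',
};

function generatePassword(length, enabled = Object.keys(CLASSES)) {
  const sets = enabled.map((name) => {
    if (!Object.hasOwn(CLASSES, name)) throw new Error(`unknown character class: ${name}`);
    return CLASSES[name];
  });
  if (sets.length === 0) throw new Error('enable at least one character class');
  if (!Number.isInteger(length) || length < sets.length) {
    throw new Error('length must be an integer with room for one character per class');
  }
  const alphabet = sets.join('');

  // randomInt() uses the OS CSPRNG and has no modulo bias, unlike
  // Math.random() or "randomByte % alphabet.length".
  const chars = sets.map((set) => set[randomInt(set.length)]); // one per class
  while (chars.length < length) chars.push(alphabet[randomInt(alphabet.length)]);

  // Fisher-Yates shuffle so the guaranteed characters do not sit in fixed positions.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomInt(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}

// Number of distinct characters available with the given classes enabled.
function alphabetSize(enabled = Object.keys(CLASSES)) {
  return enabled.reduce((n, name) => n + CLASSES[name].length, 0);
}

// Entropy in bits of a uniformly random password: length * log2(alphabet size).
// Forcing one character per class lowers this very slightly, so read it as an upper bound.
function entropyBits(length, size) {
  return length * Math.log2(size);
}
```

With all four classes enabled, a 60-character password carries roughly 384 bits of entropy, while 8 lowercase letters carry about 38.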
2. Multi-Factor Authentication
Most password managers offer multi-factor authentication (MFA) functionality, locking your passwords behind additional security for extra protection.
These could be SMS codes, authenticator apps, or hardware keys. While they’re not all equally secure, they’re significantly better than no MFA.
Even if someone finds your master password (the password for your password manager account), MFA will stop them from accessing your password manager, protecting you from unauthorized access.
The gold standard of MFA is a security key (like a Yubikey or Titan), a physical token impervious to phishing attacks.
3. Auto-Fill Functionality
Password managers let you auto-fill credentials on websites by using browser extensions. This makes it highly convenient to log into services and platforms.
For instance, 1Password’s extension shows a dropdown list with your credentials when logging into an account for which you’ve saved a password.
Select the account data you want to fill in, and the password manager does the rest. With this, you can log into an account in mere seconds.
4. Support Across Multiple Platforms
Password managers typically support Windows computers, Macs, Linux, iPhones, and Android devices. They also work on various browsers like Chrome, Firefox, and Opera.
Even when you’re on the go, the mobile apps are robust enough to offer a seamless experience by giving you access to all the password manager’s core features.
How Do Password Managers Work?
A good password manager does much more than store your passwords. It offers a suite of services that improve your overall personal security and convenience.
Let’s talk about how password managers secure your accounts below:
1. Zero-Knowledge Ecosystem
A zero-knowledge ecosystem is the hallmark of any worthwhile password manager. It means no one can access or decrypt what you store in the password manager – not even the app developers.
All the data is encrypted locally. This includes passwords, files, and personal information.
Even when the data leaves your device (for cloud sync), it is natively encrypted during transit. It only becomes readable on your device (which holds the decryption key) when you want to retrieve account credentials.
All the well-known password managers, such as NordPass, 1Password, and Dashlane, do this. So, it’s not a novelty feature as much as an expectation.
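The local-encryption flow described above, as an added example (not the code of NordPass, 1Password, Dashlane or this article): the key is derived from the master password on the device, and the sync server only ever receives salt, nonce, ciphertext and authentication tag. scrypt, AES-256-GCM, the cost parameters and the blob layout are assumptions chosen for the sketch; the sample entry is constructed.

```javascript
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('crypto');

// scrypt cost parameters (assumed for this sketch; real products tune their own KDF).
const KDF_PARAMS = { N: 2 ** 14, r: 8, p: 1 };

// Stretch the master password into a 256-bit key. The salt is random per vault,
// so identical master passwords never yield identical keys.
function deriveKey(masterPassword, salt) {
  return scryptSync(masterPassword.normalize('NFKC'), salt, 32, KDF_PARAMS);
}

// Runs on the user's device. The returned object is everything the server stores:
// it contains no key and no plaintext.
function sealVault(masterPassword, entries) {
  const salt = randomBytes(16);
  const nonce = randomBytes(12); // must be fresh for every encryption under a key
  const key = deriveKey(masterPassword, salt);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  const plaintext = Buffer.from(JSON.stringify(entries), 'utf8');
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    v: 1,
    salt: salt.toString('base64'),
    nonce: nonce.toString('base64'),
    ciphertext: ciphertext.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Also runs on the device. GCM verifies the tag before releasing plaintext, so a
// wrong master password or a modified blob makes final() throw.
function openVault(masterPassword, blob) {
  const key = deriveKey(masterPassword, Buffer.from(blob.salt, 'base64'));
  const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(blob.nonce, 'base64'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const plaintext = Buffer.concat([
    decipher.update(Buffer.from(blob.ciphertext, 'base64')),
    decipher.final(),
  ]);
  return JSON.parse(plaintext.toString('utf8'));
}

// Convenience wrapper: null on a wrong password or tampered blob instead of an exception.
function tryOpenVault(masterPassword, blob) {
  try {
    return openVault(masterPassword, blob);
  } catch (err) {
    return null;
  }
}
```

Because the server never holds the key, resetting a forgotten master password cannot recover the vault, which is the trade-off behind the "zero-knowledge" label.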
2. Password Sharing
Password managers let you share passwords in a more controlled manner. Instead of copy-pasting the password to your friend’s chat, you can create a share link from within a password manager.
You can customize the expiration date, access parameters, and whether the link can only be viewed once or multiple times.
This adds significant privacy and security when sharing passwords. And it puts you, instead of the receiving party, in control of the situation.
3. Dark Web Monitoring & Security Alerts
Some password managers (like 1Password and NordPass) actively scan the dark web, searching for data breaches where your personal data was compromised.
If they find anything, they’ll alert you and recommend that you change your password or email address.
Best of all, you don’t have to enable this feature – it runs passively in the background.
Simultaneously, your password manager scans your passwords’ strength and repeatability (if you use the same password for multiple accounts).
If it identifies an issue, it sends a security alert that shows the problem and what you should do to mitigate the risk.
4. Single Sign-On
Single sign-on (SSO) lets business teams access a password manager using pre-existing credentials.
These credentials can typically also give access to several other business-related tools. For instance, a company may enable SSO on Slack, NordPass, and Monday, allowing employees to log into all three platforms using the same credentials.
Most modern password managers allow SSO for business accounts because it’s a highly convenient feature despite introducing new security risks. If a hacker obtains access to an SSO account, they also gain access to all accounts linked to the SSO credentials.
5. Two-Factor Authentication
Two-factor authentication (2FA) lets you add additional authentication factors (like SMS or email codes) to your password manager account.
Not all password managers offer the same 2FA options, though. NordPass offers three: authenticator, security keys, and backup codes.
1Password, on the other hand, offers only two: authenticator and security keys. However, the Secret Key also counts as a 2FA, even though it’s not marketed as such.
2FA mitigates the risk of unauthorized access to your password manager – even if someone knows your email and password, they still need the 2FA codes or security token. Without them, they can’t access the account.
2FA only works on unrecognized devices/browsers. 2FA is irrelevant on devices or browsers on which you’re already connected to your password manager or you’ve connected to them in the past (recognized devices).
So, if anyone steals your phone and knows your password manager’s default credentials (username and password), they’ll be able to access your account unimpeded.
However, if someone tries to access your account from an unrecognized device, 2FA kicks in and keeps them out.
6. Cloud Sync for All Devices
An online password manager syncs your password vaults across all your devices, making accessing your accounts from anywhere easier.
Most password managers do this automatically when you install the app on your devices. For instance, installing NordPass on your desktop, laptop, and mobile device means you can add entries (like passwords) on one device and access them from the other two in real time.
Your data is completely safe with NordPass online backup. It’s all encrypted on your device, so when the information reaches our servers, we have zero knowledge about the data you’re storing in NordPass. With NordPass’ XChaCha20 encryption mechanism, synched data is virtually impregnable to external attacks.
Types of Password Managers
There are three types of password managers – offline, online, and stateless or token-based. Each has pros, cons, and use cases for specific needs. Below, we’ll explain each password manager type and help you make an informed decision about which one may be right for you.
1. Offline Password Managers
Unlike online (cloud) password managers, offline ones save passwords and other data on your devices (locally) and don’t require an internet connection.
Technically, they’re much safer and more private than cloud-based password managers because you control your data flow.
There’s no intermediary between you and your password manager.
Offline password managers include KeePassXC, Pass, and Enpass, with the latter considered one of the best offline password managers available today.
However, offline password managers are less convenient to use – device synchronization is a hassle (if at all possible in some cases), and you have to keep the app up to date manually.
Using an outdated version could have devastating consequences due to unpatched security vulnerabilities.
Here’s an overview of offline password managers:
Pros
- Increased privacy compared to online password managers
- Typically free of charge
- Open source architecture
- Doesn’t require an internet connection
Cons
- Less convenient to use
- Limited synchronization options
- Harder to keep up to date
2. Online Password Managers
You’re probably most familiar with online or cloud-based password managers – 1Password, NordPass, and LastPass are a few examples.
They store your passwords on the cloud and use state-of-the-art encryption to secure them. Online password managers typically operate in a zero-knowledge environment, which means they can’t access or decrypt your passwords.
Only the user has the means (master password) to access and decrypt their vault. Most password managers also ensure your master password never touches their servers in an unencrypted form.
Even though online password managers take every security precaution to keep their users safe, your data is still stored online (on the cloud).
This includes passwords, number of vaults, usernames, and sites you have an account with.
More security typically leads to less convenience, though. If you’re privacy-conscious, you may prefer an offline password manager without all the bells and whistles of online password managers.
But if you favor convenience and comfort, you’ll compromise on the extra privacy to get the seamless experience of an online password manager.
Here are the pros and cons of online password managers:
Pros
- State-of-the-art encryption protocols
- Seamless cloud sync for all your devices
- Typically audited by external security organizations
- Password-sharing capabilities
- More scalable for business use
- Easy to keep up to date
- Faster security advancements
Cons
- Technically less private due to cloud-based storage
- Subscription-based (no one-time fee)
- Less control over your data
3. Stateless Password Managers
Stateless or token-based password managers don’t save your passwords anywhere. There’s no database of passwords, online or offline.
These password managers typically require three things to create and ‘retrieve’ passwords:
- Master password
- Username
- Website URL
When you first create a password for an account, you enter the website URL, your username, and the master password.
Using these details, the stateless password manager creates a unique and seemingly random password. You use that password for that account, and it’s not stored anywhere.
The next time you connect to that account and enter the master password (always the same), username, and website URL into the password manager, it’ll mathematically compute the same password it originally created. That’s because every generated password is a hash built from the master password, website URL, and username. Applying the same mathematical function will always retrieve the same password.
Some stateless password managers allow token-based authentication as a 2FA for the stateless password generation process. This means security keys like Yubikey and Google Titan.
There’s a catch, though. A big catch.
Passwords generated with a stateless password manager are deterministic, not random.
This means a hacker can technically reverse-determine your master password if they know any of the passwords generated from it.
A complex master password can alleviate this risk (mostly). Technically, however, there are as many ways to crack your master password as the number of passwords derived from it.
This problem doesn’t exist with offline or online password managers. Passwords generated with these are truly random.
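A sketch of the stateless derivation and its catch, as an added example (not this article's code and not the algorithm of any particular stateless manager): the same three inputs always reproduce the same password, with nothing stored. scrypt, the salt layout, the output alphabet and the default length are assumptions made for the sketch.

```javascript
const { scryptSync } = require('crypto');

// Output alphabet (assumed; look-alike characters such as 0/O and 1/l/I are left out).
const ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@';

// Reduce whatever the user typed or pasted to a bare hostname, so that
// "https://Example.com/login" and "example.com" select the same password.
function normaliseSite(siteUrl) {
  const withScheme = siteUrl.includes('://') ? siteUrl : `https://${siteUrl}`;
  return new URL(withScheme).hostname.toLowerCase();
}

function derivePassword(masterPassword, siteUrl, username, length = 20) {
  const host = normaliseSite(siteUrl);
  // The salt binds the output to one site and one account. Length prefixes keep
  // ("ab", "c") and ("a", "bc") from colliding once concatenated.
  const salt = Buffer.from(`${host.length}:${host}|${username.length}:${username}`, 'utf8');

  // A deliberately slow, memory-hard KDF. Everything about this function is public
  // and deterministic, so any one generated password that leaks lets a third party
  // test guesses of the master password offline by re-running it and comparing.
  // The KDF cost and the strength of the master password are the only defences.
  const raw = scryptSync(masterPassword.normalize('NFKC'), salt, 64, { N: 2 ** 14, r: 8, p: 1 });

  // Map 512 derived bits onto the alphabet by repeated division. The integer is
  // far larger than ALPHABET.length ** length, so the bias is negligible.
  let n = BigInt('0x' + raw.toString('hex'));
  const base = BigInt(ALPHABET.length);
  let out = '';
  for (let i = 0; i < length; i++) {
    out += ALPHABET[Number(n % base)];
    n /= base;
  }
  return out;
}
```

Changing the master password changes every derived password at once, which is why the list of cons below includes rotating all of them together.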
To summarize the benefits and downsides of stateless password managers:
Pros
- Free and open-source
- Invulnerable to data leaks since there is no database
Cons
- Complicated, cumbersome, and inconvenient to use
- Requires you to remember the usernames for all accounts
- Changing your master password means changing all generated passwords
- Every compromised password can be used to brute-force your master password
- Your master password is the single point of failure for all generated passwords
- Cannot store additional data like documents, API keys, or security questions
How to Choose a Good Password Manager?
Choosing a good password manager is no easy feat, with so many alternatives on the market. Here are several key features to look for in a good password manager:
- Good device compatibility
- Solid encryption (AES-256 + SRP)
- A zero-knowledge ecosystem
- Secure file storage (like PDFs and API keys)
- Customizable password generator
- Automated sync between devices
- Vault health reporting (like password strength indicators)
- Auto-fill capabilities
- Multi-factor authentication (like SMS codes and security keys)
- Ease of use and intuitive interface
We’ve tested and reviewed many password managers, so we know what to look for and the common issues they tend to have.
To help you decide, we’ve made a list of our top picks.
| Password Manager | Top Choice For | Starting Price (/month) | Free Trial | Standout Features |
| --- | --- | --- | --- | --- |
| NordPass | XChaCha20 encryption | $2.16 | Yes (browser extension only) | Passkey compatibility; Autofill capabilities; Data breach monitoring; Strong password generator |
| 1Password | Secret key encryption | $2.99 | No | Password tags; Watchtower |
| Dashlane | Unlimited password sharing | $4.99 | Yes (browser extension only) | Dark web monitoring; Single sign-on |
| Keeper | Emergency access | $2.92 | Yes | 24/7 customer support; Unlimited devices |
| Roboform | TOTP authenticator | $2.49 | Free plan | Passkey support; 1-click login |

NordPass stands out with its XChaCha20 encryption, which is less resource-intensive than AES-256 (currently used by all other password managers) and has a higher safety margin.
1Password is another great choice due to its Secret Key encryption, and Keeper offers emergency access in case you lose your password. Roboform is also the only password manager on our list with a free plan.
Check out our list of the best Android password managers for a more in-depth analysis of password managers.
How to Set Up a Password Manager
Setting up a password manager only takes a few minutes. We’ll use 1Password to show you how it’s done.
1. Select the Free Trial Option
Go to 1Password, select ‘Get started’ on the homepage, and then select a free trial option.
2. Create an Account
Fill in your name and email address, and select ‘Next’ to create your 1Password account.
1Password will send a code to your email. Enter it in the next window to proceed.
Create your 1Password master password and select ‘Next.’ Remember that if you forget the password, you lose access to your account.
3. Select a Payment Method
Select ‘Add a payment method’ and fill in your credit card information, or select ‘Create Account and add a payment method later.’
4. Save Your Secret Key
1Password will now create (locally) the Secret Key, the crux of its encryption protocols. Select ‘Save PDF’ and save the file someplace safe.
The PDF contains instructions on how to use the Emergency Kit. It will also have a copy of your Secret Key and another field for your password.
Remember, you can’t reset your master password using the Secret Key. The latter only functions as additional security for your account.
5. Install the Apps
Once you access your account, select ‘Get the apps’ to install the desktop and mobile apps.
Select an OS option below, depending on which apps you want to install.
After installing the apps, log into your account using your email, master password, and Secret Key.
6. Create a New Entry
We’ll use the desktop app for this part. Once you open it, select ‘New item’ in the top-right corner. Then, select ‘Login.’ This is the most common type of entry for login information in 1Password.
Alternatively, you can select other options, such as ‘Document’ or ‘API Credential,’ to add different entries.
Change the name of the entry in Step 1, then enter your username in Step 2 and the password in Step 3. To use the password generator, select ‘Create a New Password.’
The password generator will pop up, and you can customize the length and composition of your new password. When you’re happy with it, select ‘Use’ to fill it in.
Don’t forget to click ‘Save’ at the bottom to save your entry.
7. Share a Password
To share a password, select ‘Share’ in the top-right corner and ‘Get Link to Share’ in the pop-up window. This will copy a share link to your clipboard.
Paste it to your friend’s chat to share it with them.
If you choose ‘Can be viewed only 1 time,’ the link will expire after the receiving party accesses it once.
This lets you control password sharing and avoid unauthorized access from links you forgot you shared. NordPass also has this feature.
Should You Use a Password Manager?
Keeping passwords in a password manager database is crucial nowadays, especially with cybercriminals getting more sophisticated.
Without a password manager, we often reuse passwords, compromise on password complexity, or record our login details in a notebook. The first is like asking to be breached; the rest are not ideal.
A password manager like NordPass saves you from all this hassle and secures your online life with state-of-the-art encryption and zero-knowledge principles.
FAQs
Is it a good idea to use a password manager?
Yes, it’s a good idea to use a password manager to secure your accounts. That’s because you can create more complex (and unique) passwords you don’t have to remember. Read more in ‘Why Use a Password Manager?’
Do password managers change your passwords?
Password managers can change your passwords using a password generator. This lets you create random and unique passwords with custom parameters like the number of characters, symbols, and numbers. Learn more about this in ‘1. Password Generator.’
What disadvantages of password managers do you know?
A disadvantage of password managers is the theoretical security risk of ‘putting all your eggs in one basket.’ A hacker breaching your password manager can access your entire digital life. But encryption (mostly) mitigates that risk. Find more information in ‘How Do Password Managers Work?’
Do password managers know your passwords?
No, password managers don’t know your passwords. For instance, NordPass stores your passwords on the cloud in an encrypted vault that only you can access. Your passwords never exit the vault unencrypted, and not even NordPass can see inside the vault. To learn more, go to ‘How do Password Managers Work?’ and ‘Zero-Knowledge Ecosystem.’
Author: Alex Popa, Crypto & Tech Content Writer
© Copyright 2024 The Tech Report Inc. All Rights Reserved.