How Does a Password Manager Work?

Why Trust Tech Report

Tech Report is one of the oldest hardware, news, and tech review sites on the internet. We write helpful technology guides, unbiased product reviews, and report on the latest tech and crypto news. We maintain editorial independence and consider content quality and factual accuracy to be non-negotiable.

In this article, we’ll answer the question, ‘How do password managers work?’, explain their uses, guide you on getting started with them, and reveal why they’re the best way to store passwords.

Most of us have hundreds of accounts today, and keeping track of all those passwords is virtually impossible. Hence, we reuse passwords for our accounts or keep them in a notebook.

This is where password managers come in – they store all your passwords securely and conveniently. They also generate strong passwords automatically and offer autofill capabilities for increased protection and ease of use.

Below, we’ll show you how to use a password manager and help you make an informed decision about your online safety.

What Is a Password Manager And What Does It Do?

A password manager generates complex passwords and stores them securely, but that’s typically not all they do. Let’s explore their capabilities below:

Why Use a Password Manager?

A password manager helps you transition from reusing passwords and notebooks to a unified workspace that you can access quickly. This brings convenience to an otherwise tedious process.

However, storing passwords digitally without using a password manager introduces new attack vectors, such as phishing, unauthorized access, and malware. So, how can a password manager guard against these threats?

It encrypts your passwords in a zero-knowledge ecosystem where only you can decrypt and access your personal information.

If you’re used to keeping passwords in a notebook, why would you switch to a password manager? Let’s see why below.

1. Password Generator

This lets you create more complex passwords, making your accounts more secure. And most password managers today have a password generator feature.

You can add uppercase and lowercase letters, symbols, and numbers to make the password unique and virtually impossible to guess. Password managers give you a lot of scope. For example, NordPass gives you 60 characters to play with for auto-generated passwords.

The longer and more random a password is, the harder it is to crack.

And best of all, you don’t have to know or remember it or even know what it is. The password manager does that for you.

2. Multi-Factor Authentication

Most password managers offer multi-factor authentication (MFA) functionality, locking your passwords behind additional security for extra protection.

These could be SMS codes, authenticator apps, or hardware keys. While they’re not all equally secure, they’re significantly better than no MFA.

Even if someone finds your master password (the password for your password manager account), MFA will stop them from accessing your password manager, protecting you from unauthorized access.

The golden standard of MFA is a security key (like a Yubikey or Titan), a physical token impervious to phishing attacks.

3. Auto-Fill Functionality

Password managers let you auto-fill credentials on websites by using browser extensions. This makes it highly convenient to log into services and platforms.

For instance, 1Password’s extension shows a dropdown list with your credentials when logging into an account for which you’ve saved a password.

Select the account data you want to fill in, and the password manager does the rest. With this, you can log into an account in mere seconds.

4. Support Across Multiple Platforms

Password managers typically support Windows computers, Macs, Linux, iPhones, and Android devices. They also work on various browsers like Chrome, Firefox, and Opera.

Even when you’re on the go, the mobile apps are robust enough to offer a seamless experience by giving you access to all the password manager’s core features.

How Do Password Managers Work?

A good password manager does much more than store your passwords. It offers a suite of services that improve your overall personal security and convenience.

Let’s talk about how password managers secure your accounts below:

1. Zero-Knowledge Ecosystem

It means no one can access or decrypt what you store in the password manager – not even the app developers.

All the data is encrypted locally. This includes passwords, files, and personal information.

Even when the data leaves your device (for cloud sync), it is natively encrypted during transit. It only becomes readable on your device (which holds the decryption key) when you want to retrieve account credentials.

All the well-known password managers, such as NordPass, 1Password, and Dashlane, do this. So, it’s not a novelty feature as much as an expectation.

2. Password Sharing

Instead of copy-pasting the password to your friend’s chat, you can create a share link from within a password manager.

You can customize the expiration date, access parameters, and whether the link can only be viewed once or multiple times.

This adds significant privacy and security when sharing passwords. And it puts you, instead of the receiving party, in control of the situation.

3. Dark Web Monitoring & Security Alerts

Some password managers (like 1Password and NordPass) actively scan the dark web, searching for data breaches where your personal data was compromised.

If they find anything, they’ll alert you and recommend that you change your password or email address.

Best of all, you don’t have to enable this feature – it runs passively in the background.

Simultaneously, your password manager scans your passwords’ strength and repeatability (if you use the same password for multiple accounts).

If it identifies an issue, it sends a security alert that shows the problem and what you should do to mitigate the risk.

4. Single Sign-On

Single sign-on (SSO) lets business teams access a password manager using pre-existing credentials.

These credentials can typically also give access to several other business-related tools. For instance, a company may enable SSO on Slack, NordPass, and Monday, allowing employees to log into all three platforms using the same credentials.

If a hacker obtains access to an SSO account, they also gain access to all accounts linked to the SSO credentials.

5. Two-Factor Authentication

Two-factor authentication (2FA) lets you add additional authentication factors (like SMS or email codes) to your password manager account.

Not all password managers offer the same 2FA options, though. NordPass offers three: authenticator, security keys, and backup codes.

1Password, on the other hand, offers only two: authenticator and security keys. However, the Secret Key also counts as a 2FA, even though it’s not marketed as such.

2FA mitigates the risk of unauthorized access to your password manager – even if someone knows your email and password, they still need the 2FA codes or security token. Without them, they can’t access the account.

2FA is irrelevant on devices or browsers on which you’re already connected to your password manager or you’ve connected to them in the past (recognized devices).

So, if anyone steals your phone and knows your password manager’s default credentials (username and password), they’ll be able to access your account unimpeded.

However, if someone tries to access your account from an unrecognized device, 2FA kicks in and keeps them out.

6. Cloud Sync for All Devices

An online password manager syncs your password vaults across all your devices, making accessing your accounts from anywhere easier.

Most password managers do this automatically when you install the app on your devices. For instance, installing NordPass on your desktop, laptop, and mobile device means you can add entries (like passwords) on one device and access them from the other two in real time.

With NordPass’ XChaCha20 encryption mechanism, synched data is virtually impregnable to external attacks.

Types of Password Managers

Each has pros, cons, and use cases for specific needs. Below, we’ll explain each password manager type and help you make an informed decision about which one may be right for you.

1. Offline Password Managers

Unlike online (cloud) password managers, offline ones save passwords and other data on your devices (locally) and don’t require an internet connection.

Technically, they’re much safer and more private than cloud-based password managers because you control your data flow.

There’s no intermediary between you and your password manager.

Offline password managers include KeePassXC, Pass, and Enpass, with the latter considered one of the best offline password managers available today.

However, offline password managers are less convenient to use – device synchronization is a hassle (if at all possible in some cases), and you have to keep the app up to date manually.

Using an outdated version could have devastating consequences due to unpatched security vulnerabilities.

Here’s an overview of offline password managers:

2. Online Password Managers

You’re probably most familiar with online or cloud-based password managers – 1Password, NordPass, and LastPass are a few examples.

Online password managers typically operate in a zero-knowledge environment, which means they can’t access or decrypt your passwords.

Only the user has the means (master password) to access and decrypt their vault. Most password managers also ensure your master password never touches their servers in an unencrypted form.

Even though online password managers take every security precaution to keep their users safe, your data is still stored online (on the cloud).

This includes passwords, number of vaults, usernames, and sites you have an account with.

If you’re privacy-conscious, you may prefer an offline password manager without all the bells and whistles of online password managers.

But if you favor convenience and comfort, you’ll compromise on the extra privacy to get the seamless experience of an online password manager.

Here are the pros and cons of online password managers:

3. Stateless Password Managers

Stateless or token-based password managers don’t save your passwords anywhere. There’s no database of passwords, online or offline.

These password managers typically require three things to create and ‘retrieve’ passwords:

When you first create a password for an account, you enter the website URL, your username, and the master password.

Using these details, the stateless password manager creates a unique and seemingly random password. You use that password for that account, and it’s not stored anywhere.

That’s because every generated password is a hash built from the master password, website URL, and username. Applying the same mathematical function will always retrieve the same password.

Some stateless password managers allow token-based authentication as a 2FA for the stateless password generation process. This means security keys like Yubikey and Google Titan.

There’s a catch, though. A big catch.

Passwords generated with stateless password manager are deterministic, not random.

This means a hacker can technically reverse-determine your master password if they know any of the passwords generated from it.

A complex master password can alleviate this risk (mostly). Technically, however, there are as many ways to crack your master password as the number of passwords derived from it.

This problem doesn’t exist with offline or online password managers. Passwords generated with these are truly random.

To summarize the benefits and downsides of stateless password managers:

How to Choose a Good Password Manager?

Choosing a good password manager is no easy feat, with so many alternatives on the market. Here are several key features to look for in a good password manager:

We’ve tested and reviewed many password managers, so we know what to look for and the common issues they tend to have.

To help you decide, we’ve made a list of our top picks.

NordPass stands out with its XChaCha20 encryption, which is less resource-intensive than AES-256 (currently used by all other password managers) and has a higher safety margin.

1Password is another great choice due to its Secret Key encryption, and Keeper offers emergency access in case you lose your password. Roboform is also the only password manager on our list with a free plan.

Check out our list of the best Android password managers for a more in-depth analysis of password managers.

How to Setup a Password Manager

Setting up a password manager only takes a few minutes. We’ll use 1Password to show you how it’s done.

1. Select the Free Trial Option

Go to 1Password, select ‘Get started’ on the homepage, and then select a free trial option.

2. Create an Account

Fill in your name and email address, and select ‘Next’ to create your 1Password account.

1Password will send a code to your email. Enter it in the next window to proceed.

Create your 1Password master password and select ‘Next.’ Remember that if you forget the password, you lose access to your account.

3. Select a Payment Method

Select ‘Add a payment method’ and fill in your credit card information, or select ‘Create Account and add a payment method later.’

4. Save Your Secret Key

1Password will now create (locally) the Secret Key, the crux of its encryption protocols. Select ‘Save PDF’ and save the file someplace safe.

The PDF contains instructions on how to use the Emergency Kit. It will also have a copy of your Secret Key and another field for your password.

Remember, you can’t reset your master password using the Secret Key. The latter only functions as additional security for your account.

5. Install the Apps

Once you access your account, select ‘Get the apps’ to install the desktop and mobile apps.

Select an OS option below, depending on which apps you want to install.

After installing the apps, log into your account using your email, master password, and Secret Key.

6. Create a New Entry

We’ll use the desktop app for this part. Once you open it, select ‘New item’ in the top-right corner. Then, select ‘Login.’ This is the most common type of entry for login information in 1Password.

Alternatively, you can select other options, such as ‘Document’ or ‘API Credential,’ to add different entries.

Change the name of the entry in Step 1, then enter your username in Step 2 and the password in Step 3. To use the password generator, select ‘Create a New Password.’

The password generator will pop up, and you can customize the length and composition of your new password. When you’re happy with it, select ‘Use’ to fill it in.

Don’t forget to click ‘Save’ at the bottom to save your entry.

7. Share a Password

To share a password, select ‘Share’ in the top-right corner and ‘Get Link to Share’ in the pop-up window. This will copy a share link to your clipboard.

Paste it to your friend’s chat to share it with them.

If you choose ‘Can be viewed only 1 time,’ the link will expire after the receiving party accesses it once.

This lets you control password sharing and avoid unauthorized access from links you forgot you shared. NordPass also has this feature.

Should You Use a Password Manager?

Keeping passwords in a password manager database is crucial nowadays, especially with cybercriminals getting more sophisticated.

Without a password manager, we often reuse passwords, compromise on password complexity, or record our login details in a notebook. The first is like asking to be breached; the rest are not ideal.

A password manager like NordPass saves you from all this hassle and secures your online life with state-of-the-art encryption and zero-knowledge principles.

FAQs