A password manager is a program that stores passwords and other data, such as bank card numbers, notes or document images, in an encrypted storage.
This is convenient because you can create complex, genuinely strong passwords (or have them generated automatically) without having to memorize them. You only need to remember one master password, which gives access to all the saved data.
Remember! The data stored in a password manager can only be accessed with the master password. If you forget it, access to all of the data is lost.
Local password managers
Local password managers store data on the user’s device and do not send it anywhere else. They do not depend on external servers to store or manage passwords, so a permanent Internet connection is not required.
Local password managers come as a desktop program installed on a computer, a portable program kept on a flash drive, or a browser extension. The advantage of such managers is their security.
The encrypted password file is stored only on your device and is not sent anywhere. If you’re a little paranoid and don’t want any of your critical data to get to other people’s computers, a local password manager is your choice.
The drawback is just as obvious: if the device breaks or is lost, or the password database file is accidentally deleted or damaged, all passwords are lost with it. It is therefore important to back up such files, at the very least by copying the data file to a flash drive.
Online password managers
An online, or cloud, password manager stores data on the server of a provider that offers the service for free or by subscription.
Cloud password managers come as desktop programs, mobile applications and browser extensions. Their main advantage is accessibility from any device that has an Internet connection.
The data security directly depends on the service. If the server is hacked, attackers will have access to all the data you store there.
Admittedly, if the password files are protected by a master password, that password still has to be cracked as well, but it also happens that data within a service may not be protected at all. So it is important to choose the service carefully, from reliable providers.
How do password managers work?
Any password manager is based on data encryption: everything is stored in encrypted form.
When you enter the password manager, the following usually happens:
- You enter a master password to access your password store.
- If the master password is entered correctly and has been successfully verified, the password manager uses it to decrypt the entire database of your passwords.
Now more about how it works.
When you enter the master password, it is converted into an encryption key using a key derivation function such as PBKDF2 (Password-Based Key Derivation Function 2) or Argon2.
PBKDF2 takes your password and adds a “salt” to it, a random sequence of bytes that makes the process more secure. Then PBKDF2 repeats its hashing step many times; the more iterations, the more difficult it is to find the key.
This is done to make the task harder for attackers who try to guess the master password by brute force.
The derived key is then used to decrypt the encrypted data: the encrypted data is loaded from storage and decrypted with the key.
Passwords themselves are usually encrypted using the AES (Advanced Encryption Standard) symmetric algorithm, one of the most common methods of data encryption. AES was selected by the National Institute of Standards and Technology (NIST) in 2001 as the standard for protecting data privacy.
In local managers, all data is stored and encrypted on the user’s device itself. Data decryption and use also occur only on this device.
In online managers, data is encrypted locally, but then sent and stored on the server. This allows you to synchronize passwords between different user devices through cloud storage.
Online managers use zero-knowledge technology: that is, the master password and encryption keys never leave your device and the provider does not have the technical ability to decrypt your data. The provider stores only the encrypted version of the data and does not have access to the original information.
To access a password, the password manager regenerates the encryption key from the same master password, the same salt and the same iteration parameters. The result is the same encryption key that was used to encrypt the passwords in the first place.
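The derivation-and-decryption flow described above, as an added example that is not part of the original article and not the code of any particular password manager. It assumes PBKDF2 with HMAC-SHA256 (written out here rather than taken from a library, so each iteration is visible) and AES-256-GCM for the database itself; the salt size, iteration count and sample database are constructed values. The salt, iteration count and nonce travel with the ciphertext, which is exactly what a zero-knowledge sync server would hold: nothing in the Vault struct lets the server recover the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Vault is what is written to disk or sent to a sync server. Salt, iteration
// count and nonce are stored in the clear; only the master password is secret.
type Vault struct {
	Salt       []byte
	Iterations int
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018) using only the standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		// U1 = PRF(password, salt || INT_32_BE(block))
		prf.Reset()
		prf.Write(salt)
		var counter [4]byte
		binary.BigEndian.PutUint32(counter[:], uint32(block))
		prf.Write(counter[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_i = PRF(password, U_{i-1}); T = U1 xor U2 xor ... xor Uc.
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault derives a 256-bit key from the master password and a fresh random
// salt, then encrypts the plaintext database with AES-256-GCM.
func SealVault(masterPassword string, plaintext []byte, iterations int) (*Vault, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(pbkdf2SHA256([]byte(masterPassword), salt, iterations, 32))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	return &Vault{Salt: salt, Iterations: iterations, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenVault re-derives the key from the stored salt and iteration count. GCM's
// tag check makes a wrong master password or a tampered file fail cleanly.
func OpenVault(masterPassword string, v *Vault) ([]byte, error) {
	gcm, err := newGCM(pbkdf2SHA256([]byte(masterPassword), v.Salt, v.Iterations, 32))
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, v.Nonce, v.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("wrong master password or corrupted vault")
	}
	return plaintext, nil
}

func main() {
	// Constructed sample database; 600000 is an illustrative iteration count.
	vault, _ := SealVault("my master password", []byte(`{"example.com":"Tr0ub4dor&3"}`), 600000)
	_, err := OpenVault("wrong password", vault)
	fmt.Println("wrong password ->", err)
	pt, _ := OpenVault("my master password", vault)
	fmt.Println("correct password ->", string(pt))
}
```

Because GCM authenticates the ciphertext, a wrong master password produces an error rather than a decrypted-looking blob, which is why password managers can tell you the master password was wrong without storing it or any hash of it. Raising the iteration count slows every guess an attacker makes against a stolen vault by the same factor it slows your own unlock.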
What are password managers good for?
Password managers can generate strong passwords themselves. They use a built-in algorithm to produce a random password according to the specified criteria, drawing on cryptographically secure pseudorandom number generators (CSPRNGs), which provide a high degree of unpredictability.
The result is a password with the parameters we need, which can be changed in the settings: length and the presence of uppercase and lowercase letters, digits and special characters.
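A generator built on the criteria just listed, as an added example that is not part of the original article and not any product's own code. It assumes the operating system's CSPRNG via Go's crypto/rand, a constructed symbol set, and a policy that requires at least one character from each enabled class. The points it shows that the text does not spell out: indices are drawn with rejection sampling rather than a biased modulo, each enabled class is guaranteed to appear, and the result is shuffled so the guaranteed characters do not sit predictably at the front.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Policy mirrors the settings the text mentions: length and which character
// classes must appear.
type Policy struct {
	Length                        int
	Upper, Lower, Digits, Symbols bool
}

const (
	upperSet  = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	lowerSet  = "abcdefghijklmnopqrstuvwxyz"
	digitSet  = "0123456789"
	symbolSet = "!@#$%^&*()-_=+[]{};:,.<>?" // constructed set; real managers make this configurable
)

func (p Policy) classes() []string {
	var cs []string
	if p.Upper {
		cs = append(cs, upperSet)
	}
	if p.Lower {
		cs = append(cs, lowerSet)
	}
	if p.Digits {
		cs = append(cs, digitSet)
	}
	if p.Symbols {
		cs = append(cs, symbolSet)
	}
	return cs
}

// randomIndex draws a uniform index in [0, n) from the CSPRNG. rand.Int does
// rejection sampling internally, avoiding the modulo bias of `randomByte % n`.
func randomIndex(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// GeneratePassword picks one character from every enabled class first (so the
// policy is always met), fills the rest from the combined alphabet, then
// shuffles so the guaranteed characters are not predictably at the front.
func GeneratePassword(p Policy) (string, error) {
	classes := p.classes()
	if len(classes) == 0 {
		return "", errors.New("policy enables no character class")
	}
	if p.Length < len(classes) {
		return "", errors.New("length is too short to include every enabled class")
	}
	alphabet := strings.Join(classes, "")
	out := make([]byte, p.Length)
	for i := range out {
		src := alphabet
		if i < len(classes) {
			src = classes[i]
		}
		idx, err := randomIndex(len(src))
		if err != nil {
			return "", err
		}
		out[i] = src[idx]
	}
	for i := len(out) - 1; i > 0; i-- { // Fisher-Yates shuffle with CSPRNG indices
		j, err := randomIndex(i + 1)
		if err != nil {
			return "", err
		}
		out[i], out[j] = out[j], out[i]
	}
	return string(out), nil
}

// Satisfies reports whether a password has exactly the policy's length and
// contains at least one character from every enabled class.
func Satisfies(pw string, p Policy) bool {
	if len(pw) != p.Length {
		return false
	}
	for _, set := range p.classes() {
		if !strings.ContainsAny(pw, set) {
			return false
		}
	}
	return true
}

func main() {
	policy := Policy{Length: 20, Upper: true, Lower: true, Digits: true, Symbols: true}
	pw, err := GeneratePassword(policy)
	if err != nil {
		panic(err)
	}
	fmt.Println(pw, Satisfies(pw, policy))
}
```

With all four classes enabled the alphabet has 87 characters, so a 20-character password carries roughly 20 × log2(87) ≈ 129 bits of entropy before the per-class guarantee, far beyond what any online or offline guessing attack can exhaust; the length setting, not the symbol set, is what moves that number.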
And if you use a weak password somewhere, the manager will offer to replace it with a more reliable one.
Another convenience of password managers is automatic filling of credentials on sites. When you revisit a site or application, the manager fills in the login and password fields for you. This protects the user from keyloggers that could intercept a typed password.
Let’s Sum Up
Despite all these layers of protection, no password manager guarantees 100% security. A breach of the provider’s servers can lead to a leak of the encrypted data, as happened, for example, with the LastPass password manager in 2022.
Any password manager has one weak point: the master password. All security rests on it, and if attackers learn it, they gain access to all the data.
If you forget your master password, it will most likely not be possible to access your saved passwords, since most secure password managers do not allow you to recover your master password.
Therefore, back up regularly and use two-factor authentication (2FA) for additional security.