How do password managers work?
Being behind major reports like The Mother of All Breaches and WhatsApp Data Leak, our in-house cybersecurity experts conduct independent, unbiased testing and thorough analysis of password managers, helping users confidently manage their credentials and sensitive information.
We prioritize transparency by openly sharing detailed descriptions of our in-house testing procedures and methodologies.
Signing up for online accounts is annoying, and creating strong passwords for each one makes it even worse. That’s why so many people reuse the same password across different accounts. But this can be dangerous. If a password gets leaked, all your other accounts could be at risk too.
Luckily, there’s an easy fix. Password managers can create strong and unique passwords for you and store them safely so you don’t have to remember them. Many password managers offer free tiers, although they usually have some limitations, like no advanced features.
My personal favorite is NordPass. It’s simple to use, packed with useful features, and helps keep your accounts secure.

What is a password manager?
A password manager is a program that stores your passwords in a secure vault and automatically fills in your login details when you have to log in. It means you don't have to remember any of your passwords, allowing you to use complex and unique passwords for all of your accounts. Password managers also include password generators to help with that. Most of them also let you store credit card information, personal details and even attach files.
For even more security and convenience, the best password managers also support biometric data (fingerprint or face) instead of your master password. You can also share selected information with your family and friends without copy-pasting it into an email or instant message.
Therefore, instead of memorizing all the login information you use for each site, you only have to remember 1 master password when using a password manager. Thanks to the autosave and autofill features, you can connect to all your accounts in just a few clicks.
How do password managers secure your passwords?
There are multiple ways to categorize password managers. However, this time, I want to present 3 technologies and explain how they work. Keep in mind that some providers offer multiple methods to keep your data safe. Most of them require you to use a master password to protect your vault.
Here are the 3 types of password managers:
- Locally installed or offline password managers
- Web-based or online password managers
- Stateless or token-based password managers
Let's explore each of them more thoroughly.
Locally installed or offline password managers

As the name implies, locally installed password managers, also known as offline password managers, store your data on your device. It can be your computer or a smartphone, depending on your preference. You can find your passwords in an encrypted file, separately from the password manager itself. Some managers also allow storing each password in a separate file, greatly increasing overall security.
As always, you need a master password to access your offline vault. If it’s a strong one, there’s minimal chance that either the government or some malicious hackers will break into your local database. That’s because brute-forcing new-gen encryption requires a significant amount of time. What’s more, if you keep that device with all passwords offline, there’s no way to access it without seizing it.

Naturally, offline password managers have some inherent flaws. For starters, using them on multiple devices might prove challenging. There’s only one location, and other devices somehow have to sync with the one that has the vault. It usually means having your device with the locally installed password manager online, which can become accessible to third parties. Finally, if the device with your offline password manager breaks down and you have no backup, be ready for some manual labor.
If you have an offline or locally installed password manager, then your passwords are stored locally. To be more precise, they are on the device that you’ve chosen for your vault. However, it’s possible to synchronize the passwords between multiple devices, which means all of them must be online. If you want even more security, you can save your passwords in different files, requiring a unique key for each.
Web-based or online password manager services

The most popular type is the web-based password manager. It stores your passwords in the cloud, which is usually the provider’s server. This type of setup means that you can access your passwords from anywhere, anytime, without the need to install the online password manager software.
Since all reputable online password managers use zero-knowledge technology, they can't access your passwords themselves. It means that they encrypt your data on your device before sending it to the server.

Finally, you should expect to pay for a web-based password manager. There are great free versions to choose from, but some features, like a higher device limit or dark web scanning, will most likely be reserved for premium plans. That said, most paid online password managers aren’t expensive, especially if you commit long-term.
Try out NordPass commitment-free using the free plan. Premium plan starts at $1.38/month.
Needless to say, if you choose an online (or web-based) password manager, your passwords are stored online. Your vault is on the provider’s server, available 24/7 to you from anywhere, as long as you have the master password. Most of the time, you don’t even need to install the password manager client and a browser extension is enough. Sometimes, you can access the vault via a web application available on the provider’s website.
Stateless or token-based password managers

Last on the list are token-based or stateless password managers. In this scenario, a local piece of hardware, such as a flash USB device, contains a key to unlock your account. There’s also no such thing as a password vault because the password manager generates them anew every time you log in. For additional safety, use the token and your master password at the same time. This way, you are automatically implementing 2FA.
Stateless password managers don’t require synchronization between your devices because there’s no database in the first place. In a way, that’s also safer because there’s no place where a hacker can find all your passwords. However, someone who knows the master password can still hack token-based passwords.
Contrary to online password managers, these are usually free and open-source. That’s why they are not particularly recommended for beginner users because all the support they can get are forums and knowledge bases. On top of that, you need a smart card reader or a USB stick to generate tokens.
Moreover, if you find yourself using a token-based password manager, that means your passwords are not stored anywhere. As the name implies, there’s no password vault, only token generation, whenever you access a specific account. You can generate a token on an external device, such as a USB stick.
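To make the "no vault" idea concrete, here is an added Node.js example (not from the original article and not any specific product's algorithm) that recomputes a site password from the master password and a token secret each time. The derivation scheme, the character set, the `counter` parameter and the function name `sitePassword` are assumptions chosen for illustration.

```javascript
const crypto = require("node:crypto");

// Output alphabet without look-alike characters (an assumed choice).
const CHARSET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@";

// Recompute the password for one account. Nothing is stored: the same inputs
// always give the same output. tokenKey is the secret held on the hardware token.
function sitePassword(masterPassword, tokenKey, site, login, counter = 1, length = 20) {
  const salt = Buffer.from(`${site.toLowerCase()}\0${login}\0${counter}`, "utf8");
  // Memory-hard step so that guessing the master password is slow.
  const seed = crypto.scryptSync(masterPassword, salt, 32, { N: 2 ** 14, r: 8, p: 1 });
  // Key the result with the token secret: the master password alone is not enough.
  const prk = crypto.createHmac("sha256", tokenKey).update(seed).digest();
  // Reject bytes >= limit so every character is equally likely (no modulo bias).
  const limit = 256 - (256 % CHARSET.length);
  let out = "";
  for (let block = 0; out.length < length; block++) {
    const ctr = Buffer.alloc(4);
    ctr.writeUInt32BE(block);
    for (const b of crypto.createHmac("sha256", prk).update(ctr).digest()) {
      if (b < limit && out.length < length) out += CHARSET[b % CHARSET.length];
    }
  }
  return out;
}

// Constructed inputs: a fixed demo key stands in for the token's secret.
const demoToken = Buffer.alloc(32, 7);
console.log(sitePassword("correct horse battery staple", demoToken, "example.com", "alice"));
console.log(sitePassword("correct horse battery staple", demoToken, "example.com", "alice", 2));
```

Changing the password for one site means raising its counter, so that small piece of state still has to be remembered or kept somewhere.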
How do password managers encrypt passwords?
256-bit AES encryption is a new-gen cipher used to encrypt and decrypt data so only authorized parties can access it. The NSA and major corporations adopted it in 2005, and it soon became the standard for VPNs, firewalls, and password managers.
While AES is the encryption standard, 256-bit is the key length. Encryption keys are random strings of zeroes and ones. In this case, it means there are 2^256 combinations available. The more combinations, the harder it is to brute-force the right one.
AES 256-bit is a so-called symmetric or private key encryption algorithm. The key is used both for encrypting and decrypting data, so both parties must know it. In contrast, asymmetric or public-key encryption uses a public key for encryption and a private key for decryption. With that approach, the private key doesn’t have to leave your device, increasing security.

Not all password managers use AES-256 encryption. Some use the less secure AES 128-bit standard. Usually, these are free and open-source password managers that get less frequent updates.
However, there's already better encryption than AES 256-bit that goes by the name of XChaCha20. So far, only NordPass has implemented this next-gen cipher among all premium password managers. It comes with Argon2 for key derivation, while XChaCha20 encrypts your password vault.
Why use a password manager?
Here are the reasons why you should use a password manager:
- Password generators. You don’t need to spend 15 minutes to come up with a new and unique password. Most password managers allow you to generate a safe password with varying complexity. Not only does this save you time, but it also comes up with complex passwords that are nearly impossible to crack.
- Easy password management. Password managers not only help create safe passwords but also allow you to administrate all your logins from one application. A lifesaver for those using a multitude of websites and platforms.
- Autosave and autofill. Most password managers have a built-in feature that allows you to autofill passwords and other recurring information. It extends to your payment details or personal information.
- Secure password sharing. Many people share accounts with their friends and family. Netflix even allows different users to log in with the same password. A password manager allows users to securely share passwords with other users without revealing the actual password itself.
- Cross-platform support. As applications, password managers are not at all complicated and do not require a lot of resources. It means that it’s much easier to develop them for a variety of platforms like web browsers or smartphone apps. For the end-user, this means the ability to get the same password vault whatever your preferred method of connection.
Your passwords are keys to your entire online identity. Don't let data breaches scare you – use a password manager and stay protected.
Password manager setup
Since web-based password managers are the most user-friendly, I will use them as an example. Below are the key steps in setting up a password manager:
- Install your chosen password manager. There are plenty of free and paid versions to choose from, but I recommend using NordPass. You should check what features are available on the free version (if any) and whether the added perks justify the price. Afterward, make sure it supports your OS and browser. If you're planning to import your current vault, check if it's possible first; however, most password managers support password importing.
- Create a secure master password. Even if your selected password manager allows master password recovery, you should still choose one that's memorable but hard to guess. To fulfill the last requirement, it may be a good idea to use a passphrase containing 4-5 randomly chosen words.
- Enable two-factor authentication (2FA). Adding 2FA to the mix greatly improves your account security. While the second factor can be something that you have, which is probably your smartphone, I recommend using biometrics. Depending on your device, it can be either a fingerprint or a face scan. What's more, you can use 2FA instead of the master password, which significantly improves usability on touchscreen devices.
- Add your passwords. Before you get used to your new password manager, and while you still cannot remember your master password that well, you may want to enter less important passwords first. A good idea is to generate a strong password for the email that you use to recover the master password. Otherwise, a threat actor can easily get a hold of your database after breaking into your mailbox.
- Consider adding other data. The majority of password managers let you save credit card details and secure notes as well. If you shop online often, having the payment info in autofill can save quite some time. Moreover, you can securely store important files there, such as a copy of your ID or driver's license.
Can password managers work on multiple devices and phone apps?
Not all password managers can work on multiple devices. A stateless password manager is based on the idea that only one device can generate passwords for your accounts. Locally installed password managers are also not suited for multiple devices. That's because you are saving your database on a single device. While syncing between all devices is possible, it's quite a hassle.
Online password managers support cross-sync and work on multiple devices. Many also offer web applications accessible from the provider's website. Your vault is stored in the cloud, meaning your data can be easily accessed on any device you install the password manager on.
FAQ
What are the disadvantages of a password manager?
The major disadvantage of a password manager is that you’re keeping all passwords in one place. If a malicious hacker manages to get inside your vault, they could access all of your accounts. However, if your vault is protected with reliable encryption and requires multiple factors to grant entry, you should be safe.
Can password managers work on multiple devices?
Yes, most password managers work cross-platform and support many operating systems. It means that you can access your most important credentials on the go, whichever device you’re currently using. I recommend using NordPass to keep your accounts safe on multiple devices.
How do password managers store passwords?
Password managers encrypt your credentials and store them only in an encrypted form. This means that even in case of a major data breach, a threat actor would only get the encrypted symbols that are useless without your master password.