How does a password manager work?

Wed Aug 28 2019 - 7 min read

Security practices suggest that protecting our online accounts requires nightmarishly long and complicated passwords that we can neither remember nor enter without typos. Yet it’s not baseless — hackers constantly find new ways to crack your passwords, so using your cat’s name is not enough anymore.

That’s why password managers are quickly becoming super popular. Whether it’s a built-in browser password manager or a dedicated tool, they make managing your accounts way easier and safer. They can help you keep track of your credentials, generate strong passwords, save the information for you and autofill it when needed.

But how do they actually work? And is it safe to store all your passwords in one place? While different password managers come with different features, here are some to keep in mind.

It’s all about convenience

You’ve probably used a password manager before — most of the major browsers have their own built-in password managers. Normally, you would enter your login details every time you want to access a website. But now the password manager does the heavy lifting for you. You don’t have to think about what email address, username, and password you used for the website since the manager enters them for you.

More advanced password managers have an additional function — password generators. Let’s say you’re registering for a new service online. Instead of you coming up with a new password yourself, the manager can generate a complicated, random string of characters for you. This way, you can be sure that the password you’ll be using is secure enough.
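As an added illustration (not code from the original article or from any particular password manager), here is how such a generator can be written in Node.js. The character sets, function names, and default length are assumptions made for this example.

```javascript
// Added example: password generation with a CSPRNG (Node.js built-in crypto).
const { randomInt } = require('crypto');

// Character classes; the exact sets are an assumption for this example.
const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digit: '0123456789',
  symbol: '!#$%&*+-=?@^_',
};

// randomInt() draws from the OS CSPRNG and avoids modulo bias,
// unlike Math.random(), which is predictable and not meant for secrets.
function pick(chars) {
  return chars[randomInt(chars.length)];
}

function generatePassword(length = 20) {
  const sets = Object.values(CLASSES);
  if (!Number.isInteger(length) || length < sets.length) {
    throw new RangeError(`length must be an integer >= ${sets.length}`);
  }
  const all = sets.join('');
  // One character from every class so site composition rules are met...
  const out = sets.map(pick);
  // ...and the remainder drawn uniformly from the full alphabet.
  while (out.length < length) out.push(pick(all));
  // Fisher-Yates shuffle so the guaranteed characters are not in fixed positions.
  for (let i = out.length - 1; i > 0; i--) {
    const j = randomInt(i + 1);
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out.join('');
}

// Upper bound on guessing entropy in bits: length * log2(alphabet size).
function entropyBits(length) {
  const alphabet = Object.values(CLASSES).join('').length;
  return length * Math.log2(alphabet);
}

console.log(generatePassword(20), Math.floor(entropyBits(20)), 'bits (upper bound)');
```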

Some online password managers also allow you to store other types of data in a secure form — everything from credit card numbers to private notes. But is it safe to keep all your information in one place?

Master password

Most of the dedicated password managers that allow storing your data in a vault secure it with a master password. It’s the first and probably the most important decision you will need to make with a password manager — coming up with your master password. It controls the access to your entire vault, so it has to be strong. It is the only password you’ll need to remember.

Forgetting your master password is bad news in most cases — it means you’re locked out of your vault forever. The only solution may be to reset all of your passwords, account by account, site by site. So be sure to memorize it well.

Tip: When you create your master passphrase, write it down on a piece of paper and type it until you remember it. In addition, using two-factor authentication is an even more secure option for all your accounts.

Password storage

There are three main categories of password managers based on where they store your data: browser-based, stand-alone, and cloud-based. In other words, they store your passwords either locally or in the cloud. Depending on the manager you choose, your logins will be kept on your device or on the service provider’s servers.

Cloud storage is definitely convenient: some password managers store your vault on their servers by default, which allows you to sync your data across devices easily. Plus, you won’t lose your logins if your computer crashes.

However, storing your most sensitive data on third-party servers may seem risky. After all, it may come down to how much you trust your service provider’s security protocols. This is where zero-knowledge architecture comes in.

Are your passwords safe?

It depends on the password manager — built-in managers often have weaker security than dedicated ones. However, the vast majority of cloud-based password managers use strong, zero-knowledge encryption protocols. Zero-knowledge means that even though your data is stored in the cloud, the service provider has no actual knowledge of what’s in your vault. That’s because all the information is encrypted on your device before being transferred to the cloud.

How does it work? Encryption scrambles data so that only those with authorized access can see the original content. The key that unlocks it is derived from your master password through thousands of rounds of hashing: an algorithm converts a string of text into a scrambled string, hashes that result again, and so on, making it more difficult for hackers to crack the hashed text.

So even if a criminal got through the password manager’s defenses, your sensitive data would look like gibberish to them. In fact, if anyone were to ask your manager provider to give details about what’s in your vault, they would be unable to do it. Zero-knowledge architecture makes sure of that.
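The flow described above, as an added example that is not NordPass code or any vendor's implementation: the key is derived and the vault encrypted on the device, and only the resulting blob goes to the server. It uses scrypt and ChaCha20-Poly1305 from Node's built-in crypto module as stand-ins for a product's own key-derivation function and cipher; the function names, field names, and cost settings are assumptions.

```javascript
// Added example: client-side "zero-knowledge" vault encryption.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('crypto');

// scrypt cost settings and field names below are assumptions for this example.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const AEAD = 'chacha20-poly1305';

// Stretch the master password into a 256-bit key. The salt is random per
// vault and not secret; it makes precomputed guess tables useless.
function deriveKey(masterPassword, salt) {
  return scryptSync(masterPassword.normalize('NFKC'), salt, 32, KDF);
}

// Runs on the user's device. Only the returned blob is uploaded.
function sealVault(masterPassword, vault) {
  const salt = randomBytes(16);
  const nonce = randomBytes(12); // safe to pick at random: the key is fresh per seal
  const key = deriveKey(masterPassword, salt);
  const cipher = createCipheriv(AEAD, key, nonce, { authTagLength: 16 });
  const ct = Buffer.concat([cipher.update(JSON.stringify(vault), 'utf8'), cipher.final()]);
  const parts = { salt, nonce, ct, tag: cipher.getAuthTag() };
  // base64 fields: this is everything the provider ever stores.
  return Object.fromEntries(Object.entries(parts).map(([k, v]) => [k, v.toString('base64')]));
}

// Also runs on the device, after the blob has been synced back down.
function openVault(masterPassword, blob) {
  const field = (name) => Buffer.from(blob[name], 'base64');
  const key = deriveKey(masterPassword, field('salt'));
  const decipher = createDecipheriv(AEAD, key, field('nonce'), { authTagLength: 16 });
  decipher.setAuthTag(field('tag'));
  // final() throws if the password is wrong or the blob was modified.
  const pt = Buffer.concat([decipher.update(field('ct')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample data, not real credentials.
const sample = [{ site: 'example.com', user: 'alice', password: 'constructed-sample' }];
const stored = sealVault('correct horse battery staple', sample);
console.log(stored); // what the server holds: salt, nonce, ciphertext, tag
console.log(openVault('correct horse battery staple', stored));
```

Neither the master password nor the derived key appears in the stored blob, so the provider cannot decrypt it.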

Choosing the password manager

With all of this in mind, how do you choose the best manager for your credentials? Well, it depends on what you’re looking for. Built-in password managers are convenient, but using one might be a bit risky. Some of them are not always forthcoming about what security standards they’re using. In the light of constant security breaches, it might not be worth the risk.

If you’re looking for a secure dedicated manager, here are the criteria to look out for. First, check out how your passwords are stored — as we mentioned, zero-knowledge architecture is your best bet. NordPass uses XChaCha20 to encrypt your vault and Argon2 to derive keys. XChaCha20 is widely considered to be the future of encryption. It’s fast, reliable, and entirely software-based, which minimizes the risk of human error.

Second, pay attention to the authentication methods it offers. Many dedicated managers, including NordPass, use a master password. It’s the only password you will need to remember with a dedicated manager. Additionally, see if two-factor authentication is available — it provides an extra layer of security for your account.

Third, make sure it’s easy to use. There’s no point in having a dedicated password manager if it’s a hassle to manage it. Autofill, autosave, password sharing, and easy transition from and to other managers are good indicators. If you’re curious about what features NordPass provides, you can check them out here.

Chad Hammond
Verified author
Chad loves traveling and technology. His global view and open-mindedness add interesting angles to various security topics. He has already traveled to over 80 countries and is not planning to stop any time soon.