Password Manager

What is a Password Manager?

A password manager is a computer program that allows a user to manage their login credentials for multiple websites and apps with a single master password.


The most effective password managers store usernames and passwords in an encrypted database (the vault) whose encryption key is derived from the master password. Two-factor authentication (2FA), where offered, protects the login to the provider's account and the synced copy of the vault; it does not change the encryption itself. The encrypted database can be stored either on the user’s device or on a remote server, depending on the type of password manager and the user’s preferences.

How Does a Password Manager Work?

When a user first sets up a password manager, they will be asked to create a master password that follows best practices for strong passwords. A master password is a single, strong passphrase from which the vault's encryption key is derived, typically by running it through a deliberately slow key derivation function such as PBKDF2 or Argon2 together with a random salt, so that every guess at the master password costs an attacker real computation.

Once the master password has been created, the password manager will create an encrypted password vault to store the user’s other passwords. The next time the user accesses a website or app that requires them to log in, the password manager will ask if it should save the credentials the user enters.

If the user says yes, the password manager will encrypt the credentials and store them in the password vault. On subsequent visits, the password manager will recognize the website (by its domain) or app and automatically fill in the user’s login credentials. Because the match is made on the domain, a look-alike phishing site does not receive the autofilled credentials, which is a useful side benefit of using autofill rather than typing passwords by hand.

Can Master Passwords Be Reset?

If the user forgets their master password, this is a problem because master passwords typically do not have a password reset mechanism. This design choice is intentional: the provider never holds the master password or the key derived from it, so it has nothing to reset. The upside is that even if the password manager provider’s servers are compromised, the attacker obtains only encrypted vaults, which are useless without the key derived from each user's master password. Note that the user’s second authentication factor protects the login to the service, not a stolen copy of the ciphertext; against an offline attacker, only the strength of the master password and the slowness of the key derivation matter.

As a backup, some password managers allow users to grant one or two trusted individuals “emergency access rights” to their password vault. This feature typically comes with safeguards, such as a “wait period,” during which time the primary user can deny access.

Types of Password Managers

Different types of password managers have different price points, advantages, and disadvantages, and the choice of password management app depends on the user’s cybersecurity requirements and personal preferences.

For convenience and safety, many users take a hybrid approach and use browser-based managers for non-critical logins — and downloadable or cloud-based password managers to store passwords that require higher security levels.

Browser-Based Password Managers
Browser-based password managers are free and easy to use, but they are tied to the browser’s own account and offer fewer protections than a dedicated manager (often no separate master password, for instance), so they are not well-suited for storing passwords that require a high level of security.

Chrome’s password manager, for example, is tied to the user’s Google account. This is handy because it allows users to manage passwords from any device logged into the user’s Google account. This is risky, however, because if an attacker is able to compromise the user’s Google account, they can view the user’s passwords in plain text through the browser’s settings.

Downloadable Password Managers
Downloadable password managers are third-party software applications that are installed locally on a single device. This type of password manager typically offers stronger, configurable vault encryption and key derivation settings, can manage a vast number of passwords across various sites, and often includes additional security features for password generation and organization.

Downloadable password managers typically work on a zero-knowledge basis: the master password never leaves the device, and the vendor never learns it. This security feature can be a double-edged sword, however, because if the user forgets their master password, the vendor has no way of helping them recover their passwords (and, because the vault lives on one device, the user is also responsible for backing it up).

Cloud-Based Password Managers
Cloud-based password managers are third-party Software-as-a-Service (SaaS) applications hosted on the provider’s servers and accessed through a web interface. Some cloud-based password managers can be acquired for free, but the free versions are often limited in some way – for instance, they might only be able to store a limited number of passwords.

To reduce the risk of using a cloud-based password manager for business, most providers adopt zero-knowledge principles: the vault is encrypted on the user’s device with a key derived from the master password, and only the ciphertext is uploaded. This enhances security because the service provider, and anyone who compromises it, cannot read the user’s data.

To ensure continuity in emergencies, however, many providers offer emergency access options that will grant designated individuals access to the password vault under specific conditions.

Hardware-Based Password Managers
YubiKey security token

Hardware-based password managers are physical security tokens that can be used to store passwords offline on a secure chip. To retrieve and use their passwords, the user must connect the token to a computing device and enter their master password. To provide an additional layer of security, some hardware-based password managers use multi-factor authentication (MFA) strategies that require the user to enter an additional one-time password (OTP) generated by an authenticator app or by the token itself.

YubiKey hardware tokens are often used to give compatible password managers an additional layer of security. Even if an attacker is able to steal a master password through phishing or other social engineering, they will still need physical access to the correct YubiKey to unlock the password manager’s secure vault.
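The following Python example shows, in one place, the two mechanisms described on this page: the master-password flow from "How Does a Password Manager Work?" (master password, salt and a slow key derivation function producing a vault key that the provider never sees, which is also why a forgotten master password cannot be reset), and the hardware-token second factor described above, modelled on the HMAC-SHA1 challenge-response mode that YubiKeys offer. It is an added example, not code from the original article or from any password manager product; the iteration count, the way the token response is mixed into the key, and the verifier construction are assumptions for illustration, and the simulated token simply holds its secret in memory.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Optional

# Illustrative KDF settings, assumed for this example rather than taken from any
# product. OWASP currently recommends 600,000 iterations of PBKDF2-HMAC-SHA256;
# several managers use Argon2id instead because it resists GPU guessing better.
DEFAULT_ITERATIONS = 600_000
KEY_BYTES = 32
Token = Callable[[bytes], bytes]


@dataclass
class VaultHeader:
    """Everything the provider's server may hold next to the encrypted vault.
    Absent by design: the master password, the vault key and the token's secret."""
    salt: bytes
    iterations: int
    verifier: bytes                   # SHA-256 of the verifier key; detects a wrong password
    token_challenge: Optional[bytes]  # fixed per-vault challenge for the hardware token


def stretch(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2 turns the master password into 64 bytes of key material; the
    iteration count is what makes each offline guess against a stolen vault slow."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=2 * KEY_BYTES)


def split_keys(material: bytes, token_response: Optional[bytes]) -> tuple[bytes, bytes]:
    """Mix in the token response, if any, and split into (vault key, verifier key).
    The vault key would feed an AEAD such as AES-256-GCM and never leaves the
    device. How a product binds the token response is product-specific; hashing
    it together with the stretched password is an assumed construction."""
    if token_response is not None:
        material = hashlib.sha512(material + token_response).digest()
    return material[:KEY_BYTES], material[KEY_BYTES:]


def hardware_token(secret: bytes) -> Token:
    """Simulated YubiKey in HMAC-SHA1 challenge-response mode: the secret is
    written into the token once and can be used but never read back."""
    return lambda challenge: hmac.new(secret, challenge, hashlib.sha1).digest()


def create_vault(master_password: str, token: Optional[Token] = None,
                 iterations: int = DEFAULT_ITERATIONS) -> tuple[VaultHeader, bytes]:
    salt = os.urandom(16)                           # per-user salt defeats precomputed tables
    challenge = os.urandom(32) if token else None
    response = token(challenge) if token else None
    vault_key, verifier_key = split_keys(stretch(master_password, salt, iterations), response)
    header = VaultHeader(salt, iterations, hashlib.sha256(verifier_key).digest(), challenge)
    return header, vault_key


def unlock(header: VaultHeader, master_password: str,
           token: Optional[Token] = None) -> Optional[bytes]:
    """Return the vault key, or None if the password or token is wrong. Everything
    runs on the client: the server is never asked to confirm the password, which
    is also why it cannot reset a forgotten one."""
    if (header.token_challenge is None) != (token is None):
        return None                                 # vault was set up with (or without) a token
    response = token(header.token_challenge) if token else None
    vault_key, verifier_key = split_keys(
        stretch(master_password, header.salt, header.iterations), response)
    if hmac.compare_digest(hashlib.sha256(verifier_key).digest(), header.verifier):
        return vault_key
    return None


if __name__ == "__main__":
    pw = "correct horse battery staple"             # constructed sample master password
    key_fob = hardware_token(os.urandom(20))
    header, vault_key = create_vault(pw, token=key_fob, iterations=50_000)
    print("password + token:", unlock(header, pw, key_fob) == vault_key)   # True
    print("password only   :", unlock(header, pw))                          # None
    print("token only      :", unlock(header, "guessed wrong", key_fob))   # None
```

Two things to notice: the `VaultHeader` is all a server ever needs to store alongside the ciphertext, and none of it lets the provider (or a thief of its database) recover the key, so "reset my master password" is impossible by construction; and once a vault has been set up with a token, a stolen master password alone returns `None`, because the token's HMAC response is folded into the key itself rather than checked separately.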

Popular Password Manager Features

To choose the right password manager, it’s important to consider the price point and compare features such as encryption strength, user-friendliness, and the provider’s reputation for security and customer support.

Popular password managers typically offer the following options:

  • Cross-device and cross-platform access: Many of the most popular password management apps can encrypt and store login credentials from multiple devices and operating systems. A synchronization feature ensures that changes made on one device will automatically be applied to the user’s other connected devices.
  • Password Generation: The most versatile password managers include a mechanism for generating long, random passwords from a cryptographically secure random number generator, so that guessing them is infeasible in any reasonable amount of time.
  • Auto-Capture: This feature will automatically capture new login credentials as they’re entered.
  • Auto-Fill: This feature can automatically populate login fields after the first visit.
  • Biometric Login: Some password managers allow users to designate biometric authentication factors that can be used either in place of – or in addition to – the master password.
  • AES Encryption: Most personal and business password managers use NIST’s Advanced Encryption Standard (AES) with either 128-bit, 192-bit, or 256-bit key lengths. In theory, the longer the key length, the more secure the vault. In practice, the AES key length is not the weak point: an attacker who obtains an encrypted vault attacks the master password, so the key derivation work factor and the master password's strength matter far more.
  • Secure File Storage: Some managers offer encrypted storage space for additional sensitive information like credit card details.
  • Offline Access: Many password managers store an encrypted version of the password database locally on the user’s device. This allows users to look up their passwords even when they are not connected to the internet.
  • Password Health Check: This feature evaluates the strength, age, and reuse of stored passwords and flags those that should be updated because they are weak, reused across sites, or old.
  • Audit Trails: Some password managers for business allow administrators to review when passwords were created, accessed, shared, or changed.
  • Breach Notifications: This feature will alert users if their stored credentials have been involved in a known data breach. Well-designed implementations check this without sending the password itself to the breach service, for example by querying only a short prefix of the password’s hash.
  • Emergency Access: Some password managers allow designated individuals to request access to the user’s password vault in case of emergencies.
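As an added example that is not code from the original article or from any password manager product, the Python below implements three of the features listed above: password generation from the OS's cryptographically secure random source, a password health check (weak, reused, stale, breached), and the breach lookup done in the k-anonymity style of the Have I Been Pwned "range" API, where only the first five hex characters of the password's SHA-1 hash would leave the device. The alphabet, the 60-bit "weak" threshold, the 365-day "stale" threshold and the crude entropy estimator are assumptions; the sample vault entries and the sample range response are constructed so that the example runs offline (SHA-1("password") really does begin with 5BAA6, but the counts and the other suffixes are made up).

```python
import hashlib
import math
import secrets
import string
from datetime import date

# Assumed default alphabet for this example; real managers let users set the
# length and exclude ambiguous characters such as l, 1, O and 0.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG via secrets (never the random module)."""
    if length < 12:
        raise ValueError("length below 12 gives too little entropy")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generated_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Exact entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def estimated_entropy_bits(password: str) -> float:
    """Crude strength estimate for a user-chosen password: treat the pool as the
    union of the character classes present. It overrates dictionary words and
    keyboard patterns, which is why a health check also needs the breach lookup."""
    pool = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation):
        if any(c in cls for c in password):
            pool += len(cls)
    return len(password) * math.log2(pool) if pool else 0.0


def pwned_count(password: str, range_db: dict[str, str]) -> int:
    """k-anonymity breach check in the style of the Have I Been Pwned 'range' API:
    only the first 5 hex characters of SHA-1(password) leave the device, the
    service returns every known 'suffix:count' under that prefix, and the match
    is made locally. range_db stands in for the HTTP call so this runs offline."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_db.get(prefix, "").splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def health_report(entries: list[dict], today: date, range_db: dict[str, str],
                  max_age_days: int = 365) -> dict[str, list[str]]:
    """Flag each vault entry as weak, reused, stale and/or breached: the checks
    behind a manager's 'password health' view."""
    sites_by_password: dict[str, list[str]] = {}
    for e in entries:
        sites_by_password.setdefault(e["password"], []).append(e["site"])
    report: dict[str, list[str]] = {}
    for e in entries:
        flags = []
        if estimated_entropy_bits(e["password"]) < 60:
            flags.append("weak")
        if len(sites_by_password[e["password"]]) > 1:
            flags.append("reused")
        if (today - e["changed"]).days > max_age_days:
            flags.append("stale")
        if pwned_count(e["password"], range_db) > 0:
            flags.append("breached")
        report[e["site"]] = flags
    return report


# Constructed sample data. SHA-1("password") really does start with 5BAA6, but the
# counts and the other two suffixes are made up for this example.
SAMPLE_RANGE_DB = {
    "5BAA6": "\n".join([
        "1D2B2A1A3C4D5E6F7A8B9C0D1E2F3A4B5C6:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "F0E1D2C3B4A5968778695A4B3C2D1E0F123:17",
    ])
}
SAMPLE_ENTRIES = [
    {"site": "mail.example", "password": "password", "changed": date(2021, 1, 1)},
    {"site": "bank.example", "password": "password", "changed": date(2024, 3, 1)},
    {"site": "vpn.example", "password": "Tr0ub4dor&3", "changed": date(2024, 3, 1)},
]
SAMPLE_TODAY = date(2024, 6, 1)


def demo_report() -> dict[str, list[str]]:
    return health_report(SAMPLE_ENTRIES, SAMPLE_TODAY, SAMPLE_RANGE_DB)


if __name__ == "__main__":
    print(generate_password(), f"({generated_entropy_bits(20):.0f} bits)")
    for site, flags in demo_report().items():
        print(site, flags or ["ok"])
```

Run against the constructed entries, "mail.example" is flagged on all four counts, "bank.example" on everything but age, and "vpn.example" not at all, even though "Tr0ub4dor&3" is a well-known weak password: the entropy estimator only sees character classes, which is exactly why a real health check leans on breach data rather than on a strength meter alone. Note also that a 20-character password from the full 94-character alphabet carries about 131 bits of entropy, far beyond what any "crack in a reasonable time" estimate needs.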

Margaret Rouse
Technology Expert

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.