Password Manager

What is a Password Manager?

A password manager is a computer program that allows a user to manage their login credentials for multiple websites and apps with a single master password.

Key Takeaways

  • Password managers can be software-based, hardware-based, or browser-based.
  • Browser-based password managers are generally considered to be the least secure option.
  • The most effective password managers store usernames and passwords in an encrypted database that is protected by a master password and two-factor authentication (2FA).
  • The encrypted database can be stored either on the user’s device or on a remote server, depending on the type of password manager and the user’s preferences.
  • If the user forgets their master password, they may not be able to recover their stored passwords.

How Does a Password Manager Work?

When a user first sets up a password manager, they will be asked to create a master password that follows best practices for strong passwords. A master password is a single, strong passphrase that acts as an encryption/decryption key.

Once the master password has been created, the password manager will generate a secure password vault to store the user’s other passwords. The next time the user accesses a website or app that requires them to log in, the password manager will ask if it should save the credentials the user enters.

If the user says yes, the password manager will automatically encrypt the credentials and store them in the password vault. On subsequent visits, the password manager will recognize the website or app and automatically fill in the user’s login credentials.

Why Do You Need a Password Manager?

It’s important to use strong passwords, but it can be challenging to generate and remember them. When you use a password manager, you only need to remember one password to access all your accounts.

Can Master Passwords Be Reset?

A forgotten master password is a problem because master passwords typically do not have a password reset mechanism. This design choice is intentional; it ensures that even if the password manager provider’s servers are compromised, the attacker will only be able to steal encrypted passwords – and encrypted passwords are useless without the master password and the user’s second authentication factor.

As a backup, some password managers allow users to grant one or two trusted individuals “emergency access rights” to their password vault. This feature typically comes with safeguards, such as a “wait period,” during which time the primary user can deny access.

Types of Password Managers

Different types of password managers have different price points, advantages, and disadvantages, and the choice of password management app depends on the user’s cybersecurity requirements and personal preferences.

For convenience and safety, many users take a hybrid approach and use browser-based managers for non-critical logins – and downloadable or cloud-based password managers to store passwords that require higher security levels.

  • Browser-based password managers
  • Downloadable password managers
  • Cloud-based password managers
  • Hardware-based password managers

Browser-based password managers are free and easy to use, but they are not well-suited for organizations that require a high level of security. It’s important to review the browser’s privacy policy and terms of service (ToS) to avoid concerns about data collection and data privacy.

Chrome’s password manager is tied to the user’s Google account. This is handy because it allows users to manage passwords from any device logged into the user’s Google account. This is risky, however, because if an attacker is able to compromise the user’s Google account, they can view the user’s passwords in plain text through the browser’s settings.

Downloadable password managers are third-party software applications that are installed locally on a single device. This type of password manager typically has robust encryption, can manage a vast number of passwords across multiple sites, and will generate passwords that even the best password crackers can’t guess.

Password manager apps often include additional security features that will audit saved passwords, check for weaknesses, and remind you when it’s time to update a password. Some will even send an alert if one of your passwords has been exposed to a data breach.

Cloud-based password managers are third-party Software-as-a-Service (SaaS) applications hosted on the provider’s servers and accessed through a web interface. Some cloud-based password managers can be acquired for free, but the free versions are often limited in some way – for instance, they might only be able to store a limited number of passwords.

To reduce the risk of using a cloud-based password manager for business, most providers adopt zero-knowledge principles for master passwords. This enhances security because it prevents the service provider from accessing user data. To ensure continuity in emergencies, many providers offer access options that can grant designated individuals access to the password vault under specific conditions.
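The zero-knowledge principle above, and the reason a master password cannot be reset, shown as an added Python example (not code from Techopedia or from any password manager vendor). The KDF (PBKDF2-HMAC-SHA256), the iteration count, the two labels and all function names are assumptions chosen for illustration; the point is that the provider's record holds only a salt and a login verifier, while the vault key exists only on the device that knows the master password.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune per device


def derive_keys(master_password: str, salt: bytes, iterations: int = ITERATIONS):
    """Client side: stretch the master password, then split it into two keys."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )
    # Domain-separated subkeys: knowing one does not reveal the other.
    vault_key = hmac.new(stretched, b"vault-encryption", hashlib.sha256).digest()
    login_token = hmac.new(stretched, b"server-login", hashlib.sha256).digest()
    return vault_key, login_token


def enroll(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Record the provider keeps at sign-up: no password and no vault key."""
    salt = secrets.token_bytes(16)
    _, login_token = derive_keys(master_password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "login_verifier": hashlib.sha256(login_token).digest(),
    }


def login(record: dict, master_password: str):
    """Return the vault key if the password matches the record, else None.

    In a deployed system the client would send only login_token and the
    provider would do the comparison; both halves are shown in one function.
    """
    vault_key, login_token = derive_keys(
        master_password, record["salt"], record["iterations"]
    )
    candidate = hashlib.sha256(login_token).digest()
    if hmac.compare_digest(candidate, record["login_verifier"]):
        return vault_key  # never leaves the device; decrypts the vault locally
    return None


if __name__ == "__main__":
    record = enroll("constructed sample passphrase 42!")  # constructed input
    print("provider stores:", sorted(record))
    print("right password:", login(record, "constructed sample passphrase 42!") is not None)
    print("wrong password:", login(record, "guess") is not None)
```

Because nothing in the stored record can be turned back into `vault_key`, the provider has no way to issue a new master password that still decrypts the old vault.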

Hardware-based password managers are physical security tokens that can be used to store passwords offline on a secure chip. To retrieve and use their passwords, the user must connect the token to a computing device and enter their master password.

Some hardware tokens like YubiKey are used in multifactor authentication to give compatible password managers an additional layer of security. Even if an attacker uses social engineering tactics to steal the master password, they’ll still need physical access to the right token.

Popular Password Manager Features

To choose the right password manager, it’s important to consider the price point and compare features such as encryption strength, user-friendliness, and the provider’s reputation for security and customer support.

Popular password managers typically offer the following options:

  • Cross-device and cross-platform access: Many of the most popular password management apps can encrypt, store and sync login credentials from multiple devices and operating systems.
  • Password generation: The most versatile password managers include a mechanism for generating strong passwords that can’t be cracked in a reasonable amount of time.
  • Auto-capture: This feature will automatically capture new login credentials as they’re entered.
  • Autofill: This feature can automatically populate login fields after the first visit.
  • Biometric login: Some password managers allow users to designate biometric authentication factors that can be used either in place of – or in addition to – the master password.
  • AES encryption
  • Secure file storage: Some managers offer encrypted storage space for additional sensitive information like credit card details.
  • Offline access: Many password managers store an encrypted version of the password database locally on the user’s device.
  • Audit trails: Some password managers for business allow administrators to review when passwords were created, accessed, shared, or changed.
  • Password sharing: Some password managers allow a designated individual to access another user’s password vault.

5 Best Practices to Follow When Using a Password Manager

The following best practices can make using a password manager significantly safer than reusing passwords or writing them down.

  1. Create a strong, unique master password.

    This will be the key to your password vault, so make sure your master password is strong and unique. Consider using a passphrase that consists of a combination of random words, numbers, and symbols to make your master password easy to remember but impossible to guess.
  2. Enable two-factor authentication (2FA)

    Add an extra layer of security to your password manager account by requiring a second verification factor, like a one-time password (OTP) or biometric fingerprint scan.
  3. Use strong, unique passwords for each account

    Let your password manager generate complex, random passwords for each of your accounts.
  4. Update passwords for compromised accounts immediately

    If you receive a notification about a data breach or suspect an account has been compromised, change the password for that account (and any others where you used the same password) as soon as you can.
  5. Configure your password manager to log you out automatically after a short period of inactivity

    Set a short inactivity timeout to prevent unauthorized access if you step away from your device.

Benefits of Using a Password Manager

Password managers have several important benefits.

They can:

  • Securely store login credentials.
  • Generate complex passwords with one click.
  • Autofill credential fields.

Some password managers have additional capabilities that allow you to:

Challenges of Using a Password Manager

It can be challenging for users to trust password manager tools and save all their passwords in a single location – especially if that location is managed by a third party.

Many password manager vendors regularly conduct security audits to identify and fix vulnerabilities and then share the results publicly.

The Bottom Line

Password manager definitions may vary slightly in terms of form factor and features, but they are all designed to encrypt and store login credentials.

Margaret Rouse
Technology expert

Margaret is an award-winning writer and educator known for her ability to explain complex technical topics to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles in the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret’s idea of a fun day is to help IT and business professionals to learn to speak each other’s highly specialized languages.