What is a Password Manager?
A password manager is a computer program that allows a user to manage their login credentials for multiple websites and apps with a single master password.
Key Takeaways
- Password managers can be software-based, hardware-based, or browser-based.
- Browser-based password managers are generally considered to be the least secure option.
- The most effective password managers store usernames and passwords in an encrypted database that is protected by a master password and two-factor authentication (2FA).
- The encrypted database can be stored either on the user’s device or on a remote server, depending on the type of password manager and the user’s preferences.
- If the user forgets their master password, they may not be able to recover their stored passwords.
How Does a Password Manager Work?
When a user first sets up a password manager, they will be asked to create a master password that follows best practices for strong passwords. A master password is a single, strong passphrase that acts as an encryption/decryption key.
Once the master password has been created, the password manager will generate a secure password vault to store the user’s other passwords. The next time the user accesses a website or app that requires them to log in, the password manager will ask if it should save the credentials the user enters.
If the user says yes, the password manager will automatically encrypt the credentials and store them in the password vault. On subsequent visits, the password manager will recognize the website or app and automatically fill in the user’s login credentials.
Why Do You Need a Password Manager?
It’s important to use strong passwords, but it can be challenging to generate and remember them. When you use a password manager, you only need to remember one password to access all your accounts.
Can Master Passwords Be Reset?
If the user forgets their master password, this is a problem because master passwords typically do not have a password reset mechanism. This design choice is intentional; it ensures that even if the password manager provider’s servers are compromised, the attacker will only be able to steal encrypted passwords – and encrypted passwords are useless without the master password and the user’s second authentication factor.
As a backup, some password managers allow users to grant one or two trusted individuals “emergency access rights” to their password vault. This feature typically comes with safeguards, such as a “wait period,” during which time the primary user can deny access.
Types of Password Managers
Different types of password managers have different price points, advantages, and disadvantages, and the choice of password management app depends on the user’s cybersecurity requirements and personal preferences.
For convenience and safety, many users take a hybrid approach and use browser-based managers for non-critical logins – and downloadable or cloud-based password managers to store passwords that require higher security levels.
Browser-based password managers are free and easy to use, but they are not well-suited for organizations that require a high level of security. It’s important to review the browser’s privacy policy and terms of service (ToS) to avoid concerns about data collection and data privacy.
Chrome’s password manager is tied to the user’s Google account. This is handy because it allows users to manage passwords from any device logged into the user’s Google account. This is risky, however, because if an attacker is able to compromise the user’s Google account, they can view the user’s passwords in plain text through the browser’s settings.
Downloadable password managers are third-party software applications that are installed locally on a single device. This type of password manager typically has robust encryption, can manage a vast number of passwords across multiple sites, and will generate passwords that even the best password crackers can’t guess.
Password manager apps often include additional security features that will audit saved passwords, check for weaknesses, and remind you when it’s time to update a password. Some will even send an alert if one of your passwords has been exposed to a data breach.
Cloud-based password managers are third-party Software-as-a-Service (SaaS) applications hosted on the provider’s servers and accessed through a web interface. Some cloud-based password managers can be acquired for free, but the free versions are often limited in some way – for instance, they might only be able to store a limited number of passwords.
To reduce the risk of using a cloud-based password manager for business, most providers adopt zero-knowledge principles for master passwords. This enhances security because it prevents the service provider from accessing user data. To ensure continuity in emergencies, many providers offer access options that can grant designated individuals access to the password vault under specific conditions.
Hardware-based password managers are physical security tokens that can be used to store passwords offline on a secure chip. To retrieve and use their passwords, the user must connect the token to a computing device and enter their master password.
Some hardware tokens like YubiKey are used in multifactor authentication to give compatible password managers an additional layer of security. Even if an attacker uses social engineering tactics to steal the master password, they’ll still need physical access to the right token.
Popular Password Manager Features
To choose the right password manager, it’s important to consider the price point and compare features such as encryption strength, user-friendliness, and the provider’s reputation for security and customer support.
Popular password managers typically offer the following options:
5 Best Practices to Follow When Using a Password Manager
The following best practices can make using a password manager significantly safer than reusing passwords or writing them down.
Create a strong, unique master password.
This will be the key to your password vault, so make sure your master password is strong and unique. Consider using a passphrase made of a combination of random words, numbers, and symbols so that your master password is easy to remember but impractical to guess.
Enable two-factor authentication (2FA).
Add an extra layer of security to your password manager account by requiring a second verification factor, like a one-time password (OTP) or a biometric fingerprint scan.
Use strong, unique passwords for each account.
Let your password manager generate complex, random passwords for each of your accounts.
Update passwords for compromised accounts immediately.
If you receive a notification about a data breach or suspect an account has been compromised, change the password for that account (and for any others where you used the same password) as soon as you can.
Configure your password manager to log you out automatically after a short period of inactivity.
Set a short inactivity timeout to prevent unauthorized access if you step away from your device.
Benefits of Using a Password Manager
Password managers have several important benefits.
They can:
- Securely store login credentials.
- Generate complex passwords with one click.
- Autofill credential fields.
Some password managers have additional capabilities that allow you to:
- Sync one-time passwords across multiple devices.
- Share passwords with family members.
Challenges of Using a Password Manager
It can be challenging for users to trust password manager tools and save all their passwords in a single location – especially if that location is managed by a third party.
Many password manager vendors regularly conduct security audits to identify and fix vulnerabilities and then share the results publicly.
The Bottom Line
Password manager definitions may vary slightly in terms of form factor and features, but they are all designed to encrypt and store login credentials.