Last Updated: February 1, 2023
Ever struggle to remember all the passwords you need for all the social media accounts and other websites you use on a daily basis? Does it make you resort to unsafe practices like reusing or creating weak passwords? A password manager might be the answer to all your problems. Although you’ve probably heard of them before, you might be wondering—how do password managers work?
In this guide, we’ll answer all of your questions, such as:
- What are password managers?
- How do different types of password managers work?
- Is it safe to use password managers?
- Should you use a password manager?
- And other FAQs.
What Are Password Managers?
Simply put, a password manager is a tool for managing multiple passwords in a single safe location. Usually, great password managers use different types of encryption to securely store passwords so they’re difficult to steal or uncover. Your password manager account, in turn, is usually secured using a single master password.
The goal is to make it easier to access a large number of strong passwords users need for all their different accounts online. All you need to do is log in to the password manager and look for the specific password you need.
|DID YOU KNOW: According to the 2019 Verizon Data Breach Investigations Report, 80% of all data breaches are caused by compromised, weak, and reused passwords. Password managers not only protect your passwords but may also suggest passwords that are hard to crack.
How Do Password Managers Work?
First of all, it’s important to know there are three different types of password managers. While different types of password managers will work somewhat differently, different products of the same type will work mostly the same.
The three most commonly used types of password managers are:
- Locally installed/offline
- Web-based
- Stateless/token-based
Locally Installed/Offline Password Managers
This is an app or software that you physically download and store on your device. Passwords are usually protected using encryption in an “encrypted vault.” For most commercial purposes, you can find tools that use 256-bit AES encryption to encrypt data.
These are the typical steps for using this kind of password manager:
1. Run the software and log into it using your master password.
2. Manually enter the password. Most password managers also allow you to add the name, URL, and description of the website or app the password is for.
3. When you want to log into a website, you open the app again, log in, and search for the password in question. You then manually type it into the website login page.
Of course, offline password managers appeal to privacy-concerned individuals not keen on storing passwords in a database not controlled by them, like the cloud or an external server. This is one of the safest ways to store your passwords because unless your physical device is hacked, no one will be able to steal your passwords.
However, the biggest downside to this type of software is that if you lose your device, you lose the passwords with it. That’s why many of these services allow you to download the app on different devices (e.g., PC, Android, iOS) and sync passwords across all apps associated with your account.
In addition, offline apps might still be vulnerable to keylogger malware.
Pros
- Secure your passwords by storing them offline
- Many are free or very cheap
Cons
- May lose passwords if you lose your device
- You need to manually type your passwords into apps/websites
Web-Based Password Managers
Web-based (or cloud-based) password managers store your passwords online in the cloud or on a public internet server. Just like local password managers, web-based ones also protect your passwords using encryption. However, because they’re online, the question “can password managers be hacked?” often refers to this type of manager.
Web-based password managers come in a number of different forms—a simple website portal, browser extension, desktop-based app, or mobile app. In the case of the latter two examples, the difference between locally installed and web-based password managers can become blurry.
Browser extensions are particularly popular and convenient, as they can detect when you’re logging into a website for which you have a password stored and prompt you to use the extension to auto-fill passwords.
This saves you the trouble of having to go back and forth between the app and the website and type in your password manually.
In contrast to locally installed password managers, the main problem is that some users feel uncomfortable with their password vault living online. Users are also more concerned about their accounts, browsers, or extensions being hacked than they are with offline desktop-based apps.
That’s why some web-based password managers use what’s called zero-knowledge technology: the service never stores your actual username/password combinations, only their encrypted form, which it cannot read without your keys. Many of these services also use an app installed on your device, e.g. a PC, in which you create an entry for your login information; the entry is encrypted on the device and only then uploaded to the server.
So, if you’re really worried about whether password managers are safe, you should look for a zero-knowledge web-based password manager.
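The local encrypted vault and the zero-knowledge upload described above rest on the same mechanism: keys are derived from the master password on the device, so only ciphertext is ever stored. The following is an added example, not code from the original article or from any product. PBKDF2 with 600,000 iterations is an assumed key-derivation choice, and because Python's standard library has no AES, an HMAC-SHA256 keystream with encrypt-then-MAC stands in for the 256-bit AES mentioned earlier.

```python
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into separate 256-bit encryption and MAC keys."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS)
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (not AES): XOR with an HMAC-SHA256 counter-mode keystream."""
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_entry(master_password: str, entry: dict) -> dict:
    """Runs on the user's device; the returned record is all a server would store."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = keystream_xor(enc_key, nonce, json.dumps(entry).encode())
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_entry(master_password: str, record: dict) -> dict:
    """Re-derive the keys, check the tag in constant time, then decrypt."""
    salt, nonce, ciphertext, tag = (
        bytes.fromhex(record[k]) for k in ("salt", "nonce", "ciphertext", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or modified vault record")
    return json.loads(keystream_xor(enc_key, nonce, ciphertext))
```

The stored record contains a random salt, a nonce, ciphertext and a tag, so a breach of the storage location yields nothing readable unless the master password can be guessed.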
One of the main benefits of web-based password managers is that you can access your passwords from anywhere, at any time, and from any device, as long as you have the master password for your password manager account.
Pros
- Access passwords from anywhere and on all devices
- Benefit from auto-fill
- Subscriptions are usually cheap
- No need to download and install software
Cons
- Some will prefer a once-off purchase over a subscription
- Less secure than an offline vault
- You need an internet connection to access passwords
Stateless/Token-Based Password Managers
This is a far less common type of password manager, and a method not a lot of people will be familiar with. Additionally, it turns the traditional concept of how passwords are stored on its head. Using this approach, you effectively turn an external storage device like a USB drive into your personal password manager.
To do this, you install token-based authentication software on the USB, which basically turns it into a secure vault for your credentials. The software can also be installed on SD cards or smart cards.
With token-based authentication, the user doesn’t actually input their username and password to access a particular website, server, or resource. Instead, the authentication service installed on the device generates a token containing all the information necessary to identify you to the resource you’re connecting to.
So, where are passwords stored with this type of password manager? Well, as this type of authentication is “stateless,” your passwords aren’t technically stored anywhere—the token is all you need! This makes it impossible for hackers to steal your passwords unless they know your master password.
The tokens are cryptographically signed so they can’t be tampered with, and they have a certain period of validity as determined by the authentication service.
Usually, token-based authentication systems are open source or based on open-source standards, like JSON Web Tokens (JWT) and Security Assertion Markup Language (SAML), for example. So, they’re usually free, and can be downloaded and installed by anyone.
The main catch is that whatever server you want to log in to also needs to use that particular authentication service. So, this is only suitable as a password management solution in specific circumstances, like when connecting to a work server, which certainly doesn’t fit the typical password manager definition.
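To make the signing and validity-period properties concrete, here is an added example (not from the original article) of a JWT-style token being issued by an authentication service and checked by the resource it is presented to. It assumes an HS256 token with a key shared between the two sides; the function names and the `aud` check are illustrative choices.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, subject, audience, ttl, now=None) -> str:
    """Authentication service: sign identity claims with a validity window."""
    now = int(time.time()) if now is None else now
    parts = ({"alg": "HS256", "typ": "JWT"},
             {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl})
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_token(key, token, audience, now=None) -> dict:
    """Resource server: reject forged, mis-addressed or expired tokens."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(signature_b64)
    except ValueError:
        raise ValueError("malformed token") from None
    # Pin the algorithm; never let the token's own header choose the check.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    signed = f"{header_b64}.{claims_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))  # parsed only after the check
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims
```

Because the signature covers both header and claims, changing any claim without the key fails verification, and a stolen token stops working once `exp` passes.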
Pros
- Nearly impossible for hackers to steal your passwords
Cons
- It can be inconvenient to have to use an external device
- You can lose access to your passwords with your device
- It’s more difficult to set up
- Proprietary software can be quite expensive
|DID YOU KNOW: 65% of Americans still don’t trust a password manager. However, that’s much more common in older generations over 55 (37.4%), while only 26% under that age mistrust them. Among the 55+ group, many don’t even know what a password manager is.
|There are three main types of password managers: locally installed/offline, web-based, and stateless/token-based.
|Most proprietary password managers today offer a hybrid approach with offline apps, online cloud storage, browser extensions, and mobile apps.
|Users often need to decide the perfect balance between convenience and safety when managing their passwords, e.g., whether they want to use cloud or cross-device syncing.
|Password managers can also help you by generating secure passwords and providing some level of internet security.
Are Password Managers Safe?
The answer is that it depends—different password managers have different levels of security, depending on their type, brand, and how you use them. For example, even the most secure password manager isn’t very safe if your master password is weak.
Let’s look at some of the security aspects to keep in mind regarding password managers.
Eliminating Unsafe Password Practices
The main reason why password managers are considered safe is that they prevent unsafe password practices, such as choosing simple or easy-to-guess passwords because they’re easier to keep track of, or reusing a single password for all your accounts. So, yes: according to our password manager definition, they’re safer than relying on these alternatives.
Storing Passwords in Different Ways
Password security also depends on the type of password manager you use. Most proprietary password managers today, like LastPass, KeePass, or Dashlane, store and access your passwords in various ways. While some password managers like LastPass offer a website portal, browser extension, desktop-based app, and mobile app for storing your passwords on the cloud in encrypted form and syncing them to all your devices, others store passwords differently.
For example, KeePass gives you the option of only storing passwords locally on your devices. You’ll have to manually sync them on all devices, but you have the peace of mind that they aren’t stored online. Dashlane is another option that lets you choose whether to only store your passwords locally or on the cloud as well.
So, users need to make the tradeoff between the convenience of having your passwords accessible anywhere and giving up a bit of security. As long as the password manager is reputable and uses encryption, cloud syncing shouldn’t be a deal-breaker.
Built-In Browser Password Managers
Because Chrome is the most popular web browser, many people want to know how safe the Google password manager is. Many browsers today, like Google Chrome, Firefox, and Microsoft Edge, feature built-in password managers. These are probably the least secure, as most of them store passwords in unencrypted form. Firefox can encrypt your passwords, but can’t generate random passwords or sync them across devices.
If you want to use a specific browser, it’s probably best to get a dedicated password manager for it. There are many password managers for Google Chrome available online or on the extension store.
However, if not having your passwords accessible everywhere is going to make you use unsafe practices or weak passwords, it’s better to choose a more convenient option that offers cloud syncing.
|DID YOU KNOW: Despite the benefits, only 20% of Americans use a password manager, while 23% save passwords in a digital file and 24% in their browser.
Should You Use a Password Manager?
Let’s be real, if you’re like the average internet user, you probably have tens of accounts on all kinds of websites and online platforms—and although the human mind is great at many things, remembering a large number of passwords or even just a couple of complex passwords isn’t one of them.
If any of these statements apply to you, you should probably consider using a password manager:
- You have too many passwords to remember, and often forget them or lose access to your accounts as a result.
- You use a number of very basic or easy-to-guess passwords, or you use one password for multiple accounts.
Regardless of your answer or of how password managers store passwords, nearly everyone can benefit from using a password manager for the following reasons:
Random Password Generator
Conventional wisdom advises not to use passwords with real names or words, and to include numbers, capital letters, and special characters. Passwords should also be long. Some password managers will generate random, strong passwords for you so you don’t have to think up new ones.
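A generator that follows this guidance can be quite small. The following added example (not from the original article or any product) draws characters from a cryptographically secure source and redraws until every character class appears; the symbol set and the 16-character audit threshold are assumed values.

```python
import math
import secrets
import string

# Character classes from the guidance above; the symbol set is an assumed choice.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           "!@#$%^&*()-_=+[]{}")
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 20) -> str:
    """Draw uniformly from ALPHABET with a CSPRNG; redraw until every class appears."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length: int) -> float:
    """Upper bound on guessing entropy: log2(len(ALPHABET) ** length)."""
    return length * math.log2(len(ALPHABET))


def policy_gaps(password: str, min_length: int = 16) -> list[str]:
    """Audit an existing password against the same rules; return what is missing."""
    names = ("lowercase", "uppercase", "digit", "symbol")
    gaps = [n for n, cls in zip(names, CLASSES)
            if not any(ch in cls for ch in password)]
    if len(password) < min_length:
        gaps.append("length")
    return gaps
```

Redrawing the whole candidate, rather than forcing one character of each class into fixed positions, keeps every compliant password equally likely.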
Easy to Manage
Of course, the main point of a password manager is that it acts as a secure vault to store all your passwords. You can include information like your username, email, or other login credentials as well as the site or app a particular password is for. If you’re wondering how password managers work across devices, we explain it all above. All you need to access and manage your passwords is a single master password.
Secure Password Storage
Instead of just listing your passwords in a plain text document, most good password managers securely encrypt your passwords and information, making it much harder to steal your information. It’s important to check whether cloud providers store passwords in a safe location.
Modern password management tools usually let you install apps on various devices so you can sync your passwords across all your devices. Some, especially browser extensions, even have autofill and autosave capabilities so you can provide your credentials with just a click.
Some password managers, especially browser extensions, have some built-in security features like being able to tell when a particular set of credentials or a website you use has been hacked. They can also alert you of suspicious or potentially malicious websites. You can also usually secure your account with two-factor authentication.
If you have concerns, you can usually reach out to customer support to find out where passwords are stored. This is important because the one real disadvantage of using password managers is that all your passwords are stored in one place, enabling anyone who manages to hack your account to access all your passwords. So, your master password needs to be very secure, and you need to make sure you use a reputable password manager.
|DID YOU KNOW: 13% of people use the same password for all accounts, 52% reuse the same passwords for multiple accounts, and only 35% have a different password for each account.
You should now be able to answer the question of how a password manager works with confidence. Password managers are essential tools for anyone who’s struggling to manage secure passwords for a huge number of accounts. Today’s best password managers aren’t just for storing passwords; they also provide a bunch of tools to make your life easier, such as a random password generator, cross-device syncing, and even autofill or autosave. They’re the perfect tools for those who want to behave more securely without a lot of inconveniences.
Most people should use a password manager. The only downside is that all your passwords are stored in one place, so it may not be the ideal solution if multiple users have access to your computer. Also, if your password manager account gets hacked, the attacker will get access to all your passwords.
Although there are plenty of decent free password managers, most paid password managers come with handy features like cross-device syncing, a higher device limit, browser extensions, password sharing, dark web scanning, etc. Usually, password managers are quite affordable (under $5/month), so it’s worth it for most people.
Above, we describe how each type of password manager works. However, the main idea is that password managers act as an encrypted vault where you can store multiple passwords securely using a master password. If you need a password, you just log in to your account and look for it in your list of passwords.