How Do Password Managers Work? 3 Methods Explained

Do you have three or four passwords that you recycle across all of your websites? Uh oh, that’s asking for trouble. At the rate data breaches happen these days, there’s a decent chance someone already has your password.

Even if you haven’t yet been compromised, better safe than sorry. It’s time to use a password manager. Not only will this make your online accounts more secure, but it will make them easier to manage. The question is, which type should you use, and which are the most secure?

1. Offline Password Managers

KeePassXC password manager on Ubuntu Linux

A password manager app running on your PC has to save your passwords somewhere. One approach is to place that information in a single file on your computer. Since this file contains very sensitive data, any decent password manager will be sure to encrypt the file.

Encrypted data is not uncrackable, but cracking it is a difficult task for most people to undertake, and it takes a really long time. Most thieves won’t bother going through the effort. Even police departments and government agencies can find the task daunting. But with enough time and will, there’s a way.

So while your data isn’t impenetrable, it’s likely safe unless you do something to make yourself a target that’s worth the effort.

How do you get to your data? The simplest approach is a master password. Your password manager will ask you to create a password that’s needed to decrypt the file, which may be known as a vault or a database, that contains all of your other passwords.

You can make the vault harder to break into by requiring a key, which is a file that exists somewhere hidden on your computer or on a separate device such as a USB stick.
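The sketch below is an added example, not code from this article or from any of the password managers it lists. It shows one way a vault key can depend on both the master password and a key file, and how the manager can reject wrong credentials without storing either. The function names, the header layout and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor

def derive_vault_key(master_password, salt, key_file=None, iterations=ITERATIONS):
    """Stretch the master password; mix in the key file's hash when one is used."""
    secret = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        secret += hashlib.sha256(key_file).digest()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)

def _subkey(vault_key, label):
    # Separate keys for separate jobs: one checks the header, one encrypts entries.
    return hmac.new(vault_key, label, hashlib.sha256).digest()

def create_header(master_password, key_file=None, iterations=ITERATIONS):
    """Build the unencrypted vault header; it holds no password and no key."""
    salt = os.urandom(16)
    vault_key = derive_vault_key(master_password, salt, key_file, iterations)
    tag = hmac.new(_subkey(vault_key, b"header-mac"), salt, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations,
            "needs_key_file": key_file is not None, "tag": tag}

def unlock(header, master_password, key_file=None):
    """Return the entry-encryption key, or None if the credentials are wrong."""
    if header["needs_key_file"] != (key_file is not None):
        return None
    vault_key = derive_vault_key(master_password, header["salt"], key_file,
                                 header["iterations"])
    tag = hmac.new(_subkey(vault_key, b"header-mac"), header["salt"],
                   hashlib.sha256).digest()
    if not hmac.compare_digest(tag, header["tag"]):
        return None
    return _subkey(vault_key, b"entry-encryption")

if __name__ == "__main__":
    key_file = os.urandom(32)  # constructed stand-in for a key file on a USB stick
    header = create_header("correct horse battery staple", key_file)
    print(unlock(header, "correct horse battery staple", key_file) is not None)
    print(unlock(header, "correct horse battery staple"))  # key file missing
```

Because the salt, the iteration count and the key-file flag all feed the derivation, editing any of them in the header makes the check fail instead of weakening the vault.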

Pros:

  • Provide the most control and flexibility
  • Only you know where you store your data

Cons:

  • Can require more technical knowledge
  • Least suited for multiple devices

When you keep all your passwords in one place, you create what security professionals refer to as a single point of failure. If you store all of your cash in one vault, someone only needs to target one place to walk away with your entire fortune. If you store your passwords in more than one file, then that increases the amount of work it takes to access all of your data.

You can make the job even more frustrating by encrypting and storing each password in its own file. You can do so using the Pass password manager.

Offline password managers tend to be free to use. Some may have features that require an additional payment. Enpass is the only option below that does.

Download: KeePass (Free)

Download: Password Safe (Free)

Download: Enpass (Free, in-app transactions)

Download: Pass (Free)

2. Online Password Managers

Password managers have been around for a long time, but the way we get online has changed in the past decade. Many of us no longer have one primary computer that we always use for the internet. Now we have numerous devices. We’re as likely to sign into our bank account from a phone as from a laptop.

With multiple devices, a password manager can pose a challenge. If your passphrases are all stored on one computer and randomly generated, you can neither access them on another device nor remember them to type in manually. In some cases you can sync your passwords, but you may be out of luck if a compatible mobile app doesn’t exist.

Enter online password managers. These services store your credentials online, where you can access them from more than one device.

Internet-based password managers come with one big vulnerability. Your passwords to everything are now available online. If someone can get access to that data, they can impersonate you, take control of your accounts, and steal both your money and your identity. It’s about as bad as someone getting their hands on your house keys, your wallet, and your social security card.

Password Encryption

To reduce the risk, services encrypt the passwords on your device first before uploading the data online. But the services don’t all handle protecting that data the same way. Do they have the ability to reset your master password if you forget it? How do they handle security questions?

For convenience, it’s great for the site to be able to help you regain access to your data. But if the people working at the company are able to do so, that means options are available for an intruder to do so as well. These companies also often add extra features to entice users that can ultimately put your data at greater risk, such as automatically signing into sites.

Pros:

  • Simplest to use
  • Syncing is automatic
  • Supports the widest range of devices

Cons:

  • Your data is stored online
  • Some convenience features make you less secure
  • Many features cost money

Online password managers are the most commercial. While many are free to use, they usually reserve certain features for paid subscriptions. Some services require a subscription to use at all.

Download: LastPass (Free)

Download: Bitwarden (Free)

Download: Dashlane (Free)

Download: 1Password (Free trial, subscription required)

3. Stateless Password Managers

Even with encryption, using either of the above methods means creating a record of your passwords that didn’t previously exist. This isn’t the only risk you may take with a password manager, either. Such factors can make the idea of using a password manager particularly off-putting.

But there are password managers out there that don’t keep encrypted copies of your passwords lying around. Instead, they generate passwords based on simple, easy to remember variables. One common approach is to create a password using a combination of your master password and a website’s name.

Every time you enter this information, you get the same password.

Even if a hacker knows which program you use and the underlying algorithm, they still need your master password, the website name, and the length of the password in order to reproduce the generated password. On the other hand, if someone cracks one account and figures out your master password, it’s possible for them to work out all of your others without needing to crack into any sort of vault.
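The derivation described above, as an added example that is not part of the original article and is not the algorithm of PwdHash, SuperGenPass, LessPass or HashPass. The function name, the alphabet, the `counter` parameter and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import string

# Assumed output alphabet; a real tool lets you pick character classes per site.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

def generate_password(master_password, site, length=16, counter=1,
                      iterations=100_000):
    """Recompute the same site password from the same inputs; nothing is stored."""
    if not 8 <= length <= 32:
        raise ValueError("length must be between 8 and 32")
    # The site name, length and counter act as the salt, so changing any one
    # of them yields an unrelated password.
    salt = f"{site.strip().lower()}|{length}|{counter}".encode("utf-8")
    seed = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)
    # Treat the 256-bit seed as one big number and peel off a character at a time.
    n = int.from_bytes(seed, "big")
    chars = []
    for _ in range(length):
        n, index = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[index])
    return "".join(chars)

if __name__ == "__main__":
    master = "constructed master passphrase"
    print(generate_password(master, "example.com"))
    print(generate_password(master, "example.com"))             # same as the first
    print(generate_password(master, "example.org"))             # different site
    print(generate_password(master, "example.com", counter=2))  # changed password
```

The counter gives a way to change one site's password, but it is a value you have to remember or write down, which is the second con listed below. The slow key-derivation step is what makes guessing the master password from a single leaked site password expensive.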

Pros:

  • No password vault to protect
  • No need to sync data

Cons:

  • No way to note websites with unusual password requirements
  • No easy way to handle websites whose passwords you’ve had to change

Stateless password managers tend to be open source projects that you can download for free. No subscriptions are required.

Download: PwdHash (Free)

Download: SuperGenPass (Free)

Download: LessPass (Free)

Download: HashPass (Free)

Which Password Manager System Is Best?

A password manager that only exists on your desktop is great, but if you take shortcuts to login from your phone or at the library, you may be poking holes in your own security. An online password manager may be more convenient and intuitive, but you still have to trust your passwords in someone else’s hands. What do you do?

There’s no such thing as perfect security. If you’re working under the most secretive of conditions, maybe you should save separate password vaults, all secured by key files on different USB sticks. Sound like too much hassle? Even if your technical experience ends at knowing how to use email and social media, you can figure out LastPass or 1Password.

Any one of these options is more secure than reusing the same few passwords. Once you start using a password manager, you’re already fighting back against cybercriminals. Now take the next step and learn how to protect yourself from data breaches.


  1. bluzdogs
    July 14, 2019 at 11:15 pm

    Thanks for the helpful info! I've been using LastPass "premium" for about 3 years now. At $12 a year it's kind of a no-brainer.

    Up until recently I've been extremely satisfied with the service. I've recommended it to all of my customers. But in the last few months I've started to encounter sync issues with LastPass.

    Especially with certain accounts like Microsoft. I've mistakenly changed the password on one device only to find that my other devices don't pick up the change until I restart each device. Annoying.

    It took me a while to trust the app. Part of the reason is that I used another manager (the name escapes me now). After I'd gotten comfortable using it, the company was bought out by Intel. Needless to say, the transition failed miserably and all my passwords were lost. "Whoops! We're so sorry." WTH?

    The other part is that, with a few vital exceptions, I've gotten lazy and let LastPass generate all my passwords so I'm screwed if they go under.

    Still, I feel much more secure with a password manager than without one.

  2. Tim
    May 26, 2019 at 6:30 am

    I prefer a hybrid implementation. Take an "offline" password manager like KeePass and choose to save your database in a consumer cloud like Dropbox or Google Drive. Throw in a locally stored key file and the password database is both highly available and well protected.

  3. dragonmouth
    May 24, 2019 at 2:59 pm

    Another "con" for online password managers is that if, for some reason, you lose access to online storage, you lose the ability to access any site that requires a password.

  4. ReadandShare
    May 24, 2019 at 9:52 am

    The two "cons" listed under 'stateless passwords' managers seem like show stoppers to me? Given that password managers can generate/memorize the most random and complicated of passwords effortlessly, what is 'stateless' bringing to the table? What's the big plus about sticking with a rigid ("one trick") formula that requires all your passwords to be created using your master password and the particular website names?

    • ReadandShare
      May 24, 2019 at 9:55 am

      Also, with the rigid master password and website name combination, what will you do when a website notifies you that it's been breached and you need to change your password? Select a slightly different website name and memorize that as an exception to the rule? A couple more website breaches and then you will be finding yourself memorizing a multitude of different exceptions!?!