
How Password Managers Keep Your Passwords Safe

Michael McConnell 06-04-2016

It goes without saying that everyone needs to use stronger passwords, and the best way to do that is with a password manager. The truth is, passwords that are hard to hack are just as hard to remember, yet even so, you really do need long and complex passwords.


That’s where password managers come in handy. There are all kinds of password managers out there, including some as basic as your browser’s rudimentary list of saved passwords and some as elaborate as entire cloud systems that work across multiple devices and platforms.

All of these models have some basics in common: they store your passwords, they auto-fill details on login forms, and they keep your passwords encrypted in databases. The differences are where those databases are kept, the types of encryption and recovery options available.

Weaponized Math: Encrypted Passwords

Your browser can save passwords, but that often isn’t very secure. One of the main appeals of a password manager is that it saves all of your passwords behind one password in a single database.

Of course, putting all your plain text passwords in one place isn’t much of a security measure in and of itself. Instead, your passwords must be encrypted. But since the amount of control over password databases can vary, you’ll want to figure out which model works best for you.



When boiled down, encryption is the use of math to disguise your data. The key used to transform the plaintext is randomly generated, and the strength of the encryption is based on the size of this key in bits. In layman’s terms: the more bits, the more security. This is because the more complex the key, the more complex the resulting output is.

Depending on the algorithm, that substitution is repeated. In certain cases, the key is transformed to further obscure the output. This process creates what’s called a hash, which often has added salt—additional randomization added to the hashing process. This ensures the original value is completely obscured without the correct starting input, key, and salt.

There are additional factors like block size, initialization vectors, and other more advanced concepts. If you’re interested in the gory details, check out our detailed breakdown of encryption.

Local Safes: Keeping Control

The best way to keep a secret is to never tell anyone. If you don’t want your passwords anywhere other than on your hard drive, a local password manager is your best option. This keeps your data on a device that you physically control, leaving your security directly in your own hands.


One of the more popular password managers is KeePass, an open source Windows solution with ports on Mac and Linux. It offers a lot of flexibility and control, including the ability to select between multiple encryption algorithms.

And if you’re looking for a complete escape from passwords, you can even use key files to unlock your passwords. (You put key files on a USB drive or other portable storage, then use the physical device as a key to authenticate with the machine.)


The downside to KeePass is the same as its strength: you control the keys to the kingdom, so if you lose your key files or master password, you’re out of luck. In such a case, your only option would be to start over from scratch and set up every password again.


Your file is also limited to where you save it, so you’re responsible for any backups you want to maintain. If you want mobile sync, you’re going to need to do it manually (or with a separate syncing service like Dropbox) and use a compatible reader on your tablet/phone. And if something goes wrong, you’re on your own.

Local managers give you a lot of security and control, but you lose a rescue plan and out-of-the-box portability.

Syncing Systems: Multiple Devices

If you’re juggling multiple devices with many passwords, keeping a master file locked on a PC somewhere is not the best solution — especially if you’re trying to log into Amazon on your phone or check your bank balance on your tablet. Don’t weaken the password just to make it more memorable!

That’s where hybrid approaches like 1Password come in. 1Password uses Dropbox or your local network to automatically sync your passwords between devices. This gives you the ability to keep everything working across devices, but you are still the only one with the key to your data.


But you lose some of the crunchier options, such as multiple encryption algorithms and key file logins.


This fixes a lot of the downsides of the local-only option, as you can keep your phone, tablet, and computer all in sync. You’ll also need to trust Dropbox as a cloud host, though 1Password does add an extra layer of security on top with its own strong encryption, so you can put those security worries to rest.

If you’re really worried about interceptors and other vectors of attack, you can just use your local network to synchronize your passwords across devices. You won’t have any hope of recovering a lost master password if you choose this route, but it does ensure that 1Password won’t have access either.

Cloud Services: Any Device, Anywhere

Keeping all of your passwords in the cloud requires a certain amount of trust in a company to do things the right way. Then again, some users couldn’t care less about that. Even after a big hacking incident, a lot of people still use LastPass. Go figure.

LastPass keeps an encrypted copy of your password database in the cloud, making it available on almost every platform and browser imaginable. You will need a premium membership for several of their features, but the basics are there for free.


Your devices do all of the encryption and decryption, ensuring that your master password is not on LastPass’s servers. If you don’t have access to the Web, a copy is cached locally so you can still unlock. There is an additional layer of protection in two-step verification as well.
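The device-side model described above, together with the salt-and-hash step from the encryption section, as an added sketch that is not part of the original article or any product's code: the device stretches the master password with a random salt into a vault key, encrypts locally, and uploads only the salt, a login verifier and the ciphertext. The function names, the iteration count and the HMAC-based keystream (a standard-library stand-in for a real cipher such as AES) are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Added sketch: names, ITERATIONS and the HMAC keystream are illustrative assumptions.
ITERATIONS = 100_000

def derive_keys(master_password: str, salt: bytes):
    """Stretch password + salt into a vault key, plus a separate login verifier."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    # One more one-way step: the verifier shows the server that the user knows
    # the password, but it cannot be turned back into the vault key.
    verifier = hashlib.pbkdf2_hmac("sha256", vault_key, b"login-verifier", 1)
    return vault_key, verifier

def _subkey(vault_key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and for the integrity tag.
    return hmac.new(vault_key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the device (stand-in for an authenticated cipher)."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(vault_key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))

def client_upload(master_password: str, vault: bytes) -> dict:
    """Everything the server stores: salt, verifier, ciphertext. No password, no key."""
    salt = os.urandom(16)
    vault_key, verifier = derive_keys(master_password, salt)
    return {"salt": salt, "verifier": verifier, "vault": seal(vault_key, vault)}

def client_unlock(master_password: str, record: dict) -> bytes:
    vault_key, _ = derive_keys(master_password, record["salt"])
    return unseal(vault_key, record["vault"])

if __name__ == "__main__":
    sample = b'{"example.com": "constructed-sample-password"}'  # constructed sample
    record = client_upload("correct horse battery staple", sample)
    print(client_unlock("correct horse battery staple", record) == sample)  # True
```

Because the salt is random per vault, the same master password yields a different key for every user, and a wrong guess fails the integrity check instead of producing garbage.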

You have to trust their security is as robust as promised, as LastPass makes for an obvious target for hackers. However, with a good master password and two-step verification enabled, you should be confident about the security of your password safe. And if you ever forget your password, you can recover your safe.

Literally the Least You Can Do

If you’re a Mac and/or iOS user, you already have access to a password manager built into your operating system: iCloud Keychain. This is an extension of the OS X keychain that uses iCloud to keep all of your passwords synced across devices.

Windows has a similar feature called Credential Manager, but it does not have the same cross-device syncing.


This is pretty comparable in terms of security to LastPass, but it’s limited to Apple devices. Unless you run exclusively on Apple products, you’re going to be missing your passwords on some of your other devices, which can be a huge nuisance.

Yet even if you’re a big Apple fan, you still may not want to lock yourself into the platform because you never know what kind of other devices you may get in the future.

You Really Need a Password Manager

Unless you have an iron-clad memory, using different passwords across all of your accounts is going to prove difficult. Doing so with hard-to-crack passwords? Near impossible. Getting a password manager ensures that you can keep all of your accounts safe and secure using a single master password.

Find the model that works best for you and find the product that works best for your devices. Almost every manager has a free trial or free tier that you can try out. Once you’ve made your choice, go through all of your online accounts and update the passwords to be more complex. That’s really all there is to it.

If we overlooked your favorite password manager, let us know what it is and why it’s your favorite in the comments.

Image Credit: Bank Vault Door by KEG via Shutterstock, Ljupco Smokovski via Shutterstock, R. Mackay Photography, LLC via Shutterstock, higyou via Shutterstock, Plus69 via Shutterstock, Stephane Bidouze via Shutterstock


  1. Anon
    October 4, 2017 at 1:19 am

    Slim pickings for desktops. It looks like Authy may be my only choice, but not until they lose their dependence on Google, which it looks like they are working on. You'd think if it was so important, it would be available on more platforms.

  2. Linda Rust
    December 3, 2016 at 2:09 pm

    Password Safe, designed by Bruce Schneier. It's available on Windows, Android and iOS. It can be synced via several cloud services (I've used Dropbox successfully for years). It's free, though on iOS there's a $1 upgrade for Dropbox syncing and another $1 or $2 for Touch ID to work in opening the password safe (a VERY nice feature). It's rarely mentioned in password manager roundup articles and I can't for the life of me understand that given its pedigree.

    • Michael McConnell
      December 7, 2016 at 4:36 am

      I've used that one in the past on Windows, it's not too bad. Never tried it on a phone though. I like the way that people are using Dropbox to create low tech cloud syncing, it's a clever idea.

  3. Anonymous
    April 9, 2016 at 11:56 pm

    I hope there is a new better method for security in future.

    • Michael McConnell
      April 10, 2016 at 1:27 am

      Passwords do seem to be the best, worst solution.

  4. Anonymous
    April 8, 2016 at 6:07 pm

    First, before I launch into my soliloquy, I've just discovered your blogs, this site and wow, thanks to all of you! What a find! I'm a PC user, stop laughing. I am also a long time Norton/Symantec user, yeah, I know... it's like a bad drug: highly addictive, once you've tried it a few times, whether you like it or not, you're hooked, provided you can afford it you're hooked for a lifetime. Which brings me to security and password protection programs. I've used NIS, which now includes IdentitySafe. How do you find it as a password protection program? One PW to access 100's of logins which also provide the capability to enter additional, pertinent info for each associated site, all info saved in one place. I've set it up so that website info is *not* automatically logged in nor are forms auto-completed on my behalf. I use it to remember logins and PWs but I enter everything manually. Yes, it's laborious but it's worth it to me, especially when I'm accessing credit card banking sites. I make two exceptions: I do not save Online Banking info in IDS nor do I save Brokerage site info anywhere except inside my pea-brain. I do have it backed up but not to any drives. It's encrypted into my boy, Snoop Dogg's, microchip. Not really but almost as secure. Admittedly, I've become a little lazy lately by allowing Chrome to "Save this login info?" but I purge regularly regardless that those saved-site logins are not security risks & truthfully, an 8 year old could crack, anyway. In the past I've used Tor and other Onion, VPNs etc. for "alternative" shopping excursions until DPR's SR was shut down. Since then, I don't see a need for VPN nor Onion protection now that I only shop for normal stuff like cleaning supplies & pet food. Cloud protection? Forgetabouit, it's never felt secure to me and it's since been proven that I'm not paranoid. I have enough trouble with my own brain cells struggling for survival in the clouds, I don't need to deal with Cyber-Clouds, too.

    The government cannot protect itself, we certainly cannot protect ourselves from the government, so how can we possibly be protected from any of the other unscrupulous organizations out there in The Cloud which are growing exponentially & by the minute as I type this?

    • Michael McConnell
      April 9, 2016 at 4:36 am

      That's why I went through the different types of managers, and their models. You'll have to find what you're comfortable with in terms of risk. There is a trade off to be made for sure, and you shouldn't use these for your work passwords unless your employer uses an enterprise version.

  5. Anonymous
    April 8, 2016 at 3:56 am

    Yeah, Right !

    No Such Services Were Ever Hacked.

    I Can Grab A Pen And A Piece Of Paper And Quickly Create And Remember Complex Individual Passwords For Every Site Or Situation.

    Trusting All Your Life Keys To A Third Party Software Or Service.

    What Could Possibly Go Wrong ?

    • Jean-Francois Messier
      April 8, 2016 at 2:12 pm

      I agree, writing on a paper, and memorizing passwords is the best way. However, the human nature will have a tendency to use the same password everywhere, and a complex random sequence of letters and digits (let alone the upper/lowercase) is not something that everyone can remember. This is why I think that a strong authentication (with 2FA) on a service or a secured device is a good compromise.

  6. Aditya
    April 7, 2016 at 3:23 pm

    Enpass anyone? It's similar to KeePass except that they have an Android app as well

    • Michael McConnell
      April 7, 2016 at 6:10 pm

      It looks pretty similar to LastPass. Is sync done via their servers or device to device?

      • Aditya
        April 8, 2016 at 4:09 am

        Via cloud storage service of your choice. Although they also have an option to sync via your own server.

  7. Anonymous
    April 7, 2016 at 2:30 am

    If you forget your master password with LastPass you cannot get back in. This is as it should be. You should never trust a password manager that can unlock your password safe without the original password; if they can, it means there's a back door that they, or a hacker, can use to access your stuff.

    • Michael McConnell
      April 7, 2016 at 2:58 am

      They do have an account recovery process, though it does require knowing your *last* master password. You lose all access to changes made since you last changed your master password.

  8. Hildy J
    April 6, 2016 at 8:05 pm

    KeePass automatically syncs if you store the password file on Dropbox, just like 1Password. Also, in this world of bankruptcies and buyouts, KeePass has been around since 2003.

    And before you jump on a cloud service, consider that if they can reset your password then hackers (governmental or private) can theoretically do the same and, in the case of US agencies, can force the cloud service to unlock your passwords without telling you.

    All in all, if you want a more secure solution than your browser, you want an encryption service that fails without recourse if you forget the master password. That's why I've used KeePass on many devices and many operating systems for many years.

    • Michael McConnell
      April 6, 2016 at 10:37 pm

      KeePass is really powerful and secure. It's definitely in the trust no one style of security.

  9. Nancy Kreider
    April 6, 2016 at 7:21 pm

    The password manager that I have been using for years is iAccounts but it got old and no updates so I went looking around and found the best password manager, it is called Tiny Password. It is having syncing problems between the iOS devices and the computer but they are working on it. The customer service is awesome, they get back to you right away. I love the way the program is set up. It will sync (backup & restore) to Dropbox or via Wifi.

    • Michael McConnell
      April 6, 2016 at 10:35 pm

      I haven't heard of that one, I'll have to check it out.

  10. Anonymous
    April 6, 2016 at 5:49 pm

    The shortcoming of any password manager comes down to the master password. To make a password manager effective, one needs a strong password. Unfortunately, by definition, strong passwords are almost impossible to remember. Since you cannot commit the master password to memory, you must do what is anathema in security, commit the master password to paper. If you follow good security protocol and change your master password regularly, you multiply your problems of remembering it and not misplacing it.

  11. Jean-Francois Messier
    April 6, 2016 at 5:26 pm

    LastPass with 2FA.

    I've been using LastPass for a while, and I also have a second-factor authentication. In my case, I use Google Authenticator for it. It gives me everything I need, including storing secure notes that may contain sensitive info, other than the formats currently known. I find that the price is right for the feature of keeping the passwords in sync, and the option to share some passwords. In order to facilitate the use of 2FA on multiple devices, I keep in a safe a copy of the QR codes scanned by Google Authenticator, so I can have multiple devices with the one-time password. Useful, since I re-install my Android devices on a regular basis.

    • Michael McConnell
      April 6, 2016 at 5:33 pm

      That is a great choice, the two factor is what makes me comfortable using a cloud service.