Oct 21, 2021 | English

How do Password Managers function?

Peri Elgrot

Password Manager Editor

Most individuals despise creating passwords, let alone registering accounts. It’s possible that’s why they utilize them several times while creating accounts. Despite the fact that it solves the problem at hand – registration – it leaves a security breach in your system that could one day blow up in your face.

However, it is 2021, and there are alternatives. Password managers could be one of them. You may use them to construct and store complex passwords. Here’s how password managers operate and how you can use them to increase your online security.

 

Img for How do Password Managers function?

What is a Password Manager?

A password manager is a piece of software that allows you to generate and store all of your passwords in one place. Most of them also allow you to save credit card information and secure notes. For added protection and convenience, password managers allow you to use biometric data (fingerprint or face) instead of your master password. You can also send specific information to family and friends without having to copy and paste it into an email or instant message.
When you use a password manager, you only have to remember one master password instead of all the login credentials you use for each site. You’ll be able to simply connect to all of your accounts owing to the autosave and auto-fill capabilities.

What is the Role of Password Managers in securing your Accounts?

Password managers can be classified in a variety of ways. This time, though, we’d like to introduce three technologies and explain how they function. We should also mention that some services provide different options for storing your data. The majority of them will demand that you employ a master password to secure your vault.

The three types of password managers are as follows:

  • Offline or locally installed password managers
  • Password management services that are web-based or available online
  • Password managers that are stateless or token-based

Let’s take a closer look at each of them:

1. Offline or Locally installed Password Managers

Locally installed password managers, often known as offline password managers, keep your data on your device, as the name implies. Depending on your preferences, it could be a computer or a smartphone. Your passwords will be stored in an encrypted file separate from the password manager. Some managers also allow you to save each password in its own file, which considerably improves overall security.

To access your offline vault, you’ll need a master password, like always. If it’s a good one, the chances of the government or some hackers breaking into your local database are slim. This is due to the fact that brute-forcing military-grade encryption takes a long time. Furthermore, if you leave that gadget offline with all of your credentials, you won’t be able to access it without seizing it.

Offline password managers, by definition, have some flaws. For starters, using them across numerous devices may be difficult. There is just one location, and all other devices must somehow sync with the vaulted device. It usually entails putting your device, which has a password manager installed locally, online so that it may be accessed by third parties. Finally, if your offline password management device fails and you don’t have a backup, be prepared for some tedious manual labor.

Your credentials are kept locally if you use an offline or locally installed password manager. It’s the device you’ve picked for your vault, to be more specific. However, it is possible to synchronize passwords across numerous devices, which requires that all of them be connected to the internet. If you want even more security, you can save your passwords on different files, requiring a unique key for each.

Pros of Offline/Local Password Managers

• Minimizes risk of password breaching and overlooking access of private information
• The service provided is usually free of charge

Cons of Offline/Local Password Managers

• The vault can only be accessed on a single device
• You lose your vault if you also lose your device.

2. Online or Web-based Password Manager

By far, the most popular type, web-based password managers, store your passwords on a cloud, which is usually the provider’s server. You can access your passwords from anywhere at any time with this configuration, and you don’t even need to install the online password manager program. If you can’t access your vault through a web application, you can use a browser extension or a mobile app instead.

But how can one tell if the provider has access to their passwords? Zero-knowledge technology is used by all credible online password managers. It implies that before sending your data to the server, they encrypt it on your device. It also means that third-party access attempts to your vault are possible 24 hours a day, seven days a week.

Furthermore, all security measures are useless if your device is infected with keylogger malware and you aren’t using two-factor authentication.

Finally, a web-based password manager will cost you money. There are some excellent free versions available, but key features, like as device limitations and black web scanning, will always be paid. However, most premium online password managers will not break the bank, especially if you sign up for a long period of time.

Most likely, you choose an online (or web-based) password manager. Your credentials are saved online in this instance! Your vault is stored on the provider’s server and is accessible from anywhere at any time as long as you know the master password. Most of the time, a browser extension will suffice instead of installing the password management program. You may be able to access the vault using a web application on the provider’s website.

Pros of Online/Web-based Password Managers

• Syncing across all devices is possible
• It provides a subscription plan for more features

Cons of Online/Web-based Password Managers

• For authentication, you will need an internet connection
• Your account information and credentials are stored in an unknown vault or location

3. Token-based/Stateless Password Managers

Token-based or stateless password managers are at the bottom of the list. A local piece of hardware, such as a flash USB device, has a key to unlock your specific account in this circumstance. There is no such thing as a password vault because the password manager creates new ones each time you log in. We recommend utilizing both the token and your master password for further security. You’ll be able to use two-factor authentication this way.

Because there is no database, stateless password managers don’t require synchronization between your devices. In other ways, this is also safer because a hacker won’t be able to access all of your passwords. Although this is the case, one can hack token-based passwords if she or he knows the master password and one account.

These are usually free and open-source, unlike online password managers. As a result, they are not particularly recommended for novice users, as the only support they will receive will be through forums and knowledge bases. To generate tokens, you will need a smart card reader or a USB stick.

If you’re using a token-based password manager (also known as a stateless password manager), your passwords aren’t saved anywhere! How is that possible? As the name implies, there is no password vault; instead, every time you access a certain account, a token is generated. An external device, such as a USB stick, can be used to generate a token.

Pros of using a Token-based/Stateless Password Manager

• Credentials can be stored in a Separate device

Cons of using a Token-based/Stateless Password Manager

• You lose access when you lose your device
• Token-based Password managers requires proprietary hardware of software most of the time

How do password managers do encryption for credentials?

 

256-bit AES encryption is a military-grade level cipher for encrypting and decrypting data so that only authorized parties may see it. It was accepted by the National Security Agency (NSA) and major organizations in 2005, and it quickly became a standard for Virtual Private Networks, firewalls, and password managers.

The encryption is AES, whereas the key is 256 bits. Random strings of zeros and ones make up encryption keys. It means that there are a total of 2256 possible possibilities in this scenario. The more options you have, the more difficult it is to find the right one via trial and error.

The symmetric or private key encryption algorithm AES 256-bit is one of the most widely used. Because the key is needed to encrypt and decode data, it must be known by both parties. Asymmetric or public-key encryption, on the other hand, employs a public key for encryption and a private key for decryption. As a result, your device’s private key doesn’t have to leave it, boosting security.

However, there is already a better encryption option than AES 256-bit, known as XChaCha2. Among all premium password managers, only NordPass has integrated this next-generation cryptography. Argon2 is used to generate keys, and XChaCha2 encrypts your password vault.
Password Manager Setup

The solution is contingent on the type of password manager you intend to use. If it’s token-based, you’ll need to first decide what kind of device you’ll use to generate keys. If you’ve decided to use an offline password manager, you’ll need to pick a primary device to store your database.

7-step Password Manager Setup

We’ll utilize web-based password managers as an example because they’re the most user-friendly. The following are the essential steps in creating a password manager:

1. Choose which devices your password manager will be used on.

Is it going to be your phone, or someone else’s? Is there anyone else who knows your access code if that’s the case? What about gadgets that are shared in the home, such as tablets and smart TVs? Will you be using your password manager at work? These are some of the most crucial questions to consider when constructing your vault.

2. Install the password manager of your choice.

There are numerous free and paid options available, but we advocate only using the finest password managers. You should see what features are offered for free (if any) and whether the benefits outweigh the cost. After that, double-check that it works with your operating system and browser. If you want to import your existing vault, make sure it’s possible first. Finally, spending a little extra for round-the-clock customer service typically pays off.

3. Make a master password that is both secure and unique.

Even if your password manager supports master password recovery, you should choose a password that is both memorable and difficult to guess. It could be a good idea to utilize a pass comprising 4-5 randomly picked words to meet the last condition. Finally, while it may seem strange, try sharing your master password with the person you most trust.

4. Two-factor authentication should be enabled (2FA).

Adding two-factor authentication to the mix can significantly increase your password security. While the second factor can be “something you have,” which is most likely your smartphone, we propose leveraging biometrics and choosing “something you are.” It might be a fingerprint or a face scan, depending on your device. Furthermore, you can utilize 2FA instead of a master password, which increases touchscreen device use greatly.

5. Begin by inputting your passwords.

Before you feel comfortable with your new password manager, and while you’re still having trouble remembering your master password, you might want to start with less essential passwords. It’s a good idea to make a strong password for the email address you’ll use to reset the master password. Otherwise, after hacking into your mailbox, a hacker can quickly gain access to your database.

6. Consider providing more information.

Most password managers allow you to keep not only logins but also credit card information and encrypted notes. If you do a lot of online shopping, having payment information saved in autofill might save you a lot of time. And there’s probably no better place to preserve the secrets you only want to tell your closest pals about.

7. Share your usernames and passwords.

Someone will ask for your Netflix account sooner or later. Because copying and pasting the username and password isn’t a good idea, your password manager lets you share logins with others (or at least some do). Some systems even let you create folders for the least-sensitive and frequently-shared passwords.

Are password managers compatible with numerous devices and mobile apps?

Not all password managers, especially those for smartphones, can be used on numerous devices. The idea behind a stateless password manager is that only one device may generate passwords for your accounts. Furthermore, there is no such thing as a password vault to look into.

Password managers that are installed locally are similarly unsuitable for use across many devices. This is because your database is saved on a single computer or smartphone, and while synchronizing between all devices is possible, it is inconvenient. Of course, if you want to use multi-factor authentication, you’ll need two devices that are compatible.

Comapre All