What is a password manager?
A password manager is a technology tool that helps internet users create, save, manage and use passwords across different online services.
Many online services require a username and password to create an account and gain access to a specific service. Over time, users face a recurring choice: create unique passwords for each site, a challenge to remember, or reuse a single password repeatedly, a challenge to secure.
If a site is breached, exposing usernames and passwords, attackers try those passwords on other sites. These credential stuffing attacks — the use of stolen credentials — accounted for nearly half of the cyber attacks in 2022, according to Verizon’s yearly “Data Breach Investigations Report.” Of course, sometimes, users simply forget a password, and the password reset cycle takes time, diminishing a user’s overall experience.
A password manager is an attempt to improve password usability and security, enabling users to create unique, complex passwords for every online account without needing to remember them. All information is securely stored in a password vault and accessible via the password manager.
Password managers also help users manage accounts for online services and include the site or service name, web address, user account name and password. This makes a password manager crucial, even essential, to users dependent on a variety of services requiring usernames and passwords.
How does a password manager work?
The first time a user visits a site that requires a username and password while using a password manager, various outcomes can occur.
If the user has not previously created a username and password for the site, the password manager can help create a highly randomized and unique password. When the user puts the cursor in the input field for the password, the password manager prompts the user to create a new, strong password. Once the username and new password have been entered, the password manager typically prompts the user to save the information. The username and password are then securely stored in the password manager. The next time the user visits the same site, the password manager opens a prompt window, typically above where the user input is required, asking if the user wants to input the previously saved information.
On the other hand, when the user already has a username and password but visits a site for the first time with a password manager installed, it prompts the user to save account information for future visits.
How does a password manager detect if a password is needed?
Websites generally use a standard Hypertext Markup Language (HTML) form for the username and password fields. Password manager technologies detect that username and password fields are present. The password manager also identifies the web address visited, matching it against its list of saved credentials and determining whether a saved credential can be filled in or whether a new password is needed.
Browser developers and third-party password managers have different mechanisms for detecting username and password fields. Google has published a set of best practices to help developers build reliably detected username and password forms. Third-party password manager tools, including both 1Password and LastPass, have also published information to help developers build compatible forms.
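The two decisions described above (is there a login form on this page, and is a credential saved for exactly this site?) modelled in plain Node.js, as an added example that is not code from the article or from any password manager. Form inputs are represented as plain objects, the way an extension would collect them from the DOM, and the vault entries and page URLs are constructed placeholders.

```javascript
// Classify a form's inputs into username/password fields. The autocomplete
// hints ("username", "current-password", "new-password") are the signals the
// published form best practices ask developers to set; the fallback heuristic
// is: password = type="password", username = closest preceding text/email input.
function detectLoginFields(inputs) {
  const pw = inputs.findIndex(i => i.type === 'password');
  if (pw === -1) return null;                         // no credential form here
  let user = inputs.findIndex(i => i.autocomplete === 'username');
  if (user === -1) {
    for (let k = pw - 1; k >= 0; k--) {
      if (['text', 'email'].includes(inputs[k].type)) { user = k; break; }
    }
  }
  return {
    username: user === -1 ? null : inputs[user].name,
    password: inputs[pw].name,
    wantsNewPassword: inputs[pw].autocomplete === 'new-password',
  };
}

// Look up a saved credential by exact origin (scheme + host + port). Matching
// the whole origin, rather than "does the hostname contain example.com", is
// what keeps a saved login from being offered on a look-alike domain or on a
// plain-http copy of the site.
function matchCredential(vault, pageUrl) {
  const origin = new URL(pageUrl).origin;
  return vault.find(c => new URL(c.url).origin === origin) || null;
}

// Decide what to prompt the user with: fill, save a new credential, or nothing.
function decideAction(vault, pageUrl, inputs) {
  const fields = detectLoginFields(inputs);
  if (!fields) return { action: 'none' };
  const cred = matchCredential(vault, pageUrl);
  if (fields.wantsNewPassword || !cred) return { action: 'offer-save', fields };
  return { action: 'offer-fill', fields, username: cred.username };
}

// Constructed sample vault and login form (placeholder values, not real accounts).
const sampleVault = [
  { url: 'https://accounts.example.com/login', username: 'alice', password: 'vault-placeholder' },
];
const loginForm = [
  { type: 'email', name: 'email', autocomplete: 'username' },
  { type: 'password', name: 'pwd', autocomplete: 'current-password' },
];
```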
How does a password manager secure access to passwords?
Password managers themselves need to be secured as well, typically with a master password used to unlock the password manager. Additionally, the best password managers use multifactor authentication (MFA) or two-factor authentication (2FA), such as a second factor or a biometric measure, like facial recognition. All username and password information in the password manager is typically secured with the Advanced Encryption Standard using a 256-bit key (AES-256).
Benefits of using a password manager
Password managers provide users with several benefits to accessing and using passwords on many devices, including the following:
- Convenience. With all the username and password combinations that internet users require, a password manager makes it significantly easier and faster to create, manage and use passwords.
- Autofill. A core capability of a password manager is the ability to autofill user credentials when it detects a login form for which it has a saved username and password.
- Minimization of password reuse. With the integrated capability to help users create new, unique passwords for every site they use, a password manager can help to minimize or eliminate password reuse.
- Stronger passwords. A password manager can create complex and strong passwords that are unique and more difficult for an attacker to crack.
- Increased security. Password managers encrypt user passwords and provide safe access. They can also alert users when credentials have been part of a data breach or phishing attempt.
- Password mobility. Many password managers enable synchronization of usernames and passwords across multiple devices, from desktop to mobile.
- Compliance with best practices. Having a password manager is considered a best practice for authentication and lifecycle management, according to the National Institute of Standards and Technology.
Challenges of using a password manager
Alongside the benefits of a password manager, there are vulnerabilities and user operation challenges that remain, including the following:
- Security concerns. With a password manager, users essentially create a single point of failure. If the password manager is hacked, all of a user’s passwords could be at risk. There have been multiple incidents in recent years where password manager services publicly reported security incidents. In addition, publicly disclosed research revealed multiple password managers have security vulnerabilities.
- Master password loss risk. With a password manager, all access to a user’s passwords is secured by a single master password. If that password is lost, a user could lose access to all their passwords — without an easy way to recover them.
- Interoperability. Not all websites conform to the best practices of all password managers. Some are incompatible with specific password manager technologies.
- Setup for existing sites. New users sometimes face a challenge in integrating existing username and password information into a recently deployed password manager.
- Compatibility with MFA or 2FA. A common best practice for many sites is to support MFA or 2FA. However, since password managers are not always directly connected with MFA or 2FA, users still must manage that aspect separately.
Types of password managers
Because the browser is the primary way most users access sites and services, the most well-known and easily accessible type of password manager is the browser-based approach. All major browser platforms, including Google Chrome, Apple Safari, Microsoft Edge and Mozilla Firefox, have long had some form of integrated password manager.
Originally, all browser-based password managers were also local password managers; they only ran and saved usernames and passwords on the local device. That’s no longer the case. Many browser vendors include synchronization capabilities that enable password management across multiple devices. For example, Apple Safari’s password manager is integrated with Apple iCloud Keychain, which enables secured credential sharing across devices.
Besides browser-based password managers, other password managers to choose from include the following.
Local password managers
As mentioned, the first password managers were local password managers. An application on a user’s device stores and manages user credentials on that specific device. Examples of local password managers are the open source Password Safe and KeePass applications.
Cloud-based password managers
These password managers enable users to retrieve passwords from any internet-connected device by storing them in the cloud. Among the vendors that provide cloud-based password managers are 1Password, Dashlane and LastPass.
Enterprise password managers
For managing passwords within a business, an enterprise password manager is built for the task. These password managers can also be integrated with role-based access control and corporate directory technology and often include privileged access management features as well. Vendors in this space include CyberArk and Delinea, formerly known as Thycotic.
Hardware password managers
Hardware password managers work in various ways. Some hardware devices, often deployed as USB keys, functionally hold a token that enables access to an account. Other hardware devices act solely as secure offline storage to manage passwords. Examples of hardware or token password managers are YubiKey and OnlyKey, as well as Google Titan Key.