Suppose you are browsing a web shop and you finally found that item that you want to purchase. You add it to the shopping cart, but another screen pops up, stating that you must create an account to continue. This is not uncommon, as there are many more online services that require you to create an account. You enter your email and come up with a new password, only to get an error that it is too short and missing a special character. Absentmindedly you add the requested characters until the error stops and you end up with a password that you won’t remember.

We all know that a password must not be easily guessable and not too short. Many online services help you with this by imposing constraints on the password that you wish to use, such as a minimum or maximum length, at least one special character, at least one number, etc. The aim is to increase the password entropy, a measure of how many possibilities an attacker would have to try: every additional bit of entropy doubles that number. A longer password drawn from more types of characters has a higher entropy than a short password of just lowercase letters.

A strong password must also be unique and not reused for multiple accounts. If your password for one account gets compromised, a hacker could access all of your other accounts where you used the same password. However, given the large number of online services that you need to use, it is impossible to remember all of these passwords. Some online services require you to change your password periodically, which makes this problem even worse.

A password manager solves this problem by securely storing all your passwords together with the service each one belongs to, or by generating them on the fly. In this article, we explore how password managers achieve this on a technical level. At the end, we compare commonly provided features of commercially available password managers, so that you can make an informed decision.

Password manager

How do password managers store all passwords?

The idea of a password manager is to store the passwords for all of your accounts, so it is important that this happens securely. The data is not stored in plaintext but is encrypted first. Encryption transforms the data, using a cipher key, into ciphertext that reveals nothing about the original to anyone who does not have the key. The same cipher key can be used to reverse the encryption operations and recover the data.

The most common (symmetric) encryption algorithm used by password managers is the Advanced Encryption Standard (AES). This algorithm takes the data in blocks of 128 bits and performs a sequence of reversible mathematical operations on each block, controlled by the cipher key. The output is a block of 128 bits of encrypted data that can only be turned back into the original using that cipher key. However, the data to be encrypted is rarely exactly 128 bits long. Longer data is divided into 128-bit blocks, and if the last block is not full, padding is used to fill it. How the blocks are chained together, and whether padding is needed at all, depends on the mode of operation in which AES is used. Modern password managers use an authenticated mode such as AES-GCM, or AES-CBC combined with an HMAC, which also adds an authentication tag so that a vault file that has been tampered with is rejected instead of silently decrypting to garbage.

The cipher key used in AES can differ in length. The official specification states that the key must be either 128, 192 or 256 bits (16, 24 or 32 bytes) long. The longer the key, the more effort it takes to guess it. If you do not know the key, you may need to try decrypting the data with every possible key. With a 128-bit key there are 2^128 possibilities, and trying all of them would already take trillions of years on the fastest supercomputer in the world. Every extra bit doubles the number of keys, so a 256-bit key has 2^128 times as many possibilities as a 128-bit key, not twice as many. Quantum computers could speed this search up: Grover's algorithm would bring the effort for a 128-bit key down to roughly that of a 64-bit key today, which is why a 256-bit key (still about 128 bits of effort against a quantum computer) is the conservative choice. For this reason, almost all password managers use AES-256, the variant with the longest cipher key. In the remainder of this article, we assume a cipher key of 256 bits.

Cipher key as a secret

The encrypted data stays secret only as long as the cipher key stays secret. This makes a cipher key similar to a password: you should never share it. However, there are crucial differences. A cipher key is simply 256 bits, and every one of the 2^256 bit patterns is a valid key. A password, on the other hand, is something a person types into a computer.

A computer works with bits and bytes, so every character you type is encoded into bits. Encodings such as ASCII and UTF-8 assign a meaning to every byte value, but many of those values are control codes (enter, backspace, delete) or are not printable at all. Of the 256 possible values of one byte, only about 95 are printable characters that you could actually use in a password. A 32-character password therefore covers only a small fraction of all 32-byte (256-bit) keys, and a password that a human can remember covers a far smaller fraction still, because it is drawn from words and patterns rather than from all printable characters. Using the typed password directly as the cipher key would waste most of the key space.

Instead of using a 32-character password directly, a cipher key is derived from the password. Most password managers use the Password-Based Key Derivation Function 2 (PBKDF2) algorithm for this. PBKDF2 is built on a cryptographic hash function (in practice HMAC-SHA256), which performs irreversible mathematical operations on its input: the resulting value, the hash, cannot be used to recover the input. In our case, the input is the master password together with a salt, a random value that is stored next to the encrypted data and does not need to be secret. The salt ensures that two users with the same password end up with different keys and that an attacker cannot reuse precomputed tables. The output of PBKDF2 is the cipher key for our encrypted data.

PBKDF2 is designed to repeat the hash operation many times, called iterations. The more iterations, the more computationally expensive it is to compute the resulting key. If you know the password, you pay for the iterations only once, when you unlock the vault. An attacker who is guessing the password has to pay that cost for every single guess, which is the point of the large iteration count. The OWASP Password Storage Cheat Sheet recommended at least 310,000 iterations for PBKDF2-HMAC-SHA256 when this article was written; it has since raised that figure to 600,000, and some password managers now offer memory-hard alternatives such as Argon2id, which are harder to speed up with GPUs.
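PBKDF2-HMAC-SHA256 written out in full, as an added example for this article (it is not the derivation code of any of the managers discussed, which use their own implementations of the same RFC 8018 construction). It shows where the salt and the iteration count enter, and the main function times a derivation at a few iteration counts so you can see what each guess would cost an attacker on your own machine. The master password and salt in main are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

// PBKDF2 implements PBKDF2-HMAC-SHA256 as specified in RFC 8018, section 5.2.
// For each 32-byte output block T_i it computes a chain of `iterations`
// HMAC values, U_1 = HMAC(P, S || i) and U_j = HMAC(P, U_{j-1}), and XORs
// them together. The work is therefore `iterations` HMAC calls per 32 bytes
// of key, paid once by the legitimate user and once per guess by an attacker.
// iterations must be at least 1.
func PBKDF2(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	var key []byte
	for block := uint32(1); len(key) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block) // INT(i), big-endian
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)              // U_1
		t := append([]byte(nil), u...) // T_i accumulates the XOR of all U_j
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j = HMAC(P, U_{j-1})
			for k := 0; k < hLen; k++ {
				t[k] ^= u[k]
			}
		}
		key = append(key, t...)
	}
	return key[:keyLen]
}

// MasterKey is the call a password manager makes when you unlock the vault:
// the master password, a per-user random salt stored next to the vault (it
// need not be secret) and the iteration count give a 32-byte AES-256 key.
func MasterKey(master string, salt []byte, iterations int) []byte {
	return PBKDF2([]byte(master), salt, iterations, 32)
}

// Cost measures one derivation, which is what each guess costs an attacker
// on the same hardware.
func Cost(master string, salt []byte, iterations int) time.Duration {
	start := time.Now()
	MasterKey(master, salt, iterations)
	return time.Since(start)
}

func main() {
	// Constructed salt; generate 16 or more random bytes per user in practice.
	salt := []byte("0123456789abcdef")
	master := "correct horse battery staple"
	for _, iters := range []int{1000, 310000, 600000} {
		key := MasterKey(master, salt, iters)
		fmt.Printf("%7d iterations: key %s... in %v\n",
			iters, hex.EncodeToString(key[:8]), Cost(master, salt, iters))
	}
	// Known-answer check: the widely published PBKDF2-HMAC-SHA256 vector for
	// P="password", S="salt", c=1, dkLen=32.
	fmt.Println(hex.EncodeToString(PBKDF2([]byte("password"), []byte("salt"), 1, 32)))
}
```

Multiplying the time printed for 600,000 iterations by the number of candidate passwords an attacker would try gives a feel for why a long, random master password matters more than the iteration count: the count buys a constant factor, the master password buys an exponent.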

To use a password manager, you need a master password. This master password is used to derive the key that encrypts the password data for all of your accounts. Since this master password is the key to all of your accounts, it must be a very strong password, that is, its entropy must be high. Most of the password managers discussed here also provide some guidance on how to choose your master password.

Existing Password Managers

A password manager securely stores all of your passwords in an encrypted file. Let's assume that this file is located only on your local computer. To access your passwords, you must decrypt the file on that computer. What if you do not have access to that computer, the computer gets stolen or the file is corrupted? Then you are locked out of all of your accounts.

Many different password managers exist. All of them store your passwords securely and require one master password as discussed, although the exact algorithms may differ. In addition, some password managers provide extra features, offered in different subscription models. Here, we discuss most of the additional features that password managers may provide, so that you can make an informed decision about which one to choose. Since there is a large number of password managers, we limit our discussion to the features of LastPass, KeePassXC, LessPass, BitWarden, Dashlane and 1Password. There are many more, and you are encouraged to look at other password managers as well.

The main advantage of using a password manager service rather than keeping the file yourself is that your passwords are backed up by default. With the exception of LessPass and KeePassXC (which keeps your database in a local file that you have to back up or synchronise yourself), the password managers discussed here require you to create an account. By logging in with your master password you have access to all of your passwords regardless of the device you log in from. If the device you normally use stops working, you can still reach your passwords from another one.

Access Limitations

The number of devices on which you can be logged in at the same time may depend on the service or plan you choose. For example, the free version of LastPass currently limits you to one device type: either computers (through a browser) or phones (through the app), but not both. The paid version does not have this limitation and allows you to access your passwords from anywhere.

Some password managers provide accounts for multiple users. This may be an attractive feature for companies, organisations or large friend groups: one account pays, and the entire group gets access to the password manager. Each user you add can create an account and use the features of the password manager. However, if you are looking for a personal password manager, such a plan may not be the best option for you. For example, Dashlane currently prices its Starter plan at $2 per user per month, but with a minimum of 10 seats (users). The minimum cost of that plan is therefore $20 per month, and you are paying for nine users you may not have. Be aware that plans like this exist, or the price may come as an unpleasant surprise.

Password Generators

Almost all password managers provide a built-in password generator that produces a random password meeting the constraints you specify, such as capital letters, numbers, special characters and password length. The generated passwords are hard to guess and hard to remember, but this is not a problem: the password manager ensures that you do not have to remember them, and a strong password makes your accounts more secure. What matters is that the generator draws its randomness from the operating system's cryptographic random number generator, so that the passwords really are unpredictable.

Password Sharing

Password sharing is a feature supported by many password managers. This may seem counterintuitive, as a password must remain secret. However, for some services you have a family account or another type of shared account that multiple people need to log in to. Within your password manager, you can share the password with someone by providing their email address. Once they log in to, or create an account with, the same password manager, they can access the shared password. Whenever the person who shared the password changes it, the others see the change as well.

There are two different types of sharing. One-to-one sharing lets you share a password with one other (trusted) person; one-to-many sharing makes it possible to share a password with multiple people. LastPass distinguishes between these two types, and only one-to-one sharing is available in the free plan. The other password managers discussed here make no such distinction.

Additional File Storage

As discussed before, a password manager keeps your passwords in an encrypted file. Some password managers use this same machinery to offer secure file storage as a feature: you can store notes, documents and other data within your password manager. That data is encrypted under the same key, so even if the password manager company gets hacked, no one can read it without your master password.

Not all password managers offer this feature. The ones that do, provide various options of storage sizes, depending on how much you are willing to pay. While this can be a nice feature, it should not be the reason to use a certain password manager. If the password manager you would like to use does not support this, you can always sign up for a secure online storage service and save the account credentials to your password manager.

Security Breach Alerts

Data breaches happen almost every day, and you may have an account on a website that suffers one. Some password managers can alert you when this happens. Often email addresses and passwords are among the leaked data, which can result in spam, or in attackers trying the leaked password on your other accounts. Cybersecurity companies keep track of data breaches and maintain databases of leaked credentials; your password manager checks your email addresses and passwords against such a database. Once it finds that your data has been compromised, it alerts you and you should take action, such as changing the password for that account.

Multifactor Authentication

The idea of multifactor authentication is that you use multiple factors to confirm your identity when signing in to a service. Three kinds of factor exist: "something you know", "something you have" and "something you are". A password that you enter before logging in is "something you know". An access card or an authenticator app on your phone is "something you have". Biometric data, such as a fingerprint or a face scan, is "something you are".

Multifactor authentication means that you must confirm your identity with at least two different factors. To get access to an account you may need both a password and a code generated by an authenticator app on your phone. Even if someone knows your password, they would still need your phone to get into your account.

A password manager is your key to everything, so you should protect it at all costs. Multifactor authentication makes it harder for others to gain access to your account. If you cannot set up multifactor authentication for your password manager, you should consider another one. For a local-only manager such as KeePassXC there is no account to protect; the equivalent there is to require a key file or a hardware token in addition to the master password.

Autofill Passwords and Sensitive Information

Some password managers provide a browser extension that can automatically fill in fields on websites. When you store a password in your password manager, you can also store the website on which the password is used. The extension fills in the username and password fields for you, so that you only need to press the login button.

The passwords that a password manager generates are hard to remember, which makes this a convenient feature. The convenience does come with a risk: if someone gains access to your unlocked computer, the passwords may be filled in automatically on every website you have an account on. Multifactor authentication on those accounts limits the damage. On the other hand, autofill also has a security benefit: the extension only fills credentials on the domain they were saved for, so it will not hand your password to a lookalike phishing site that a person might well have typed it into.

If you do want to use the autofill feature, make sure that you must enter your master password each time it is used, or that you must manually confirm each login. This makes it less convenient, but keeping your accounts safe is not about convenience. As general advice, do not leave your computer unlocked when unattended!

Support

It is worth knowing that if you run into any problems with your password manager, you can contact support. Some password managers offer 24/7 support, others only during office hours. Whether you can receive support may depend on your plan, as paying customers are usually given priority over free accounts.

Support can be offered through live chat, email or phone. Not all password managers provide all options. If your personal preference is to solve issues over the phone, make sure to choose a password manager that provides that type of support.

Reputation

The reputation of a password manager can play a significant role in your decision to choose one over another. That reputation is shaped by the features it offers, the algorithms it uses to encrypt its data, the support it provides, but also by past data breaches. Password managers are a prime target for hackers, because whoever obtains the stored data could gain access to every single account of every user. This is exactly why the vault is encrypted with a key derived from the master password: a stolen vault is only useful to an attacker if the master password can be guessed.

A data breach is a serious issue, but it cannot always be prevented. Whether a password manager is trustworthy may depend on how the company has handled the data breaches that happened. What kind of data was breached? Did they handle the breach responsibly? Note that a company that handled a prior data breach responsibly might be more trustworthy than a company that has simply not experienced a data breach yet.

Keep in mind that the reputation of a password manager is important, but it is not the only factor to consider. It is also important to carefully evaluate the features and security of a password manager to ensure that it meets your needs and provides the level of protection that you require.

Stateless Password Manager

LessPass is a completely different type of password manager, because it is stateless: it does not store any password at all. Instead, each password is computed by a pure function, a programming term for a function that always produces the exact same result for the same parameters and has no side effects. The function runs on your own device, so nothing is ever sent to a server. Its inputs are the name of a website, your login for that website and your master password, plus the constraints that the generated password should meet (character classes, length, and a counter that you increase when a site's password has to change). From the user's point of view this works like any other password manager, but the password for a site is recomputed from these inputs every time instead of being stored anywhere.

The main weakness of this system is that you do need to remember the options you selected for every website if you do not use the default values, which is exactly the kind of thing we wanted a password manager to remember for us. LessPass solves this by offering an account in which these per-site configurations (not the passwords) are stored, either on the default LessPass server or on a LessPass server that you host yourself, as all of the code is open source. Two further consequences follow from the design: because every site password is derived from the master password, the master password can never be changed without also changing every site password, and because nothing is stored, the strength of all your passwords is bounded by the strength of the master password alone. Due to this completely different way of handling passwords, LessPass does not offer the same features as the other password managers.
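Both the built-in password generator described under Password Generators and the stateless pure function described here turn some source of bits into a password that satisfies a set of rules; the difference is only where the bits come from. The added example below, written for this article in Go (it is not LessPass's code, nor that of any other manager mentioned), shares one rendering routine between the two: RandomPassword feeds it 512 bits from the operating system's CSPRNG, StatelessPassword feeds it bits derived from site, login, master password and counter. The Rules field names, the NUL-separated salt layout and the stretching step are this example's own choices; LessPass itself uses PBKDF2-HMAC-SHA256 with 100,000 iterations where this example uses a chain of 100,000 HMAC-SHA256 calls. EntropyBits gives the entropy figure discussed at the start of the article for a random password under the same rules.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Rules are the constraints a generated password must satisfy. The field
// names are this example's own, not the option names of any product.
type Rules struct {
	Length                        int
	Lower, Upper, Digits, Symbols bool
}

const (
	lowerSet  = "abcdefghijklmnopqrstuvwxyz"
	upperSet  = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digitSet  = "0123456789"
	symbolSet = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
)

func (r Rules) sets() []string {
	var s []string
	if r.Lower {
		s = append(s, lowerSet)
	}
	if r.Upper {
		s = append(s, upperSet)
	}
	if r.Digits {
		s = append(s, digitSet)
	}
	if r.Symbols {
		s = append(s, symbolSet)
	}
	return s
}

// EntropyBits is the entropy of a uniformly random password under r:
// log2(alphabet size) bits per character. For the stateless variant it is
// only an upper bound, because all of that password's randomness comes
// from the master password.
func EntropyBits(r Rules) float64 {
	alphabet := strings.Join(r.sets(), "")
	return float64(r.Length) * math.Log2(float64(len(alphabet)))
}

// render maps a large integer to a password satisfying r. Characters are
// taken by repeated division, then one character from each selected set is
// inserted at a position that is also read from n, so every class is
// present and the result depends on nothing but n and r.
func render(n *big.Int, r Rules) (string, error) {
	sets := r.sets()
	if len(sets) == 0 || r.Length < len(sets) || r.Length > 32 {
		return "", errors.New("select at least one character class and a length of at most 32")
	}
	n = new(big.Int).Set(n) // work on a copy of the caller's value
	rem := new(big.Int)
	pick := func(from string) byte {
		n.DivMod(n, big.NewInt(int64(len(from))), rem)
		return from[rem.Int64()]
	}
	alphabet := strings.Join(sets, "")
	pw := make([]byte, 0, r.Length)
	for len(pw) < r.Length-len(sets) {
		pw = append(pw, pick(alphabet))
	}
	for _, set := range sets {
		c := pick(set)
		n.DivMod(n, big.NewInt(int64(len(pw)+1)), rem)
		pos := int(rem.Int64())
		pw = append(pw[:pos], append([]byte{c}, pw[pos:]...)...)
	}
	return string(pw), nil
}

// RandomPassword is what a built-in generator does: 512 random bits from
// the operating system's CSPRNG, rendered under r. 512 bits is far more
// than a 32-character password consumes, so the bias of the divisions is
// negligible.
func RandomPassword(r Rules) (string, error) {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 512))
	if err != nil {
		return "", err
	}
	return render(n, r)
}

// StatelessPassword is the pure function of a stateless manager: the same
// site, login, master password, counter and rules always give the same
// password, and nothing is stored. The secret is stretched with 100,000
// chained HMAC-SHA256 calls (LessPass uses PBKDF2-HMAC-SHA256 with the same
// iteration count). Site and login are separated by a NUL byte so that
// ("ab","c") and ("a","bc") cannot collide.
func StatelessPassword(site, login, master string, counter uint32, r Rules) (string, error) {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	salt := append([]byte(site+"\x00"+login+"\x00"), ctr[:]...)
	mac := hmac.New(sha256.New, []byte(master))
	mac.Write(salt)
	u := mac.Sum(nil)
	for i := 1; i < 100000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
	}
	return render(new(big.Int).SetBytes(u), r)
}

func main() {
	rules := Rules{Length: 16, Lower: true, Upper: true, Digits: true, Symbols: true}
	fmt.Printf("entropy of a random %d-character password: %.1f bits\n", rules.Length, EntropyBits(rules))
	p, _ := RandomPassword(rules)
	fmt.Println("random:   ", p)
	// Constructed inputs; the master password is deliberately a weak example.
	s1, _ := StatelessPassword("shop.example", "alice", "correct horse", 1, rules)
	s2, _ := StatelessPassword("shop.example", "alice", "correct horse", 1, rules)
	s3, _ := StatelessPassword("shop.example", "alice", "correct horse", 2, rules)
	fmt.Println("stateless:", s1, "same again:", s1 == s2, "counter 2:", s3)
}
```

Running main twice shows the two models side by side: the random password is different on every run and has to be stored, while the stateless password is identical on every run and on every device, which is exactly why the master password is the only thing protecting it.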

Conclusion

This article has highlighted many features that well-known password managers offer. These features can make it more convenient to log in to your services, but they might also make your accounts less secure. You should weigh these considerations yourself, and using the knowledge in this article, I hope that you can make an educated decision. Keep in mind that the core functionality of a password manager is to securely store passwords. Ultimately, the best password manager for you is the one that you find easy to use and that you trust to keep your passwords secure.

This article previously appeared in IB Magazine #2 2023.