We need secure and unique passwords to use business applications, access e-mail, and social media securely, and even watch movies on a streaming service. Password managers take some strain from generating, associating, and remembering those passwords. In this article, we’ll explain how password managers work, how to use a password manager, and how to choose the right one for your purposes.
Table of Contents
Featured Partners: Password Management Software
What Is a Password Manager?
A password manager solves several problems related to the ocean of login credentials we require daily. These are the primary functions of a password manager (although most do much more):
- Generating secure passwords: A password manager generates truly random passwords. This addresses the problem of the “guessable” password. When we create our passwords, we do it by association to make them memorable — spouse’s, children’s, or pet’s names, street addresses, sports teams, etc. — with a jumble of numbers or symbols to make them less hackable. They’re quite obvious.
- Avoiding duplication: The same memory glitch that makes us create passwords by association makes us use the same password, or minor variations, for multiple accounts. If one password is cracked, all login credentials are exposed. Password managers create new random passwords for every account.
- Storing and associating passwords: There’s no point in generating dozens of cryptic passwords if we have to store them on a spreadsheet or (more likely) a mountain of sticky notes. Password managers keep track of the credentials they generate and the accounts and applications for which they were created.
How Password Managers Work?
There are three types of password managers: Online, offline (or locally installed), and token-based. The first two work in essentially the same way. Token-based systems are different.
Online and offline password managers create a separate database file called a vault. Passwords are stored in this discrete file, whether the manager generated them or you created them yourself. But before they are transferred to the vault, the password manager encrypts them, usually using impenetrable 256-bit Advanced Encryption Standard (AES) encryption.
This makes the vault’s contents unreadable without the password manager, unlocking them using a master password. (Note that vaults can also contain information like credit card numbers and other details that are frequently used for transactions.)
The difference is the location of the vault. Online (or cloud-based) managers keep the vault on the provider’s server; offline systems store them on your device or a medium like a USB key or SD-RAM card. Each system has advantages and disadvantages.
Online Password Managers
The greatest advantage of an online password manager is accessibility. Passwords can be reached on any device, and anywhere there is Internet access (but make sure you’re using a virtual private network connection to protect the information in transit). There’s no need to synchronize or update devices separately.
On the other hand, if there’s no Internet access, you’re out of luck. The wide accessibility opens up vectors for attacks to steal your passwords, and you rely on the service provider to protect your passwords. There will (almost) inevitably be a contract or fee.
Offline Password Managers
Locally stored password management systems offer greater security since they’re not exposed to Internet attacks. There’s also enhanced privacy — you’re not sharing your accounts and passwords with a third-party provider. Free and open-source applications are available, and two-factor authentication, for example, using a hardware fingerprint scanner, is more reliable.
The most obvious downside: If you lose the device, you lose your passwords unless they are religiously backed up. All devices to access the accounts must be synchronized and updated, and you’re restricted to using those devices.
Token-Based Systems
These rely on an external device, like a USB key or passcard, to access passwords. The vault isn’t stored anywhere. Instead, in conjunction with an on-device application, the key generates the database with each use. It is perhaps the most secure of password management systems because you carry it. But a USB key is easier to lose than a device with a locally installed manager, and if you do, you’ve lost your passwords.
Many commercial password management solutions offer a hybrid of these categories.
7 Benefits of Having a Password Manager
More Secure Passwords
Password managers can generate truly random passwords immune from social engineering attacks. Since users don’t have to remember individual passwords and the accounts they’re associated with, complexity is not an issue, and users needn’t repeat passwords to make them easier to remember.
Seamless Access Across Devices
Access all accounts across all devices, especially with an online password manager. One master password or physical key is easier for a user to keep track of than dozens.
Centralized Access Management
An enterprise password management solution allows the IT department to consolidate team passwords in a single, manageable vault, make it easier to add or remove team members, manage access privileges, and enforce password policies, all from a single application.
Risk Management
Many password managers include features to prevent leakage of security information and alert IT management to compromised accounts. Some include monitoring subscriptions that track cracked credentials circulating on the Web.
Emergency Access
Privileged access management solutions can be configured for a “break glass in case of emergency” function. This is useful for development teams who may be called on to fix code they didn’t write by centrally reassigning privileges and tracking users.
Sharing Credentials
IT management can assign the same credentials to multiple accounts if, for example, several users need sporadic access to a single subscribed service.
Storing Accessory Information
Many password managers will allow additional information — credit card numbers, client lists, biographical information, etc. — to be securely stored in the vault alongside passwords, accessible and automatically usable with the same master password.
9 Steps in Getting Started With Your Password Manager
Setup instructions for password managers will vary from product to product. For the most part, though, it will involve the following steps:
Choose Your Password Manager
The biggest consideration will be the type of solution. If you prize convenience, accessibility, and usability on any device, you might opt for an online password manager. If it’s a solution for a team or an enterprise using specific devices or in an on-premise environment, a local solution might be better. A token-based solution could be the best approach if you’re willing to install dedicated hardware on user devices.
We explain other considerations here.
Choose a Subscription Plan
If you are opting for a provider offering an online or hybrid solution, select the appropriate subscription plan. The price and features will differ from single users to families and small teams, while for an enterprise solution, it will be based on the number of seats (users).
Create an Account
You’ll need to register your name and e-mail address at a minimum. Some other information may be required.
Create a Strong Master Password
You may have to access your password vault on different devices or from several locations. You can’t rely on sticky notes. The keywords here are “strong” and “memorable.” The next section has some tips for creating secure but easy-to-remember passwords.
Retrieve Your Emergency Key
Many password managers will provide a key to unlock your vault if you forget your password. Keep it in a safe place, and don’t share it.
Install the Software Components
Depending on the type and brand of solution, this could include a desktop app, an online app, a browser extension, or more components.
Add Existing Passwords
Follow the prompts to add your existing password store and the corresponding accounts to the vault.
Maintain Your Passwords
When you’re loading your existing passwords, evaluate their strength. If you’ve been using MyDogsName@12, change it as soon as you log into the app or service. Let the password manager generate a new, secure one. Experts are divided on whether you need to change passwords yearly or on another schedule, but it doesn’t hurt.
Back-Up Your Vault
Password managers should allow you to export your vault to a comma-separated values (CSV) file on a USB key or other external storage. Any database or text program can open it if something goes awry. Back up your vault when you add or change passwords.
Tips for Creating Secure Master Passwords
Your password manager is now taking care of all your passwords except your master password. That, you’ll generate yourself. Remember the keywords: “strong” and “memorable.” Ideally, it would be a 28-plus-letter string of truly random characters, but without a photographic memory, that’s a lot to ask.
Security firm Proton AG (which offers an open-source password manager that is free to individual users and includes VPN service) cites these characteristics of a secure password:
Length: At a minimum, a password should be 12 characters long, but 15 or more characters are recommended.
Randomness: Use a combination of letters, cases, numbers, and special characters in an unpredictable string.
Uniqueness: Have a separate password for each account.
But how do you remember it? One technique many use is to take a base word — say, “microscope” — and swap in numbers and symbols for letters while mixing case: “m1kR0sc0p37.” This is disastrously easy to crack. Hackers have a dedicated dictionary attack for just such passwords.
A safer mnemonic approach is a passphrase. Start with a string of five or more random words that don’t logically follow: Koolaid-rug-tortoise-drawer-towel. Separate them with a random series of numbers: 8730. Tweak the result by substituting symbols.
Kool@1d8rug7T()RTOISE3towel0 is not difficult to remember but virtually impossible to guess. (If you don’t feel creative, Proton will generate a passphrase for you.)
Frequent use immediately after choosing a master password will help ingrain both the password and the associated body memory.
Choosing the Right Password Manager
The perfect password manager for everyone doesn’t exist. Consider the following when choosing a solution:
Online, offline, or token-based: As mentioned above, your priorities will impact which class of solution you use. Online systems make cross-device use more seamless. Offline or local management systems must be installed on all of a user’s devices, but are often available as open source software; they are free, but will require a well-versed IT staff to maintain. Token-based systems are best at obscuring your vault, but might require dedicated hardware.
Pricing: Most providers charge a subscription fee. It will likely be tiered according to the number and type of user. Some managers are free to individual users. That doesn’t necessarily mean they’re not as secure as paid offerings.
Key recovery: Choose a solution that best suits your organization’s password recovery policy. Options include locally stored emergency keys and e-mail recovery addresses.
Compatibility: Your solution has to work on all devices using the enterprise or home network. This is not an issue with online offerings, but could be a problem with entirely local solutions.
Additional features: Password generators are a must-have. Other features can also be useful: auto-fill for forms, storage of sensitive information like client lists and telephone numbers, VPNs, and tools that identify suspect websites, among other useful additional features.
Multifactor authentication: For enhanced security, perhaps a password isn’t enough. Two-factor authentication typically entails something the user knows (a password) and something a user has — a passcard, a fingerprint, or a face for recognition.
Top Password Managers of 2024
We’ve reviewed the top enterprise password managers, individually and head-to-head, elsewhere in the TechAdvice online universe. Check out our evaluations by clicking on the links below. We’ve also linked directly to the company websites.
- 1Password: Best overall password manager.
- Bitwarden: Best for self-hosting requirements.
- LastPass: Best for core and enterprise features.
- RoboForm: Best for affordable business pricing.
- Keeper: Best government solution.
- NordPass: Best for quick implementation.
FAQs
Is It a Good Idea to Use a Password Manager?
There are many benefits to using a password manager. Complex, truly random passwords immune to social engineering hacks can be generated. Users need only remember a single password (or retain a single token). Password managers work across accounts and devices. IT management can retain centralized control without having access to individual passwords.
The biggest downside of a password manager is that it is a single point of failure. Master passwords can be forgotten. Tokens and end-user devices can be lost, stolen, or broken. A single successful hack betrays all of a vault’s password secrets. Installing the manager on several devices is inconvenient if it’s not an entirely online solution. Weigh the pros against the cons.
Can Password Managers See Your Passwords?
Reputable password management providers use a “zero-knowledge” system. Passwords are encrypted on your device before being transferred to your vault. The standard is 256-bit Advanced Encryption Standard (AES) encryption. The vault’s contents can’t be read without the separately stored encryption key.
What Is the Easiest Password Manager to Use?
The easiest-to-use password manager might be the one that’s already in your Internet browser. Google’s Chrome browser integrates Google Password Manager (GPM) with no installation, no setup, and no fee. GPM prompts you with the option to use its randomly generated password and automatically fills in the appropriate windows. The password is stored with your Google account, making your e-mail login your master password.
On the downside, people tend to stay logged in to e-mail on their devices, making the device a master password if someone else gains control. No group management features exist, so GPM is best for individual users — provided Chrome is their browser.
Where Is The Safest Place To Keep Passwords?
There are a few schools of thought on the safest place to store your password vault. In an enterprise solution, a hardened server accessible only through a virtual private network offers safety, security, and easily enforced backup. In a token-based solution, the vault doesn’t even exist until paired with its device and software — but losing or damaging a token is easier than a server.
Can a Password Manager Be Hacked?
Anything can be hacked. Password management solutions are no exception. They can be hacked both locally and remotely. Most of the time, it is the user rather than the manager that is being hacked, whether by social engineering, phishing, keylogging exploits, device theft, or poor password hygiene (for example, not setting the password manager to lock out if a device is unused for a while).
Remote attacks rely on poor design (inadequate encryption) or software vulnerabilities. Reputable providers will be vigilant about patching these vulnerabilities, but their products are under increased hacker scrutiny because of their widespread use.
That said, a quality password manager is more secure than none. Only one element in an overall security regime protects your enterprise or device system.
Bottom Line: Password Managers Improve Security & Accessibility
Passwords are an integral element of any IT security regimen. Good password hygiene — complex passwords, uniqueness, secure storage — and the sheer volume of passwords needed demand a system to manage them.
There are many solutions available for your particular password management needs. You can start your search with our evaluations of the top offerings for 2024, or drill down deeper with one of our product-specific and head-to-head reviews.
