A lot goes on behind the scenes in a password manager. Here’s what happens and why it is a good idea to use them.
FIRST, HOW PASSWORDS ACTUALLY WORK
Most people think that when they are trying to log into their account on a website, the website simply compares the password they have input with the password that they have stored in their database. So if your password is “password123,” it is stored as such in the database and the website simply checks if you have entered “password123” against their database when you are trying to log in. This is what is known as storing passwords in plain text and it is a lazy and horrible security practice that, hopefully, no website practices today.
Instead, most decent websites store what is known as a salted hash of a password and not the actual password itself. A hash is a one-way function that is applied to the password to scramble it. This way, if the website is hacked, the hacker only gets his hands on the hash of a password and not the actual password itself.
To make things even more secure, random data is typically added to the password before it is hashed. This random data is known as a salt and is usually appended and assigned to a user’s password during account creation. The resultant hashed value is known as the salted hash. So the next time a user logs in, the website takes the password and looks for the salt associated with the account and checks if the resultant hashed value matches the salted hash that it has in its database.
Now, access to the account is given if the user is able to reproduce the salted hash by entering the password. In other words, having the salted hash alone isn’t going to give the hacker access to anything. The hacker must be able to reconstitute the final hash value through the use of the real password.
PASSWORD MANAGER 101
Password managers are apps that help users generate, store, and then retrieve passwords so that users don’t have to remember them. The idea is that users only need to remember a single strong master password since the password manager remembers and manages the passwords for all of your accounts.
There are two main kinds of password managers: cloud-based ones and offline ones. The former stores your passwords in the cloud so that it can be accessed on multiple devices while the latter stores your passwords locally on your device and can’t be accessed anywhere else. There are advantages and disadvantages to both approaches. Cloud-based ones are more convenient but they can be hacked since the passwords are stored on a remote server. Offline password managers are arguably more secure since hackers need to have physical access to your system to be able to retrieve the passwords. But if anything happens to the device - if it becomes stolen or if it malfunctions all of a sudden - you can lose all your passwords.
HOW PASSWORD MANAGERS TAKE THINGS EVEN FURTHER
Every password manager has their own methods of securing and storing a user’s passwords and the specifics are different. That said, the general idea of how they go about doing it is broadly similar.
Typically, two security keys are generated during account creation. One is the encryption key used to decrypt the vault that holds the password and the other is an authentication key that is used to verify the identity of the user who is trying to log in. To be clear, your master password is never sent directly to the password manager. The password manager services never want your master password because then it would become an attractive target for hackers. It is always salted and hashed on your device before the resultant hash is sent to the servers to be verified.
Typically the encryption key to the vault is derived from your master password using the salt and hash method described earlier. LastPass, for example, takes your master password and sends it through 100,100 rounds of PDBKDF2 hashing (password-based key derivation function 2) to generate your encryption key.
The authentication key can be generated by your master password using a hashed derivative of it, or it can be generated on a per account or device basis using what is commonly referred to as a secret key. Dashlane and 1Passwords use secret keys as part of their authentication process. The benefit of secret keys is that they are generated and stored on the device, so if a hacker somehow manages to get hold of your encrypted vault, they can’t access it without also having physical access to your device because that’s where the secret key sits.