What is a Password Manager?

What is a password manager, and how can it save you from hackers and password fatigue?

As we discussed in the post Why Should I Use a Password Manager?, the average internet user typically has a few online accounts. All these accounts require that you provide a pair of credentials - a username and a password - to log in. As we know, a long password is more secure than a short one, but who can possibly remember tons of different long passwords? No one.

Because of this, many people use the same, short and uncomplicated password on all their online accounts. The username is also usually the same everywhere - more often than not, it’s the e-mail address of the user.

There’s no doubt that this is very convenient. It’s one pair of credentials to rule them all. But what happens if one of the services you use gets hacked, and your credentials are leaked? Since you’re using the same username and password everywhere, the hacker can now log in to all the online services you use!

To prevent this from happening, you should use a password manager. But what is a password manager?

What is a Password Manager?

At its core, a password manager is a service or an application that saves your passwords so that you don’t have to remember them.

Broadly speaking, there are three types of password managers: Online, offline, and deterministic. Online password managers store your passwords on the internet, offline password managers store them locally, and deterministic password managers doesn’t store anything at all.

Online Password Managers

This type of password managers is the most popular type, and with good reason. They are created and designed to be easy to set up, and easy to use. The most prominent password managers have been around for ages, and are used by millions of people every day.

Online password managers make it easy to synchronize your passwords across all your devices. If you create an account with your desktop browser, the password information will also be available on your phone. Brilliant, isn’t it?

When using an online password manager, however, it’s important to realize that you’re putting all your passwords in one, huge, online bucket. Since a lot of people are using passwords managers, these service become prime targets for hackers.

Still, using an online password manager is a thousand times better than not using a password manager. You might run into trouble if the online password goes offline, or the service is discontinued without notice. But if you use one of the well-established online password managers, this probably won’t be an issue.

Two of the better known online password managers are 1Password and LastPass.

Offline Password Managers

Offline password managers are similar to online password managers, but with one big difference. Can you guess it? Correct! The main difference is that offline password managers are not available as an online service.

Instead, they are usually implemented as an application you install on your computer or mobile phone. This means that rather than putting all your passwords in a huge public basket, your putting them in a much smaller private basket. You won’t become collateral damage in a online password manager security breach, but synchronizing your passwords across multiple devices is a lot more complicated.

Offline password managers are for the nerds, and other people who like to tinker, or doesn’t mind sacrificing convenience for potentially even better security. It’s more hassle, and less user friendly, but on the plus side, an offline password manager will never disappear in the same way its online counterpart might. Even if whoever developers the offline password manager decides to call it quits, you can still use it.

Many offline password managers are even open source. This means that someone else can pick it up and continue development.

Deterministic Password Managers

The big difference between the previous two types of password managers and deterministic, or stateless, password managers, is that the latter doesn’t save your password anywhere. Instead, the password is generated on-the-fly when the user enters a master password and other data associated with the account they want the password for.

The “other data” can be the name or address of the site, and the username you want to log in with. With this information, a unique password is generated.

In theory, deterministic password managers sound like a brilliant idea. That the passwords are not stored anywhere means that you don’t have to worry about synchronizing everything across all your devices.

But the deterministic model has its flaws. First of all, changing passwords can be hard, or even impossible. You might have to change your master password, which in turn means that you have to change the password on every site where you use the password manager to log in. Either that, or you have to use different master passwords for different sites. By then you’re not really using a password manager anymore.

Some implementations of deterministic password managers try to mitigate the password changing issue by adding serial numbers to the information a user have to enter to generate the password. Doing it that way, you don’t have to change your master password to change a site password, you only have to use a different serial number. This method, however, means that you have to remember the serial number for each site - in addition to your master password.

Some deterministic password managers allow users create accounts and to log in to make it easier to change site passwords. If you fall into that rabbit hole, you might as well use a proper, online password manager.

Yes, let’s talk about two factor authentication, or 2FA for short.

2FA is used, together with the user’s password, to confirm a their claimed identity. The most common way to do this is to require the user to provide a one-time password. The password is typically generated by a token of some sort, for instance an application on the user’s mobile phone.

The second factor makes sure that only the user is able to log on to their account even if the username and password is compromised. Unfortunately, some 2FA implementations are flawed. They use SMS text messages to provide the users with the one-time password. SIM swapping is trivial, and that makes it all too easy to capture a user’s one-time password.

As long as passwords are still a thing - and they will be for some time - you should us a password manager and 2FA together.

What Should I Use, Then?

Which password managers you should use is determined by your needs. You should also take into account your technical capacity, and how much hassle you’re willing to put yourself through.

For the vast majority of internet users, an online password manager is probably the right solution. The services generally are easy to set up and use. Even if you’re throwing all your password eggs in that one infamous basket, it’s a better password strategy than the one you’re using today.

If you prefer open source software, however, your choice of online password managers are rather limited. Most of them use proprietary, closed source software, and you’ll never get to look at source code. In this case, an offline password manager is a better choice, since most of them are open source. You’ll have to be a bit tech savvy to make all the bits and pieces work together, though. Setting up a way to synchronize everything across multiple devices is also usually an issues left to solve by the user.

Whether you use an online or an offline password manager really isn’t that important. The important thing is that you actually use a password manager.


Feedback

This post has no feedback yet.

Do you have any thoughts you want to share? A question, maybe? Or is something in this post just plainly wrong? Then please send an e-mail to vegard at vegard dot net with your input. You can also use any of the other points of contact listed on the About page.


Caution

It looks like you're using Google's Chrome browser, which records everything you do on the internet. Personally identifiable and sensitive information about you is then sold to the highest bidder, making you a part of surveillance capitalism.

The Contra Chrome comic explains why this is bad, and why you should use another browser.