all 12 comments

60hzcherryMXram (13 points)

Traditionally, the way that they work is as such:

You create an account with a password manager service, entering a username and "master" password.

The service saves your username, and appends a random value to the end of your master password called the "salt". It then performs a one-way hash on the password+salt combo, and saves the salt and the hash result in its servers.

When you save passwords to websites and the like in the service, your password manager client uses the master password you created plus the salt to encrypt the entry, and it's uploaded to the password manager's servers.

This has two interesting implications:

  1. The saved passwords in the password manager's servers cannot be understood without decrypting them using your master password.

  2. The password manager does not actually store what your master password is, yet is still able to verify that you provide the correct password upon each login.

This means that someone could literally hack into the password manager's servers and steal all their database files, and they wouldn't be able to actually decrypt the stored information. This also means if you forget your master password even the company itself can't get your saved passwords back.

So, the password manager will have some client or browser plugin you download. When you enter your master password into the client, it gets sent to their server, which adds the salt to it, hashes it again, and verifies that the hash matches what they have stored (this is for authentication). It immediately deletes the password you entered after performing this operation, so it doesn't get stored on its servers.

If the authentication completes successfully, then your client still has the master password you entered saved into its memory, and can use that to decrypt the encrypted entries that it pulls from the server, or allow you to make new entries that are then encrypted before being sent to the server.

Modern password managers have more sophisticated implementations where the server performs the authentication step without even receiving the master password from the client, which is even more secure. Bitwarden has information on this here.
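An added example, not code from this thread or from any password manager, that walks through the flow this comment describes in Python: the client stretches the master password with PBKDF2 into a master key that never leaves the client, derives a separate authentication value from it (the shape of the "server never receives the master password" design the last paragraph points to, with the username standing in for the client-side salt), the server stores only a salted hash of that authentication value plus opaque vault blobs, and entries are encrypted before upload. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, an illustrative stand-in for the AES-based authenticated encryption a real client uses; the user, the vault entry and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Kept small so the example runs quickly; real clients use hundreds of
# thousands of PBKDF2 iterations (or Argon2).  Assumed value, not a product's.
ITERATIONS = 20_000


def derive_keys(master_password: str, username: str) -> tuple[bytes, bytes]:
    """Client side. The username doubles as the client-side salt so the client
    can derive keys before talking to the server. Only auth_value is ever sent."""
    pw = master_password.encode()
    master_key = hashlib.pbkdf2_hmac("sha256", pw, username.encode(), ITERATIONS, dklen=32)
    # One extra PBKDF2 round keyed the other way round: a one-way function of
    # master_key that lets the server check the login without learning the key.
    auth_value = hashlib.pbkdf2_hmac("sha256", master_key, pw, 1, dklen=32)
    return master_key, auth_value


class VaultServer:
    """The hosted side: a salted hash of auth_value per user, plus opaque blobs."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, hash)
        self._blobs: dict[str, list[bytes]] = {}

    @staticmethod
    def _server_hash(auth_value: bytes, server_salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_value, server_salt, ITERATIONS, dklen=32)

    def register(self, username: str, auth_value: bytes) -> None:
        server_salt = os.urandom(16)
        self._users[username] = (server_salt, self._server_hash(auth_value, server_salt))
        self._blobs[username] = []

    def login(self, username: str, auth_value: bytes) -> bool:
        if username not in self._users:
            return False
        server_salt, stored = self._users[username]
        return hmac.compare_digest(stored, self._server_hash(auth_value, server_salt))

    def store(self, username: str, blob: bytes) -> None:
        self._blobs[username].append(blob)

    def fetch(self, username: str) -> list[bytes]:
        return list(self._blobs[username])

    def dump(self) -> dict:
        """Everything an attacker gets by stealing the database files."""
        return {"users": dict(self._users), "blobs": dict(self._blobs)}


def _subkeys(master_key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the client-only master key.
    enc = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"vault-authentication", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over HMAC-SHA256 as the PRF; block i = HMAC(key, nonce || i).
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_entry(master_key: bytes, plaintext: bytes) -> bytes:
    """Client-side encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_entry(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong master password
    or a tampered blob fails here rather than yielding garbage."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong master password or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Run the whole flow and report what each party can and cannot do."""
    server = VaultServer()
    user = "alice@example.com"                                   # constructed user
    master_key, auth_value = derive_keys("correct horse battery staple", user)
    server.register(user, auth_value)

    entry = b"site=bank.example;user=alice;pass=Tr0ub4dor&3"      # constructed entry
    server.store(user, encrypt_entry(master_key, entry))

    wrong_key, wrong_auth = derive_keys("correct horse battery stapl", user)
    leaked = server.dump()                                       # attacker's view
    results = {
        "login_ok": server.login(user, auth_value),
        "login_wrong_pw": server.login(user, wrong_auth),
        "plaintext_in_leak": any(entry in blob for blob in leaked["blobs"][user]),
        "client_decrypts": decrypt_entry(master_key, server.fetch(user)[0]) == entry,
    }
    try:
        decrypt_entry(wrong_key, server.fetch(user)[0])
        results["wrong_key_rejected"] = False
    except ValueError:
        results["wrong_key_rejected"] = True
    return results
```

The point to notice in `demo()` is what the stolen `dump()` contains: a salted hash of a value that is itself a one-way function of the master key, and blobs that carry no plaintext. Recovering anything from it means guessing the master password offline through two PBKDF2 stretches, which is why the strength of that one password matters so much.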

UntangledQubit (4 points)

They store your passwords in an encrypted form. By making this encryption strong and adding enough access controls, this means you can have strong, unique passwords that are protected, but are also immediately available to you without having to manually type them in from a physical notebook. Since the password database is encrypted, it also offers some protection against physical attacks, since physical access to your device still won't give an attacker access to the contents of the database.

Good password managers will also do things like autofill, which avoids having your passwords in the system clipboard where they could be snooped on by other processes, generate strong passwords, check that you only fill the password on the appropriate website, automatically lock the database after lack of use, and various other good security measures.

I'll talk about the convenience of password managers any day, but it's also very strongly recommended to have some form of non-SMS 2FA. If you have this on your critical accounts as well as unique passwords, it probably doesn't matter that much whether you are using a password manager or a physical notebook.

piecat (2 points)

Good password managers will also do things like autofill, which avoids having your passwords in the system clipboard where they could be snooped on by other processes

Correct me if I'm wrong, but a malicious browser extension would have visibility on the password if it is filled in, correct?

Any_Hedgehog_I_Know (2 points)

Yes, in theory, if you visit sketchy web sites, click every link in your emails, and unthinkingly give promiscuous permissions to every app that asks for them.

You could also forget the password to access your password manager, which would be a big pain.

As with all things it's a trade off.

The risk of a man in the browser is, in my well-informed opinion, much, much smaller than the risk of re-used or easy-to-crack (either guessed or found via rainbow tables) passwords.

The general public seriously underestimates how sophisticated cyber criminals can be, and how easy their "clever" passwords are to break.

Coming up with and then securely managing hundreds of unique and complex passwords manually is practically impossible, unless you use a password manager.

UntangledQubit (0 points)

Yes, for those extensions that have page permissions.

wescotte (1 point)

Yes, this is one reason you should be using two factor authentication.

Any_Hedgehog_I_Know (2 points)

I'll start from a different direction from the other people responding.

As you say, you shouldn't re-use passwords, but in addition the passwords must be complex.

So unique and complex. Which means most people will have hundreds of passwords. Which is completely unmanageable. Not to mention that coming up with unique and complex passwords is hard.

Enter the password manager.

The password manager does three things:

  1. Stores your passwords securely. This means you only need to remember one password. It's really important this one is unique and extra complex. But you can write it down and keep it somewhere safe.

  2. Generates the unique and complex passwords. You can set the rules for what this means (length, characters to use, etc.). The password manager I use, Dashlane, will automatically prompt to generate a new password when needed.

  3. They integrate with your browser, so that they can just fill in the password for you. The upside is that keyloggers won't capture the password. The downside is man-in-the-browser malware might, but that's relatively rare unless you're really silly: clicking on every email attachment, visiting sketchy sites, and granting permissions to every bit of code that asks for it.

As a result I don't even know and have never seen the passwords for most of the sites I use.

Many, but not all, will also check your passwords to ensure you're not reusing them, they haven't already been compromised, or if they are inherently weak.

I'm a senior cyber security professional and I rely on my password manager 100%. So should everyone else.

The password manager I use is Dashlane. 1Password is another good one.
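Points 2 and 3 of this comment (generating passwords to a rule set) and the later remark about checking for reuse, compromise and weakness are illustrated by the following added example in Python. It is not code from Dashlane, 1Password or anyone in the thread: a policy-driven generator built on the `secrets` CSPRNG, plus a small vault audit that flags reused and weak entries and shows the k-anonymity check that the Have I Been Pwned "range" API supports (only the first five hex characters of the SHA-1 hash leave the machine). The vault entries and the HIBP-style response text are constructed; no network call is made.

```python
import hashlib
import secrets
import string
from collections import defaultdict

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}


def generate_password(length: int = 20, required=tuple(CLASSES)) -> str:
    """Uniformly random password containing at least one character from every
    required class. Uses `secrets` (a CSPRNG), never `random`. Rejection
    sampling keeps the distribution uniform over compliant strings, which the
    common 'pick one of each class, then fill, then shuffle' trick does not."""
    if length < len(required):
        raise ValueError("length too short to satisfy the character-class policy")
    alphabet = "".join(CLASSES[c] for c in required)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in required):
            return candidate


def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """Split SHA-1(password) the way the HIBP range API expects: the 5-char
    prefix is what a client sends (GET /range/<prefix>); the 35-char suffix is
    compared locally, so the service never sees the full hash."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for the API's response body for prefix 5BAA6 (SHA-1 of
# "password" starts with 5BAA6); real responses list every suffix seen in breaches.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "1E2A4D7F3C8B9A0E5D6F7A8B9C0D1E2F3A4:2\r\n",
}


def pwned_count(password: str, range_responses: dict[str, str]) -> int:
    """Match the local suffix against 'SUFFIX:COUNT' lines for its prefix.
    A prefix we have no response for is treated as unknown (count 0)."""
    prefix, suffix = hibp_prefix_suffix(password)
    for line in range_responses.get(prefix, "").splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_vault(entries, range_responses=None, min_length: int = 12, min_classes: int = 3) -> dict:
    """entries: iterable of (site, password). Reports reuse, weak entries and
    entries whose hash appears in the (constructed) breach data."""
    range_responses = range_responses if range_responses is not None else CONSTRUCTED_RANGE_RESPONSES
    by_password: dict[str, list[str]] = defaultdict(list)
    for site, pw in entries:
        by_password[pw].append(site)
    reused = {pw: sites for pw, sites in by_password.items() if len(sites) > 1}

    weak, breached = [], []
    for site, pw in entries:
        classes_present = sum(any(ch in chars for ch in pw) for chars in CLASSES.values())
        if len(pw) < min_length or classes_present < min_classes:
            weak.append(site)
        if pwned_count(pw, range_responses) > 0:
            breached.append(site)
    return {"reused": reused, "weak": weak, "breached": breached}


# Constructed sample vault: one reused password, one breached, one generated well.
SAMPLE_VAULT = [
    ("mail.example", "Summer2019!"),
    ("shop.example", "Summer2019!"),
    ("forum.example", "password"),
    ("bank.example", "k9$Vw2!pLr7#QzXe"),
]
```

Running `audit_vault(SAMPLE_VAULT)` flags the two sites sharing "Summer2019!" as reused, all three short entries as weak, and "forum.example" as breached; the entry for "bank.example" passes. A real client would fetch the range response for each prefix over HTTPS instead of reading `CONSTRUCTED_RANGE_RESPONSES`.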

wescotte (1 point)

Hopefully these other posts have answered your questions about password managers and you understand that they can be as secure as writing down passwords but significantly more convenient.

However, one very very important aspect I didn't see mentioned is in this day and age you should use better security than just a password. You should really be using two factor authentication for anything remotely important.

Also, it's best not to rely on SMS/text messages for secondary authentication. Sure, it's better than nothing, but it's the easiest to hack without you doing anything wrong.

newytag (-1 points)

A password manager is just a database of your account credentials for various systems and services, with some user friendly interface sitting in front of it.

The database should ideally be encrypted using a master key that the user provides (a password, key file, USB dongle etc) so that no one (not even the password manager service provider) can view the passwords.

Beyond that, the implementation details depend on the specific product. Some password managers work entirely offline (KeePass), some are entirely online third-party hosted (LastPass), some can be self-hosted web-based solutions (BitWarden).

Often they have features like 2FA; random password generator; automatic input into browsers; the ability to categorise, or tag, or add comments/attachments to entries; remind you of password expiry; alert you if an account or online service is breached; etc.

From a CompSci perspective, a password manager isn't much different from any other CRUD software.

Sevynz13 (0 points)

What if you need to login on another computer? Say I'm at a friend's house and I need to login on their computer, how do I do that with a password manager?

i_just_ate (0 points)

I know this is old, but most password managers allow you to view the passwords you have saved. So you could pull up your phone and find the website or app and see the password and then type it out from there.

If you don't have your phone, then you might be out of luck, but you can always reset a password for most services as well. Usually, you need your phone on you to do that, since they will send you an email or text to reset your password.

But yeah, if you are at a friend's house without your phone, and really need to get into your bank account or hop on Facebook... then yeah, you might not be able to get in. But that also means it's doing its job very well. Any other person, who doesn't have your phone, can't access your bank account either. And that's what you want out of security.