A password manager is an application that allows users to store their passwords and secrets in an encrypted database. In addition to keeping our passwords and sensitive data safe, they also have features to generate and manage robust and unique passwords, 2FA, fill web forms, browser integration, synchronization between multiple devices, security alerts, among other features.
How Does a Password Manager Work?
Most use a master password, from which the key that encrypts the database is derived.
The encryption and authentication rely on different cryptographic hash functions and key derivation functions to prevent unauthorized access to the encrypted password database and its contents. The exact design depends on the vendor and on whether the password manager is offline or online.
Online Password Managers
All password manager vendors have their way of managing their security implementation, and they usually provide a technical document that describes how it works. You can check Bitwarden, 1Password and LastPass documentation as a reference, but there are many others. Let’s talk about how this generally works.
A common implementation for online password managers is to derive keys from the master password. Its purpose is to provide Zero Knowledge Encryption, which means that no one except you (not even the service provider) can access your secured data. To achieve this, they derive several keys from the master password rather than using it directly. Let us use Bitwarden’s technical implementation of password derivation to explain how it works:
- Master Key: derived by a key derivation function that turns the master password into a hash.
- Master Password Hash: derived by a further function that combines the master password with the master key into a hash, which is what is used to authenticate to the cloud.
- Decryption Key: derived from the master key to form a symmetric key that decrypts vault items.
For more detail, watch the How Password Managers Work - Computerphile video.
The most popular online password managers are:
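The three derivation steps above, written out as an added illustration (this is not Bitwarden’s code; the PBKDF2 iteration counts, the use of the e-mail as salt and the HKDF info labels are assumptions chosen for the example). The point to notice is that the server only ever receives the Master Password Hash, which cannot be reversed into the Master Key or the vault keys.

```python
import hashlib
import hmac

# Assumed parameters for this example; real products pick their own values.
CLIENT_ITERATIONS = 600_000
SERVER_ITERATIONS = 100_000


def derive_master_key(master_password: str, email: str,
                      iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Master Key: PBKDF2-HMAC-SHA256 over the master password, salted with the
    normalised account e-mail so two users sharing a password get different keys."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               iterations, dklen=32)


def master_password_hash(master_key: bytes, master_password: str) -> bytes:
    """Master Password Hash: one more PBKDF2 round with the roles swapped (key as
    input, password as salt). Only this value leaves the device, for authentication."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(),
                               1, dklen=32)


def hkdf_expand_sha256(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256. The extract step is skipped because
    the PBKDF2 output is already a uniformly random key."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_keys(master_key: bytes) -> tuple:
    """Decryption Key: stretch the master key into two independent 32-byte keys,
    one for encrypting vault items and one for authenticating the ciphertext."""
    return (hkdf_expand_sha256(master_key, b"enc", 32),
            hkdf_expand_sha256(master_key, b"mac", 32))


def server_side_record(mp_hash: bytes, server_salt: bytes) -> bytes:
    """What the server stores: the received hash is hashed again with a server-held
    salt, so a leaked user table is not enough to log in, let alone decrypt a vault."""
    return hashlib.pbkdf2_hmac("sha256", mp_hash, server_salt,
                               SERVER_ITERATIONS, dklen=32)
```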
Local Password Managers
Dashlane wrote a blog post Password Manager Storage: Cloud vs. Local which can help you discover the pros and cons of each storage.
Local password managers encrypt the database file using a master key. The master key can consist of one or more components: a master password, a key file, a username, a password, etc. Usually, all parts of the master key are required to access the database.
To encrypt the database, local password managers secure the local file using different cryptographic hash functions (depending on the manufacturer). They also use a key derivation function with a random salt, so that keys cannot be precomputed, which hinders dictionary and guessing attacks. Some offer memory protection and keylogger protection through a secure desktop, similar to Windows User Account Control (UAC).
The most popular local password managers are:
Features
The most common features of password managers are:
- 2FA support.
- Multi-platform (Android, iOS, Windows, Linux, Mac, etc.).
- Browser Extension.
- Login Autocomplete.
- Import and export capabilities.
- Password generation.
Alternatives
Some of the most common ways to secure identities beyond passwords are:
- Multi-factor Authentication.
- FIDO2 open authentication standard, which lets users authenticate easily with common devices such as a YubiKey. For a more extensive device list, see Microsoft FIDO2 security key providers.
- One-Time Password (OTP).
- Time-based one-time password (TOTP).
- IP restriction.
- Device Compliance. Examples: Endpoint Manager or Workspace ONE.
Passwordless
Multiple companies, such as Microsoft, Auth0, Okta and Ping Identity, are promoting a passwordless strategy that removes the password as the means of authentication.
Passwordless authentication is achieved when an authentication factor other than a password is used. A password is a knowledge factor, meaning it’s something a user knows. The problem with relying on a knowledge factor alone is that it’s vulnerable to theft, sharing, repeat use, misuse, and other risks. Passwordless authentication ultimately means no more passwords. Instead, it relies on a possession factor, something a user has, or an inherent factor, which a user is, to verify user identity with greater assurance.