Tech Friend: What makes password managers safe?

Tips & tricks
4 mins
Tech Friend column on the security of password managers.

Tech Friend is our advice column covering cybersecurity, privacy, and everyday technology. Email your question to techfriend@expressvpn.com. If you have questions about your ExpressVPN subscription or need troubleshooting help, please visit Support.


Breaking and entering

I don’t understand how a password management company can manage a list of passwords with any guarantees that it will not be hacked just like every other service. Please explain to me how this is secure.

Submitted by Tom, via blog comments

Password managers are services that let you store all your passwords in one place, and the only thing you need to access them is one primary (or master) password. So what’s to stop someone from hacking into the password manager company’s servers to steal either your full set of saved passwords or, just as useful, your primary password?

Let’s back up for a moment to discuss the benefits of using a password manager in the first place.

You probably have dozens of online accounts and hence dozens of passwords for logging in to those accounts. With many sites suggesting the inclusion of letters, numbers, symbols, a minimum character count, etc., passwords can get complicated. You might resort to using the same password across many accounts or a formula that allows you to tweak your various passwords slightly. 

There are several issues here. Repeated or similar passwords make you especially vulnerable because in the event of the all-too-common data breach, a hacker can use one revealed password to try to guess your passwords for numerous other accounts. 

The other problem is it is borderline impossible for the average human to remember lots of different strong passwords—and by strong we mean long and random. A short password is much more vulnerable against brute-force attacks, where a bot is set up to try lots of password combinations. A non-random one—one that has common phrases, for example—could also be easier to crack than one that has no meaning. (One exception is randomly generated passphrases, where random real words make up the password.)

To have numerous strong passwords, you need a system that lets you not have to remember them. That’s what password managers are for.

Here’s how it works. You enter all your login details into the password manager app. It works like a vault, and as such, you need a key to access it, which would be your primary password. It’s the only thing you need to remember when using a password manager. You might also be able to set it up so you can use your biometrics (fingerprint or FaceID) to access your vault. 

Some password managers also let you hold details like your contact information, credit card details, and even medical information. It makes sense that you’d worry about putting all your information in one place. After all, if a password manager gets hacked into, that’s a lot of information about you that will land in the hands of a third party.

Unfortunately, security isn’t absolute—you can only mitigate risk, not eliminate it—and as the recent data breach at Lastpass has shown, password managers can get hacked. So, why do cybersecurity experts continue to champion the use of password managers? The short answer: Your passwords remain indecipherable. 

It all boils down to encryption. When you store passwords (or any data, for that matter) in a password manager, that information should get encrypted. Reputable password managers use AES 256-bit encryption to protect your passwords—the same encryption standard used by militaries, banks, and ExpressVPN. 

If a third party manages to hack into a password manager’s servers and make away with user data, they still wouldn’t be able to decipher it thanks to encryption. For the record, Lastpass encrypted users’ passwords but left some information—like URLs—unencrypted, which increased the risk to users’ privacy. Ideally all data would be encrypted.

Additionally, most password managers employ zero-knowledge encryption. Your data is encrypted on your device before it gets sent to the server. When you decrypt it by typing your primary password or using your biometrics, it again all happens on your device.

This means the company does not have access to your primary password or any of your account passwords—so they cannot be stolen. No one but you can unlock your password vault. 

One aspect of this design is if you lose your primary password (and recovery code, offered by most password managers), you’ll lose everything you’ve saved in the password manager. But that’s a feature, not a bug.

Password managers may employ additional security measures to protect your data, such as PBKDF2 key strengthening and end-to-end encryption. This will vary by providers, so it’s always best to do your research before picking a password manager.

In terms of functionality, most password managers can also help you generate a long and random password for any given account, and you can configure the service to automatically fill in your login details when you try to access a site.

If there is any potential weak point in your use of a password manager, it’s your primary password. Password managers can do everything they can to keep your data out of the hands of third parties, but setting a strong primary password—and keeping it to yourself—is still up to you. If you were to set an easily guessed or common password, your password manager would not be secure. You should set a strong primary password and enable two-factor authentication for your password manager if it’s available.

Watch our video: Best ways to store your passwords

Phone protected by ExpressVPN.
Privacy should be a choice. Choose ExpressVPN.

30-day money-back guarantee

Various devices protected.
Take the first step to protect yourself online. Try ExpressVPN risk-free.
What is a VPN?
Answering your online privacy, cybersecurity, and other everyday technology questions.