
How Password Managers Work

Understanding the encryption, architecture, and security features that make password managers safe for storing your most sensitive credentials.

The Core Concept: Zero-Knowledge Architecture

Modern password managers use "zero-knowledge" architecture. This means the service provider cannot access your passwords - even if they wanted to, even if compelled by law enforcement, even if they're hacked.

How? Your passwords are encrypted on your device before being sent to their servers. The encryption key is derived from your master password, which is never transmitted.

Simplified flow:
1. You enter master password: "correct-horse-battery-staple"
2. Key derivation (PBKDF2/Argon2): master password + salt → encryption key
3. Encrypt vault locally: AES-256(vault, key) → encrypted blob
4. Sync encrypted blob to cloud
5. Server only sees: encrypted data it cannot decrypt

Key Derivation: Protecting Your Master Password

Your master password isn't used directly for encryption. Instead, it goes through a key derivation function (KDF) that:

  • Adds a random salt (unique to your account)
  • Runs through many iterations (100,000+) to slow down brute-force attacks
  • Produces a cryptographic key of the exact length needed
Key Derivation Example

// PBKDF2 example (simplified), using Node's built-in crypto module
const crypto = require('crypto');

const masterPassword = 'correct-horse-battery-staple';  // Never leaves the device
const salt = crypto.randomBytes(16);  // Unique per user, stored next to the vault
const iterations = 600000;            // Makes brute-force slow
const keyLength = 32;                 // Bytes, i.e. a 256-bit key

const encryptionKey = crypto.pbkdf2Sync(
  masterPassword,
  salt,
  iterations,
  keyLength,
  'sha256'
);

// Even if an attacker gets the encrypted vault,
// they'd need to run 600,000 iterations per guess

Modern managers use Argon2 (memory-hard, resistant to GPU attacks) or PBKDF2 with high iteration counts.

Encryption: AES-256

Your vault is encrypted with AES-256 - the same encryption standard used by governments for classified information. No practical attack against it is known, and brute-forcing a 256-bit key is far beyond current technology.

What's Encrypted

  • Usernames and passwords
  • URLs and site names
  • Secure notes
  • Credit card numbers
  • All custom fields

Metadata such as when you last accessed an item may not be encrypted, but the credentials themselves always are.

Why Not Just Use Browser Password Storage?

Browser built-in password managers have improved, but dedicated password managers offer significant advantages:

Feature                   | Browser          | Password Manager
--------------------------|------------------|--------------------------------
Cross-platform            | Limited          | Full (any browser, any device)
Zero-knowledge            | Varies           | Standard
Master password required  | Often optional   | Required
Secure sharing            | No               | Yes (encrypted)
Breach monitoring         | Basic            | Comprehensive
Non-web credentials       | No               | Yes (apps, WiFi, etc.)

What If the Password Manager Gets Hacked?

This has happened (LastPass in 2022). Here's why zero-knowledge architecture limits the damage:

  • Attackers got encrypted vaults, not plaintext passwords
  • Each vault needs the user's master password to decrypt
  • Strong master passwords remain secure
  • Weak master passwords are vulnerable to offline brute-force

The Lesson

Your master password is your last line of defense. Use a strong, unique passphrase (4+ random words) that you've never used elsewhere.

Choosing a Master Password

Your master password is the only password you need to remember. Make it count:

Good Master Passwords

  • correct-horse-battery-staple
  • purple-elephant-dancing-tuesday-42
  • MyDogAte3TacosLastFriday!

Long, memorable, impossible to guess