How password managers work
All passwords are not created equal
Since I’ve started speaking about password security and the risks it entails I’ve gotten a wide range of questions from every angle depending. One recent question reminded me of a question I had forgotten about.
“Isn’t storing all your passwords in one place more dangerous?”
The short answer is no, read on for the long answer.
What is a password?
A password is just a secret phrase that unlocks something. Passwords can be used for anything but there are two major classes of password that we encounter daily.
Passwords for authentication
Passwords are often used, alongside a username or email, as credentials for a website to determine if you are who you claim to be. This enables the service to unlock certain actions for you. For example, logging in with your email address and password to a retailer like Amazon lets Amazon trust that you are who you say you are and that you are allowed to purchase items with stored credit cards in the account. You can still purchase without access to your account, but you won’t be able to rely on Amazon’s stored information for that account (like addresses or credit cards) or any linked subscriptions (like Amazon Prime).
These passwords are tied to you and a company like Amazon can reset your password by sending you an email because the password is just some secret that only you should know. It doesn’t matter what it is, as long as you’re the only one who knows it.
Passwords for authentication can be seen like the key to your house. It unlocks the front door and if you lose a key you can call a locksmith to have the door unlocked or the doorknob replaced. If someone breaks through a window then they have access to all your possessions regardless of whether or not they had access to a key.
Passwords for encryption
Another type of password is used for encryption, or locking up data. You may have encountered passwords on things like PDFs, ZIP files, spreadsheets, or similar. These often don’t have a username associated with them and, if you don’t have the password, then you’re out of luck. There’s no “reset” service. Passwords like these are used to encrypt data so it is meaningless without the correct password.
These kinds of passwords are tied to the data. If they are lost they are unrecoverable. No one can reset your password because it was used to encrypt the data and then it was thrown away. It’s not stored anywhere and it can’t be recovered.
Passwords for encryption can be seen like decoder rings or secret glasses that you might have used when you were a kid. Without them, what you’re looking at is meaningless but, with them, you can read the message your best friend sent to you. Obviously this is much more complex in computer cryptography but the fundamental idea is the same, hiding a message (data) that can only be unlocked with an agreed upon key (password).
Reputable password managers largely rely on the second type of password to protect your data. You may also have a username and password to log in, especially if you use a paid service, but your stored password data is protected via encryption and what unlocks that is usually called something different, e.g. a “master password”. It’s confusing and muddies up what’s going on, but the important point is you have many more layers of protection in place when using a password manager.
Password managers should be trusted!
Using a password manager makes it more convenient to use stronger passwords and makes it easier to have a unique password for every website. These two aspects protect you more than anything else.
If you have any questions, please feel free to message me on twitter at @jsoverson!