Password Managers

Password managers are an extremely common tool for people who want to stay secure. Strong passwords are essential. Remembering a handful of strong passwords is possible, but with 50 different passwords it becomes impossible. A password manager keeps all of your passwords in one place and lets you access them with a single password. The fact that all of those passwords sit in one place, on a remote server that the user does not own, has created some skepticism about password managers.

How password managers work:

All password managers require an account and a password before you get a vault on their system. Password managers use a specific algorithm to prevent others from accessing that vault, and it prevents the server itself from accessing it as well. Even if the server knows the password you use to log into your account, it still does not know the key that opens your vault. Every vault inside the password manager is protected by some sort of key.

The client usually creates a vault key. The vault key is the value used to encrypt and decrypt the vault. It is usually produced by appending some account information to the login password. The concatenated value is then run through a hash function thousands of times to make brute forcing it impractical: anyone trying to brute force this value would have to compute thousands of hashes for every single guess, which greatly slows down the guessing process.

The client also creates an authorization key. The authorization key is what the server uses to find and return the correct vault. It is created by concatenating the vault key and the login password and then hashing the result many times. The authorization key is sent to the server, which uses it to return the correct vault. The server receives the authorization key, but because of the hashing, the vault key cannot be derived from it. So once the server hands back the vault, only the client has the means to open it, using the vault key it created. Refer to the following short demonstration for more information.

If you want an example, refer to the slideshow that I made:

https://docs.google.com/presentation/d/1m-FSuXDUtKHKNiH_6KLb_qY-YDfMYFwZpLs_pGcir20/edit?usp=sharing
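As an added example (not from this post or its slideshow), here is the two-key derivation chain described above in Python, using PBKDF2-HMAC-SHA256 from the standard library. The iteration counts, the use of the account id as the appended information, the fixed label used as the second salt, and the toy server are all assumptions; the vault ciphertext itself is represented by an opaque constructed blob, since the point is that the server only ever sees the authorization key and that blob.

```python
import hashlib

# Assumed, illustrative parameters (the page gives no concrete numbers).
VAULT_KDF_ITERATIONS = 100_000   # "thousands" of hash rounds for the vault key
AUTH_KDF_ITERATIONS = 10_000     # further rounds before anything leaves the client


def derive_vault_key(login_password: str, account_id: str) -> bytes:
    """Vault key: login password plus appended account information, stretched
    through PBKDF2-HMAC-SHA256. This value never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", login_password.encode(),
                               account_id.lower().encode(),
                               VAULT_KDF_ITERATIONS, dklen=32)


def derive_auth_key(vault_key: bytes, login_password: str) -> bytes:
    """Authorization key: vault key and login password concatenated, then
    hashed many more times. Only this value is sent to the server, and the
    one-way stretching means the vault key cannot be recovered from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key + login_password.encode(),
                               b"auth-key", AUTH_KDF_ITERATIONS, dklen=32)


class VaultServer:
    """Toy server (assumption): keeps an opaque vault blob under a hash of the
    authorization key, so a database leak yields no replayable credential."""

    def __init__(self) -> None:
        self._vaults = {}

    def store(self, auth_key: bytes, encrypted_vault: bytes) -> None:
        self._vaults[hashlib.sha256(auth_key).digest()] = encrypted_vault

    def fetch(self, auth_key: bytes):
        # Returns the blob for a matching authorization key, else None.
        return self._vaults.get(hashlib.sha256(auth_key).digest())


def client_login(server: VaultServer, account_id: str, login_password: str):
    """Client side of a login: derive both keys locally, ask the server for
    the vault by authorization key, and return (vault_key, blob_or_None).
    Decrypting the blob under vault_key (an AEAD such as AES-GCM) is not shown."""
    vault_key = derive_vault_key(login_password, account_id)
    auth_key = derive_auth_key(vault_key, login_password)
    return vault_key, server.fetch(auth_key)
```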