Most password managers combine convenience and security with the following features:

• Random password generators: A tool that quickly creates random passwords for users to apply to their existing or new account logins. The tool lets users specify the desired password length or inclusion/exclusion of certain letters, numbers, symbols, or special characters, to generate a random password.
• Multi-device access: Users can log into their password manager across any platform and desktop and mobile operating systems – Mac, Windows, Android, and iOS. Adding or modifying a password on one device updates and syncs the information across all platforms.

Other features include:

• Payment information and document storage: The ability to store credit card information, online banking information, passports, health records and other secure files.
• Sharing capabilities: The ability to share passwords and documents with other trusted users such as family members or team members at work. This feature is not always available with free versions but is common with paid versions.
• Emergency access/account recovery: The ability to recover access to the password vault if a user forgets their master password or is unable to login. This can be through additional security questions or permissions to access granted to another trusted user.
• Dark web monitoring: The user’s email addresses across various accounts are monitored against a database of known breaches. If an account is known to have been compromised, the password manager alerts the user to the breach and triggers them to change their login credentials.

Zero Knowledge Security Architecture

One of the ways password managers guard against this risk is by using what is called zero knowledge security architecture.

This means that data is only readable by the end user. When the data is stored and transmitted to and from the password manager’s servers, it remains fully encrypted.

The result is that even the company operating the password manager has “zero knowledge” of the information stored within the tool.

If their servers are ever hacked, the perpetrators would only obtain encrypted records which would be gibberish without the individual customers’ master passwords to decrypt the information.

Multi-Factor Authentication

Cyber-security experts now view multi-factor authentication (MFA) as an essential step in maintaining cybersecurity.

MFA is a process that requires users to verify who they are by using a combination of steps (or factors) – in addition to a password – before they are granted access to their data.

The name sounds complicated but the process it describes is not.

The first factor is the password the user creates for themselves.

The additional factor can take various forms and can usually be completed within a few seconds.

Biometric verifiers (fingerprints or retina scans) are one option.

Another is a passcode — typically a four or five digit number — sent by text message to the user’s cell phone. The user then enters the code, together with their password, into whatever webpage they are trying to access.

A third option is push-to-authenticate verifiers, which send a message directly to the user’s device, telling them that an authentication attempt is taking place. Users can then approve or deny access with a simple click of a button. This technique is gaining popularity because it provides a simple means to authenticate users, especially if used without passwords.

Ultimately your password manager is not simply secured by a master password alone, but by other factors that require verification before allowing access to your vault.

The greatest risk to the use of password managers is often the user themselves. A study conducted in 2019 revealed that many users of password managers store their master password in a plain text document somewhere on their computer, meaning it could be accessed by hackers without difficulty.

By following a few simple practices, you can play a role in ensuring that your password vault remains as secure as possible.

• Never save your master password where someone could access it without your knowledge or permission. Just as you should not leave your password on a Post-It note stuck to the side of your computer, you should not keep your password in an unsecured document or email within your computer either.
• Do not leave your password manager running in the background, even if it is locked. Exit the tool completely once you retrieve the password you were looking for.
• Set up multi-factor authentication wherever possible since this significantly limits a hacker’s ability to breach your computer.
• Never re-use your passwords. Always use a distinct password for each of your distinct accounts and avoid password clones that vary by only a single character or digit.
• Consider refraining from integrating your password manager with your web browsers, if possible, as the browser extensions/plugins can create issues. While you will have to launch your password manager instead of auto-populating credentials, this is a simple step that only requires a few seconds to complete. The resulting improvement in your online security is well worth the minor delay.

For Mac and iOS users, iCloud Keychain is part of the operating system that lets users keep their passwords and other secure information updated across their Apple devices. Password AutoFill automatically fills credentials stored in the keychain.

The Keychain password manager and Password AutoFill provide the following features:

• filling in credentials in apps and websites;
• generating strong passwords;
• saving passwords in both apps and websites in Safari;
• sharing passwords securely to a user’s contacts; and
• providing passwords to a nearby Apple TV that requests credentials.

Password Monitoring is an Apple feature that matches passwords stored in the user’s keychain against a continuously updated and curated list of passwords known to have been exposed in leaks. If the feature is turned on, the monitoring protocol continuously matches the user’s keychain passwords against the curated list. If the user’s password appears on this list, the user is immediately notified without any external interaction.

If you use Safari on your iPad or iPhone, you can store website passwords and manage them using the Passwords settings.

For Windows 10 users, Personal Vault (also known as Credential Locker) is a protected area in OneDrive where users can store usernames and passwords. Microsoft Edge allows users to save passwords for sites they use.

These programs are free but full-featured password managers currently on the market, including LastPass, 1Password, DashLane, Bitwarden, Keeper, and NordPass, are more attractive and provide better data security generally. Please refer to the appendix for more details.

Subscription plans for password managers are available at different price points with the following increasing levels of functionality and features:

• A basic tier (for one user) – often free, includes essential password manager features such as the password vault, password generator, and auto-save/auto-fill capabilities. There may a restriction on the number of passwords a user is able to store or the number of devices that the application may operate on (e.g., only operates on a single mobile device or for desktop, without cross-integration).
• A premium tier (for one user) – around or below $5.00 USD/month that builds on the capabilities offered under the basic tier with features like dark web monitoring, unlimited devices allowed, and capacity to store an unlimited number of passwords.
• A family tier – increases the number of user accounts available under a single subscription plan, including a family dashboard to monitor member accounts.
• A business, teams, or enterprise version – designed for larger-scale and business-wide implementation.