0

I have been recommended to use a password manager, but I don't understand how it can be secure. Any passwords it saves have to either be stored in strings or encoded in a way that is easy enough to decode, so anyone who knows how it's encoded can crack them, right?

Normal passwords are hashed so this isn't a problem.

Anders
  • 65,052
  • 24
  • 180
  • 218
Iexist
  • 161
  • 1
  • 1
  • 3

2 Answers2

4

Using a good password manager that generates unique, long, random passwords is a good idea. The passwords are not "stored in strings or encoded". They are encrypted, hopefully with a strong encryption algorithm like AES.

The encryption key is usually generated from the master password with an algorithm such as PBKDF2, specifically designed to be slow so as to prevent brute forcing.

Someone who does not know the master password cannot generate the encryption key, and therefore not decrypt the passwords.

Anders
  • 65,052
  • 24
  • 180
  • 218
1

@Anders answered your point on encryption, a note on

Normal passwords are hashed so this isn't a problem.

You can hash a password when you do not need to use it to authenticate further, but only to check if a password currently presented to you is the same as the one which was hashed.

In other words, if you need the plaintext version of a password (which is the use case for password managers) you cannot use a hashed version as the plaintext form is irreversibly gone.

WoJ
  • 8,968
  • 3
  • 33
  • 51