How Password Managers Work: Security Architecture Explained

Password managers store hundreds of credentials securely. Learn how zero-knowledge encryption, key derivation, and vault architecture work to protect your passwords.

Passwordly Team
11 min read

Why Understanding the Architecture Matters

The most common objection to password managers is: "Isn't it risky to put all my eggs in one basket?" It's a reasonable question. You're trusting a single application with the keys to your entire digital life — every login, bank account, social media profile, and email.

The answer depends entirely on how the basket is built. A well-designed password manager is architecturally sound enough that even a complete server breach doesn't expose your passwords. A poorly designed one is a catastrophe waiting to happen.

The LastPass breach (2022) illustrated both ends of this spectrum. Attackers stole backups of encrypted password vaults. Users with strong master passwords and up-to-date KDF settings remained safe; the encryption held. Users with weak master passwords (short, common phrases), often on older accounts with very low iteration counts, had their vaults cracked. Two details matter beyond the headline: LastPass left some vault fields, notably site URLs, unencrypted, so even an uncracked vault told attackers where each victim had accounts; and the encryption could only do what the user's master password allowed. The architecture worked as designed for users who configured it well, and users who chose weak master passwords paid the price.

Understanding how password managers work lets you:

  • Choose a trustworthy manager based on architecture, not marketing
  • Configure it securely (especially the master password and settings)
  • Understand what's actually at risk in different breach scenarios
  • Make informed decisions about cloud-sync vs local-only storage

Zero-Knowledge Architecture

Zero-knowledge architecture means the password manager provider cannot access your data — ever. They have zero knowledge of your passwords, even though they store your encrypted vault on their servers.

How zero-knowledge works:

  1. Your master password itself never leaves your device. Where the service must authenticate you at login, the client sends a separately derived value (a second-stage hash in Bitwarden, an SRP proof in 1Password) from which neither the master password nor the vault encryption key can be recovered
  2. Your vault is encrypted on your device before being sent to the server
  3. The server stores only the encrypted blob — it cannot decrypt it
  4. When you sync to another device, the encrypted vault is downloaded and decrypted locally
  5. The encryption key is derived from your master password (which the server never sees)

The critical property: Even if the password manager company is subpoenaed, hacked, or compromised by a rogue employee, it cannot produce your passwords. It does not have the key. It can hand over encrypted data that is computationally infeasible to decrypt without your master password. The caveat is that the guarantee rests on the client code you run: a malicious or compromised client update, or a web vault served from a compromised server, could capture the master password as you type it. The trustworthiness of the client and its update channel is therefore part of the security model, which is why open-source clients and published audits matter.

Password managers with zero-knowledge architecture:

  • Bitwarden — open source, audited, zero-knowledge
  • 1Password — zero-knowledge with an additional Secret Key parameter
  • Proton Pass — zero-knowledge, end-to-end encrypted by the Proton team
  • KeePass/KeePassXC — local-only by default (no server at all)
  • Dashlane — zero-knowledge cloud sync

Not all password managers are zero-knowledge. Browser-integrated password stores (Chrome's saved passwords, Firefox's built-in password manager, formerly Lockwise) sync through your Google or Mozilla account, and the access model depends on configuration. Chrome encrypts synced passwords with keys Google holds unless you enable a sync passphrase or on-device encryption; Firefox Sync is end-to-end encrypted with a key derived from your account password. They are improving, but historically they have not matched the zero-knowledge rigor of dedicated managers, and they lack the KDF controls, audits and documentation discussed below.

The Master Password and Key Derivation

Your master password is the single most important credential you'll ever create. Every password in your vault is protected by it. If the master password is weak, the entire vault is vulnerable.

How the master password becomes an encryption key:

Your master password is human-friendly but too short and predictable for direct use as a cryptographic key. Key Derivation Functions (KDFs) transform it into a strong encryption key:

  1. You type your master password: correct horse battery staple
  2. The KDF (Argon2id, PBKDF2, or scrypt) stretches it:
    • Adds a unique salt (random data stored with your vault, so two users with the same password get different keys and precomputed tables are useless)
    • Runs the password through a deliberately expensive computation (600,000+ iterations of HMAC-SHA-256 for PBKDF2, or memory-hard passes for Argon2id)
    • Produces a 256-bit master key
  3. In most managers this key does not encrypt the vault directly. It wraps (encrypts) a randomly generated vault key, and the vault key encrypts the items, so changing your master password only re-wraps one key instead of re-encrypting everything

Why stretching matters: Without stretching, an attacker who steals your encrypted vault can test master password guesses at billions per second. With Argon2id stretching (the modern standard), each guess requires significant time and memory — reducing the attack speed to hundreds or thousands of guesses per second.

KDF comparison across password managers (defaults for new accounts at time of writing; check your own account, since older accounts may still carry lower values):

| Manager | Default KDF | Default parameters |
|---------|-------------|--------------------|
| Bitwarden | PBKDF2-SHA256 (Argon2id optional) | 600,000 iterations; Argon2id: 3 iterations, 64 MiB, parallelism 4 |
| 1Password | PBKDF2-HMAC-SHA256, combined with the Secret Key | 650,000 iterations |
| Proton Pass | bcrypt (Proton account key password) | Proton-set, not user-adjustable |
| Dashlane | Argon2d | 3 iterations, 32 MiB, parallelism 2 |
| LastPass | PBKDF2-SHA256 | 600,000 iterations (legacy accounts as low as 5,000 or fewer) |
| KeePassXC | Argon2id (KDBX 4) | Tuned to about 1 s of unlock time on the creating machine; configurable |

Argon2id is the gold standard because it is memory-hard: each guess needs a fixed amount of RAM (64 MiB with Bitwarden's defaults), which makes GPU-based and ASIC-based attacks expensive. PBKDF2 is CPU-only and parallelizes well on GPUs, so it needs a very high iteration count to compensate (1Password additionally relies on its Secret Key; see below). If your manager lets you choose, as Bitwarden does under Settings > Security > Keys, switch to Argon2id or raise PBKDF2 to at least 600,000 iterations. Changing the KDF re-wraps your vault key and signs you out of other devices, so do it from a device where you can log back in.

1Password's Secret Key. In addition to the master password, 1Password uses a 128-bit Secret Key generated at setup. Your vault is encrypted with a key derived from both the master password AND the Secret Key. Even with a weak master password, an attacker would also need the Secret Key (stored on your devices and in your Emergency Kit, never on 1Password's servers). This provides an additional layer of protection against server-side breaches.

Master password best practices:

  • Minimum 4-5 random words (passphrase) or 14+ random characters
  • Generate a strong one with our password generator
  • This is the ONE password you must memorize
  • Never reuse it anywhere else
  • Consider writing it down and storing it in a physical safe (alongside your Emergency Kit, if using 1Password)

Vault Encryption

Your vault — the collection of all your logins, notes, and other stored items — is encrypted as a unit. The specifics vary by manager, but the general architecture:

Bitwarden:

  • Each item is individually encrypted with AES-256-CBC plus an HMAC-SHA-256 tag (encrypt-then-MAC, so tampering is detected)
  • A symmetric key (generated per vault) is itself encrypted with the key derived from your master password
  • The encrypted vault syncs to Bitwarden's servers (or your self-hosted instance)
  • On your devices, the vault is decrypted in memory only when unlocked

1Password:

  • Uses AES-256-GCM (authenticated encryption — provides both confidentiality and integrity)
  • Two-key architecture: master password + Secret Key derive the encryption key
  • Vault data is encrypted into "keysets" — hierarchical key structure supports shared vaults and item groups
  • Each item is split into an overview (title, URL) and details (the secrets), encrypted separately, so listing and searching the vault decrypts only overviews and the secrets are decrypted on demand

KeePassXC:

  • Vault stored as a local .kdbx file
  • AES-256 (CBC), ChaCha20, or Twofish as the cipher, with HMAC-SHA-256 over the data blocks for integrity (KDBX 4 format)
  • Key derived from master password via Argon2id (configurable)
  • No cloud sync by default — you manage file sync yourself (Dropbox, Syncthing, etc.)

Why AES-256? AES (Advanced Encryption Standard) with a 256-bit key is approved for protecting classified government information up to TOP SECRET. There are no known practical attacks, and brute-forcing a 256-bit key is infeasible with any foreseeable technology. Every major password manager uses it or a comparable modern cipher such as ChaCha20. In practice the cipher is never the weak point; the master password and the KDF are.

Authenticated encryption (AES-GCM, ChaCha20-Poly1305, or AES-CBC with an HMAC tag): Beyond confidentiality (making data unreadable), authenticated encryption also guarantees integrity: if the ciphertext is modified, decryption fails instead of returning garbage or attacker-chosen data. This prevents an attacker with write access to your stored vault from subtly modifying it (e.g., changing a stored URL to a phishing site). Bitwarden and KeePassXC get this from encrypt-then-MAC with HMAC-SHA-256; 1Password gets it from GCM.

Sync Architecture: Cloud vs Local

Password managers need to sync your vault across devices. There are two fundamental approaches:

Cloud-synced (Bitwarden, 1Password, Dashlane, Proton Pass):

  • Your encrypted vault is stored on the provider's servers
  • Changes sync automatically to all your devices
  • Security model: The provider stores encrypted data they cannot decrypt (zero-knowledge). Even if their servers are breached, the encrypted vaults require each user's master password to decrypt.

Advantages:

  • Seamless multi-device sync without configuration
  • Works across all platforms (phones, tablets, computers, browsers)
  • Provider handles backup, availability, and infrastructure
  • Features like shared vaults, family plans, and emergency access

Risks:

  • The provider's servers are a high-value target (many vaults in one place)
  • You trust the provider's zero-knowledge implementation
  • If the provider goes out of business or is acquired, your data is at their mercy (mitigated by export features)

Local-only (KeePassXC, Enpass with local sync):

  • Your vault is a file on your device
  • Sync is your responsibility (Dropbox, Syncthing, USB drive, etc.)
  • Security model: The vault file never touches the provider's infrastructure. You control every aspect of storage and sync.

Advantages:

  • Complete control over your data — no third party involved
  • No central server to breach (your vault is as secure as your own devices and sync method)
  • No subscription fees
  • Self-hosted: no point of failure except your own infrastructure

Risks:

  • Sync requires manual setup and maintenance
  • Backup is your responsibility — if you lose the file without a backup, your passwords are gone
  • Sharing and multi-device access is more complex
  • No web vault for emergency access from unfamiliar devices

Self-hosted (Bitwarden's official self-hosted server, or Vaultwarden, an unofficial community-maintained Bitwarden-compatible server): A middle ground. You run the sync server yourself and keep the cloud-sync convenience with full control over the server infrastructure, at the cost of setting it up and maintaining it (TLS, backups, updates) yourself.

Browser Extension and Autofill Security

The browser extension is how most people interact with their password manager daily. It also introduces a unique security surface:

How autofill works:

  1. You navigate to login.example.com
  2. The browser extension detects a login form
  3. The extension checks your vault for credentials matching the domain "example.com"
  4. If found, the extension offers to fill the username and password fields
  5. You confirm (or it fills automatically, depending on your settings)

Phishing protection through domain matching: The extension fills credentials only for the domain they're stored under. If you saved credentials for paypal.com and visit paypa1.com (a phishing site), the extension won't offer to fill, because it has no entry for paypa1.com. This is passive phishing detection that works automatically, and it catches lookalike and homograph domains that a human eye misses. Two caveats: matching is usually on the registrable domain (so login.example.com matches an entry saved for example.com, which is convenient but also means any subdomain of that domain can receive the credentials), and the protection is only as strong as the match rule you configure; broad options such as "starts with" or "host contains" weaken it.

Security considerations:

  • Extension permissions: Browser extensions require permissions to read and modify web pages. Password manager extensions are granted broad permissions. Use only official extensions from the manager's website or official browser store listing.
  • Clipboard clearing: Good password managers clear the clipboard after a short time when you copy a password, preventing other applications from reading it.
  • Memory handling: When you lock the vault, the decryption key and decrypted passwords should be purged from memory. This varies by implementation.
  • Auto-lock: Configure the vault to auto-lock after a period of inactivity (5-15 minutes recommended). This prevents someone with physical access to your unlocked computer from browsing your vault.

Recommended settings:

  • Enable auto-lock (5-15 minutes)
  • Disable auto-fill on page load. Fill only on a deliberate action (a click or keyboard shortcut), so that a hidden or injected login form on a legitimate domain cannot silently harvest credentials; an XSS bug or a compromised subdomain is exactly what would abuse an automatic fill
  • Enable phishing detection notifications
  • Require biometric verification for vault unlock on mobile devices
  • Keep the extension updated (enable auto-updates)

What Happens If the Password Manager Is Breached

Let's model the worst case: the password manager's servers are fully compromised.

Scenario: Server breach (zero-knowledge architecture): The attacker obtains:

  • Your encrypted vault (the encrypted blob)
  • Your email address (used as account identifier)
  • Account metadata (when created, last sync, etc.)
  • The vault's salt (used for key derivation — this is not a secret)

The attacker does NOT obtain:

  • Your master password
  • Your decryption key
  • Your actual passwords, notes, or stored data
  • 1Password's Secret Key (stored only on your devices)

What the attacker must do to access your data:

  1. Download your encrypted vault
  2. Guess your master password
  3. For each guess, run the KDF (Argon2id with your salt) to derive the key
  4. Attempt to decrypt the vault with the derived key
  5. If decryption fails, try the next guess

Time to crack based on master password strength:

  • 8-character common password: Seconds to days (it appears in every cracking wordlist)
  • 12-character random password: Centuries (with Argon2id)
  • 4-word random passphrase: Thousands of years (with Argon2id)
  • 5-word random passphrase: Millions of years (with Argon2id)
  • Strong master password + 1Password Secret Key: Effectively infinite

The LastPass breach lesson: LastPass was breached in 2022 and backups of encrypted vaults were exfiltrated. Users with strong master passwords and the then-current iteration count (100,100 at the time) remained safe; years later, their vaults remain uncracked. Users with weak master passwords (e.g., "password123") and low iteration counts (some older accounts still had 5,000 PBKDF2 iterations or fewer, dangerously low) had their vaults cracked. Two further lessons: the vaults stored site URLs unencrypted, so even an uncracked vault revealed where each user banked and traded; and once backups are stolen the attacker can keep guessing offline indefinitely, so anything stored in a vault you believe was cracked must be rotated, not merely watched.

Your defense:

  1. Strong master password (the single most important action)
  2. Modern KDF (Argon2id with high parameters or PBKDF2 with 600,000+ iterations)
  3. Rotate high-value credentials (banking, email) promptly when your provider discloses a breach of stored vaults; routine rotation matters far less than a unique, strong password per site
  4. Enable 2FA on your password manager account (prevents unauthorized login, separate from vault encryption)

Choosing a Password Manager Securely

When evaluating a password manager, prioritize these architectural features:

Non-negotiable requirements:

  • Zero-knowledge architecture — the provider cannot access your data
  • AES-256 encryption (or equivalent: ChaCha20-Poly1305)
  • Modern KDF — Argon2id or PBKDF2 with 600,000+ iterations
  • Open-source client (or at minimum, independently audited code)
  • Regular third-party security audits — published, recent results
  • End-to-end encryption for sync

Important features:

  • Cross-platform support (all your devices)
  • Browser extension with autofill
  • Passkey support
  • Secure sharing for families/teams
  • Emergency access for trusted contacts
  • Export capability (you should always be able to leave)

Red flags:

  • No published security audit
  • Closed-source with no security documentation
  • PBKDF2 with low default iterations (under 100,000)
  • No 2FA support on the manager account itself
  • No auto-lock feature
  • Stores master password on the server (not zero-knowledge)
  • No disclosure policy or track record of transparent incident reporting (transparency matters)

Our recommendations:

  • Bitwarden — open source, audited, Argon2id, free tier, cross-platform. Best overall value.
  • 1Password — Secret Key architecture, polished UX, excellent family/team features. Best for families and teams.
  • KeePassXC — fully local, open source, maximum control. Best for users who want zero cloud dependency.
  • Proton Pass — end-to-end encrypted, privacy-focused (from the Proton team). Best for Proton ecosystem users.

Whichever manager you choose, generate a strong master password with our password generator and verify its strength with our strength checker. This one password protects everything.


Password managers are the single most effective security tool available to everyday internet users — they enable unique, strong passwords for every account with zero memorization burden. The architecture behind them is sound: zero-knowledge encryption means even a full server breach doesn't expose your passwords, as long as your master password is strong. Choose a reputable manager, set a strong master password, enable 2FA on the manager itself, and you've built a security foundation that protects hundreds of accounts simultaneously.
