Password managers - how do they work and why should you trust them?

Previous posts have shown that every account needs a unique, strong password. But who can remember thirty different, random passwords? No one. That’s what password managers are for.

What is a password manager?

A password manager is an encrypted vault - a database file or cloud record in which all your passwords are locked away, like a safe. It is opened with a single master password, and that is the only one you need to remember.

The program stores your usernames, passwords, and website addresses - and in most cases, it automatically fills them in for you when you log in.

How does encryption work?

The password manager does not store your data as plain text. The entire database is encrypted with AES-256, a standard that banks and governments also rely on. The encryption key is not the master password itself: it is derived from it with a deliberately slow key derivation function (such as PBKDF2 or Argon2) and a random salt, so that every guess at the master password costs real computing time. Only that derived key can open the database.

Important consequence: if you forget your master password, your data is irretrievable. The password manager cannot send you a "forgotten password" email, because it genuinely has no way to read your content. Some services let you set up a recovery option in advance (a recovery code or a trusted contact); if you do, guard it as carefully as the master password itself.

Cloud vs. local storage

|                 | Cloud (e.g., Bitwarden)                    | Local (e.g., KeePassXC)             |
|-----------------|--------------------------------------------|-------------------------------------|
| Synchronization | Automatic, on all devices                  | Manual or custom solution           |
| Accessibility   | From anywhere                              | Only where the database file is     |
| Data location   | The service provider's server (encrypted)  | Completely in your hands            |
| Offline access  | Limited                                    | Full                                |

Both approaches are secure if set up correctly. The cloud solution is more convenient, while the local solution gives you complete control.

"But what if the password manager gets hacked?"

This is the most common objection - and a valid question. The answer lies in the architecture.

With a well-designed password manager, only the encrypted database is stored on the server. Encryption and decryption happen exclusively on your device, and the master password never leaves your machine (the service logs you in with a separate value derived from it, not with the password itself). If the server is hacked, the attacker gets ciphertext. The only way to turn that into passwords is to guess your master password offline, one slow key derivation at a time, which is why the master password must be long and why the server holds nothing that lets an attacker skip that step.

This principle is called zero-knowledge architecture: the service provider really does not know what is in your vault. The term is borrowed loosely; it is not the zero-knowledge proof of cryptography, just a promise that the server never holds the key.

Password generation

Another big advantage of password managers is that they can generate strong passwords - you don’t have to think of anything. With the click of a button, you can create something like this:

x7!Kpq#mZ2$vLw9R

No need to remember it, no need to type it - the program does it for you.

Which one should you use?

Here are some reliable, widely recommended options:

Cloud-based:

  • Bitwarden - open source, free basic version, can be self-hosted
  • Proton Pass - Swiss data protection focus, Proton ecosystem

Local:

  • KeePassXC - open source, cross-platform, full local control, with browser integration

If you want code that anyone can inspect, prefer the open source options above. Closed source products (LastPass, 1Password) can only be audited by parties the vendor chooses, so you have to take their security claims largely on trust.

The only thing you need to know by heart

The master password. This should be a long, unique passphrase - one that you don’t use anywhere else. This was discussed in detail in the first post.

Summary

A password manager is not merely a convenience tool - it is the only realistic way to use a unique password for every account. It is encrypted, under your control, and far more secure than one password reused everywhere and kept in your head. The next step is to enable two-factor authentication, because even a strong password is not enough on its own.


This article is part of a series that aims to explain the basics of online security in simple terms.