HWM Singapore – June 2019


multiple devices, while the latter stores your passwords locally on your device, where they can't be accessed from anywhere else. There are advantages and disadvantages to both approaches. Cloud-based ones are more convenient, but because the vaults are kept on a remote server, that server is an attractive target for hackers. Offline password managers are arguably more secure, since a hacker needs access to your system (physically, or through malware running on it) to retrieve the passwords. But if anything happens to the device, if it is stolen or suddenly malfunctions, you can lose all your passwords unless you keep a backup of the vault yourself.


HOW PASSWORD
MANAGERS TAKE
THINGS EVEN
FURTHER
Every password manager has its own methods of securing and storing a user's passwords, and the specifics differ. That said, the general idea of how they go about it is broadly similar.

Typically, two keys are derived during account creation. One is the encryption key used to decrypt the vault that holds your passwords, and the other is an authentication key used to verify the identity of the user who is trying to log in. To be clear, your master password is never sent directly to the password manager. The services never want your master password, because it would then become an attractive target for hackers. Instead, it is salted and hashed on your device, and only the resulting hash is sent to the servers to be verified.
Typically, the encryption key to the vault is derived from your master password using the salt-and-hash method described earlier. LastPass, for example, runs your master password through 100,100 rounds of PBKDF2 (Password-Based Key Derivation Function 2) to generate your encryption key. The high round count is deliberate: it makes every guess expensive for anyone trying to brute-force master passwords offline.
The authentication key can be generated from your master password, as a hashed derivative of it, or it can be generated on a per-account or per-device basis using what is commonly referred to as a secret key. Dashlane and 1Password use secret keys as part of their authentication process. The benefit of secret keys is that they are generated and stored on the device, so if a hacker somehow manages to get hold of your encrypted vault, they can't open it without also obtaining the secret key from your device, because that is where it sits. Even knowing your master password is not enough on its own.
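To make the two-key scheme and the secret-key variant concrete, here is an added toy model in Python. It is example code written for this article, not code from LastPass, 1Password or Dashlane, and everything in it is an illustrative assumption: the iteration count (borrowed from the LastPass figure above), the use of the account email as the PBKDF2 salt, deriving the authentication hash as a one-round PBKDF2 of the encryption key, and folding a device-held secret key in with HMAC. The names `derive_encryption_key`, `derive_auth_hash`, `client_login_material`, `Server`, `offline_guess` and `demo` are all hypothetical. The `Server` class stands in for the service, which only ever stores a salted re-hash of the authentication hash, and `offline_guess` plays the attacker who has stolen that table and tries candidate master passwords offline.

```python
"""Toy model of a password manager's two-key scheme: an encryption key and an
authentication key derived from the master password, optionally bound to a
device-held secret key. Added example, not any vendor's code; every parameter
(iteration count, salt choice, how the secret key is mixed in) is an assumption."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_100   # assumption: the round count the article cites for LastPass
KEY_LEN = 32           # 256-bit keys


def derive_encryption_key(master_password: str, salt: bytes, secret_key: bytes = b"") -> bytes:
    """Vault (encryption) key: computed on the client and never sent anywhere.
    If a device-held secret_key is given it is folded in with HMAC, so the master
    password alone cannot reproduce the key (assumed design, loosely modelled on
    the 'secret key' approach described in the article)."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, KEY_LEN)
    if not secret_key:
        return pw_key
    return hmac.new(secret_key, pw_key, "sha256").digest()


def derive_auth_hash(encryption_key: bytes, master_password: str) -> bytes:
    """Authentication key: a one-way derivative of the encryption key. This, not
    the master password, is what the client sends at login; holding it does not
    let anyone walk back to the encryption key."""
    return hashlib.pbkdf2_hmac("sha256", encryption_key, master_password.encode(), 1, KEY_LEN)


def client_login_material(email: str, master_password: str, secret_key: bytes = b""):
    """Everything the client computes locally: (encryption_key, auth_hash)."""
    salt = email.lower().encode()          # assumption: account email used as the KDF salt
    enc_key = derive_encryption_key(master_password, salt, secret_key)
    return enc_key, derive_auth_hash(enc_key, master_password)


class Server:
    """The service side: stores only a salted, re-hashed copy of each auth hash."""

    def __init__(self):
        self.users = {}   # email -> (server_salt, stored_hash)

    def _rehash(self, auth_hash: bytes, server_salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, ITERATIONS, KEY_LEN)

    def register(self, email: str, auth_hash: bytes) -> None:
        server_salt = secrets.token_bytes(16)
        self.users[email] = (server_salt, self._rehash(auth_hash, server_salt))

    def login(self, email: str, auth_hash: bytes) -> bool:
        if email not in self.users:
            return False
        server_salt, stored = self.users[email]
        return hmac.compare_digest(self._rehash(auth_hash, server_salt), stored)


def offline_guess(server: Server, email: str, guesses, secret_key: bytes = b""):
    """An attacker who stole the server's user table replays the whole
    client+server derivation per candidate master password. Returns the
    matching password, or None. Each guess costs two full PBKDF2 runs."""
    server_salt, stored = server.users[email]
    for guess in guesses:
        _, auth_hash = client_login_material(email, guess, secret_key)
        if hmac.compare_digest(server._rehash(auth_hash, server_salt), stored):
            return guess
    return None


def demo() -> dict:
    """Constructed scenario; returns the properties the article describes as booleans."""
    email, password = "alice@example.com", "correct horse battery staple"   # constructed
    guesses = ["hunter2", "password123", password]                          # attacker's wordlist

    # Account without a secret key: only a derivative of the master password reaches the server.
    plain = Server()
    enc_key, auth_hash = client_login_material(email, password)
    plain.register(email, auth_hash)
    _, stored = plain.users[email]

    # Account bound to a device-held secret key: same password, different vault key.
    secret = secrets.token_bytes(32)
    bound = Server()
    enc_key_sk, auth_hash_sk = client_login_material(email, password, secret)
    bound.register(email, auth_hash_sk)

    return {
        "login_ok": plain.login(email, auth_hash),
        "wrong_password_rejected": not plain.login(email, client_login_material(email, "hunter2")[1]),
        "server_never_sees_enc_key": enc_key not in (auth_hash, stored),
        "stolen_table_allows_guessing": offline_guess(plain, email, guesses) == password,
        "secret_key_changes_vault_key": enc_key_sk != enc_key,
        "guessing_fails_without_secret_key": offline_guess(bound, email, guesses) is None,
        "guessing_works_with_secret_key": offline_guess(bound, email, guesses, secret) == password,
    }
```

Running `demo()` shows the two points the article makes: the server can verify a login while holding nothing that yields the encryption key, and an attacker with a stolen user table can still grind through candidate master passwords (which is why the round count matters), but against the secret-key account the correct password in the wordlist no longer matches unless the attacker also has the secret key. The vault encryption itself is left out here because Python's standard library has no AES; the encryption key returned by `client_login_material` is what such a vault would be encrypted with.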

[Diagram: password hash salting (LastPass)]

