Password Managers: why you should use one and their types of encryption explained

Updated as of July 2023

Author: Allister D.

The Importance of Using a Password Manager

In today's digital age, the average internet user manages a slew of online accounts, each demanding its unique set of login credentials. As the need for more complex and diverse passwords increases, so does the difficulty in remembering all of them. A password manager is a valuable tool that addresses this challenge. It ensures not only the convenience of remembering all your credentials but also the security of your digital identity.

Convenience: A password manager stores all your passwords in one secure location, meaning you only need to remember a single master password.
Password Generation: Most password managers offer the ability to generate random and complex passwords, reducing the likelihood of creating easily guessable passwords.
Security: A password manager encrypts your passwords, rendering them useless to anyone without the master password.
Avoiding Reuse: Password reuse is a major security risk. If one site gets compromised, all accounts using that same password are at risk. Password managers prevent this by creating unique passwords for each site.
Auto-Fill: Password managers often include auto-fill features, preventing keyloggers from capturing your keystrokes.

However, all these benefits hinge on the strength of the encryption algorithm the password manager uses. Encryption protects your sensitive information from being accessed even if someone were to gain physical access to your device or storage.

Argon2 versus PBKDF2

PBKDF2 (Password-Based Key Derivation Function 2) and Argon2 are two common encryption methods utilized by password managers.

PBKDF2, a key derivation function, has been widely adopted due to its inclusion in cryptographic standards. It works by applying a pseudorandom function, like a hash function, to the input password, along with a salt, for many iterations. This approach makes brute-force and rainbow table attacks considerably more difficult, but it's not immune to all types of attacks. The major limitation of PBKDF2 is that it doesn't utilize memory hardness, making it more vulnerable to GPU, FPGA, and ASIC-based attacks.

On the other hand, Argon2, the winner of the Password Hashing Competition in 2015, is built to resist various types of attacks, including those that were effective against PBKDF2. Argon2 addresses PBKDF2's weaknesses in the following ways:

Memory Hardness: Argon2 is designed to use a significant amount of memory, which can be configured. This property makes it resistant to GPU and ASIC-based attacks as these attacks are much less efficient against functions that require large amounts of memory.
Time Cost: Like PBKDF2, Argon2 also has a time cost associated with the encryption, which is the computational time required to compute the hash.
Parallelism: Argon2 introduces a degree of parallelism. It can be computed by multiple threads simultaneously, providing resistance against time-memory trade-off (TMTO) attacks.

https://youtu.be/qQAhprPM5lw?t=561