CyberSearch .in
SUBSCRIBE
← All articles
PASSWORDS · 8 min read

How password managers actually keep your secrets

Vaults, key derivation and zero-knowledge — explained without the jargon.

cover image

“Put all your passwords in one place” sounds like the worst security advice ever given. One breach and everything is gone, right? Yet password managers are the single most recommended security tool by people who do security for a living. The reason is in the engineering — and it’s worth understanding, because once you see how the vault actually works, the fear of the “one basket” mostly evaporates.

The vault is encrypted before it leaves your device

A password manager stores your credentials in a vault — a database encrypted with AES-256 or a similar cipher. The crucial detail is where the encryption happens: on your device, before anything is synced or uploaded.

The company’s servers only ever see ciphertext — a blob of random-looking bytes. If those servers are breached (and some have been), what leaks is the encrypted blob, not your passwords. The attacker’s only path from blob to passwords runs through your master password.

Your master password never leaves your device either

This is the part people find surprising. When you “log in” to your password manager, your master password isn’t sent to the server and checked. Instead, it’s fed into a key derivation function (KDF) on your device — PBKDF2, or the newer Argon2 — which stretches it into the actual encryption key.

A KDF is deliberately, tunably slow. Where a normal hash takes nanoseconds, a KDF is configured to take a large fraction of a second, even on fast hardware:

  • You type your master password once and wait ~200 ms. Unnoticeable.
  • An attacker who stole the vault must pay that cost for every guess. At hundreds of thousands of iterations, brute force drops from billions of guesses per second to a few thousand.

A strong master password behind a modern KDF pushes cracking timescales into centuries.

”Zero-knowledge” is a design, not a slogan

Put those two pieces together and you get what vendors call zero-knowledge architecture: the provider stores your vault but cannot read it — not for support requests, not for subpoenas, not for curious employees. They never had the key.

The honest consequence: if you forget your master password and didn’t set up a recovery kit, nobody can reset it. That inconvenience is the proof the design is real. If a provider can recover your vault without any secret you hold, they can also read it — and so can anyone who compromises them.

What a real breach looks like

This design has been stress-tested in public. When LastPass was breached in 2022, attackers stole customer vaults — the encrypted blobs. Users with strong master passwords and high KDF iteration counts were largely fine; the practical fallout concentrated on weak master passwords and accounts left on old, low iteration settings.

The lesson isn’t “password managers fail.” It’s that the design worked as intended: the master password was the wall, and the wall held wherever it was built properly.

What a manager protects you from — and what it doesn’t

It protects you from:

  • Reuse — the #1 practical risk for most people. One breached site no longer unlocks your other accounts, because every account has its own random password.
  • Weak passwords — generated 20-character random strings are effectively uncrackable.
  • Phishing, partially — autofill matches the real domain. If your manager refuses to fill a login page, treat that as an alarm, not an inconvenience: you may be on a lookalike domain.
  • Server breaches at the provider — see above.

It doesn’t protect you from:

  • Malware on your device (a keylogger captures the master password as you type it)
  • Entering the master password into a fake “vault login” page
  • A weak master password — the entire design concentrates on that one secret

Getting the setup right

  1. Make the master password a passphrase: four to five random words (corridor-velvet-anchor-thursday) — long, memorable, and far stronger than P@ssw0rd2026!.
  2. Turn on two-factor authentication for the manager account itself, ideally a hardware key or passkey.
  3. Store the recovery kit offline — printed, somewhere you’d keep a passport. Not in the vault (obviously) and not in a synced note.
  4. Let it generate passwords — the habit that delivers most of the value: every new account gets a unique random string you never even see.
  5. Check the KDF settings if you’ve had the account for years — older accounts sometimes sit on outdated iteration counts. Modern defaults (Argon2, or PBKDF2 at 600k+ iterations) are what you want.

The one-basket question, answered

Yes, you’re putting all eggs in one basket — a basket encrypted with a key only you hold, guarded by a deliberately slow lock, held by a company that cannot open it. The alternative isn’t “many safe baskets.” It’s the same three passwords reused across forty sites, where any single breach quietly unlocks your email, and your email unlocks everything else.

Concentrated, engineered risk beats diffuse, unmanaged risk. That’s the whole argument — and it’s why the people who understand the design best are the ones most likely to use it.

Want to see what “effectively uncrackable” means in numbers? Run your current password style through our Password Strength Lab — it estimates real-world crack times right in your browser.

Written & tested by CyberSearch Get one tip a week →
KEEP READING

More from the blog

PHISHINGJul 2, 2026 · 6 min
Anatomy of a phishing email: 7 tells you can spot in 10 seconds

From mismatched senders to urgency traps — a visual field guide to reading a suspicious email the way an analyst does.

PRIVACYJun 19, 2026 · 5 min
Is your browser extension spying on you?

Permissions to check before you click "Add to browser".

WI-FIJun 12, 2026 · 7 min
Public Wi-Fi survival guide for travellers

What's actually risky, what isn't, and the 3-step routine to stay safe.