Password manager

From Wikipedia, the free encyclopedia
Application for storing and managing passwords
Bitwarden is an example of a password manager.

A password manager is a software program to prevent password fatigue by automatically generating, autofilling and storing passwords.[1][2] It can do this for local applications or web applications such as online shops or social media.[3] Web browsers tend to have a built-in password manager. Password managers typically require a user to create and remember a single password that unlocks access to the stored passwords. Password managers can integrate multi-factor authentication.

History

The first password manager software designed to securely store passwords was Password Safe, created by Bruce Schneier, which was released as a free utility on September 5, 1997.[4] Designed for Microsoft Windows 95, Password Safe used Schneier's Blowfish algorithm to encrypt passwords and other sensitive data. Although Password Safe was released as a free utility, due to export restrictions on cryptography from the United States, only U.S. and Canadian citizens and permanent residents were initially allowed to download it.[4]

As of October 2024, the built-in Google Password Manager in Google Chrome was the most used password manager.[5]

Types


Browser-based

These are built directly into web browsers like Chrome, Safari, Firefox, and Edge. They offer convenient access for basic password management on the device where the browser is used. However, some may lack features like secure syncing across devices or strong encryption.

Local

These are standalone applications installed on a user's device. They offer strong security as passwords are stored locally, but access may be limited to that specific device. Popular open-source options include KeePassXC, KeePass and Password Safe.

Cloud-based

These store passwords in encrypted form on remote servers, allowing access from supported internet-connected devices. They typically offer features like automatic syncing, secure sharing, and strong encryption. Examples include 1Password, Bitwarden, and Dashlane.

Enterprise

Designed for businesses, these cater to managing access credentials within an organization. They integrate with existing directory services and access control systems, often offering advanced features like role-based permissions and privileged access management.

Hardware

These physical devices, often USB keys, provide an extra layer of security for password management. Some function as secure tokens for account/database access, such as YubiKey and OnlyKey, while others also offer offline storage for passwords, such as OnlyKey.

Vulnerabilities

Weak vault storage

Some applications store passwords as an unencrypted file, leaving the passwords easily accessible to malware or to people attempting to steal personal information.

Master password as a single point of failure

Some password managers require a user-selected master password or passphrase to form the key used to encrypt passwords stored for the application to read. The security of this approach depends on the strength of the chosen password (which may be guessed through malware), and also that the passphrase itself is never stored locally where a malicious program or individual could read it. A compromised master password may render all of the protected passwords vulnerable, meaning that a single point of entry can compromise the confidentiality of sensitive information. This is known as a single point of failure.
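The paragraph above describes the master password being stretched into the vault's encryption key. The following Python example, added here and not code from the article or from any product it names, makes that dependency concrete: the salt is stored in the clear beside the vault, so the master password is the only secret, and anyone who learns it derives the same keys. The cost parameters, the HMAC-based keystream and the vault layout (salt || nonce || ciphertext || tag) are assumptions made for the illustration; a real vault would use a vetted AEAD from a library rather than the toy keystream shown.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed cost parameters for this illustration; a real vault tunes them
# (or uses Argon2id) for the hardware it expects to run on.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key.

    The salt is stored next to the vault, so the master password is the only
    secret: whoever obtains it (by guessing or keylogging) can derive these
    same keys and read every entry, which is the single point of failure.
    """
    okm = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=2 * KEY_LEN)
    return okm[:KEY_LEN], okm[KEY_LEN:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(enc_key, nonce || counter) in counter mode.

    Illustrative assumption only; production code uses a vetted AEAD such as
    AES-GCM or XChaCha20-Poly1305 instead of a hand-built construction.
    """
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        blocks += hmac.new(enc_key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def seal_vault(master_password: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC the vault and return salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the password is wrong or the file was
    tampered with. Nothing is decrypted until the tag has been verified."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    # Constructed sample vault contents.
    entries = b"shop.example: user=alice pass=Tr0ub4dor&3\n"
    blob = seal_vault("correct horse battery staple", entries)
    assert open_vault("correct horse battery staple", blob) == entries
    assert open_vault("wrong guess", blob) is None
    print("vault round-trip ok; wrong master password reveals nothing")
```

Two properties are worth checking when reviewing a vault format: a wrong master password must fail closed (the tag check fails before any decryption happens), and the same password with the same salt must always yield the same keys, which is exactly why the salt is public and the password's strength carries the whole design.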

Device security dependency

While password managers offer robust security for credentials, their effectiveness hinges on the user's device security. If a device is compromised by malware like Raccoon, which excels at stealing data, the password manager's protections can be nullified. Malware like keyloggers can steal the master password used to access the password manager, granting full access to all stored credentials. Clipboard sniffers can capture sensitive information copied from the manager, and some malware might even steal the encrypted password vault file itself. In essence, a compromised device with password-stealing malware can bypass the security measures of the password manager, leaving the stored credentials vulnerable.[6]

As with password authentication techniques, key logging or acoustic cryptanalysis may be used to guess or copy the "master password". Some password managers attempt to use virtual keyboards to reduce this risk, though this is still vulnerable to key loggers that capture the keystrokes and send the pressed keys to the person or people trying to access confidential information.[7]

Cloud-based storage

Cloud-based password managers offer a centralized location for storing login credentials. However, this approach raises security concerns. One potential vulnerability is a data breach at the password manager itself. If such an event were to occur, attackers could potentially gain access to a large number of user credentials. A 2022 security incident involving LastPass exemplifies this risk.[6]

Password generator security

Some password managers may include a password generator. Generated passwords may be guessable if the password manager uses a weak method of randomly generating a "seed" for all passwords generated by this program. There are documented cases, like the one with Kaspersky Password Manager in 2021, where a flaw in the password generation method resulted in predictable passwords.[8][9]
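To show why a weak seed matters more than the password's length, here is an added Python example (not code from the article or from any product it mentions). It places a constructed weak generator, which seeds a general-purpose PRNG from a low-entropy value such as a timestamp in whole seconds, beside one that draws every character from the operating system's CSPRNG, and it computes the entropy each actually delivers. The alphabet, length and one-year seed window are assumptions chosen for the illustration.

```python
import math
import random
import secrets
import string
from typing import List

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumed charset)
LENGTH = 16                                      # assumed password length


def weak_generate(seed: int, length: int = LENGTH) -> str:
    """Constructed weak generator: a general-purpose PRNG seeded from a
    low-entropy value (for example the current time in whole seconds).
    The whole output is a function of the seed, so it is reproducible."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int = LENGTH) -> str:
    """Each character is drawn from the OS CSPRNG via the secrets module;
    there is no application-level seed to recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def outputs_for_seed_window(start: int, end: int) -> List[str]:
    """Audit helper: every password weak_generate can emit for seeds in
    [start, end). The size of this list, not the password length, is what
    bounds the generator's security."""
    return [weak_generate(seed) for seed in range(start, end)]


def nominal_bits(length: int = LENGTH, alphabet: str = ALPHABET) -> float:
    """Entropy the password appears to have: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def effective_bits(seed_space: int) -> float:
    """Entropy a seed-driven generator really delivers: log2 of the number
    of distinct seeds that could have produced the password."""
    return math.log2(seed_space)


if __name__ == "__main__":
    seconds_per_year = 365 * 24 * 60 * 60
    print(f"nominal strength of a {LENGTH}-char password: {nominal_bits():.1f} bits")
    print(f"effective strength if seeded from a timestamp within one year: "
          f"{effective_bits(seconds_per_year):.1f} bits")
    print("weak generator is reproducible:",
          weak_generate(1_600_000_000) == weak_generate(1_600_000_000))
    print("CSPRNG-backed sample:", strong_generate())
```

The useful audit check is the reproducibility test: if calling the generator twice with the same seed yields the same password, the seed is the real secret, and its entropy (about 25 bits for a one-second timestamp within a year) replaces the 95 bits the password appears to carry.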

Others

A 2014 paper by researchers at Carnegie Mellon University found that while browsers refuse to autofill passwords if the login page protocol differs from when the password was saved (HTTP vs. HTTPS), some password managers insecurely filled passwords for the unencrypted (HTTP) version of saved passwords for encrypted (HTTPS) sites. Additionally, most managers lacked protection against iframe and redirection-based attacks, potentially exposing additional passwords when password synchronization was used across multiple devices.[10]
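The checks the paragraph above says some managers skipped can be written as one autofill policy. The Python example below is added here and is not code from the article, the cited paper or any browser or password manager: it compares the origin (scheme, host, port) where a credential was saved with the page and frame asking for it, refusing an HTTPS-to-HTTP downgrade and a form inside a cross-origin iframe. The `user_interacted` gate, which refuses to fill silently after a navigation or redirect, is an assumption added as a mitigation for the redirection case rather than something the article states.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> Tuple[str, str, Optional[int]]:
    """(scheme, host, port), the unit browsers compare for same-origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def autofill_decision(saved_url: str, page_url: str,
                      frame_url: Optional[str] = None,
                      user_interacted: bool = True) -> Tuple[bool, str]:
    """Decide whether a credential saved at saved_url may be filled into a
    login form shown on page_url.

    frame_url is the URL of the iframe holding the form, or None when the
    form is in the top-level document. user_interacted is False when the
    fill would happen with no user gesture (e.g. right after a redirect).
    Returns (allow, reason)."""
    saved, page = origin(saved_url), origin(page_url)
    # Form embedded from another origin: the user is not on the site they see.
    if frame_url is not None and origin(frame_url) != page:
        return False, "form is inside a cross-origin iframe"
    # Protocol downgrade: never hand an HTTPS-saved credential to plain HTTP.
    if saved[0] == "https" and page[0] != "https":
        return False, "credential was saved over HTTPS but the page is not HTTPS"
    # Everything else must match exactly, port included.
    if saved != page:
        return False, f"origin mismatch: saved {saved}, page {page}"
    # Assumed mitigation for redirect-based attacks: require a user gesture.
    if not user_interacted:
        return False, "no user interaction; refusing silent autofill"
    return True, "same origin and user-initiated"


if __name__ == "__main__":
    # Constructed URLs for the illustration.
    cases = [
        ("https://bank.example/login", "https://bank.example/login", None, True),
        ("https://bank.example/login", "http://bank.example/login", None, True),
        ("https://bank.example/login", "https://news.example/",
         "https://bank.example/login", True),
        ("https://bank.example/login", "https://bank.example/", None, False),
    ]
    for saved, page, frame, gesture in cases:
        allow, reason = autofill_decision(saved, page, frame, gesture)
        print(f"{'FILL ' if allow else 'BLOCK'}  {page}  ({reason})")
```

Note that the iframe check is evaluated before the origin comparison: a form whose own origin matches the saved credential can still be embedded in an unrelated page, and the policy has to judge the top-level page the user actually sees, not the frame alone.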

Blockage


Various high-profile websites have attempted to block password managers, often backing down when publicly challenged.[11][12][13] Reasons cited have included protecting against automated attacks, protecting against phishing, blocking malware, or simply denying compatibility. The Trusteer client security software from IBM features explicit options to block password managers.[14][15]

Such blocking has been criticized by information security professionals as making users less secure.[13][15] The typical blocking implementation involves setting autocomplete='off' on the relevant password web form. Consequently, browsers now ignore this option on encrypted sites,[10] including Firefox 38,[16] Chrome 34,[17] and Safari from about 7.0.2.[18]

In recent years, some websites have made it harder for users to rely on password managers by disabling features like password autofill or blocking the ability to paste into password fields. Companies like T-Mobile, Barclaycard, and Western Union have implemented these restrictions, often citing security concerns such as malware prevention, phishing protection, or reducing automated attacks. However, cybersecurity experts have criticized these measures, arguing they can backfire by encouraging users to reuse weak passwords or rely on memory alone, ultimately making accounts more vulnerable. Some organizations, such as British Gas, have reversed these restrictions after public feedback, but the practice still persists on many websites.[19]

References

  1. Waschke, Marvin (2017). Personal cybersecurity: how to avoid and recover from cybercrime. Bellingham, Washington: Apress. p. 198. doi:10.1007/978-1-4842-2430-4. ISBN 978-1-4842-2430-4. OCLC 968706017.
  2. "Password Managers - Information Security Office - Computing Services". Carnegie Mellon University. Retrieved 2024-07-07.
  3. "What is a Password Manager? - Definition from Techopedia". Techopedia.com. Retrieved 2022-12-14.
  4. "Counterpane Systems Brings the Security of Blowfish to a Password Database". Counterpane Systems. Archived from the original on 1998-01-19. Retrieved June 24, 2023.
  5. "U.S.: top password managers 2023 | Statista". Statista. Archived from the original on 2024-07-18. Retrieved 2025-02-23.
  6. Valiaugaitė, Inga (2022-07-13). "Are Password Managers Safe to Use in 2024?". Cybernews. Archived from the original on 2024-03-24. Retrieved 2024-03-31.
  7. Nadkarni, Tanusha S.; Mohandas, Radhesh; Pais, Alwyn R. (2011). "A Novel Technique for Defeating Virtual Keyboards - Exploiting Insecure Features of Modern Browsers". Advances in Computing and Communications. 191. Springer: 680–689. doi:10.1007/978-3-642-22714-1_71. Retrieved April 11, 2025.
  8. Claburn, Thomas (2021-07-06). "Kaspersky Password Manager's random password generator was about as random as your wall clock". The Register. Archived from the original on 2024-03-07. Retrieved 2024-03-31.
  9. Arghire, Ionut (2021-07-07). "Kaspersky Password Manager Generated Passwords That Could Quickly Be Brute-Forced". SecurityWeek. Archived from the original on 2023-06-02. Retrieved 2024-03-31.
  10. "Password Managers: Attacks and Defenses" (PDF). Retrieved 26 July 2015.
  11. Wright, Mic (16 July 2015). "British Gas deliberately breaks password managers and security experts are appalled". TNW. Retrieved 7 July 2024.
  12. Reeve, Tom (15 July 2015). "British Gas bows to criticism over blocking password managers". Retrieved 26 July 2015.
  13. Cox, Joseph (26 July 2015). "Websites, Please Stop Blocking Password Managers. It's 2015". Retrieved 26 July 2015.
  14. "Password Manager". Retrieved 26 July 2015.
  15. Hunt, Troy (15 May 2014). "The "Cobra Effect" that is disabling paste on password fields". Retrieved 26 July 2015.
  16. "Firefox on windows 8.1 is autofilling a password field when autocomplete is off". Retrieved 26 July 2015.
  17. Sharwood, Simon (9 April 2014). "Chrome makes new password grab in version 34". Retrieved 26 July 2015.
  18. "Re: 7.0.2: Autocomplete="off" still busted". Retrieved 26 July 2015.
  19. Zetter, Kim (July 8, 2015). "Websites, Please Stop Blocking Password Managers". Wired. Retrieved April 11, 2025.
