Password Managers: How Zero-Knowledge Encryption Works and Which One to Choose

Credential stuffing is the main threat, and unique passwords are the defence — but only a password manager makes that practical at scale. Here's how zero-knowledge encryption works, Bitwarden vs 1Password vs KeePass compared, and how to set up recovery.

By sadiqbd · June 9, 2026

The case for using a password manager is overwhelming — and most people who avoid them cite reasons that don't hold up

The standard objections: "What if it gets hacked?" "I don't want all my eggs in one basket." "I remember my passwords fine." These are reasonable-sounding concerns. When examined against the actual threat model and the actual security architecture of reputable password managers, they consistently don't hold up.


Why reusing passwords is the primary threat

The threat that matters most isn't a targeted attack on you specifically. It's credential stuffing — using credentials leaked from one service to gain access to others.

In any given year, billions of username/password pairs are exposed in breaches at hundreds of companies. The attackers don't need to crack passwords or compromise your device. They just try the leaked credentials on other services. If you use the same email and password on your bank account as on a breached forum, your bank is now at risk.

The only complete defence against credential stuffing is using a different, unique, randomly generated password for every service. No human can memorise 50–200 unique 20-character random passwords. A password manager can.

This is the fundamental argument for password managers: the threat is at scale, the defence requires unique credentials at scale, and a password manager is the only practical way to achieve that.


How password manager encryption works

The critical security property of reputable password managers is zero-knowledge architecture: the provider cannot decrypt your vault.

The master password never leaves your device. Your vault is encrypted client-side before synchronisation. The server stores encrypted data that it cannot read.

The encryption process:

  1. Your master password is run through a key derivation function (Argon2 or PBKDF2 with many iterations) to produce an encryption key. The master password itself is never stored — only derived material.
  2. The vault (all your stored passwords) is encrypted with AES-256 using this derived key.
  3. The encrypted vault is uploaded to the provider's servers.
  4. When you log in from a new device, the encrypted vault downloads. Your master password re-derives the key locally and decrypts the vault locally.

What a server breach reveals: encrypted data that the attacker cannot decrypt without your master password. Assuming your master password is strong (long, random, not used elsewhere), a breach of the provider's servers doesn't compromise your vault contents.

What you're trusting: that the client-side code (the browser extension, the app) is correctly implemented. For open-source managers, this code is auditable.


The major password managers compared

Bitwarden

Open source, audited, cross-platform. The client-side code is publicly auditable. Bitwarden undergoes regular third-party security audits. The free tier is comprehensive — unlimited passwords across devices.

Self-hosting option: Bitwarden can be self-hosted on your own server, removing the third-party trust entirely. The official server is complex; Vaultwarden (a community Rust reimplementation) is more lightweight.

Pricing: Free (unlimited); Premium £10/year ($10/year) for TOTP, YubiKey support, encrypted file attachments.

1Password

Commercial, closed-source, widely respected. Used by many security professionals and companies. Family and team plans. Strong security track record. No free tier for individuals.

The Secret Key: 1Password requires both the master password and a "Secret Key" (a 34-character randomly generated key stored locally) to decrypt the vault. This provides protection against server-side compromise — even if the servers are breached and someone has your master password, they can't decrypt without the Secret Key.

Pricing: from $2.99/month individual.

KeePass / KeePassXC

Local-only, open source, no cloud sync by default. The database is a single encrypted file (.kdbx) that you store and synchronise yourself (Dropbox, Syncthing, a NAS). No third-party servers involved.

KeePassXC is the actively maintained cross-platform fork with modern UI. Mobile apps: KeePassDX (Android), Strongbox (iOS).

The downside: synchronisation requires more setup. The upside: complete control, no service dependencies.

iCloud Keychain / Apple Passwords

Built-in, free, zero-friction for Apple ecosystem users. Acceptable security architecture (end-to-end encrypted). Works well for users entirely within the Apple ecosystem. Limited flexibility for non-Apple devices and cross-platform use.

Google Password Manager

Built into Chrome and Android. End-to-end encryption added in recent versions. Convenient for Google ecosystem users. Less flexible than dedicated managers.


The master password: the one password that matters

With a password manager, all your security concentrates in one place — your master password must be strong.

A good master password approach:

  • Four to six random words from a large word list (diceware method): provides ~50–80 bits of entropy, memorable, long
  • Example: "correct horse battery staple" (deliberately common example — don't use this)
  • Store it nowhere digital — memorise it and write it on paper in a physically secure location

What to avoid:

  • A master password similar to other passwords you use
  • A short password (under 20 characters)
  • A meaningful phrase or personal information
  • The same master password as any other account

Emergency access and recovery

A common objection: "What if I forget my master password?" This is a real concern. Most password managers address it:

Bitwarden: allows designating trusted emergency contacts who can request access after a configurable waiting period.

1Password: the Emergency Kit (a printed document containing the Secret Key and instructions) provides recovery if you lose access. Store it physically.

KeePass: the database file is the backup. If you lose the master password, you lose the database. Keep the .kdbx file backed up in multiple locations.

Physical paper recovery codes, stored in a secure location (safe, safety deposit box), are the practical solution for all password managers.


How to use the Password Generator on sadiqbd.com

  1. Set length — 20+ characters for stored passwords, 24+ for high-value accounts
  2. Include all character types — uppercase, lowercase, digits, symbols
  3. Generate — cryptographically secure random output
  4. Copy directly into your password manager's new entry — never type it manually

The generator produces the passwords that populate your manager. The manager handles storage and recall.


Frequently Asked Questions

What happens if the password manager company shuts down? All reputable managers allow exporting the vault (usually as an encrypted file or CSV). Export regularly and store the backup securely. For open-source managers like Bitwarden, the software exists independently of any company.

Can a browser extension be compromised? Browser extensions are a more realistic attack surface than server compromise. Extensions with broad permissions can access page content and input fields. Use extensions from established, well-audited providers and keep them updated.

Should I still use two-factor authentication if I have a password manager? Yes — two-factor authentication is a separate layer. A compromised password (from a phishing attack, not a breach) is insufficient if 2FA is required. Enable 2FA on your password manager itself and on all accounts that offer it.

Is the Password Generator free? Yes — completely free, no sign-up required.


The argument for password managers isn't theoretical. Credential stuffing attacks are real, common, and scale to billions of leaked credentials. Unique randomly generated passwords at scale require a password manager.

Try the Password Generator free at sadiqbd.com — generate secure random passwords to store in your password manager of choice.
