Password Manager
A password manager is a convenient application for securely storing passwords and using them easily at sign-in. You no longer need to remember passwords, so that you can use a different strong password for each application without issues. Below, we explain how a password manager works and what it offers. We also outline how you can benefit from this smart tool within your IAM environment.
What is a Password Manager?
Depending on the vendor, a password manager may be either a cloud application or a locally installed application. At its core, it provides a well-secured digital vault where you can store passwords and use them to sign in to websites and applications. In addition to passwords, you can usually store other confidential data such as PINs, documents, or credit card details. As the owner, you access your data with a master password. That is also the only password you still need to remember as a user. The rest of your passwords and other data are available with a single click. Password managers are used both privately and within companies and organizations.
How Does a Password Manager Work?
After installing or activating your password manager, you can get started. You secure the tool with a personal username, usually an email address, and a master password. That password must be unique and sufficiently strong because it grants access to all your passwords. For that reason, most password managers also allow you to add Multifactor Authentication (MFA) for extra protection.
Adding Items to Your Password Manager
In your digital vault, you can store passwords and other data. First, specify which type of item you want to add, such as a password or a credit card. Then you can enter the relevant information. For a password, this includes the application or web service name, the URL, the username, and the password. If it is a new account and you still need to create a password, most password managers automatically generate a strong password using their built-in password generator. You can configure password rules, such as minimum length and allowed characters, yourself.
Signing In With Your Password Manager
Most password managers offer plug-ins for all common browsers. If you visit a website or application sign-in page where your account information has already been saved, the password manager recognizes it and uses the Autofill feature to complete the fields automatically. If you create a new account somewhere, you can add those details to the password manager with a single click.
Sharing Data
With a password manager, you can often share data easily with, for example, family members or colleagues. For personal use, this is a convenient option to share the login credentials for Netflix and other shared accounts. In business environments, sharing account credentials is generally discouraged.
Benefits of a Password Manager
A password manager provides several benefits for both security and convenience:
Remember One Password: You only need to remember your master password, which makes it easy to make that password sufficiently strong.
Strong Passwords: Best practice requires passwords to be unique and sufficiently strong. That is difficult if you must remember all of them yourself. With a password manager that is no longer necessary, so meeting this requirement is straightforward.
Efficient and User-Friendly: The Autofill option automatically enters credentials. Otherwise, you can do it yourself with a single click.
Synchronization: With an online password manager, your passwords are automatically available on all your devices.
Secure Storage: The password manager functions as a vault for digital data. Without the master password, the data is guaranteed to be inaccessible.
Additional Protection Against Phishing: You also store the URL of a website or application in a password manager. Phishing attempts often use a different URL that the password manager does not recognize, so it will not autofill your credentials on the fake page.
A password manager, therefore, makes it much easier and more secure to use and manage your passwords.
Are Password Managers Secure?
Yes. Whether the data is stored locally or in the cloud, it is encrypted with strong methods such as AES-256. This does mean the central sign-in requires extra attention. You only need one master password for that, which makes it feasible to use a unique, strong password. Especially when combined with Multifactor Authentication or a hardware key such as the YubiKey, access is well protected.
That protection is limited to the password manager itself. As soon as you sign in, the credentials are sent from the password manager to the target application or website, as usual. Passwords can still be stolen by hackers there. The password manager helps you manage passwords as securely as possible, but they remain passwords and are always somewhat vulnerable. This is why ongoing work focuses on alternative authentication methods, such as biometric verification and passkeys.
Tips for Choosing a Password Manager
What is the best password manager? The answer depends on your own requirements and context. Below are several factors you should consider when selecting a password manager:
Security: Does the password manager support end-to-end encryption (E2EE) so only the user can access it? Is a strong encryption algorithm such as AES-256 used? Is MFA supported?
Device Compatibility: Which devices can you use, and which operating systems and browsers are supported?
Usability: Can you easily add items, and can you use stored passwords to sign in?
Cost: Which features are included with each subscription? Many free accounts offer too little functionality to be truly usable.
Future Readiness: Does the software also support modern authentication methods such as passkeys?
Reputation and Transparency: Have there been security incidents, and how did the vendor handle them? Is the software open source and auditable?
Many organizations also encourage or require the use of a password manager. When choosing a business password manager, you will also look at maintenance, user support, monitoring, and reporting tools. You must also verify the extent to which the solution complies with your internal IT policies.
How Do You Create a Secure Password?
A strong password is one whose cost of compromise is too high or takes too long relative to the value it would yield. The main risk is not real-time sign-in attempts, since those are usually detected and blocked after a few failed tries.
The greater risk is a stolen or leaked credential database. Passwords are not stored there in plain text but as so-called hash codes, one-way transformations of the password. You cannot sign in with a hash, but offline, you can use brute-force techniques to find the password that corresponds to a given hash. With current computing power, you can try millions or even billions of password variations per second until a password is found.
Long and complex passwords
The number of possible passwords therefore has to be large enough that even such a brute-force approach still requires too much time and compute. You achieve this by making passwords complex and long:
Originally, passwords consisted mostly of letters. Today, applications often require complex passwords that include numbers, uppercase letters, and special characters. That produces many more variants and makes an attack much harder.
A similar principle applies to length. Passwords with 8 characters are now considered too short. The lower bound is often 12 characters or more. The longer a password is, the more variants exist.
Many applications, therefore, define strict rules for password selection. In most password managers, you can configure such rules for the built-in password generator. For those passwords, there is no need to limit length or complexity. You do not have to remember them yourself.
How Do You Choose Your Master Password?
That is different for your master password because you must remember it yourself. In that case, the preference is for an extra-long password without complex characters. We will not burden you with the math (you can find it here), but the rule of thumb is that extra length contributes more to strength than using complex characters. Complex passwords are also usually harder to remember and use.
This is why more users choose passphrases that consist of several words. Together, that yields a very long, secure password you can still remember relatively easily. Our Tools4ever password generator uses this principle. It automatically generates a secure passphrase consisting of multiple terms, such as:
vinyl heretic clinic could
In practice, even such a phrase of nonexistent or unrelated words is usually easier to remember than a shorter but complex password. If you want to know how secure a chosen password is, you can check it with our password calculator.
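To put numbers behind the two sections above (length versus complexity, and passphrases as a master password), here is an added example that is not part of this page or of the Tools4ever tools it mentions. It computes the search space of a random password or passphrase in bits, estimates offline cracking time at a constructed guess rate, and generates a passphrase with Python's cryptographic random source; the character-class sizes, the 7776-word list size and the tiny inline word list are assumptions for illustration.

```python
import math
import secrets

# Assumed character-class sizes for a random password (printable ASCII).
CHARSET_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 32}

# Constructed word list for illustration only; real passphrase generators
# draw from a list of thousands of words (Diceware-style lists have 7776).
WORDLIST = ["vinyl", "heretic", "clinic", "could", "harbor", "lantern",
            "pebble", "quartz", "saddle", "timber", "velvet", "walnut"]


def charset_size(classes):
    """Size of the alphabet formed by the union of the given character classes."""
    return sum(CHARSET_SIZES[c] for c in classes)


def entropy_bits_random_password(length, classes):
    """Bits of entropy for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(charset_size(classes))


def entropy_bits_passphrase(num_words, wordlist_size):
    """Bits of entropy for a passphrase of num_words drawn uniformly from a list."""
    return num_words * math.log2(wordlist_size)


def crack_time_seconds(bits, guesses_per_second):
    """Expected offline cracking time: on average half the space is searched."""
    return (2 ** bits) / 2 / guesses_per_second


def generate_passphrase(num_words, wordlist=WORDLIST):
    """Pick words with secrets.choice (CSPRNG), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    rate = 1e10  # constructed: ten billion guesses per second
    complex8 = entropy_bits_random_password(8, ("lower", "upper", "digits", "symbols"))
    long12 = entropy_bits_random_password(12, ("lower",))
    phrase4 = entropy_bits_passphrase(4, 7776)
    for label, bits in (("8 chars, 94 symbols", complex8),
                        ("12 lowercase letters", long12),
                        ("4 words of 7776", phrase4)):
        days = crack_time_seconds(bits, rate) / 86400
        print(f"{label:22s} {bits:5.1f} bits  ~{days:8.1f} days")
    print("example passphrase:", generate_passphrase(4))
```

Twelve plain lowercase letters outscore eight characters from the full 94-symbol alphabet, which is the rule of thumb from the text in numbers.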
Password Managers with IAM Platforms such as HelloID?
Is a password manager still needed if your organization also uses an IAM platform? In principle, the two complement each other. With an IAM platform such as HelloID, you ensure that users receive the correct accounts and permissions. Those settings are provisioned to various target systems. The way users sign in to a target system varies by customer. If users sign in manually, a password manager is almost essential. Only then can you use a unique and secure password for each application.
However, most organizations handle sign-in through the access management functionality of HelloID or with an external identity provider, such as Active Directory or Entra ID. In that case, you have Single Sign-On capabilities, and the role of a password manager is less important.
No Hassle with Password Managers When Using Single Sign-On?
Many organizations use Single Sign-On (SSO). With SSO, you only need to sign in once at the start of a user session, for example, to Active Directory. The SSO mechanism then ensures that you automatically gain access to all registered applications. At first glance, you would not need a password manager in that case. You use a password manager to store your login credentials, whereas you do not need them with SSO.
That is not the whole story. Not all business applications support Single Sign-On, and employees will often also use their own business applications and websites. You cannot manage all those accounts through the IAM platform, so you still need a password manager to store them.
Combining IAM and a Password Manager?
IAM Single Sign-On and your password manager can complement each other very well. On our website, you can learn more about the SSO functionality in the HelloID Access Management module. This module also includes Multifactor Authentication, which makes your authentication more secure.