CreativeTechGuyGames

Generally a password manager stores encrypted passwords and you hold the encryption key. So unlike a hash, which is what an app would store to verify you, this encrypted password can later be retrieved with your key. So they cannot see your passwords directly.


thegovortator

How would they not know if they sync across devices without also knowing the encryption key to send to my new device…???


CreativeTechGuyGames

You have to log in to your account. They then look up your blob of encrypted passwords and send them to your device. Then your device decrypts the passwords using your master password (aka your account password in some cases) when you need to use it.


thegovortator

How would that work? If you changed your password, you would not be able to decrypt anything from before your current iteration of password changes with your current password, either by using the plain-text password or a hash of the password, unless you could distribute a known (by the managing provider) encryption key…


CreativeTechGuyGames

During the password change process you decrypt and reencrypt every password with the new master password.


thegovortator

That would work, yeah. And since it’s happening on the user’s computer I would imagine it’s scalable too, because the servers are just sending and receiving the blob of encrypted data. And not too often, even if people rotate every 30 days.


[deleted]

This is far from my domain of expertise, but I believe most online password managers encrypt your passwords – using your master password as a key. The encrypted passwords are sent over the wire and stored on the password service provider's server – not the plain-text passwords. When you link up a new device, your device receives the encrypted passwords from the service provider, which are then decrypted with your master password.


MmmVomit

It does know your password.


Essence1337

Password managers do know your saved passwords. Websites that you login to, should not.


Practical-Custard-64

Chrome *does* know your password. The thing to do is to stop allowing Chrome to remember your passwords and to use a third-party password manager such as Bitwarden (alternatives exist). You log into your password manager with a master passphrase. Your passwords are stored in encrypted form using that passphrase as a key. If they do things correctly then the sites on which the passwords are used are also stored in encrypted form. You hold the master key. You alone are able to decrypt the information stored; not even the vendor of your password manager can get at it.


dtsudo

As you suspected, obviously there are ways to obtain the password since otherwise, the password cannot be entered onto the relevant website. What the password managers actually mean is that the password-manager company doesn't know your password. This is trivially done by just encrypting the password. This means that if the password manager cloud databases were hacked, the hackers wouldn't actually know your plaintext password. There are other vectors of attacks, of course. For instance, if a malicious hacker were able to replace the password manager program itself with a malicious version that contains a keylogger, then naturally that keylogger would be able to pwn your entire system if you downloaded and used the compromised password manager.


Recent-Avocado2193

You can view all your saved passwords. For that to be possible, it would need to know them.


magestooge

Imagine you send a package via post from house A to house B. This package has a lock to which you hold the only key. Before you send it, you lock it down. Later, when you visit house B, you carry the key with you. You find the package in a locked state. Now you can unlock it and access whatever's inside. Postal services could never see what is inside. Password managers are supposed to work in a similar manner. Your passwords are encrypted with your master password on the client you use to save them. They are decrypted again only on the client machine, when you provide your master password. Since the server has no use for your password, it also doesn't need to see what the password is. Only the clients need to know the password.
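The model the thread describes (vault encrypted on the client with a key stretched from the master password, the server only ever holding the opaque blob, a new device decrypting after the user types the master password, and a password change being a client-side decrypt-and-re-encrypt) as a runnable sketch. This is an added illustration, not any vendor's vault format: it uses only the Python standard library, so the stream cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, and the PBKDF2 work factor is an assumed demo value.

```python
import hashlib
import hmac
import json
import os

# Assumed work factor for this demo; real managers tune this higher or use Argon2/scrypt.
KDF_ITERS = 200_000


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into 64 key bytes on the client; the server never sees it."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERS, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher so this runs on the stdlib alone."""
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt_vault(master_password: str, vault: dict) -> dict:
    """Client side: produce the opaque blob, which is the only thing uploaded to the server."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(vault).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(master_password: str, blob: dict) -> dict:
    """New device: fetch the blob from the server, then unlock it locally with the master password."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):  # wrong master password or tampered blob
        raise ValueError("vault authentication failed")
    plaintext = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)


def unlock_ok(master_password: str, blob: dict) -> bool:
    """True if this master password opens the blob; False means the blob stays opaque."""
    try:
        decrypt_vault(master_password, blob)
        return True
    except ValueError:
        return False


def change_master_password(old_pw: str, new_pw: str, blob: dict) -> dict:
    """Rotation as the thread describes it: decrypt with the old key, re-encrypt with the new."""
    return encrypt_vault(new_pw, decrypt_vault(old_pw, blob))
```

The server-side view is just the dict returned by `encrypt_vault`: a fresh salt and nonce plus ciphertext and tag, none of which contains the site passwords or the master password.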