THIS IS HOW REAL PASSWORD MANAGERS ACTUALLY WORK
Source: Dev.to
Most people use password managers every day, but very few understand how they actually keep passwords secure.
In this article, I break down how real, production‑grade password managers work—the same core ideas used by tools like 1Password or Bitwarden—by walking through a project I built called Passwuts.
Why I Built Passwuts
Password reuse is one of the biggest security risks today. When a single website is breached, reused passwords expose users across every service they use.
Passwuts solves this by:
- Enforcing strong, unique passwords
- Using client‑side encryption
- Ensuring the server never sees plaintext credentials
This is the same security philosophy used by serious password managers.
High‑Level Architecture (Zero‑Knowledge Model)
Passwuts follows a zero‑knowledge, client‑first encryption model:
- 🔐 Master password never leaves the client
- 🔑 Encryption keys are derived locally using PBKDF2
- 🔒 Passwords are encrypted using AES‑GCM
- 🗄️ Server stores only ciphertext + IV
Even if the backend is compromised, passwords remain safe.
How Encryption Works (Step‑by‑Step)
- User creates a master password.
- A strong encryption key is derived using PBKDF2 (inputs: master password + user UID as salt).
- Passwords are encrypted using AES‑GCM with a random IV for each entry.
- Only the encrypted data is stored in Firestore.
At no point does plaintext leave the browser.
Vault Verification (Without Storing Passwords)
Problem: How to verify the master password without storing it?
Solution – Verifier Pattern:
- Encrypt a known string (e.g.,
"vault-check"). - Store the ciphertext as vault metadata in Firestore.
On unlock:
- Client decrypts the stored ciphertext locally.
- If decryption succeeds, the password is valid.
✅ Secure ✅ Zero‑knowledge ✅ No password storage
Browser Extension Architecture
The browser extension reuses the exact same crypto layer as the web app:
- Firebase authentication
- Shared internal crypto package (
@pm/crypto) - Client‑side encryption only
- No secret logic in the backend
This keeps behavior consistent across platforms.
What This Project Taught Me
- 🔍 Crypto failures usually come from misuse, not the math.
- 🔄 IV/nonce management is critical.
- 🧠 Security UX matters as much as cryptography.
- 🔐 Zero‑knowledge systems require discipline everywhere.
Final Thoughts
Password managers are not magic. They are carefully engineered systems built on:
- Key derivation
- Authenticated encryption
- Secure client‑side architecture
Understanding how they work makes you:
- A better engineer
- A safer user