> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/password-managers.md).

# Password Managers

### Why They're Needed

* Average person has \~100 passwords (NordPass study)
* Leads to password reuse and weak passwords
* Solution: password manager = encrypted database for all credentials

**Features most offer:**

* Password generation
* 2FA support
* Secure form filling / autofill
* Browser integration
* Multi-device sync
* Security alerts

***

### How They Work

Most use a **master password** to encrypt the entire database.

Relies on:

* **Cryptographic hash functions** — prevent unauthorized access
* **Key derivation functions (KDFs)** — harden the master password

#### Bitwarden's Approach (example)

```
TEXTMaster Password      ↓ KDF (PBKDF2-SHA256)Master Key  ──────────────────────────────► Decryption Key (AES-256)      ↓                                             ↓Master Password Hash                        Decrypts vault items(authenticates to cloud)
```

**Zero-Knowledge Encryption** — even the service provider cannot access your vault.

***

### Cloud vs Local

|              | **Cloud**                                                            | **Local**                                                        |
| ------------ | -------------------------------------------------------------------- | ---------------------------------------------------------------- |
| **Examples** | Bitwarden, 1Password, LastPass, Dashlane, Keeper, NordPass, RoboForm | KeePass, KWalletManager, Password Safe, Pleasant Password Server |
| **Storage**  | Encrypted DB on provider's servers                                   | Encrypted DB on your own machine                                 |
| **Sync**     | Auto across all devices                                              | Manual / your responsibility                                     |
| **2FA**      | Usually supported                                                    | Depends on tool                                                  |
| **Trust**    | Relies on provider's security                                        | Full control, full responsibility                                |
| **Risk**     | Provider breach                                                      | Local device compromise                                          |

> "At first it might seem like local storage is more secure than cloud storage, but cybersecurity is not a simple discipline." — Dashlane

**Local extras:** memory protection, keylogger resistance, secure desktop (similar to Windows UAC)

***

### Key Features to Evaluate

| Feature             | Why it matters                      |
| ------------------- | ----------------------------------- |
| 2FA support         | Extra layer beyond master password  |
| Multi-platform      | Android, iOS, Windows, Linux, Mac   |
| Browser extension   | Auto-fill without copying passwords |
| Import/export       | Avoid vendor lock-in                |
| Password generation | Strong unique passwords per site    |
| Sync                | Access across all devices           |

> Use Wikipedia's password manager comparison list to evaluate options against your needs.

***

### Alternatives to Passwords

| Method                | Description                                         |
| --------------------- | --------------------------------------------------- |
| **MFA**               | Requires 2+ factors — something you know + have/are |
| **FIDO2**             | Passwordless — physical device (YubiKey etc.)       |
| **OTP**               | One-time password — single use                      |
| **TOTP**              | Time-based OTP (Google Authenticator etc.)          |
| **IP Restrictions**   | Whitelist allowed source IPs                        |
| **Device Compliance** | Microsoft Endpoint Manager, Workspace ONE           |

#### Authentication Factor Types

| Factor               | Type                                | Example                              |
| -------------------- | ----------------------------------- | ------------------------------------ |
| Password             | Knowledge — something you **know**  | Vulnerable to theft, reuse, guessing |
| Physical key / token | Possession — something you **have** | YubiKey, phone                       |
| Biometric            | Inherent — something you **are**    | Fingerprint, face ID                 |

> Passwordless removes knowledge factors entirely — relies on possession or inherent factors.

***

### Going Passwordless

Companies pushing for it:

* **Microsoft** — Microsoft Passwordless
* **Auth0** — Auth0 Passwordless
* **Okta** — Okta Passwordless
* **Ping Identity**

**Why passwords are the problem:**

* Vulnerable to theft
* Shared or reused
* Guessable via OSINT
* Cracked via wordlists / brute force

***

### Key Takeaways

| Point                  | Detail                                                        |
| ---------------------- | ------------------------------------------------------------- |
| 100 passwords avg      | Humans cannot memorize securely — need a manager              |
| Cloud = convenience    | Sync everywhere, trust the provider                           |
| Local = control        | You manage encryption and backups                             |
| Zero-knowledge         | Good providers can't read your vault even if breached         |
| Passwordless is coming | FIDO2 / possession factors replacing knowledge factors        |
| One tool isn't enough  | Orgs often combine password manager + MFA + device compliance |


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/password-managers.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
