Password Manager Lab

Glossary

Password manager and authentication terms, defined plainly — the security vocabulary behind every review and comparison we publish.

A

AES-256 (cryptography)

The symmetric cipher most password managers use to encrypt the vault. Strong when correctly implemented; the realistic weak point is the master password and KDF, not AES itself.

See also: Encryption at rest, Key derivation function (KDF)

Argon2 (cryptography)

A modern, memory-hard KDF: every guess needs a large block of RAM, which is what makes GPU and ASIC cracking rigs expensive to run against it. The Argon2id variant is the one to prefer. Increasingly the default in security-focused password managers.

See also: Key derivation function (KDF), PBKDF2

Autofill (features)

The manager filling credentials into the matching site or app. Origin-matched autofill is also a phishing defense: a good manager won't fill a login on a look-alike domain.

See also: Browser extension, Phishing

B

Breach monitoring (features)

Checking your stored emails or passwords against known data-breach corpora and flagging exposed or reused credentials. A common value-add feature, not a substitute for unique passwords.

See also: Password reuse
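As an added example (not code from Password Manager Lab or from any product it reviews), the check below does what a breach-monitoring feature does offline: it hashes each stored password, sends only a short hash prefix to a range service (the k-anonymity scheme the Have I Been Pwned "Pwned Passwords" API uses, so the full password hash never leaves the device), matches the suffix locally, and also flags passwords reused across entries. The range response lines and breach counts are constructed for the example; only the SHA-1 of "password" is real.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a k-anonymity range service: the client sends the
# first 5 hex characters of SHA-1(password) and gets back every known suffix
# in that range with a breach count. These suffix lines and counts are made
# up for the example, except that SHA-1("password") really begins 5BAA6.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix of SHA-1("password")
        "0A1B2C3D4E5F60718293A4B5C6D7E8F9012:17",
        "FFEEDDCCBBAA99887766554433221100ABC:2",
    ]),
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str, prefix_len: int = 5):
    """Return (prefix to send to the service, suffix that stays on the device)."""
    digest = sha1_hex(password)
    return digest[:prefix_len], digest[prefix_len:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerate blank or odd lines."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def offline_fetch(prefix: str) -> str:
    """Offline substitute for the HTTPS GET of a hash range."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range=offline_fetch) -> int:
    """How many times the password appears in the corpus; 0 if never seen."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def audit_vault(entries, fetch_range=offline_fetch) -> dict:
    """entries: list of (site, password). Returns {site: [findings]} for
    entries that are breached, reused, or both."""
    sites_by_password = defaultdict(list)
    for site, pw in entries:
        sites_by_password[pw].append(site)
    findings = {}
    for site, pw in entries:
        issues = []
        seen = breach_count(pw, fetch_range)
        if seen:
            issues.append(f"seen in breaches {seen} times")
        if len(sites_by_password[pw]) > 1:
            others = sorted(s for s in sites_by_password[pw] if s != site)
            issues.append("reused on " + ", ".join(others))
        if issues:
            findings[site] = issues
    return findings


if __name__ == "__main__":
    # Constructed vault contents for the demo.
    vault = [
        ("bank.example", "password"),
        ("mail.example", "password"),
        ("shop.example", "Vq7!pLm2#zRt9wXe"),
    ]
    for site, issues in audit_vault(vault).items():
        print(site, "->", "; ".join(issues))
```

The prefix sent out reveals only a 20-bit range of the hash space, so the service learns nothing usable about which password was checked; the flagged result is still only advice, and the fix is the unique, generated password the manager can produce.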

E

Emergency access / recovery (features)

Mechanisms to regain or delegate vault access (recovery codes, trusted contacts). Their design is a real trade-off: easier recovery can mean a weaker zero-knowledge guarantee.

See also: Master password, Zero-knowledge architecture

Encryption at rest (architecture)

Stored vault data kept encrypted on disk and on servers. Necessary but insufficient on its own — what matters is whether the provider also lacks the key (zero-knowledge).

See also: Zero-knowledge architecture, AES-256

End-to-end encryption (E2EE) (architecture)

Data encrypted on the sender/owner device and decrypted only on the authorized device, with no readable copy in between. The basis of zero-knowledge sync and sharing.

See also: Zero-knowledge architecture

F

FIDO2 / WebAuthn (authentication)

A phishing-resistant authentication standard using public-key cryptography bound to the real site origin. The technology underlying security keys and passkeys.

See also: Passkey, Security key (hardware token), Two-factor authentication (2FA)

K

Key derivation function (KDF) (cryptography)

The algorithm (PBKDF2, scrypt, Argon2) that stretches your master password into an encryption key, deliberately slow to resist brute force. Argon2 is the current preference.

See also: Argon2, PBKDF2, Master password

L

Local-only vault (architecture)

A manager that stores the vault file on your devices with no provider cloud (e.g., KeePass-family). Maximum control; sync and backup become your responsibility.

See also: Vault, Self-hosted (sync server)

M

Master password (fundamentals)

The single secret that unlocks the vault. In a zero-knowledge design it is never sent to the provider, only a key derived from it is used locally; if it's lost, the vault is unrecoverable by design unless an emergency-access or recovery mechanism was set up beforehand.

See also: Vault, Zero-knowledge architecture, Key derivation function (KDF)

O

Open source / audited (trust)

Code published for inspection, ideally with independent security audits. Not a guarantee of security, but it enables verification of zero-knowledge and crypto claims.

See also: Zero-knowledge architecture

P

Passkey (authentication)

A FIDO2/WebAuthn credential that replaces the password with a private key held on the device or synced through a password manager or platform account. Phishing-resistant by design: the key only signs for the origin it was registered on.

See also: FIDO2 / WebAuthn, Security key (hardware token)

Password manager (fundamentals)

An encrypted vault that generates, stores, and autofills unique credentials so you only memorize one master password. The single highest-impact account-security tool for most people.

See also: Vault, Master password, Zero-knowledge architecture

Password reuse (threats)

Using one password across multiple sites, so a single breach compromises many accounts. The exact problem a password manager exists to eliminate.

See also: Password manager, Breach monitoring

PBKDF2 (cryptography)

An older, widely supported KDF. Secure with a high iteration count but not memory-hard, so weaker than Argon2 against modern hardware at equivalent settings.

See also: Key derivation function (KDF), Argon2

Phishing (threats)

Tricking a user into entering credentials on a fake site. Password managers reduce the risk because origin-matched autofill refuses to fill on a domain other than the one saved; FIDO2/passkeys remove it for that account because the credential is bound to the real origin and cannot be replayed elsewhere.

See also: Autofill, FIDO2 / WebAuthn
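The origin check that the Autofill and Phishing entries both rely on, as an added example (not code from Password Manager Lab or from any browser extension it reviews): a saved login is filled only when the page's scheme, host and port are identical to the saved origin, after Unicode hosts are normalized to their ASCII (punycode) form. The look-alike URLs are constructed for the demo; none of the hosts is real.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str):
    """Return (scheme, ascii_host, port), or None if the URL has no usable origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lowercased, port and credentials stripped
    if scheme not in DEFAULT_PORTS or not host:
        return None
    try:
        # Normalize to punycode so a homoglyph host can never compare equal
        # to the saved ASCII host; reject hosts that will not encode.
        host = host.encode("idna").decode("ascii")
        port = parts.port or DEFAULT_PORTS[scheme]
    except (UnicodeError, ValueError):
        return None
    return (scheme, host, port)


def should_autofill(saved_url: str, page_url: str):
    """Strict origin match: scheme, host and port must all be identical.
    Returns (decision, reason)."""
    saved, page = origin_of(saved_url), origin_of(page_url)
    if saved is None or page is None:
        return False, "unparseable origin"
    if page[0] != saved[0]:
        return False, f"scheme mismatch ({page[0]} vs {saved[0]})"
    if page[1] != saved[1]:
        return False, f"host mismatch ({page[1]} vs {saved[1]})"
    if page[2] != saved[2]:
        return False, f"port mismatch ({page[2]} vs {saved[2]})"
    return True, "exact origin match"


# Constructed look-alike pages for the demo; only the first should be filled.
LOOKALIKES = [
    "https://accounts.example.com/login?next=/",      # same origin
    "https://accounts.example.com.evil.test/login",   # saved host used as a prefix
    "https://evil.test/accounts.example.com/login",   # saved host hidden in the path
    "https://accounts.exarnple.com/login",            # "rn" imitating "m"
    "https://accounts.examp\u0435le.com/login",       # Cyrillic "е" homoglyph
    "http://accounts.example.com/login",              # TLS downgrade
    "https://accounts.example.com:8443/login",        # different port
]


def evaluate(saved_url: str, candidates=LOOKALIKES) -> dict:
    """Map each candidate page URL to its (decision, reason)."""
    return {url: should_autofill(saved_url, url) for url in candidates}


if __name__ == "__main__":
    for url, (fill, why) in evaluate("https://accounts.example.com/login").items():
        print(("FILL   " if fill else "REFUSE "), url, "->", why)
```

Matching on the exact origin rather than the registrable domain is the conservative choice: it also refuses to fill on a forgotten or taken-over subdomain, at the cost of asking the user to save the login once per subdomain.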

S

Security key (hardware token) (authentication)

A physical FIDO2 device (e.g., YubiKey) that proves possession during login. The strongest common second factor and a strong option for protecting the vault account itself.

See also: FIDO2 / WebAuthn, Passkey, Two-factor authentication (2FA)

Self-hosted (sync server) (architecture)

Running your own sync backend (e.g., Vaultwarden, a Bitwarden-compatible server) so encrypted vault data never touches a third-party host while keeping multi-device sync.

See also: Local-only vault, Zero-knowledge architecture

T

TOTP (authentication)

Time-based one-time passwords — the 6-digit rotating codes from authenticator apps. Phishable if entered on a fake site, but far stronger than SMS codes.

See also: Two-factor authentication (2FA), FIDO2 / WebAuthn
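To make the "phishable" point concrete, here is TOTP implemented from RFC 4226/6238 with the standard library, as an added example (not code from Password Manager Lab or from any authenticator app). It generates and verifies codes, decodes an otpauth-style base32 secret, and measures how long a captured code stays valid: a code typed into a fake site can simply be relayed to the real one within that window, which is exactly what an origin-bound FIDO2 assertion prevents. The 20-byte seed is the RFC 6238 test key, so the expected values are the RFC's own.

```python
import base64
import hashlib
import hmac
import struct


def key_from_base32(secret: str) -> bytes:
    """Decode an otpauth-style base32 secret (padding, spaces and case tolerant)."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step, digits, algo)


def verify_totp(key: bytes, code: str, at: int, window: int = 1, step: int = 30,
                digits: int = 6, algo=hashlib.sha1) -> bool:
    """Accept the current step and `window` steps on either side (clock drift).
    Constant-time comparison; a real verifier must also refuse to accept the
    same code twice."""
    for skew in range(-window, window + 1):
        expected = totp(key, at + skew * step, step, digits, algo)
        if hmac.compare_digest(expected, code):
            return True
    return False


def relay_window(key: bytes, captured_at: int, step: int = 30, window: int = 1) -> int:
    """Seconds after capture during which a phished code is still accepted by a
    verifier with the given drift window: the replay budget of a relay phish."""
    code = totp(key, captured_at, step)
    t = captured_at
    while verify_totp(key, code, t, window, step):
        t += 1
    return t - captured_at


if __name__ == "__main__":
    # RFC 6238 test seed, in the base32 form an authenticator app would be given.
    key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at t=59:", totp(key, 59))
    print("still accepted for", relay_window(key, 59), "seconds after capture")
```

A one-step drift window is common, so a code captured at the very start of a period can remain valid for about 90 seconds; shrinking the window helps only marginally, because the relay happens in real time.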

Two-factor authentication (2FA) (authentication)

Requiring a second proof of identity beyond a password. For a password manager account it protects vault sync access; it does not encrypt the vault itself.

See also: TOTP, FIDO2 / WebAuthn, Passkey

V

Vault (fundamentals)

The encrypted database holding your credentials, notes, and secrets. Its security depends on the encryption, the master password's strength, and how the key is derived.

See also: Master password, Encryption at rest, Key derivation function (KDF)

Z

Zero-knowledge architecture (architecture)

A design where encryption and decryption happen only on your device, so the provider stores ciphertext it cannot read. The property that lets you trust a cloud-synced manager.

See also: End-to-end encryption (E2EE), Encryption at rest
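The mechanics behind the Key derivation function, Master password and Zero-knowledge architecture entries, as one added example (not code from Password Manager Lab or from any product it reviews): the client stretches the master password into a master key, derives a separate vault-encryption key from it, and sends the server only an authentication hash derived one step further; the server stores a salted, stretched verifier of that hash. scrypt stands in for Argon2id because it is memory-hard and in the standard library, the lowercased email as KDF salt follows a common design, and the domain-separation label and iteration counts are illustrative choices, not any vendor's parameters.

```python
import hashlib
import hmac
import os


def master_key(password: str, email: str) -> bytes:
    """Client side: stretch the master password into a 256-bit master key.
    scrypt (memory-hard) stands in for Argon2id; the normalized email is the
    salt so identical passwords on different accounts give different keys."""
    return hashlib.scrypt(password.encode("utf-8"),
                          salt=email.strip().lower().encode("utf-8"),
                          n=2 ** 14, r=8, p=1, dklen=32)


def vault_key(master: bytes) -> bytes:
    """Client side: the key that encrypts vault items, separated from the
    login credential by a domain-labelled HMAC (label is illustrative)."""
    return hmac.new(master, b"vault-encryption", hashlib.sha256).digest()


def auth_hash(master: bytes, password: str) -> bytes:
    """Client side: the only secret sent to the server at login. One PBKDF2
    round over the master key, so the server learns neither the password nor
    the master key, and the vault key cannot be derived from it."""
    return hashlib.pbkdf2_hmac("sha256", master, password.encode("utf-8"), 1, dklen=32)


def server_register(auth: bytes, server_salt: bytes = None) -> dict:
    """Server side: store a salted, stretched verifier of the auth hash, not
    the auth hash itself, so a database leak still needs offline cracking."""
    server_salt = server_salt or os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth, server_salt, 100_000, dklen=32)
    return {"salt": server_salt, "verifier": verifier}


def server_verify(record: dict, auth: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", auth, record["salt"], 100_000, dklen=32)
    return hmac.compare_digest(candidate, record["verifier"])


def login(email: str, password: str, record: dict):
    """Whole flow from the client's view: returns the vault key on success,
    None if the server rejects. `master` and the vault key never leave here."""
    master = master_key(password, email)
    if not server_verify(record, auth_hash(master, password)):
        return None
    return vault_key(master)


if __name__ == "__main__":
    # Constructed account for the demo.
    email, password = "Alice@Example.com", "correct horse battery staple"
    record = server_register(auth_hash(master_key(password, email), password))
    print("server holds:", {k: v.hex() for k, v in record.items()})
    print("login ok:", login(email, password, record) is not None)
    print("wrong password:", login(email, "wrong password", record))
```

Everything the server holds is a function of the auth hash, which sits one one-way step beyond the master key; the vault key sits on a different branch entirely. That separation is what lets the provider authenticate you and sync ciphertext while remaining unable to decrypt it, and it is also why losing the master password leaves nothing on the server that can rebuild the vault key.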