220-1102 | Chapter 128 of 131 | Objective 2.2

Password Managers and Best Practices

This chapter covers password managers and best practices for the CompTIA A+ Core 2 (220-1102) exam, specifically under Domain 2.0 (Security) and Objective 2.2: 'Given a scenario, implement security best practices to secure a workstation.' Password managers are a key tool for enforcing strong, unique passwords across multiple accounts, and the exam expects you to understand their types, features, and proper configuration. Approximately 10-15% of exam questions in the Security domain touch on password management, including password managers, password policies, and multi-factor authentication. Mastering this topic will help you answer scenario-based questions about securing user credentials and reducing the risk of credential theft.

25 min read
Intermediate
Updated May 31, 2026

Password Manager as a Master Key Safe

Imagine you work in a large office building with hundreds of locked rooms, each requiring a unique key. Carrying all these keys on a single keychain is insecure—if lost, every room is compromised. Instead, you use a master key safe: a small, sturdy box that holds all the keys. To open the safe, you need a single master key. You keep the master key on your person at all times, and the safe is bolted to the floor. When you need a room key, you unlock the safe with the master key, retrieve the specific key, use it, then return it. The safe itself is tamper-proof and alerts you if someone tries to break it. In this analogy: the master key is your master password—the only credential you must remember. The safe is the password manager's encrypted vault. The room keys are your individual passwords for each website or service. The safe's tamper-proof design corresponds to encryption and integrity checks. If someone steals the safe (vault file), they cannot access the keys without the master key. If you lose your master key, you lose access to all room keys—just as losing your master password means losing access to all stored passwords unless you have a recovery mechanism. This illustrates the single point of failure and the critical importance of a strong master password.

How It Actually Works

What is a Password Manager?

A password manager is a software application that stores and manages a user's login credentials for various websites, applications, and services in an encrypted database, called a vault. The vault is protected by a single master password—the only password the user must remember. The password manager can also generate strong, random passwords, autofill login forms, and synchronize across multiple devices. The primary goal is to eliminate password reuse and weak passwords, which are leading causes of account compromise.

Why Password Managers Exist

Before password managers, users faced a dilemma: create strong, unique passwords for every account (impossible to remember) or reuse a few weak passwords (highly insecure). Password reuse is dangerous because if one site is breached, attackers can use the same credentials on other sites (credential stuffing). Password managers solve this by securely storing all passwords and allowing the user to use a single, strong master password. They also encourage the use of complex, unique passwords because the user never needs to memorize them.

How Password Managers Work Internally

A password manager operates through three core functions: encryption, storage, and retrieval.

Encryption: The vault is encrypted using a strong symmetric encryption algorithm, typically AES-256 (Advanced Encryption Standard with 256-bit key). The encryption key is derived from the master password using a key derivation function (KDF) such as PBKDF2 (Password-Based Key Derivation Function 2), bcrypt, or Argon2. The KDF applies a salt (a random value) and many iterations (e.g., 100,000 iterations for PBKDF2) to resist brute-force attacks. The master password itself is never stored; only the derived key is used to encrypt/decrypt the vault.

Storage: The encrypted vault is stored locally on the device (e.g., in a file or system keychain) or in the cloud for synchronization. Cloud-based password managers (e.g., LastPass, 1Password, Bitwarden) store the encrypted vault on their servers. The service provider never has access to the decryption key—the user's master password is never sent to the server. This is known as zero-knowledge architecture.

Retrieval: When the user wants to log in to a website, the password manager decrypts the vault in memory (using the master password), retrieves the specific credential, and autofills the login form. The decrypted data exists only in volatile memory and is cleared after use. Some password managers use a secure clipboard to prevent other applications from reading the password.

Key Components, Values, Defaults, and Timers

Master Password: The only password the user must remember. It should be long (at least 12-16 characters) and complex (mix of uppercase, lowercase, numbers, symbols). The master password is never stored; it is used to derive the encryption key.

Vault: The encrypted database containing credentials. Vaults may be local files (e.g., KeePass .kdbx) or cloud-synced.

Encryption Algorithm: AES-256 is the standard. Some managers also encrypt data with a unique key per entry.

Key Derivation Function (KDF): PBKDF2 with SHA-256 and 100,000+ iterations (default in many managers). Argon2 is becoming more common for its resistance to GPU attacks.

Salt: A random value added to the master password before hashing to prevent rainbow table attacks. Salts are unique per user and stored alongside the vault.

Auto-lock Timer: Automatically locks the vault after a period of inactivity (e.g., 5 minutes). On mobile devices, this may be tied to the device lock.

Two-Factor Authentication (2FA): Many password managers support 2FA for added security when accessing the vault (e.g., using TOTP or hardware keys).

Password Generator: Generates random passwords with configurable length (default often 16-20 characters) and character sets (uppercase, lowercase, digits, symbols).

Password Strength Indicator: Evaluates password strength based on entropy (bits of randomness). The exam may refer to this as entropy estimation.

Configuration and Verification Commands

Password managers are typically GUI-based, but some (like KeePassXC) offer command-line interfaces. For example, KeePassXC provides a CLI tool (keepassxc-cli) to create, open, and manage databases.

# Create a new database protected by a master password plus a key file
keepassxc-cli db-create --set-password --set-key-file mykeyfile.key myvault.kdbx

# Generate a 20-character password that draws from every character group
keepassxc-cli generate --length 20 --lower --upper --numeric --special --every-group

# Estimate the entropy (strength) of a candidate password
keepassxc-cli estimate --advanced mypassword

# Show entries in the database
keepassxc-cli ls myvault.kdbx

On Windows, the Credential Manager can be accessed through Control Panel > User Accounts > Credential Manager. It stores Windows credentials (e.g., network passwords) but is not a full password manager. The exam may ask about Credential Manager as a built-in Windows feature.

Interaction with Related Technologies

Web Browsers: Most browsers have built-in password managers (e.g., Chrome's password manager). They store passwords encrypted with the user's OS account password. However, they are less secure than dedicated password managers because they may be vulnerable to malware that accesses the browser's credential store. The exam emphasizes that dedicated password managers are preferred for better security.

Single Sign-On (SSO): Password managers can integrate with SSO solutions (e.g., Azure AD, Okta) to automatically fill credentials for enterprise applications.

Multi-Factor Authentication (MFA): Many password managers support TOTP (Time-based One-Time Password) codes, allowing them to function as an authenticator app. This can be a single point of failure if the password manager is compromised, so separate MFA devices are recommended.

Operating System Keychain: macOS Keychain and Windows Credential Manager are OS-level credential stores. They are used by the OS and applications but are not as feature-rich as dedicated password managers.

Best Practices for Using Password Managers

1. Use a Strong, Unique Master Password: This is the most critical practice. The master password should be long (16+ characters), include all character types, and not be used for any other account. Consider using a passphrase (e.g., 'correct-horse-battery-staple') for memorability.

2. Enable Two-Factor Authentication on the Password Manager: This adds a layer of security even if the master password is compromised. Use TOTP or a hardware key (e.g., YubiKey).

3. Keep the Vault Backed Up: If using a local vault, regularly back up the encrypted file. Cloud-based managers typically handle backups automatically.

4. Use the Password Generator for All New Accounts: Avoid manually creating passwords. The generator ensures randomness and complexity.

5. Regularly Audit Stored Passwords: Many password managers include a security dashboard that flags reused, weak, or compromised passwords. Address these promptly.

6. Log Out When Not Using the Manager: Especially on shared or public computers. Auto-lock should be set to a short timeout (e.g., 1-5 minutes).

7. Keep the Password Manager Updated: Updates often include security patches and improvements to encryption algorithms.

Types of Password Managers

Local Password Managers: Store the vault locally on the device (e.g., KeePass, KeePassXC). They do not sync automatically but can be manually synced via cloud storage (e.g., Dropbox). Advantages: full control, no cloud dependency. Disadvantages: manual sync, less convenient.

Cloud-Based Password Managers: Store the vault in the cloud and sync across devices (e.g., LastPass, 1Password, Bitwarden, Dashlane). They offer convenience and features like password sharing. Security relies on zero-knowledge architecture.

Browser-Based Password Managers: Built into browsers (e.g., Chrome, Firefox, Edge). They are convenient but have limited features and may be less secure because they are tied to the browser's security model. The exam notes that browser-based managers are not as robust as dedicated ones.

Security Considerations

Master Password Recovery: If the master password is forgotten, most password managers offer recovery options (e.g., recovery codes, email reset). However, these can be security weaknesses. The exam may test that recovery methods should be secured (e.g., printed and stored safely).

Vault Export: Some managers allow exporting the vault in plaintext (e.g., CSV). This should be done only in secure environments and the exported file should be deleted immediately.

Phishing Attacks: Password managers can help detect phishing by autofilling only on the correct domain. However, some managers may be tricked by lookalike domains. Users should verify the URL before autofill.

Malware: Keyloggers can capture the master password. Using a password manager with two-factor authentication and hardware-based security (e.g., YubiKey) mitigates this risk.

Exam Relevance

The 220-1102 exam expects you to:

Identify the purpose and benefits of password managers.

Differentiate between local, cloud-based, and browser-based password managers.

Know best practices for creating a master password and using a password manager.

Understand how password managers integrate with MFA and SSO.

Recognize common attacks against password managers (e.g., phishing, keylogging) and how to mitigate them.

Common exam scenarios include choosing the most secure way to store passwords for a small business, identifying the risk of password reuse, and configuring a password manager for a user.

Walk-Through

1. Install and Configure Password Manager

Choose a reputable password manager (e.g., Bitwarden, KeePassXC, or LastPass). Download and install the software on the workstation. During initial setup, the application will prompt you to create a master password. This password must be strong: at least 12 characters, containing uppercase, lowercase, digits, and symbols. The software will use a key derivation function (e.g., PBKDF2 with 100,000 iterations) to derive an encryption key from the master password. The master password is never stored; the derived key is used to encrypt and decrypt the vault. After creating the master password, the application generates a salt (random value) and stores it in the vault file. The vault is then created as an encrypted file (e.g., .kdbx for KeePassXC) or stored in the cloud (for cloud-based managers). The user may also set an auto-lock timer (e.g., 5 minutes) and enable two-factor authentication if supported.

2. Generate and Store Passwords

When creating a new account on a website, use the password manager's built-in password generator. Typically, you can specify the password length (e.g., 20 characters) and character sets (uppercase, lowercase, digits, symbols). The generator uses a cryptographically secure pseudorandom number generator (CSPRNG) to create a password with high entropy (e.g., 128 bits). The generated password is automatically saved to the vault along with the username and website URL. The vault entry may also include additional fields like notes or TOTP secrets. The password is encrypted with the derived key before being written to the vault file. For cloud-based managers, the encrypted entry is synced to the server. The user never sees the plaintext password unless they choose to reveal it.

3. Autofill Credentials on Websites

When the user navigates to a website that has stored credentials, the password manager detects the URL and matches it against entries in the vault. The user may need to unlock the vault by entering the master password (if not already unlocked). Once unlocked, the manager decrypts the relevant entry in memory and fills the username and password fields automatically. Some managers also submit the form automatically. The decrypted data exists only in volatile memory and is cleared after the form is submitted or the vault is locked. The password manager verifies the domain name to prevent autofill on phishing sites. If the domain does not match exactly (e.g., 'example.com' vs 'examp1e.com'), autofill is blocked. This is a key security feature.

4. Sync Vault Across Devices

For cloud-based password managers, the encrypted vault is synced to the provider's servers. When the user makes a change on one device (e.g., adds a new password), the change is encrypted locally and then uploaded. Other devices download the updated vault and decrypt it locally. The sync process uses end-to-end encryption: the provider never has access to the decryption key. Conflicts are resolved using timestamps or last-write-wins. For local managers, syncing is manual—the user must copy the vault file to other devices via USB, cloud storage, or network share. Syncing introduces a risk of data loss if the vault file becomes corrupted, so backups are essential.

5. Audit and Update Passwords Regularly

Many password managers include a security audit feature that scans the vault for weak, reused, or compromised passwords. The audit checks each password against known breach databases (e.g., Have I Been Pwned) using a hashed query to avoid exposing the password. The user should review the audit report and update any flagged passwords. Updating involves generating a new password and changing it on the corresponding website. The password manager can often open the website's change password page automatically. Regular audits (e.g., monthly) reduce the risk of account compromise. Some managers also alert users if a password has been exposed in a data breach.
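Steps 2, 3 and 5 of the walk-through can be exercised in one added Go example (my code, not any password manager's): a CSPRNG-backed generator that honours the every-group rule and reports entropy in bits, an exact-host autofill check that refuses lookalike domains, and the hashed breach query that sends only a five-character SHA-1 prefix and compares the returned suffixes locally. The breach index, URLs and sample password are constructed sample data.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math"
	"math/big"
	"net/url"
	"strings"
)

// groups are the generator's character sets; requiring one character from
// each mirrors the --every-group option of keepassxc-cli.
var groups = []string{
	"abcdefghijklmnopqrstuvwxyz",
	"ABCDEFGHIJKLMNOPQRSTUVWXYZ",
	"0123456789",
	"!@#$%^&*()-_=+[]{};:,.<>?",
}

func CoversEveryGroup(pw string) bool {
	for _, g := range groups {
		if !strings.ContainsAny(pw, g) {
			return false
		}
	}
	return true
}

// GeneratePassword draws every character from the CSPRNG (crypto/rand, never
// math/rand) with unbiased rand.Int and retries until every group is present.
func GeneratePassword(length int) (string, error) {
	if length < len(groups) {
		return "", fmt.Errorf("length %d too short to include every group", length)
	}
	alphabet := strings.Join(groups, "")
	for {
		buf := make([]byte, length)
		for i := range buf {
			k, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
			if err != nil {
				return "", err
			}
			buf[i] = alphabet[k.Int64()]
		}
		if CoversEveryGroup(string(buf)) {
			return string(buf), nil
		}
	}
}

// EntropyBits is the strength figure the chapter calls entropy estimation:
// length * log2(alphabet size) for a uniformly random password.
func EntropyBits(length, alphabetSize int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// AutofillAllowed is the walk-through's phishing check: the page host must equal
// the stored host exactly, so 'examp1e.com' and 'example.com.evil.test' are refused.
func AutofillAllowed(storedURL, pageURL string) bool {
	s, err1 := url.Parse(storedURL)
	p, err2 := url.Parse(pageURL)
	if err1 != nil || err2 != nil || s.Hostname() == "" {
		return false
	}
	return strings.EqualFold(s.Hostname(), p.Hostname())
}

// Breached models the hashed breach query: only the first five hex digits of
// SHA-1(password) are sent, and the returned suffixes are compared locally.
func Breached(pw string, index map[string][]string) bool {
	sum := sha1.Sum([]byte(pw))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	for _, suffix := range index[h[:5]] {
		if suffix == h[5:] {
			return true
		}
	}
	return false
}

// sampleBreachIndex is a constructed stand-in for the service's answer to prefix
// 5BAA6 (SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8).
var sampleBreachIndex = map[string][]string{
	"5BAA6": {"1E4C9B93F3F0682250B6CF8331B7EE68FD8"},
}

func main() {
	pw, _ := GeneratePassword(20)
	fmt.Printf("%s: %.0f bits\n", pw, EntropyBits(20, len(strings.Join(groups, ""))))
	fmt.Println(AutofillAllowed("https://example.com/login", "https://examp1e.com/login"), Breached("password", sampleBreachIndex))
}
```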

What This Looks Like on the Job

Enterprise Scenario 1: Small Business with 50 Employees

A small marketing agency with 50 employees uses a cloud-based password manager (e.g., Bitwarden Teams). The IT administrator creates an organization and invites users. Each user has a personal vault and also receives access to a set of shared credentials (e.g., social media accounts, analytics tools) through the organization. The admin enforces a policy requiring a master password of at least 16 characters and two-factor authentication (TOTP) for all users. The vault is synced across Windows, macOS, and mobile devices. The main challenge is user education: employees must be trained not to share master passwords and to use the password generator for all new accounts. The admin also configures auto-lock to 5 minutes. In production, the password manager reduces password reset requests by 80% and eliminates credential reuse. A common misconfiguration is allowing weak master passwords (e.g., 'password123'), which the admin must prevent through policy enforcement.

Enterprise Scenario 2: Large Organization with 5000+ Users

A university with 5000 faculty and staff uses an enterprise password manager (e.g., 1Password Business). The IT team integrates it with SSO via Azure Active Directory, allowing users to unlock their vault with their domain credentials. The vaults are stored in the cloud with zero-knowledge encryption. The organization also uses the password manager to store API keys and database credentials for IT staff. The scale introduces performance considerations: syncing 5000 vaults requires robust server infrastructure, and the provider must handle concurrent sync requests. A misconfiguration could occur if the SSO integration is not properly secured—for example, if the SSO token is not tied to the user's identity, an attacker could potentially access another user's vault. The IT team mitigates this by requiring a separate master password (not just SSO) for vault access and by auditing access logs regularly.

Scenario 3: Remote Workers Using Local Password Managers

A consulting firm with remote workers uses KeePassXC as a local password manager. Each worker stores their vault file in an encrypted cloud storage folder (e.g., OneDrive with BitLocker). The vault is synced manually. The challenge is ensuring that all workers use the same version of KeePassXC to avoid compatibility issues. Another risk is that the vault file could be accidentally shared or accessed by unauthorized users if the cloud storage permissions are misconfigured. The firm mitigates this by using a key file in addition to the master password (two-factor authentication via something you know and something you have). If a worker loses their key file or forgets the master password, recovery is difficult—the firm has a policy to store a printed recovery code in a safe. This scenario highlights the trade-off between security and convenience: local managers offer full control but require more user discipline.

How 220-1102 Actually Tests This

220-1102 Exam Focus: Objective 2.2

The CompTIA A+ Core 2 exam (220-1102) tests password managers under Objective 2.2: 'Given a scenario, implement security best practices to secure a workstation.' You must be able to recommend and configure password managers as part of a broader security strategy. The exam does not require deep knowledge of specific products, but you must understand the concepts.

Common Wrong Answers and Why Candidates Choose Them

1. 'Storing passwords in a browser is just as secure as a dedicated password manager.' Candidates choose this because they use browser password managers and find them convenient. The reality: browser-based managers are less secure because they are tied to the browser's security model, which may be vulnerable to malware that accesses the browser's credential store (e.g., by reading the SQLite database). Dedicated password managers use stronger encryption and often have additional security features like two-factor authentication and zero-knowledge architecture.

2. 'A password manager eliminates the need for multi-factor authentication.' Candidates think that because the vault is encrypted, MFA is unnecessary. The reality: the master password is a single point of failure; if it is compromised (e.g., via keylogger), the attacker gains access to all stored passwords. MFA adds a second layer of security, such as a TOTP code or hardware key, making it much harder for an attacker to access the vault.

3. 'The master password can be written down safely because it's the only password to remember.' Candidates may think writing down the master password is acceptable. The reality: writing down passwords is a security risk if the paper is lost or seen by others. The exam expects you to recommend using a passphrase that is easy to remember but hard to guess, and to store recovery codes securely (e.g., in a safe).

4. 'All password managers are cloud-based.' Candidates may assume that because popular managers like LastPass are cloud-based, all are. The reality: there are local password managers (e.g., KeePass) that store the vault locally. The exam may ask you to choose the best type for a given scenario (e.g., offline environment).

Specific Numbers and Terms That Appear on the Exam

AES-256 encryption is the standard for vault encryption.

PBKDF2 is the key derivation function used to derive the encryption key from the master password.

Salt is used to prevent rainbow table attacks.

Entropy is measured in bits; a password with 80 bits of entropy is considered strong.

Two-factor authentication (2FA) should be enabled on the password manager.

Auto-lock timer should be set to a short duration (e.g., 5 minutes).

Phishing protection is a feature where the manager checks the domain before autofilling.

Edge Cases and Exceptions

Shared computers: On a shared computer, the user must log out of the password manager and clear the vault from memory. The exam may test that using a portable version (e.g., KeePass on a USB drive) is more secure.

Password manager recovery: If the master password is lost, most managers offer recovery options (e.g., email reset, recovery codes). However, these recovery methods can be exploited. The exam may ask which recovery method is most secure (e.g., using a pre-generated recovery code stored offline).

Enterprise environments: In organizations, password managers can be integrated with SSO. The exam may test that SSO integration should not bypass the master password requirement.

How to Eliminate Wrong Answers Using the Underlying Mechanism

When faced with a scenario question about password managers, think about the mechanism: the vault is encrypted with a key derived from the master password. Any answer that suggests the master password is stored or that the service provider can access the passwords is wrong (zero-knowledge architecture). Answers that imply browser managers are equivalent to dedicated managers are wrong because of weaker encryption and vulnerability to local attacks. Answers that ignore MFA are wrong because the master password is a single point of failure. Use these rules to quickly eliminate distractors.

Key Takeaways

A password manager stores credentials in an encrypted vault protected by a single master password.

The vault is encrypted with AES-256, and the encryption key is derived from the master password using a KDF like PBKDF2 with a salt.

Cloud-based password managers use zero-knowledge architecture: the provider never has access to the unencrypted vault.

Master passwords should be at least 12 characters, include all character types, and be unique to the password manager.

Two-factor authentication should be enabled on the password manager to protect the vault even if the master password is compromised.

Browser-based password managers are less secure than dedicated password managers due to weaker encryption and vulnerability to malware.

Password managers help prevent password reuse and enable the use of strong, unique passwords for every account.

Auto-lock timer should be set to a short duration (e.g., 5 minutes) to protect the vault when the device is unattended.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Local Password Manager (e.g., KeePassXC)

Vault stored locally on the device; no cloud dependency.

No automatic sync; must manually sync via cloud storage or USB.

Full control over the vault file; no third-party server risk.

Typically free and open-source.

Requires user discipline for backups and syncing.

Cloud-Based Password Manager (e.g., Bitwarden)

Vault stored in the cloud; automatic sync across devices.

Convenient for users with multiple devices.

Zero-knowledge architecture; provider cannot access passwords.

Often offers premium features like password sharing and security audits.

Dependent on the provider's service availability and security.

Watch Out for These

Mistake: Password managers store passwords in plain text on their servers.

Correct: Reputable password managers use zero-knowledge architecture: the vault is encrypted locally with a key derived from the master password, and the encrypted data is synced to the server. The server never has access to the decryption key, so it cannot read the passwords.

Mistake: Browser-based password managers are just as secure as dedicated password managers.

Correct: Browser-based managers are less secure because they may store passwords in a format that can be accessed by malware or other applications (e.g., Chrome's password manager stores passwords encrypted with the OS user's password, but tools can decrypt them). Dedicated managers use stronger encryption and often include features like two-factor authentication and phishing protection.

Mistake: Once you use a password manager, you don't need multi-factor authentication.

Correct: The master password is a single point of failure. If it is compromised (e.g., by a keylogger), an attacker can decrypt the entire vault. Enabling two-factor authentication on the password manager adds a second layer of security, making it much harder for an attacker to gain access.

Mistake: Password managers are only for individuals, not for organizations.

Correct: Many password managers offer enterprise editions with features like shared vaults, centralized administration, and integration with SSO. Organizations use them to manage shared credentials (e.g., social media accounts, API keys) and enforce security policies.

Mistake: You should never write down your master password.

Correct: While writing down passwords is generally discouraged, writing down the master password and storing it in a secure location (e.g., a safe) can be acceptable as a backup. The key is to keep it physically secure and not in plain sight. Alternatively, use a passphrase that is easy to remember.

Frequently Asked Questions

What is the best password manager for the CompTIA A+ exam?

The CompTIA A+ exam does not endorse a specific password manager product. Instead, you need to understand the features and security principles common to all reputable password managers: AES-256 encryption, zero-knowledge architecture (for cloud-based), support for two-factor authentication, and the ability to generate strong passwords. For the exam, focus on concepts rather than brand names. You may be asked to recommend a type (local vs. cloud-based) based on a scenario.

Can a password manager be hacked?

While no system is completely secure, reputable password managers implement strong security measures. The primary risk is the master password being compromised (e.g., through phishing or keylogging). Using two-factor authentication mitigates this. Additionally, the encrypted vault is resistant to brute-force attacks due to the key derivation function (e.g., PBKDF2 with many iterations). Cloud-based managers have been targeted in the past (e.g., LastPass breach in 2022), but the zero-knowledge architecture means that even if the servers are breached, the attacker cannot decrypt the vault without the master password. However, metadata (e.g., URLs) may be exposed. For maximum security, use a local password manager with a strong master password and two-factor authentication.

How do I recover my password manager if I forget the master password?

Most password managers offer recovery options during setup, such as a recovery code (a one-time use code) or the ability to reset via email (if you have access to the registered email). Some managers allow you to set up a biometric unlock (e.g., fingerprint) as a secondary method. However, if you lose the master password and have no recovery method, the vault is permanently inaccessible due to encryption. It is crucial to store recovery codes in a secure location (e.g., a safe) or use a password hint that does not reveal the password. The exam may test that recovery methods should be used with caution as they can be security weaknesses.

Should I use a password manager on a shared or public computer?

Using a password manager on a shared or public computer is risky because the master password could be captured by keyloggers or the vault could be left unlocked. If you must use one, use a portable version (e.g., KeePass on a USB drive) and ensure you log out and clear the vault from memory after use. Alternatively, use a cloud-based manager with two-factor authentication and be sure to log out. The exam may recommend avoiding password managers on public computers altogether and instead using a different method (e.g., one-time passwords).

How does a password manager protect against phishing?

A password manager protects against phishing by verifying the domain of the website before autofilling credentials. It compares the current URL to the stored URL for the entry. If the domain does not match exactly (e.g., 'bankofamerica.com' vs 'bankofamerica.xyz'), the manager will not autofill. This prevents users from inadvertently entering their credentials on a fake site. However, some sophisticated phishing attacks may use lookalike domains or subdomains that trick the manager. Users should still verify the URL manually. The exam may test that password managers reduce but do not eliminate phishing risks.

What is the difference between a password manager and a credential manager?

A password manager is a dedicated application that stores and manages passwords for websites and applications. A credential manager (e.g., Windows Credential Manager) is an OS-level feature that stores credentials for network resources, such as Windows domain logins, mapped drives, and remote desktop connections. Credential managers are limited in scope and do not typically offer features like password generation, autofill for websites, or cross-platform sync. The exam may ask you to identify which tool is appropriate for a given scenario: use a password manager for web accounts, use Credential Manager for Windows network credentials.

How often should I change my master password?

There is no set rule, but best practices suggest changing the master password only if you suspect it has been compromised. Frequent changes may lead to weaker passwords or forgetting them. Instead, focus on making the initial master password strong and unique. Enable two-factor authentication to add an extra layer of security. Some organizations enforce periodic password changes, but for personal use, changing the master password every 1-2 years is reasonable if there are no security incidents. The exam may test that the master password should be changed immediately if there is any suspicion of compromise.
