Quick Answer
You can store passwords securely without using a password manager, but it requires discipline and the right tools.
Password Hashing
To securely store passwords without a password manager, use a strong hashing algorithm like Argon2, PBKDF2, or Bcrypt. These algorithms take your password and transform it into a fixed-length string of characters, known as the hash. The hash is one-way, meaning it cannot be reversed to obtain the original password. Use a salt value (a random string) and a work factor (a measure of computational effort) to make the hash more resistant to brute-force attacks. For example, use a work factor of at least 1,000,000.
Password Storage Techniques
Store the hashed password in a secure location, such as an encrypted database or a Hardware Security Module (HSM). Use a secure random number generator to generate the salt value and store it alongside the hashed password. When verifying a password, hash the input password with the same algorithm and salt value, and compare the resulting hash with the stored hash. If they match, the password is correct. To further enhance security, use a password stretching technique, such as repeating the hashing process multiple times or using a slow hashing algorithm.
Implementation Considerations
When implementing password hashing without a password manager, consider the following: use a secure coding language and framework to ensure proper password handling; implement rate limiting to prevent brute-force attacks; and regularly update and rotate the hashing algorithm to stay ahead of potential security vulnerabilities. For example, use a modern framework like Node.js with the argon2 package or Python with the passlib library. Also, consider using a Hardware Security Module (HSM) or a Trusted Platform Module (TPM) to store sensitive data, such as the salt values and hashed passwords.
Find more answers
Browse the full Q&A library by topic, or jump back to the topic this question belongs to.