The first password manager software designed to securely store passwords was called Password Safe. It was created by security expert Bruce Schneier and released as a free utility on September 5, 1997. Designed for Microsoft Windows 95, it used encryption to protect sensitive data.
The commercial password manager market, though young, has become a vital instrument in the orchestra of cybersecurity. This treatise delves into its origins, the rising crescendo of adoption, and the key movements shaping its future. A crescendo of complexity followed in the 2000s. The new millennium saw businesses adopt web applications, requiring robust password management for employee access. Security breaches like the high-profile TJX Companies hack in 2003 highlighted the vulnerability of weak password practices. This created fertile ground for commercial password managers.
The mid-2000s witnessed the arrival of prominent players, many of which are still key vendors, like LastPass, Dashlane, and Keeper Security. These companies offered cloud-based solutions, enabling access from any device. Features like secure password sharing and data breach monitoring further enhanced their appeal. One of the largest vendors today, 1Password, was founded in 2005 with the official public release happening in 2006. Given that these companies still exist, there was clearly a need for this type of software.
The late 2000s saw a debate ignite: free vs. paid password managers. While free versions offered basic functionalities, paid subscriptions unlocked features like multi-factor authentication and secure file storage. Businesses, recognizing the value of robust security, began favoring paid solutions.
The rise of smartphones and cloud computing in the 2010s further propelled the market. Password managers became essential for managing credentials across a growing digital ecosystem. Features like automatic login and password generation streamlined the user experience. It took years from 1997 for the password manager market to reach $100 million, but it then expanded to $1.74 billion in 2023 and is expected to reach $7.32 billion in 2025. That’s with Chrome adding a password manager in 2016 and Apple having had a password manager called Keychain since the early 1990s, initially developed for their email system, PowerTalk.
Today, the password manager market is a vibrant chorus of innovation. Integration with single sign-on (SSO) solutions, biometric authentication, and advanced threat detection are key trends. Businesses are increasingly adopting enterprise-grade password management solutions with features like centralized administration and user access controls. Further, there are free tools, such as the Chrome password manager, Microsoft Autofill, and Apple’s Keychain, which Secret Chest uses as our database.
The future of the commercial password manager market promises further refinement. As threats evolve, password managers will integrate with advanced security frameworks like Zero Trust architecture. Artificial intelligence (AI) could be leveraged for password risk assessment and personalized security recommendations. The challenge is to do this while keeping user data private. The future of password managers seems to be headed in two main directions: working alongside passwordless authentication and offering even more sophisticated security features. At Secret Chest, we’ve embraced trying to do both.
Let’s start with a discussion about “passwordless” authentication. This primarily means passkeys, built on WebAuthn. Passwordless logins, using biometrics like fingerprint, facial, and optic recognition, are gaining traction, especially in the Apple ecosystem (but a TPM is required for the latest version of Windows as well). Password managers don’t become obsolete in these scenarios, but we must adapt to seamlessly integrate with these methods. That means native technologies, not just one browser extension to work with all of the vendors out there. For example, Secret Chest stores the encryption key used for a passkey, adding an extra layer of security.
We’re also concerned about security breaches of password managers themselves, which have happened multiple times thus far. While unlikely due to strong encryption, a major breach of a password manager could significantly impact the market. Just three recent ones to consider:
2015 - LastPass: Hackers infiltrated LastPass's servers, gaining access to user email addresses and password reminders. However, strong encryption protocols protected the actual passwords themselves.
2022 - LastPass (again): This breach involved a compromised employee account, allowing unauthorized access to a portion of LastPass's source code and some encrypted customer vaults. While the severity is debated, it highlighted the importance of robust internal security practices.
2022 - LifeLock: This wasn't a traditional data breach, but rather a credential stuffing attack. Hackers used previously compromised credentials to gain access to over 6,000 LifeLock password manager accounts. This emphasizes the importance of using strong, unique passwords everywhere.
All of these software tools have millions of lines of code, and so none of us are immune to getting attacked. These are just some that were recent. No shame on the vendors, but when we designed Secret Chest, from the ground up, we didn’t want to have a full secret on our servers or on a single device, in case one of those was compromised. Now that those features are done, we’ve developed an advanced policy system and plan to complete layering on the AI threat detection and begin integrating with popular identity, zero trust, and device management solutions.
We think we can do all of this without losing that focus on security and user experience. For example, features that make it easier to manage a large number of credentials, some of which can now require at least two people to authenticate in order to access them (at least with Secret Chest). But here’s the thing: we believe that you can’t have a good user experience without being secure. After all, it’s a terrible user experience to be a part of a breach. We’re still working on a number of things. For example, Keychain will tell users if they have a compromised or re-used password, but Secret Chest splits those up, so we can only inform users when they access the credential. We want to retroactively apply password policies, so we can store the complexity checks in JSON without storing the actual password. There are dozens of other places where we’re currently working hard, but thinking a little about how this market has evolved helps us better prioritize how we want to attack all these spaces.
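As an added illustration of storing complexity checks in JSON instead of the password (example code written for this post, not Secret Chest’s own implementation): the metadata below is computed once, the password is then discarded, and a policy introduced later can still be evaluated against the stored record. The field names and the policy format are assumptions.

```python
import json
import string

# Constructed example: keep only structural facts about a password so that a
# policy adopted later can be checked without the password ever being stored.
# Note that even this metadata (length, character classes) says something about
# the password, so it belongs under the same protection as other vault metadata.

def max_run(s: str) -> int:
    """Length of the longest run of one repeated character (e.g. 'aaab' -> 3)."""
    best = run = 0
    prev = None
    for c in s:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best

def complexity_metadata(password: str) -> dict:
    """Return structural facts about the password; the password itself is not kept."""
    return {
        "length": len(password),
        "has_upper": any(c.isupper() for c in password),
        "has_lower": any(c.islower() for c in password),
        "has_digit": any(c.isdigit() for c in password),
        "has_symbol": any(c in string.punctuation for c in password),
        "distinct_chars": len(set(password)),
        "repeated_run": max_run(password),
    }

def to_json(meta: dict) -> str:
    """Serialise the record for storage (sorted keys give a stable encoding)."""
    return json.dumps(meta, sort_keys=True)

def check_policy(meta_json: str, policy: dict) -> list:
    """Return the names of the policy rules the stored record fails (empty if compliant)."""
    meta = json.loads(meta_json)
    failures = []
    if meta["length"] < policy.get("min_length", 0):
        failures.append("min_length")
    for cls in policy.get("require", []):          # e.g. ["upper", "digit", "symbol"]
        if not meta.get("has_" + cls, False):
            failures.append("require_" + cls)
    if meta["repeated_run"] > policy.get("max_repeated_run", meta["repeated_run"]):
        failures.append("max_repeated_run")
    return failures
```

Because only the record is stored, a stricter policy rolled out next year can flag old credentials for rotation without the vault ever holding the plaintext.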
Have any features you want? Just let us know. We love building cool stuff, whether it was our idea or not! Heck, we may even name the feature after you!