Security glossary

Each term explained
without jargon

Everything you need to know about password managers, encryption, and cybersecurity, explained in plain language.

🔑

Basics

The basic concepts of any password manager

Password
password

🔑 Basics

A secret string of characters you use to prove it is you when accessing a service. It is the digital key that protects your accounts. A strong password is long, unique for each service, random, and hard to guess.

A secure password has at least 16 characters, mixes letters, numbers, and symbols, and is never reused on two different sites.

Vault
vault

🔑 Basics

The encrypted container where a password manager stores all your credentials, secure notes and sensitive data. It is like a digital safe: it can only be opened with your master password. Everything inside is encrypted and unreadable without the correct key.

In Cleverpass, your vault is stored encrypted in your own Google Drive. Not even we can open it.

Master password
master password

🔑 Basics

The one password you need to remember in a password manager. It acts as the master key that unlocks your vault and generates the cryptographic key that decrypts all your data. It is the only password that is not stored anywhere — it only exists in your head.

If you forget your master password, no one can recover it — not even the provider. Choose a long, memorable phrase. Example: "MyCat-Sleeps3Hours".

Log in
login / log in

🔑 Basics

The process of identifying yourself to a system or application by entering your credentials (usually username and password) to access your account. "Login" is the noun (the sign-in process) and "log in" is the verb (the action of signing in).

Log out
logout / log out

🔑 Basics

The process of formally ending an active session in an app or service. When you log out, session tokens are invalidated and data is cleared from memory, preventing other users of the same device from accessing your account.

Credential
credential

🔑 Basics

The set of data that identifies you to a system: usually a username (or email) plus a password. It can also include digital certificates, hardware tokens, or biometric data.

Secret
secret

🔑 Basics

Any sensitive data that must remain private: passwords, API keys, tokens, certificates, or any information that grants access to systems. Modern password managers allow storing secrets of all kinds, not just passwords.

🔐

Encryption and cryptography

How your data is protected mathematically

Encryption
encryption

🔐 Encryption

The process of transforming readable data into an unreadable format using a mathematical algorithm and a key. Only someone with the correct key can reverse the process (decrypt) and read the original information. It is the foundation of all security in password managers.

Think of it as a sealed envelope with a lock: the content exists, but no one can read it without the correct key.

AES-256
Advanced Encryption Standard

🔐 Encryption

The most widely used symmetric encryption standard; no practical attack against it is known. The number "256" refers to the key size in bits: 2^256 possible keys. Trying them all by brute force would take longer than the age of the universe, even with every computer in the world. It is the same standard governments use for classified information.

Cleverpass uses AES-256 to encrypt your vault. Without your master password, decrypting it is computationally infeasible.

PBKDF2
Password-Based Key Derivation Function 2

🔐 Encryption

An algorithm that turns your master password (readable text) into a 256-bit cryptographic key suitable for encryption. It repeats a hashing operation many thousands of times, so every password guess costs real time and brute-force attacks become extremely slow. If an attacker tried to test millions of passwords, PBKDF2 would make it take years instead of seconds.

The more iterations you configure in PBKDF2, the slower every password guess becomes for an attacker, although unlocking your vault is also slightly slower for you.

Key derivation
key derivation

🔐 Encryption

The process of generating a cryptographic key from a secret (usually your master password) using a specialized algorithm like PBKDF2, Argon2, or bcrypt. The result is a fixed-length binary key that is deterministic (the same password and salt always produce the same key) and irreversible (you cannot get the password back from the key).

Salt (Cryptographic salt)
cryptographic salt

🔐 Encryption

A unique random value combined with a password before hashing it or deriving a key from it. It ensures that two users with the same password end up with completely different keys or hashes. It protects against dictionary attacks and rainbow tables (precomputed lists of common password hashes).
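The PBKDF2, key derivation and salt entries above describe one mechanism; the following added example (not Cleverpass code; the 600,000-iteration count, 16-byte salt and sample password are assumptions for the demo) derives a 256-bit key with PBKDF2-HMAC-SHA256 and shows why the salt and the iteration count matter:

```python
import hashlib
import os
import time

# Values assumed for this example; a real vault stores its own salt and
# iteration count next to the ciphertext so the key can be re-derived later.
ITERATIONS = 600_000  # each extra iteration makes every password guess slower
KEY_LEN = 32          # 32 bytes = the 256-bit key AES-256 expects


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: master password + salt -> fixed-length 256-bit key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def new_salt() -> bytes:
    """16 random bytes from the OS CSPRNG; a fresh salt per vault means two users
    with the same master password still end up with completely different keys."""
    return os.urandom(16)


def seconds_per_guess(salt: bytes, iterations: int) -> float:
    """How long one derivation takes: the price an attacker pays for every guess."""
    start = time.perf_counter()
    derive_key("guess", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt_a, salt_b = new_salt(), new_salt()
    key1 = derive_key("MyCat-Sleeps3Hours", salt_a)
    key2 = derive_key("MyCat-Sleeps3Hours", salt_a)
    key3 = derive_key("MyCat-Sleeps3Hours", salt_b)
    print("same password + same salt  -> same key:     ", key1 == key2)
    print("same password + other salt -> different key:", key1 != key3)
    print("key is 256 bits:", len(key1) * 8 == 256)
    for n in (1_000, 100_000, ITERATIONS):
        print(f"{n:>8} iterations: {seconds_per_guess(salt_a, n):.3f} s per guess")
```

The timing loop makes the trade-off from the PBKDF2 entry visible: the cost you pay once per unlock is the cost an attacker pays for every single guess.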

End-to-end encryption
end-to-end encryption (E2EE)

🔐 Encryption

A model where data is encrypted on the origin device and only decrypted on the destination device. No intermediary (neither the service provider nor the server) can read the data in transit. It is the basis of WhatsApp, Signal, and Zero Knowledge managers like Cleverpass.

🛡️

Authentication and identity

How you prove it is you

Two-factor authentication / 2FA
two-factor authentication / 2-step verification

🛡️ Authentication

A security system that requires two independent proofs of identity before granting access: something you know (a password) plus something you have (your phone, a temporary code) or something you are (biometrics). Even if your password is stolen, without the second factor the attacker cannot get in.

Always enable 2FA on your most important accounts: email, bank, password manager. It is the security measure with the best effort/protection ratio.

TOTP — One-time password
Time-based One-Time Password

🛡️ Authentication

A 6-digit numeric code that changes every 30 seconds and is used as a second authentication factor. Your authenticator app (Google Authenticator, Authy…) generates it using a mathematical algorithm that combines a secret key with the current time. Without your device and the secret key stored on it, the code cannot be predicted.

Modern password managers like Cleverpass can store TOTP seeds, so you always have your 2FA codes handy.

Biometric unlock
biometric unlock

🛡️ Authentication

The ability to unlock the password manager using unique physical data from your body: fingerprint (Touch ID), facial recognition (Face ID), or iris. It is faster and more convenient than typing your master password, although the master password is still required periodically or when reinstalling the app.

Biometric data never leaves your device. It is only used to release the cryptographic key stored in the phone's secure chip.

Single sign-on / SSO
Single Sign-On

🛡️ Authentication

A system that lets you authenticate once to access multiple services without re-entering credentials. The most common example is "Sign in with Google" or "Continue with Apple." A central identity manages access to all federated services.

SSO is very convenient, but it creates dependency on the central account. If your Google account is hacked and you use Google SSO everywhere, all your accounts are at risk.

Passkey
passkey / FIDO2

🛡️ Authentication

A cryptographic credential that completely replaces passwords. It uses a public/private key pair: the website stores the public key and you keep the private key on your device. To authenticate, you prove you own the private key using local biometrics or PIN. It resists phishing because the private key is never shared.

📋

Password management

Everyday features and concepts

Autofill
autofill / auto-fill

📋 Management

The feature that automatically detects username and password fields in apps and browsers and fills them with your saved credentials in one tap. It removes the need to type long, complex passwords manually.

Autofill only works on domains that exactly match the saved ones, which also protects against phishing sites that imitate others.

Password strength
password strength

📋 Management

A measure of how hard it would be to guess or crack a password using automated attacks. It is calculated based on length, character variety (uppercase, lowercase, numbers, symbols), and randomness. It is often expressed in bits of entropy or as a weak/medium/strong/very strong score.

Length matters more than complexity. "Horse-Battery-Staple-Correct" is stronger than "P@ssw0rd!" and much easier to remember.

Password generator
password generator

📋 Management

A tool that creates random, secure passwords automatically based on the parameters you set: length, character types, words vs. symbols. It removes the human habit of creating predictable passwords or reusing the same ones.

Sync
synchronization

📋 Management

The process of keeping the vault updated and consistent across all your devices (phone, tablet, computer). When you add or modify a credential on one device, the changes are propagated automatically to the others via cloud storage.

⚙️

Tokens and sessions

How systems manage active identities

Token
token

⚙️ Advanced

A string of data that represents an identity or verified access permission. Instead of sending your password with every request to a server, the system issues a token when you authenticate. Later requests use that token. If the token expires or is revoked, you need to authenticate again.

Access token
access token

⚙️ Advanced

A short-lived token (minutes or hours) that authorizes access to specific resources. It is sent with each request to prove you have permission. Because it is short-lived, if someone intercepts it the attack window is small. It is common in APIs and OAuth systems.

Access tokens are often JWTs (JSON Web Tokens): three dot-separated sections containing header, payload, and cryptographic signature.

Refresh token
refresh token

⚙️ Advanced

A long-lived token (days or months) used only to obtain new access tokens when they expire, without requiring the user to re-enter credentials. It is only sent to the authentication server, not with every request, which reduces its exposure to theft.

Zero-knowledge architecture / ZK
zero-knowledge architecture

⚙️ Advanced

A system design model where the service provider has no technical access to the user’s sensitive data. Data is encrypted on the user’s device before leaving it, and the provider only stores (or transmits) data that is already encrypted and that it cannot decrypt. Even under a court order, it cannot reveal passwords because it mathematically cannot decrypt them.

Cleverpass is built on this architecture. We do not have servers with your data, and even if we did, we could not read it.

OAuth
Open Authorization

⚙️ Advanced

A standard protocol that allows an app to access resources from another on your behalf without sharing your password. When an app asks you to "Connect with Google," it uses OAuth. You give that app permission to access certain Google data (for example, your Drive), but Google never shares your password with the app.

Cryptographic entropy
cryptographic entropy

⚙️ Advanced

A measure of the randomness and unpredictability of a password or cryptographic key, expressed in bits. More bits of entropy mean more possible combinations and a secret that is harder to guess. A password with 128 bits of entropy has 2^128 possible combinations, which is practically impossible to break by brute force.
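The password strength, password generator and entropy entries all rest on the same arithmetic. This added example (not Cleverpass's generator; the 8-word list and the score thresholds are assumptions for the demo) generates passwords and passphrases from the OS CSPRNG and reports the entropy of each configuration in bits:

```python
import math
import secrets
import string
from typing import List, Tuple

# Constructed stand-in for a word list; real diceware-style lists have 7776 words.
WORDLIST: List[str] = ["horse", "battery", "staple", "correct", "river", "copper", "window", "signal"]
CHARSETS = {
    "digits": string.digits,                                            # 10 symbols
    "alnum": string.ascii_letters + string.digits,                      # 62 symbols
    "full": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of a uniformly random secret: log2(choices ** length) = length * log2(choices).
    This describes how the secret was generated; it cannot be read off a human-chosen string."""
    return length * math.log2(choices)


def generate_password(length: int = 16, charset: str = "full") -> Tuple[str, float]:
    """Random password from the OS CSPRNG (`secrets`, never `random`) and its entropy in bits."""
    alphabet = CHARSETS[charset]
    password = "".join(secrets.choice(alphabet) for _ in range(length))
    return password, entropy_bits(len(alphabet), length)


def generate_passphrase(words: int = 4, wordlist: List[str] = WORDLIST, sep: str = "-") -> Tuple[str, float]:
    """Diceware-style passphrase; entropy depends on list size and word count, not on letters."""
    phrase = sep.join(secrets.choice(wordlist) for _ in range(words))
    return phrase, entropy_bits(len(wordlist), words)


def rate(bits: float) -> str:
    """Score thresholds assumed for this example: weak / medium / strong / very strong."""
    if bits < 40:
        return "weak"
    if bits < 64:
        return "medium"
    if bits < 100:
        return "strong"
    return "very strong"


if __name__ == "__main__":
    for pw, bits in (generate_password(8), generate_password(16), generate_passphrase(4)):
        print(f"{pw:<40} {bits:6.1f} bits  {rate(bits)}")
    six = entropy_bits(7776, 6)
    print(f"6 words from a 7776-word list: {six:.1f} bits ({rate(six)})")
```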

⚠️

Threats and attacks

What can go wrong and why it is important to protect yourself

Data breach
data breach

⚠️ Threats

A security incident where confidential data is accessed, copied, or stolen without authorization. It can affect millions of users at once when a company is hacked. Passwords leaked in breaches often appear on the dark web and are used in follow-up attacks.

You can check whether your email has appeared in a known breach at haveibeenpwned.com.

Compromised password
password breach / compromised password

⚠️ Threats

A password that has been exposed in a data breach or is known to attackers. A compromised password should be changed immediately on every service where it is used. Modern password managers compare your passwords against breach databases and alert you.

Phishing
phishing

⚠️ Threats

A social engineering attack where an attacker impersonates a trusted entity (bank, social network, company) to trick you into entering your credentials on a fake site. It usually arrives by email, SMS, or instant message with a link to a copy of the legitimate site.

A password manager’s autofill protects against phishing: it only fills credentials on the exact saved domain. If the domain does not match, it will not autocomplete.
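The domain check described in the autofill and phishing entries, as an added example (not Cleverpass's matching logic; the policy of requiring HTTPS and an exact scheme, host and port match is an assumption for illustration, and real managers apply their own rules):

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Scheme + exact host + port: the unit autofill compares, never the page path or title."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    host = parts.hostname.lower().rstrip(".")
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return f"{parts.scheme}://{host}:{port}"


def autofill_allowed(saved_url: str, current_url: str) -> bool:
    """Fill only when the current page's origin equals the saved one and the page is HTTPS."""
    try:
        saved, current = origin_of(saved_url), origin_of(current_url)
    except ValueError:  # unparsable URL or invalid port: refuse rather than guess
        return False
    return current.startswith("https://") and saved == current


if __name__ == "__main__":
    saved = "https://accounts.example.com/login"   # constructed saved entry
    for candidate in (
        "https://accounts.example.com/sessions/new?next=/",   # same origin: fill
        "https://accounts.example.com.evil-login.net/login",  # lookalike subdomain: refuse
        "https://accounts.example.com@evil-login.net/",       # userinfo trick: host is evil-login.net
        "http://accounts.example.com/login",                  # plain HTTP: refuse
    ):
        print(f"{autofill_allowed(saved, candidate)!s:<5} {candidate}")
```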

Brute force attack
brute force attack

⚠️ Threats

An attack technique where all possible password combinations are systematically tried until the correct one is found. With modern computers, a simple 8-character password can be cracked in hours. That is why length matters and why PBKDF2 slows down each attempt.

Credential stuffing
credential stuffing

⚠️ Threats

An automated attack where username/password combinations leaked in previous breaches are tried against other services. It works because many people reuse the same password on multiple sites. If your password is leaked from one forum, attackers test that same one on your bank or email.

The only complete defense is having a unique, different password for every service — exactly what a password manager exists for.

Man-in-the-middle attack
man-in-the-middle attack

⚠️ Threats

An attack where a third party intercepts communications between two parties (for example you and a website) without either knowing. The attacker can read, modify, or inject data. End-to-end encryption makes intercepting the data useless: even if they capture it, it is encrypted.

Done with the theory? Time for practice.

Cleverpass applies all these concepts automatically. AES-256 encryption, Zero Knowledge, 2FA with TOTP, secure autofill — all included, free.

Download Cleverpass free