It’s not a silly question at all.
Password managers, aka vaults, use several techniques and indicators to decide when, where, and how to fill in your information.
I’ll review some of the basic concepts that apply to most password vaults, as well as some of the complexity they have to deal with — including sites that seem to explicitly prevent their use.
Become a Patron of Ask Leo! and go ad-free!
Password vaults are for website logins
To begin with, we need to be clear that password vaults exist primarily to make logging in to online services easier. They make it possible to use long, complex passwords you couldn’t easily remember and type in.
Put another way, password vaults work in your web browser. Other password uses — say Windows itself asking for a password — is not where they come into play.
Now, there is one interesting exception, and that’s mobile. If your password vault has a mobile app, then it is likely to offer to manage passwords required by some (or perhaps most) of the apps installed on that device, in addition to working in the web browser.
Vaults save three pieces of information
At their core, each time you create a new entry in a password vault, three pieces of information are stored. If you have an account here at Ask Leo! and sign in via the “My Account” page, your password vault will care about:
- The URL: https://askleo.com/my-account/.
- Your username. That can be the email address associated with your account, or in some cases, an actual name (like “Leo”, in my case).
- Your password.
Creating a vault entry automatically
Most password vaults notice when you successfully sign in to a site it doesn’t already have an entry for. Then it asks if you want to save that information.
When you say “Yes” or “Add”, the information is saved in your password vault.
It may also give the entry a “name”, making it easier to find in the future. Here, LastPass created a name for the entry: “askleo.com” — the name of the site the entry applies to. (This isn’t used for anything other than display purposes.) It’s the URL field that matters for what’s next.
Using a saved entry
In most cases, using an entry saved in your password vault requires almost no work at all. Simply return to the URL of the log-in page, and the vault fills in the appropriate information, including your saved password, automatically. (Some vaults may not enable this feature by default, in which case you can typically right click and click on an item provided by the vault to fill in the fields, or perhaps click on the vault’s toolbar icon for the open to fill.)
All you need to do is click “Log in”.
Occasionally, you might be given a choice — for example, if you have more than one account with a given service. Exactly how that’s handled depends on your specific password vault, but generally there’s a control of some sort to click on (or right-click on) that will expose the saved credentials that apply, allowing you to choose which to use.
Creating vault entries manually
Occasionally, a password vault fails to recognize that you’ve logged in to a website or service for the first time, and doesn’t offer to create a vault entry for you.
There are two approaches to dealing with this situation:
- Create the entry manually. Most password vaults let you create entries from scratch. As we’ve seen, all you need to save is the URL, the login ID, and your password.
- Tell the vault to save before login. After filling in your user ID and password, but before you sign in, most vaults let you say, “Save this information now”, at which point they create a new vault entry for you with the fields and the URL found on the page. Exactly how, or even if, each vault allows you to do this varies.
In either case, signing out and then returning to the sign-in page will tell you if the vault got the information in a way that will allow it to sign in for you in the future.
When saved entries don’t work – reason #1
The #1 reason a password vault might not automatically fill in fields for you when you visit a website’s login page is that the URL is different. It’s not uncommon for the URL in your browser to be completely different at account creation time than it is at sign-in time. For example:
might be where you created your account and password, and thus what your password vault saved as the URL for the site. Yet when it comes time to sign in again, the URL of the login page might be something like:
— which is, of course, different. Same site, different page.
This is where the different password vaults differ. Some simply fail at this point. Others, however, look at those two URLs, notice they’re for the same site (albeit different pages), and offer, or fill in, the credentials you saved.
Fortunately, most vaults allow you to edit the URL manually. When this happens to me in LastPass, I edit the URL field to be just the domain:
LastPass then recognizes login attempts on any page on that domain. Your vault may, of course, behave differently, so you’ll want to save what was there to begin with before you change anything, just in case you need to set it back.
When saved entries don’t work – reason #2
Honestly, this frustrates me.
Some websites, or website designers, or perhaps their more bureaucratic and less tech savvy bosses, don’t like password vaults. They want you to manually type in your password every single time, without the assistance of technology. (Never mind that this leads to people choosing weaker passwords, or storing them in significantly less secure ways.) I discuss this in some more detail in Why Are Sites Making It Difficult for Password Managers?
Because of this misguided mandate, websites sometimes take steps to prevent password vaults from working. Period.
When this happens, most of the time you can still use your vault, though doing so is a little more cumbersome: open the vault and copy/paste the password from the vault to the password field of the website’s login page.1 This allows you to continue to use those long and strong passwords you have no hope of remembering.
There’s so much more
Saving your login information is the most basic of features across all password vaults, but most do much, much more. They securely save information and fill in forms other than sign in forms, save secure notes about anything you want to record, and more.
Once you find a password vault you’re comfortable with that meets your sign-in and password-saving needs, I encourage you to explore its additional features.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Download (right-click, Save-As) (Duration: 7:33 — 3.5MB)
Footnotes & References
1: Yes, there are a few — thankfully, a very few — that even disable pasting in the password. At that point, typing is almost the only solution. Avoiding that site or service is typically my next step, as they clearly don’t understand security and favor misguided bureaucracy instead.
17 comments on “How Do Password Vaults Enter Passwords?”
If you copy and paste your password, be sure to delete it from the Clipboard History (accessed by typing Windows Key + v) if you are using Windows 10, version 1903 or later, or a clipboard manager.
I use Last pass free and it works great for most sites, but is troublesome for some, like you said. When I get an error message, I’am usually too busy to look into it then and forget about it till later. Later never comes. Some error messages are no help at all. It tells me I have used this password on other sites and what I should do to correct it, but it doesn’t tell me what sites are affected which is next to no help at all when there are so many. I always have trouble with last pass when I have to change passwords. always! I think it is just cock pit trouble for which I guess there is no cure. Still when I’am away from my password manager I appreciate it all the more. Those helpful, long and varied passwords become a pain in the neck.
I’ve run into other problems using the password manager. Some sites have their own password generator, which you can bet doesn’t work the same way Last Pass does. It is confusing to say the least, and sometimes results in not recording the right password. After that there is nothing to do but start over. More carefully!
I use LastPass. One of my frequently used web sites is for a credit card. This site blocks auto LastPass entries. Accidentally discovered if I open a “Private Window” in Firefox, it works just like all other sites
and auto fills.
I have found at least one site which disables the paste function in my browser (when I use CNTRL V). Really annoying.
I have run into cases where the password manager (RoboForm in this case) can’t fill in the password. So, i use copy & paste — but the password box will not accept paste. This is very frustrating when I have a password like: PX!pNvivtmYZ72#RQXn*n6yQgsg3Jhu3
Good Lor d, how many characters is that?! Twenty characters would be mire than sufficient…!!!
Leo, I see RockFox and me have the same problem. Can you tell us how to fix that? Thanks, Mike
My favorite peeve is the universal idiocy of showing a string of dots for the characters that I enter for a password. Some original idiot decades ago thought it was a good idea, and all the rest of the lame brains are following this misguided routine. When I enter a password on my computers, I seldom have to be concerned with a spy looking over my shoulder. If I were, I would tell him to get lost. Then I enter the password, and mistype it. Then I have to try again until I get it right. Even when pasting into a password window works, I want to see the result. I never want to be saved from the 1/1,000,000,000 chance of some schmuck seeing what I type as a password and have him remembering it, and using it against me. Can we at least have an option to show the passwords instead of the dots?
Imre, you wrote, “Can we at least have an option to show the passwords instead of the dots?”
Many sites — Amazon.COM, among others — very often do exactly that. Look at the extreme right-hand end of the password field, and you may see any one of a few different symbols that you can click on to reveal the password. Usually, that symbol is an eye, but I’ve seen it (strangely) in the form of what looks like a telephone, and I’m sure there are others as well.
Hope this helps!
While I bristle at terms like “lame brain” and “idiot” — the feature is there for a very valid reason even if you feel it doesn’t apply to you — I have noted that more sites, particularly on mobile, will now include a toggle that allows the password to be displayed as you type. Best of both worlds.
I have tried all the ways to have LastPass enter my user ID and password at one particular website that I use several times a week: my bank. It used to work, and then a year or so ago it stopped accepting the LastPass information. I have been using copy and paste, and that works. I have tried the suggestions found in this article, but I still cannot pass the need for manual entry. I live with it, but I don’t like it.
As a LastPass (LP) user, all worked fine untill LP changed hands and is now operated by “Log me in”.
This changed system as run by “Logmein” creates many difficulties not least in some cases preventing ‘auto-fill’ and preventing ‘copy&paste’.
It’s a total pain in the butt when this happens and I’ve seriously considered changing to another password manager but with so many passwords secured in the vault, it would be a somewhat onerous ans pretty well thankless task!
I had one website for a credit card that I use stop working with Last Pass. I actually wrote them an Email complaining about the fact that this discouraged the use of long, secure passwords as you also suggest. Within a couple of weeks, Last Pass was working again. Whether my Email had any impact or not, I’ll never know, but I’m happy that they changed it back.
Some very annoying sites forbid even the copy+paste possibility.
Similar problem but a password change page allowed copy & paste a p/w generated by app into one field BUT had to type confirmation into second field and that one was covered in “***” so could not see why it kept insisting that the passwords did not match. Took many careful attempts to work.
In addition to sites which block password there are some which don’t automatically enter the password but if you click on the LastPass logo to the right of the login entry field, it will bring up the LastPass login(s) for that site.
The fake security measure of preventing copy-paste is often applied when creating the password or changing it. It’s not as bad as preventing it in the log-in screen, but it’s still exceedingly stupid and annoying.
And it does limit password security, because typing a long and complex password even once is impossible past a certain limit.
There’s a browser extension for that, however. It’s called DFWP, which means, ahem, Don’t Fuck With Paste. I’ve successfully used it on a few sites, and it restored the pasting ability as promised.
I use Auto-Type in Kee Pass (no online password manager).