Password managers are the vegetables of the internet. We know they are good for us, but most of us are happier snacking on the digital equivalent of fast food. For the past seven years, the two most frequently used passwords on the internet have been “123456” and “password.” The issue is that most of us are unable to remember hundreds of passwords and are unaware of what constitutes a decent password.
The safest (if craziest) way to store your passwords is to memorize them all. (Make sure they are long, strong, and secure!) Just kidding. That might work for Memory Grand Master Ed Cooke, but most of us are not capable of such fantastic feats. We need to offload that work to password managers, which offer secure vaults that can stand in for our memory.
A password manager offers convenience and, more importantly, helps you create better passwords, which makes your online existence less vulnerable to password-based attacks. Read our guide to VPN providers for more ideas on how you can upgrade your security, as well as our guide to backing up your data to make sure you don’t lose anything if the unexpected happens.
Why Not Use Your Browser?
The majority of web browsers have at least a basic password manager. (When Google Chrome or Mozilla Firefox asks whether you’d like to save a password, this is where they save it.) Browser-based password managers have some limitations, but using one is preferable to having the same password across the board. Although Google has made improvements to the built-in password manager in Chrome over the past few years, it is still less full-featured and less widely supported than a dedicated password manager like those listed below.
It all comes down to focus, which is why security experts advise using a specialized password manager. Web browsers have other priorities and have had little time to improve their password managers. For instance, the majority of them will just give you “123456” as a strong password. Dedicated password managers have a single objective and have been steadily adding useful features. In theory, this results in increased security.
TechMag readers have also asked about Apple’s macOS password manager, which syncs via iCloud and has some great integrations with Apple’s Safari web browser. There’s nothing wrong with Apple’s system. In fact, I have used Keychain Access on Macs in the past, and it works great. It takes care of protecting your credentials and syncing them between Apple devices, but it lacks some of the wonderful bonuses you get with specialized services. The primary issue is that Apple doesn’t produce apps for other platforms, so if you have any non-Apple devices, you won’t be able to sync your passwords to them. All in on Apple? Then this is a practical, cost-free, built-in choice to think about.
Apple Passkeys and the “Death of the Password”
About two days after the password was created, a coordinated campaign to eliminate it started. We won’t argue that passwords are annoying, but we don’t see them disappearing anytime soon. The latest effort to get rid of the password comes from the FIDO Alliance, an industry group aimed at standardizing authentication methods online.
Although it is still early, Apple has included the FIDO protocols in what it refers to as passkeys. Similar to passwords, passkeys are created and handled by your device. You don’t need to do anything. Apple keeps them in the iCloud Keychain, and they work in Safari, the company’s web browser. Passkeys are now available in iOS 16 and macOS Ventura, but there are some restrictions. Websites and services must support the FIDO Alliance’s protocols, and currently few do. However, we expect that to change quickly. Apple is using the FIDO Alliance’s work in the background, so passkeys will eventually work with systems from Google, Microsoft, Meta, and Amazon.
You might be wondering how passkeys and passwords differ from one another. Actually, they don’t differ much. Instead of passwords, they are generated key pairs. If you’re familiar with GPG keys, you’ll recognize the public and private key structure. The website holds the public key and asks your device to prove that it holds the matching private key in order to verify your identity; the private key itself stays on your device. Passkeys aren’t a revolutionary change, but they are still an upgrade because they are built in for people who won’t read this post and instantly sign up for one of the services listed below. It would be a victory for security if millions of users suddenly abandoned the 12345678 password.
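The public and private key exchange described above, as an added example in Node.js (not code from the original article, Apple, or the FIDO Alliance). It is a simplified challenge-response, not the real WebAuthn message format; the Device and Website classes, the user name, and the origins are constructed for illustration.

```javascript
// Added illustration: passkey-style login as key pair + challenge-response.
// Simplified; not the WebAuthn wire format. Origins and names are constructed.
const crypto = require("crypto");

// The device creates one key pair per site and never exports the private key.
class Device {
  constructor() { this.keys = new Map(); } // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: "spki", format: "pem" }); // public half only
  }
  // Sign the site's challenge, bound to the origin the browser is really on.
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // no credential for this origin
    const message = Buffer.concat([Buffer.from(origin + "\n"), challenge]);
    return crypto.sign(null, message, privateKey);
  }
}

// The website stores only public keys and issues single-use random challenges.
class Website {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> PEM public key
    this.pending = new Map();    // user -> outstanding challenge
  }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    this.pending.delete(user); // each challenge is accepted at most once
    if (!challenge || !pem || !signature) return false;
    const message = Buffer.concat([Buffer.from(this.origin + "\n"), challenge]);
    return crypto.verify(null, message, crypto.createPublicKey(pem), signature);
  }
}

function demo() {
  const device = new Device();
  const site = new Website("https://shop.example");
  site.enroll("alice", device.register(site.origin));

  const signature = device.sign(site.origin, site.newChallenge("alice"));
  const login = site.verify("alice", signature);

  site.newChallenge("alice"); // a fresh challenge is issued for the next login
  const replay = site.verify("alice", signature); // earlier signature reused

  // A look-alike origin has no key on the device, so nothing gets signed.
  const lookalike = device.sign("https://shop-example.test", crypto.randomBytes(32));
  return { login, replay, lookalikeSigned: lookalike !== null };
}

console.log(demo());
```

Unlike a password, nothing the website stores or receives here can be reused to log in elsewhere: the stored value is a public key, and each signature is valid for one challenge on one origin.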
Do you need to use them? If you’re all in on Apple devices, jump in wherever they are supported. With time, support from outside the Apple ecosystem will surface. Dashlane, one of our recommendations below, has already announced that it will support passkeys, so you can manage both legacy passwords and passkeys in one service. Other current services should follow suit.
You might wish to wait to adopt passkeys if you use a range of devices. Although there is a solution for other devices, it uses QR codes and appears to be a bit laborious. When platforms like Android, Windows, and others start rolling out their own support for FIDO Alliance protocols, we’ll start testing and determining the best course of action for the password-less future.
The range of features 1Password provides sets it apart from the other options on this list. Although it’s not the most affordable (for that, see our next recommendation), it will notify you when a password is insecure or has been compromised by checking it against Troy Hunt’s outstanding Have I Been Pwned database.
Like other password managers, 1Password includes apps for almost every platform, including macOS, iOS, Android, Windows, Linux, and Chrome OS. There is even a command-line utility that works anywhere. Additionally, there are plugins for your preferred web browser that make it simple to instantly create and modify passwords.
I’ve had a mixed experience with 1Password 8, the most recent version of its apps. On the plus side, it now functions with ARM-based Windows laptops. However, I’ve encountered troubles with macOS Monterey, including autofill failing and a temporary suspension of keyboard shortcuts until I restart the browser. Even if the current issues are not enough to convince me to reconsider our favorite choice, I am definitely keeping a watch on them. Additionally, the company recently shortened the free trial period from 30 to 14 days.
If you cross borders frequently, you’ll enjoy Travel Mode, my favorite 1Password function. This mode enables you to remove any private information from your devices before a trip and then quickly restore it once you’ve crossed a border. This prevents anyone, even law enforcement at foreign borders, from accessing your entire password vault.
1Password is a password manager that also doubles as an authentication tool similar to Google Authenticator. For added security, it generates a secret key for the encryption key it uses, making it impossible for anyone else to decrypt your passwords. (On the negative side, no one, not even 1Password, can decrypt your passwords if you lose this key.)
Furthermore, 1Password connects seamlessly with other mobile apps. It is integrated with many apps and can autofill passwords, eliminating the need to copy and paste passwords from your password manager to other apps (which leaves your password on the clipboard at least temporarily). This is more noticeable on iOS, where interapp communication is more constrained.
Bitwarden is safe, open source, and free with no limits. It is the best option for anyone who doesn’t require the additional capabilities of 1Password because the applications are well-designed and simple to use.
Have I mentioned that it is open source? This means that anyone can examine the code that powers Bitwarden and find and fix bugs in it. Theoretically, the more people who look at the code, the more secure it becomes. Additionally, Bitwarden has undergone a security audit for 2020 by a third party. If you’d rather manage your own cloud, it can be easily self-hosted on your own server.
Apps and extensions are available for all of the main web browsers, as well as for Android, iOS, Windows, macOS, and Linux. Bitwarden’s desktop programs for Windows and macOS also support Windows Hello and Touch ID, so you can benefit from the increased security offered by those biometric authentication systems.
I also enjoy the semi-automated password filler provided by Bitwarden. When you visit a website for which you’ve saved credentials, Bitwarden’s browser icon displays the number of saved credentials for that site. When you click the icon, a prompt asks you to select an account and then automatically populates the login form. This makes switching between usernames simple and avoids the drawbacks of autofill that we discuss at the end of this guide. Bitwarden also supports fully automated form filling if that’s what you absolutely must have.
A premium upgrade account is available from Bitwarden. Bitwarden Premium, the least expensive option, costs $10 a year. For that you receive 1 GB of encrypted file storage, two-factor authentication using devices like the YubiKey, FIDO U2F, and Duo, and a password hygiene and vault health report. Paying also gets you priority customer service.
It has been a while since I initially came upon Dashlane. It had no distinguishing characteristics at the time and was identical to its rivals. However, recent updates have added a number of beneficial features. Site Breach Alerts is among the best, and other providers have now included it as well. Dashlane actively scans the shadowy areas of the internet for stolen or leaked personal information and notifies you if it finds yours.
Setup and migration from another password manager are both straightforward, and, much as in 1Password’s setup procedure, you’ll need a secret key to encrypt your passwords. In practice, Dashlane functions similarly to the other services on this list. Unlike 1Password and Bitwarden, the company dropped its desktop client earlier this year and switched to a web-based user experience. If a desktop application is vital to you, you should be aware of this. I already use my web browser to enter passwords the majority of the time, and Dashlane offers add-ons for all the popular browsers as well as iOS and Android apps. You may try Dashlane risk-free for a month before making a purchase.
Want to have more control over your cloud-based data? Consider using a desktop program like KeePassXC. It stores encrypted versions of all your passwords in an encrypted digital vault that you secure with a master password, a key file, or both. The difference is that instead of having a hosted service like 1Password sync that database file for you, you sync it yourself using a file-syncing service like Dropbox or Edward Snowden’s suggested solution, SpiderOak. Once your file is in the cloud, any device with a KeePassXC client can access it.
Why do it yourself? Simply put: transparency. KeePassXC, like Bitwarden, is open source, allowing its code to be inspected for serious flaws.
Although NordPass is a relative newcomer to the password management scene, its parent firm has a long history. The well-known VPN provider NordVPN brings to its password manager a lot of the simplicity and ease of use that make its VPN solution so well-liked. The process of installation and configuration is simple. There are apps for every major platform (including Linux), browser, and device.
The free version of NordPass is limited to one device, and there is no option for synchronizing. The premium version’s seven-day free trial allows you to test device synchronization. However, you’ll need to upgrade to the $36/year plan in order to get that for good. (NordPass accepts payment in cryptocurrencies, just like its VPN service.)
Similar to our top recommendations, NordPass employs a zero-knowledge system in which all data is encrypted on your device before being uploaded to the company’s servers. Support for two-factor authentication when logging into your account as well as a built-in password generator are additional great features. Your address, phone number, and other sensitive information can be stored and kept safe and private while still being accessible.
NordPass has also added a feature that lets you give another NordPass user emergency access to your vault. It works exactly like the same feature in 1Password, giving your close relatives or trusted friends access to your account in case you are unable to access it.
Password managers are not a one-size-fits-all solution. Our top picks cover most use cases and are the best choices for most people, but your needs may be different. Fortunately, there are plenty of very good password managers. Here are some more we’ve tested and like.
- Roboform: Roboform shares many of the same features as the other products on this list, but it doesn’t have some of the features that set our top choices apart, such as 1Password’s travel feature or Bitwarden’s open source nature. I’ve been evaluating the free plan for some time, and I haven’t encountered any issues. Every popular platform has apps, and they are simple to use. Nevertheless, Roboform hasn’t released a thorough, impartial security audit.
- Enpass: Enpass does not keep any information on its servers, just like KeePassXC. Third-party services like Dropbox or NextCloud manage the syncing. Although Enpass doesn’t perform the syncing, it does provide apps for all platforms. That implies that once synchronization is configured, it functions exactly like any other service. Additionally, since your information is not stored on Enpass’ servers, you don’t need to worry about it being hacked. Enpass is a great password manager if you feel confident setting up the secure syncing on your own.
- LastPass: Before changing its free plan, LastPass was our favorite free option. We eliminated it in favor of Bitwarden because it now restricts you to a single device. Although it lacks the travel features of 1Password and is not open source like Bitwarden, LastPass’s premium subscription has most of the same features as our other top options. There is nothing wrong with LastPass, but we can’t see why we should recommend it over our top choices.
- Keeper Password Manager: A password manager is one of the security-related products available from Keeper. Similar to 1Password and other similar programs, Keeper stores only your encrypted data and provides two-factor verification for account logins. Like Dashlane, Keeper has a ton of extra features, such as dark-web monitoring, which looks at publicly posted information to verify that your data isn’t available.
- Pass (free): Pass is a command-line wrapper for GPG (GNU Privacy Guard), so only the geekiest users should use it. It supports managing encrypted .gpg files in Git, and third-party mobile apps are also available. Although it’s undoubtedly not for everyone, I utilize it.
How We Test
Open-source programming libraries provide access to all of the top cryptography algorithms. On the one hand, this is fantastic because any app can use these ciphers to protect your data. Unfortunately, the security of any encryption depends on the strength of its weakest link, therefore cryptography by itself cannot protect your passwords.
What I check for is this: Which links are weakest? Is your master password sent to the server? Every password manager claims it’s not, but if you observe network activity as you input a password, you might occasionally discover that it actually is. I also investigate how mobile apps function: Do they, for instance, leave your password vault unlocked but require a PIN to get back in? That is practical, but it trades too much security for that practicality.
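One way to run the master-password check described above over traffic captured from your own test account, as an added example in Node.js rather than the author’s actual tooling. The canary password, URLs, and request bodies are constructed, and encodingsOf and findLeaks are hypothetical helpers.

```javascript
// Added illustration: search captured request bodies for a canary master password.
// All traffic below is constructed sample data from a hypothetical test account.
const CANARY = "Correct Horse+Battery/Staple 42"; // use a throwaway test password

// Forms in which a secret typically shows up inside an HTTP body.
function encodingsOf(secret) {
  const bytes = Buffer.from(secret, "utf8");
  return [
    ["plaintext", secret],
    ["json-escaped", JSON.stringify(secret).slice(1, -1)],
    ["url-encoded", encodeURIComponent(secret)],
    ["form-encoded", encodeURIComponent(secret).replace(/%20/g, "+")],
    ["base64", bytes.toString("base64")],
    ["hex", bytes.toString("hex")],
  ];
}

// Return one finding per request whose body contains the secret in any form.
function findLeaks(secret, requests) {
  const findings = [];
  for (const req of requests) {
    const seen = new Set();
    const hits = [];
    for (const [label, needle] of encodingsOf(secret)) {
      if (seen.has(needle)) continue; // identical encodings are reported once
      seen.add(needle);
      // Hex is compared case-insensitively; the other forms are case-sensitive.
      const haystack = label === "hex" ? req.body.toLowerCase() : req.body;
      if (haystack.includes(needle)) hits.push(label);
    }
    if (hits.length > 0) findings.push({ url: req.url, encodings: hits });
  }
  return findings;
}

// Constructed capture, e.g. exported from your own intercepting proxy.
const captured = [
  { url: "https://vault.example/api/prelogin",
    body: '{"email":"tester@example.test"}' },
  { url: "https://vault.example/api/login", // sends a derived hash: expected
    body: '{"email":"tester@example.test","authHash":"b7e1c49a0d3f58e2a6"}' },
  { url: "https://metrics.example/collect", // form field echoes the input
    body: "event=unlock&value=Correct+Horse%2BBattery%2FStaple+42" },
  { url: "https://vault.example/api/crash", // base64 blob of the input
    body: JSON.stringify({ dump: Buffer.from(CANARY, "utf8").toString("base64") }) },
];

console.log(findLeaks(CANARY, captured));
```

A clean result only rules out these encodings; a password wrapped in compression, a larger encoded blob, or a second encryption layer would not match, so treat a hit as proof and a miss as inconclusive.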
No password manager is perfect, but the following password managers are the best I’ve tested. They are as safe as they possibly can be while still being practical and simple to use.
Password Manager Basics
With the click of a button, a good password manager generates, stores, and refreshes passwords for you. A password manager can sync your credentials across all of your devices for a few dollars a month. Here is how they function.
Only one password to remember: You simply need to remember one password in order to access all of your passwords. The vault containing all of your actual passwords is unlocked when you enter that into the password manager. It’s nice to only need to remember one password, but that also implies a lot depends on it. Ensure it is a quality one. Check out our guide to better password security if you’re having trouble coming up with the one password that will rule them all. You might also think about creating a strong master password using the Diceware method.
Apps and extensions: The majority of password managers are complete systems rather than a single program. They consist of browser extensions or apps for each of your devices (Windows, Mac, Android phones, iPhones, and tablets), with tools to help you create secure passwords, store them safely, and assess the security of your current passwords. All of that data is then encrypted and sent to a central server, which shares your passwords between your devices.
Fixing compromised passwords: Password managers can make your passwords more secure and keep them hidden from prying eyes, but they won’t be able to protect you if the website itself is compromised. That doesn’t mean they provide no help in this case. All of the cloud-based password managers we’ve talked about have tools that can notify you when a password might have been hacked. Additionally, password managers make it simpler to search through your passwords to make sure you didn’t reuse any compromised passwords and to quickly change a compromised password.
You should disable auto form-filling: Some password managers will fill out and even submit web forms for you automatically. Although it is quite convenient, we advise you to turn off this function for added security. Password managers have historically been vulnerable to attacks because they automatically fill out forms in the browser. This is why 1Password, our preferred password manager, asks you to opt into this feature. We advise against it.
Don’t panic about hacks: Even the password manager you use has problems. The question is not what to do if it is discovered that your password manager has a flaw, but what to do when it is. The answer is, first, don’t panic. Bugs are typically discovered, addressed, and fixed before they are used in real-world situations. You should be okay even if someone does manage to access the servers of your password manager. All of the services we list only save encrypted data, and none of them keep a copy of your encryption key, so if their servers are compromised, an attacker only receives encrypted data.
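The zero-knowledge model described in the NordPass section and in the paragraph above, sketched as an added example in Node.js (a generic illustration, not any vendor’s actual design): the vault is encrypted on the device with a key derived from the master password, so the server only ever holds an opaque blob. Function names, scrypt parameters, and sample entries are assumptions.

```javascript
// Added illustration of client-side ("zero-knowledge") vault encryption.
// Generic sketch, not any vendor's design; entries and passwords are constructed.
const crypto = require("crypto");

// Stretch the master password into a 256-bit key; scrypt makes guessing costly.
function deriveKey(masterPassword, salt) {
  const options = { N: 2 ** 14, r: 8, p: 1 }; // assumed work factors
  return crypto.scryptSync(masterPassword.normalize("NFKC"), salt, 32, options);
}

// Runs on the device. The returned blob is all the sync server ever stores.
function sealVault(masterPassword, entries) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const key = deriveKey(masterPassword, salt);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(entries), "utf8"), cipher.final()]);
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: body.toString("base64"),
  };
}

// Also runs on a device. Returns null if the password is wrong or the blob changed.
function openVault(masterPassword, blob) {
  const key = deriveKey(masterPassword, Buffer.from(blob.salt, "base64"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
  try {
    const data = Buffer.from(blob.ciphertext, "base64");
    const plain = Buffer.concat([decipher.update(data), decipher.final()]);
    return JSON.parse(plain.toString("utf8"));
  } catch {
    return null; // GCM authentication tag did not verify
  }
}

function demo() {
  const master = "mauve-otter-ledger-quartz-sunrise"; // constructed passphrase
  const entries = [{ site: "mail.example", user: "alice", password: "Xq7!constructed-Value-93" }];
  const serverCopy = sealVault(master, entries);

  // What a party holding only the server's copy can and cannot do:
  const raw = Buffer.from(serverCopy.ciphertext, "base64");
  raw[0] ^= 0x01; // flip one bit of the stored ciphertext
  return {
    plaintextOnServer: JSON.stringify(serverCopy).includes(entries[0].password),
    wrongGuess: openVault("123456", serverCopy),
    tampered: openVault(master, { ...serverCopy, ciphertext: raw.toString("base64") }),
    restored: openVault(master, serverCopy),
  };
}

console.log(demo());
```

The protection is only as strong as the master password: anyone holding the blob can keep guessing offline, which is why a weak master password undoes the benefit of server-side encryption.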