Sadly, most people still use terrible passwords. According to Troy Hunt, when the survey-for-cash site CashCrate was breached in November 2016, 86% of the passwords had already been exposed in earlier breaches… of other sites. So not only are people not changing breached passwords, they are continuing to use them on other sites. Many of those breached passwords were things like “123456” and, yes, “password.” In 2016 people were still using ‘password’ as their password, which means they probably still are.
Most of us know better than that, but problems remain. Many people reuse passwords across sites, which enables “credential stuffing”: once one site is breached, attackers try the same email and password pairs on every other site. Others find that the “rules for strong passwords” amount to “rules to make sure I can never remember my password” and end up writing passwords down or storing them in plain text. Pass phrases help here: a handful of randomly chosen words is easier to remember than a short string of mixed symbols and, because there are far more combinations, harder to brute force. Unmemorable rules are also a main reason more and more people fall back on reusing passwords.
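As an added illustration (not part of the original article), here is how a pass phrase generator should pick its words and how to compare the result against a conventional password. The ten-word list is a constructed stand-in for a real list such as the 7,776-word Diceware list; only the size of the list matters for the strength figure, so the comparison is computed with the real list size.

```python
import math
import secrets

# Constructed stand-in word list (a real generator would load e.g. the 7,776-word
# Diceware list). Only the SIZE of the list matters for the strength figure.
SAMPLE_WORDS = [
    "anvil", "brook", "cactus", "dune", "ember",
    "fjord", "glider", "harbor", "ivory", "juniper",
]

PRINTABLE_ASCII = 94      # letters, digits and punctuation available to a random password
DICEWARE_WORDS = 7776     # 6^5 words, one per roll of five dice


def generate_passphrase(words, count, separator="-"):
    """Pick `count` words uniformly at random with the OS CSPRNG (never the `random` module)."""
    if count < 1:
        raise ValueError("count must be at least 1")
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size, length):
    """Entropy of `length` independent uniform picks from a pool of `pool_size` symbols.

    The attacker is assumed to know the word list or character set; only the
    randomness of the choices counts."""
    return length * math.log2(pool_size)


def compare(password_length, word_count):
    """Return (bits for a random printable-ASCII password, bits for a Diceware pass phrase)."""
    return (
        round(entropy_bits(PRINTABLE_ASCII, password_length), 1),
        round(entropy_bits(DICEWARE_WORDS, word_count), 1),
    )


if __name__ == "__main__":
    print("pass phrase:", generate_passphrase(SAMPLE_WORDS, 5))
    pw_bits, pp_bits = compare(8, 5)
    print(f"8 random printable characters: {pw_bits} bits")
    print(f"5 Diceware words:              {pp_bits} bits")
```

The figure only holds when the words are drawn at random from the list. A phrase you compose yourself, or a memorable quotation, has far less entropy than the formula suggests because it is drawn from the much smaller space of things people actually say.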
For added security, many sites now offer (or in some cases enforce) two-factor authentication, usually by sending a code to your phone by text message. This is excellent until you are overseas without roaming on your phone. It also leads some people to think that because they have two-factor authentication they can get away with a weaker password. (A good analogy for two-factor authentication is a debit card and PIN: something you have, the card, plus something you know, the PIN.) Be aware, too, that SMS-based 2FA is the weakest form: the code can be redirected to an attacker by a SIM swap or relayed in real time by a phishing page, so where a site offers an authenticator app or a hardware key, prefer that.
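The alternative to a text message is an authenticator app, which several of the managers reviewed below can also act as. As an added example (not from the original article), the following implements the time-based one-time password algorithm those apps use (RFC 6238, built on the RFC 4226 HOTP construction), together with the check a server performs when the code is submitted. The seed is the published RFC test seed, not a real secret.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference seed (ASCII "12345678901234567890"). A real seed is
# random and shared once, usually via a QR code, when 2FA is enrolled.
RFC_SEED = b"12345678901234567890"


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation
    to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, timestamp=None, period=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238: HOTP with the counter set to the current `period`-second time step."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // period, digits, algorithm)


def verify_totp(secret, submitted, timestamp, period=30, digits=6, window=1):
    """Server-side check: accept the current step and `window` steps either side
    (clock drift), comparing in constant time so timing does not leak the code."""
    step = timestamp // period
    for delta in range(-window, window + 1):
        candidate = hotp(secret, step + delta, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: at T=59 the 8-digit SHA-1 code is 94287082.
    print("RFC vector at T=59:", totp(RFC_SEED, 59, digits=8))
    print("current code:", totp(RFC_SEED))
```

A production verifier must also remember the last step it accepted and refuse the same code twice. That matters because TOTP stops the SIM-swap problem but not real-time phishing: a code typed into a cloned page is still valid until its 30-second step expires. Only origin-bound methods such as FIDO U2F hardware keys defeat that.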
Which brings us to the problem: unless you have some kind of eidetic memory, it is humanly impossible to remember a different strong password for each and every website you log into. Even a normal user may have multiple banking logins (one for the bank account, one for the credit card, probably PayPal). Then there are all those e-commerce sites, unless you buy everything from Amazon Prime. Add in cloud storage, collaboration tools like Google Drive, bulletin boards, online games and newspaper subscriptions, and most people have tens of passwords. A cyber warrior may have hundreds.
Why a Password Manager Is the Solution
The solution is a password manager that does the work of remembering (and often choosing) your passwords for you. Modern browsers have password managers built in, but although better than nothing, they are a rather half-assed solution. Chrome’s, for example, has historically had no master password of its own: the saved passwords are protected only by your operating system login, so anyone who sits down at your unlocked session, or malware running as your user, can read every one of them. That defeats much of the point of having a password manager in the first place.
With a password manager you only have to remember one password. We recommend using a pass phrase so that you can actually remember it. If you lose your master password you lose access to all of your passwords and will have to reset every single one of them. That is the price of real security: do not use a password manager that lets you (or the vendor) retrieve the master password, because a vendor that can recover your master password can also read your vault, and so can anyone who compromises that vendor. As annoying as a mass reset is, a compromised master password is a far worse problem.
Password managers also protect you from some phishing attempts, because they match saved credentials to the domain they were saved for, not to how a page looks. You might not notice that a URL has been “typo-squatted”; your password manager will. If you expect it to auto-fill your PayPal login and it does not, stop and check the address bar: you may be on a cloned site.
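To show why that works, here is an added example (not code from the article or from any product it reviews) of the lookup a manager performs before filling a form, beside the naive substring test that a careless implementation might use. The vault contents and the lookalike URLs are constructed; the entries are assumed to already be keyed by their registrable domain, which real managers derive from the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample vault (not from any real product): each entry is keyed by the
# registrable domain the credential belongs to. Real managers derive that from the
# Public Suffix List; here it is simply assumed to be correct.
VAULT = {
    "paypal.com": ("alice@example.com", "hunter2"),
    "example.org": ("alice", "correct horse battery staple"),
}


def naive_lookup(url):
    """The mistake: a substring test over the whole URL. Anyone can put the string
    'paypal.com' into a hostname, path or userinfo section they control."""
    for domain, creds in VAULT.items():
        if domain in url:
            return creds
    return None


def host_of(url):
    """Lower-cased hostname of an https URL, or None if the URL is not https.

    urlsplit() also strips any user@ prefix, so 'https://www.paypal.com@evil.example/'
    correctly yields 'evil.example'."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def domain_matches(host, domain):
    """True only when host is the domain itself or a subdomain of it, checked at a
    label boundary so 'notpaypal.com' and 'paypal.com.evil.example' do not match."""
    return host == domain or host.endswith("." + domain)


def strict_lookup(url):
    """What a manager should do: refuse non-https pages, then match the host alone."""
    host = host_of(url)
    if host is None:
        return None
    for domain, creds in VAULT.items():
        if domain_matches(host, domain):
            return creds
    return None


# Constructed test URLs: one legitimate login page and several lookalikes.
SAMPLES = [
    "https://www.paypal.com/signin",
    "https://login.paypal.com/",
    "https://paypal.com.account-verify.example/signin",  # real domain as a subdomain label
    "https://evil.example/paypal.com/signin",            # real domain in the path
    "https://www.paypal.com@evil.example/signin",        # real domain in the userinfo part
    "https://paypa1.com/signin",                         # typo-squat: digit 1 for letter l
    "http://www.paypal.com/signin",                      # right host, plaintext scheme
]


def audit(urls):
    """Return {url: (naive would fill?, strict would fill?)} for a list of URLs."""
    return {u: (naive_lookup(u) is not None, strict_lookup(u) is not None) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in audit(SAMPLES).items():
        print(f"{url:55} naive={naive!s:5} strict={strict}")
```

Only the first two URLs get filled by `strict_lookup`; the lookalikes and the plaintext page are refused, which is exactly the "it didn't auto-fill" signal the paragraph above describes. The typo-squat is refused by both lookups, which is why the absence of an auto-fill is informative even though the manager cannot tell you that the page is malicious.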
In other words, for both security and convenience, absolutely everyone should be using a password manager. Which brings us to the next problem: there are a lot of password managers out there. Which one should you use? This guide goes through some of the best offerings and gives you the pros and cons of each. There is no single best password manager, since a lot depends on your needs and the devices you own, but the list below should help you work out which one fits you.
Pros & Cons of Different Password Managers
LastPass is one of the most popular password managers out there and may well be the only one some people have heard of. It’s popular for a reason – the free version covers almost anything an individual (or even business owner with no employees) could need except for application logins, and it’s known for having good security requirements.
- Free version is quite usable
- Your vault is encrypted on your own device with a key derived from your master password, and only the encrypted vault is sent to LastPass, so even LastPass cannot read your passwords. The caveat: anyone who obtains that encrypted vault can still try to guess a weak master password offline, so the master pass phrase has to be strong
- Two factor authentication
- The paid version includes 1gb of encrypted cloud storage
- The free version includes credit monitoring
- Works across all devices
- The paid version doesn’t offer enough over the free version, which might cause problems for the company in the long run
- Because it is so popular, it tends to be a target for hackers and has had vulnerabilities in the past
- It has disastrous UX
Dashlane is a newer password manager. It has apps for almost every platform, extensions for every browser, and can store passwords locally.
- Can keep passwords either locally or in the cloud
- Has a low memory footprint
- Simple interface
- Digital wallet for tracking and making purchases at online retailers
- Can automatically change your passwords on supported sites, for example after a breach alert
- Includes a VPN
- You can’t sync passwords over multiple devices without paying a fee
- Expensive, especially if you already have a VPN. The built-in VPN lacks the ability to choose server country
- Does not work well with Internet Explorer. Although, if you are still using Internet Explorer…
The big difference with KeePass is that it stores your vault as an encrypted file on your own machine rather than on a vendor’s cloud (you can still sync that file yourself via whatever storage you trust). That is extra secure for the paranoid or for those who handle extremely sensitive data. It is open source and completely free.
- Completely free
- Open source code makes for transparency
- Can export your passwords to a text file. That might also be a con
- Has an app for iPhone – MiniKeePass
- Takes time to understand for ‘non technical’ types
Keeper is less well known but has a strong focus on security and supports most devices and browsers. It integrates with Duo for one-tap authentication. It can also stop people from logging into your account from other parts of the world (which is good until you forget to change it when you go on vacation).
- Excellent security
- Wide range of supported devices, including Blackberry and Windows Phone
- Allows you to designate an emergency contact
- Can block logins from other regions, which can protect you in the event of a breach
- One-tap authentication
- Free trial version works only on a single device
- Relatively expensive
- Weak form-filling capabilities
- Limited functionality on ChromeOS
- Takes longer than most managers to change a password
- No PIN unlock for its apps, so you have to type the full master password every time if your phone or tablet does not support biometrics
Enpass is a pretty basic password manager but has the advantage of being a (low) one-time fee rather than a subscription. It has great device support including Windows Phone, but does not support Blackberry any more.
- Does not offer master password retrieval, which makes it more secure
- Cheap – $10 per mobile device OS
- Defaults to offline storage
- Does not automatically sync and there is no easy way to sync between devices
- You have to download each browser extension separately
- No two-factor authentication for the vault itself. It can store TOTP seeds and generate codes for other sites, but a lot of people won’t use that
- Password generator is buried in the user interface on desktop
LogMeOnce calls itself “LogMeOnce Password Management Suite Ultimate” and has more features than any other password manager. It has a default passwordless login method that uses your phone (which may not be the best for people who travel a lot). Confusingly, they call their free version “Premium.” The issue is that many of the features are offered a la carte, so even paying for “Ultimate” doesn’t get you everything. Some of the more interesting add-ons are extra cost, such as Account Freeze, which lets you lock down accounts, or Password Shock, which is designed to annoy somebody who stole your phone into giving up.
- Has a lot of features including photo login
- Allows you to locate your phone and control it remotely, including making it ring (useful if you lose your phone, but these features are also available in standalone security apps). Does allow you to wipe LogMeOnce settings remotely from a stolen phone
- Works well in Linux and ChromeOS
- Has a good tutorial for new users
- Includes the weather forecast, for some reason
- Confusing UI
- Nickels and dimes users with extra charge add ons
- Free version has ads
- You have to install each browser extension separately
1Password has been gaining in popularity because of some very useful mobile features and because it can act as an authenticator app. It is paid only, however.
- “Travel mode” allows you to lock down most of your passwords when taking a device overseas, protecting you from overzealous customs or law enforcement or if your phone is stolen
- Acts as an authenticator app
- Integrates with a large number of mobile apps
- Runs across almost all platforms, except Blackberry
- Checks for compromised passwords and reminds you which sites use two-factor authentication
- Requires an account key (a long random secret generated when you sign up) as well as your master password before a new device can be added. Because both are needed to decrypt the vault, a stolen copy of the vault cannot be cracked offline by guessing the master password alone. The downside is that the key is impossible to memorize; keep a printed copy, or scan it from the QR code when enrolling a device
- Allows remote deactivation of devices
- Stores passwords neatly by category
- Requires that you press a keystroke to fill in saved credentials, which can protect you from invisible login forms
- Will create pass phrases as well as random passwords
- Does not have automated password updates
- Does not support Internet Explorer (again, if you are still using Internet Explorer…)
- Have to install a separate extension for each browser you use
- Can only import passwords from Chrome, LastPass, Dashlane and RoboForm
- Requires a separate authenticator app to operate its own two factor authentication
- Fails to capture two-page logins
RoboForm is one of the oldest password managers, which puts it at a disadvantage – even the latest update is a bit behind newer software.
- Very good at handling nonstandard login pages such as two-page logins or multiple passwords
- Started as a form filler, so handles that task better than almost any other password manager
- Can also save names and addresses for your contacts and automatically fill them in when shipping to them
- Handles applications as well as websites. In Windows, it will even automatically launch the application from within RoboForm
- The UI is something of a mess, and you have to log into RoboForm online to access some features, rather than using the app
- Has a function that actively encourages password reuse by allowing you to fill in your favorite user ID and password
- Default password strength is less than other password managers, but it can be increased
- Very limited two-factor authentication
Zoho Vault is most useful for people who take their laptop to work or bring work home. Its key feature is separate work and personal vaults, each with its own master password.
- Has a really good password strength reporting
- Free edition is available
- Lets admin get to work passwords in an emergency…without exposing personal passwords
- Imports from most popular password managers
- Does not support unusual browsers
- Does not support two-page logins
- No form filling ability
- Cheaper than most paid password managers
- Does not import from in-browser password managers
- Password capture is not always reliable
- Tech support is not available on weekends
Sticky Password is made by AVG Antivirus. It’s known for supporting even the weirdest browsers.
- Supports off beat browsers such as SeaMonkey and Pale Moon
- Intuitive navigation, especially on mobile
- Has secure local sync over WiFi
- Good with oddball logins such as multi page
- Handles application passwords
- Part of your payment goes to help protect manatees. Because their mascot is a manatee
- No password sharing or digital inheritance
- Password strength assessment is a bit weak, for example not flagging Password1
- Free version does not sync across devices but has a manual export and import which can work
- Has some difficulty handling multiple logins for the same site
- Requires a separate authenticator app for two-factor authentication
- Does not do a full password audit
True Key by Intel Security (soon to be True Key by McAfee)
True Key has more emphasis on multi-factor authentication than other managers. It’s highly secure but lacks some of the features of its competitors.
- Paid version is affordable
- Easy setup
- Highly secure multi-factor authentication including requiring a second device
- Easy to go password free
- Free version limits you to 15 passwords. Does anyone have less than 15 passwords anymore?
- Does not support Safari on Mac
- Has been known to fail to capture popular sites and has no easy workaround
- No password strength report
- No secure sharing
F-Secure KEY handles the basic password manager tasks well but lacks advanced features and charges for syncing.
- Good interface.
- Handles application passwords.
- No way to reset the master password, but you can make a recovery QR code and store it somewhere safe
- Creates the longest default password
- The password change dialog tells you, or a snoop, the moment what you have typed matches the old password. That turns the field into an oracle and could make guessing the master password a lot faster
- No password capture – you have to enter the username and password manually
- You can’t organize your password entries
- Does not support Safari on the Mac
Avast Passwords, created by the anti-virus company Avast, is a completely free password manager. However, the Windows version is only available bundled inside Avast antivirus.
- Almost completely free – the only features they charge for are one touch login and alerting on compromised passwords. Paid version is very affordable
- Integrates with antivirus on Windows
- One touch login, allowing you to log in on Windows by tapping your phone
- Easy to find saved credentials
- Can alert on duplicate or compromised passwords
- Allows for a different master password on each device
- Encrypts credentials locally
- Basic compared with its competitors
- Browser extension only allows you to open the vault, fill credentials, and save and generate passwords
- Need to install all browser extensions manually
- Need an Avast account to access syncing
- The PC version vault can only be automatically locked twice a day
- Tech support is by email only
Bitwarden is a relatively new open-source password manager which works on multiple devices.
- Open source
- Audited by Cure53
- Simple sync across devices and browsers
- Firefox addon for desktop and mobile
- Passwords stored encrypted
- Works on all major platforms
- Easy setup
- Chrome plugin
- FIDO U2F hardware-key support for two-factor authentication
- Pretty new, thus, doesn’t offer a lot of features
- No passphrase generator
- Doesn’t ask to save updated passwords
- Tech support is by email only
Our Final Thought on Password Managers
There are other password managers available, but they are generally more obscure and thus not covered in this guide.
Again, there is no one “best” password manager. The best choice depends on the devices you use and what you need. Some offer higher security than others, but it may be at the price of features you need. The key is to find the right software for you, and hopefully this guide helped you at least narrow down your decision.
Still have a burning question about password managers? Drop us a line in the comment section!