Use of the tried and true password is not dead — and not likely to be dead for some time to come. Even as biometrics and other forms of authentication become popular, the vast majority of sites and applications still require a password. Even biometrics have a downside as it’s easier to force somebody to put a finger on a detector than enter a password.
Sadly, most people still use terrible passwords. According to Troy Hunt, when the survey site CashCrate, a website resource for making money online, was breached in November 2016, 86 percent of the passwords had already been revealed in previous breaches at other sites. So, not only are people not changing breached passwords, but they are continuing to use them on other sites. Many of these breached passwords include entries like “123456,” and yes, “password.” In 2016, people were still using ‘password’ as their password, which means they probably still are.
Most of us do at least know better than that, but there are still ongoing problems. Many people reuse passwords across different sites, which allows for “credential stuffing” in the event of a breach. Other people find that the “rules for strong passwords” equate to “rules to make sure I can never remember my password” and end up writing their passwords down, storing them in plain text or leaving them open to discovery in some other way. To alleviate this problem, passphrases can be used and are very helpful, as they can be both easier to remember and harder to brute-force. This issue is also the main reason why more and more people are reusing passwords.
For added security, many sites now offer or even enforce two-factor authentication, which is usually done by sending a text to your phone. This is excellent until you are overseas and don’t have roaming available on your phone. It also means that some people think that because they have two-factor authentication, they can get away with a weaker password. (A good analogy for two-factor authentication is a debit card and PIN. This uses both something you have, the card, and something you know, the PIN.) Also, two-factor authentication (2FA) that is based on SMS is insecure.
This presents us with a problem: unless you have some kind of crazy eidetic memory, it is humanly impossible to remember a different secure password for each and every website you log into. Even a normal user may have multiple banking logins (one for your bank account, one for your credit card and likely PayPal). Then there are all those e-commerce sites to remember unless you buy everything from Amazon Prime. Add in cloud storage, collaboration sites like Google Drive, bulletin boards, online games and newspaper subscriptions, and you’ll discover that most people have 15, 25 or 30 passwords that they must remember, while a cyber warrior may have hundreds.
Why Password Manager is a Solution
The solution to this dilemma is a password manager that does the work of remembering (and often choosing) your passwords for you. Modern browsers have password managers built in. However, while this is better than having nothing, they are a rather half-assed solution. For example, Chrome’s solution stores the master password in an unencrypted form, making it vulnerable to a hacker who can then get into all of your websites. This defeats the point of having a password manager in the first place.
With a password manager, you only have to remember one password. We recommend using a passphrase that you can remember. If you lose your master password, you will lose access to all of your passwords and will have to reset every single one of them. However, do not use a password manager that allows you to retrieve the master password. As annoying as a mass reset is, if your master password is compromised, you will have far worse problems.
Password managers can also help protect you from certain phishing attempts. You might not notice that the site’s URL has been “typo-squatted” but your password manager will. If you are expecting your password manager to auto-fill your PayPal login and it doesn’t, you may be on a cloned site.
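The reason a silent autofill is a phishing cue is that the manager binds each credential to the site it was saved on and refuses to offer it anywhere else. The following C program is an added illustration of that check (not code from the article or from any of the products reviewed); the URLs are constructed, and the exact-host comparison is one reasonable policy, not any particular manager's.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the lower-cased host of `url` into `out`. Returns 0 if there is no
 * "://", the host is empty, or it does not fit. Userinfo, port, path, query
 * and fragment are dropped. Written for this example; a real extension
 * would use the browser's URL parser. */
int url_host(const char *url, char *out, size_t outsz) {
    const char *p = strstr(url, "://");
    if (!p) return 0;
    p += 3;
    const char *end = p + strcspn(p, "/?#");      /* end of authority */
    const char *at = memchr(p, '@', (size_t)(end - p));
    if (at) p = at + 1;                            /* skip user:pass@ */
    size_t n = strcspn(p, ":/?#");
    if (n == 0 || n + 1 > outsz) return 0;
    for (size_t i = 0; i < n; i++) out[i] = (char)tolower((unsigned char)p[i]);
    out[n] = '\0';
    return 1;
}

/* Offer saved credentials only when the current page is https and its host
 * is exactly the host the credential was saved for. A look-alike such as
 * "paypa1.com", a suffix trick like "paypal.com.example", a userinfo trick
 * like "paypal.com@example" and a plain-http clone all fail, which is the
 * "it didn't autofill" cue described above. (Many managers compare the
 * registrable domain instead of the full host; exact host is stricter.) */
int should_autofill(const char *saved_url, const char *current_url) {
    char saved[256], cur[256];
    if (strncmp(current_url, "https://", 8) != 0) return 0;
    if (!url_host(saved_url, saved, sizeof saved)) return 0;
    if (!url_host(current_url, cur, sizeof cur)) return 0;
    return strcmp(saved, cur) == 0;
}

int main(void) {
    const char *saved = "https://www.paypal.com/signin";   /* constructed */
    const char *pages[] = {                                /* constructed */
        "https://www.paypal.com/myaccount/summary",
        "https://WWW.PAYPAL.COM/",
        "https://www.paypa1.com/signin",
        "https://www.paypal.com.login-check.example/signin",
        "https://www.paypal.com@evil.example/signin",
        "http://www.paypal.com/signin",
    };
    for (size_t i = 0; i < sizeof pages / sizeof pages[0]; i++)
        printf("%-50s -> %s\n", pages[i],
               should_autofill(saved, pages[i]) ? "fill" : "no fill");
    return 0;
}
```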
In other words, for the sake of security and convenience, absolutely everyone should be using a password manager. Which brings us to the next problem: there are a lot of password managers out there. Which one should you use? This guide goes through some of the best offerings and gives you the pros and cons. There is no single best password manager as a lot depends on your needs and what devices you own, but the list below should help you work out which one fits your needs best.
Pros & Cons of Different Password Managers
The article was updated on the 21st of January due to a recent report by ISE about severe vulnerabilities found in popular password managers. The researchers tested 1Password4 for Windows (18.104.22.1686), 1Password7 for Windows (7.2.576), Dashlane for Windows (6.1843.0), KeePass Password Safe (2.40), and LastPass for Applications (4.1.59). The findings are published in ISE’s report, and ZDNet.com collected the providers’ responses to it.
LastPass is one of the most popular password managers out there and may well be the only one some people have heard of. It’s popular for a reason — the free version covers almost anything an individual (or even business owner with no employees) could need, except for application logins, and it’s known for having good security requirements.
- The free version is quite usable
- Encryption at the device level means that even LastPass can’t get into your passwords, and the device keys are never sent over the internet and thus can’t be intercepted in transit
- Two-factor authentication
- The paid version includes 1 GB of encrypted cloud storage
- The free version includes credit monitoring
- Works across all devices
- The paid version doesn’t offer enough over the free version, which might cause problems for the company in the long run
- Due to its popularity, it tends to be a target for hackers and has had vulnerabilities in the past
- It has disastrous UX
Dashlane is a newer password manager. It has apps for almost every platform, extensions for every browser and can store passwords locally.
- Stores passwords locally
- Has a low memory footprint
- Can keep passwords either locally or in the cloud
- Simple interface
- Digital wallet for tracking and making purchases at online retailers
- Will automatically reset passwords when a site is hacked
- Includes a VPN
- You can’t sync passwords over multiple devices without paying a fee
- It’s expensive, especially if you already have a VPN, and the built-in VPN lacks the ability to choose the server country
- Does not work well with Internet Explorer. However, this browser probably isn’t used much anymore
In the ISE test of Dashlane for Windows version 6.1843.0, it was found that in extreme cases, when a device has been entirely compromised, the following can occur:
- When entries are updated, the entire database is left in memory in plaintext form and remains, even after it’s locked or logged out of
The big difference with KeePass is that it does not store anything in the cloud. This is extra security for the paranoid or those who handle extremely sensitive data. It’s open source and completely free.
- Completely free
- Open source code makes for transparency
- Can export your passwords to a text file, which might also be considered as a con
- Has an app for iPhone — MiniKeePass
- Takes time to understand for ‘non-technical’ types
In the ISE test of KeePass version 2.40, it was found that when a device is completely compromised, the following can occur:
- Unencrypted data can be found in memory when searching data, displaying data in standard controls, replacing placeholders (during copying to clipboard, drag & drop and auto-type) and when importing or exporting (not with KDBX)
Keeper is less well known but has a strong focus on security and supports most devices and browsers. It integrates with Duo for one-tap authentication. It can also stop people from logging into your account from other parts of the world (which is good until you forget to change it when you go on vacation).
- Excellent security
- A wide range of supported devices, including Blackberry and Windows Phone
- Allows you to designate an emergency contact
- Can lock out people in other parts of the world, which can protect you in the event of a breach
- One-tap authentication
- Free trial version works only on a single device
- Relatively expensive
- Weak form-filling capabilities
- Limited functionality on ChromeOS
- Takes longer than most managers to change a password
- Does not have PINs to access apps, forcing you to type in the master password all the time if your phone or tablet does not support biometrics
Enpass is a pretty basic password manager but has the advantage of charging a (low) one-time fee rather than a subscription. It has great device support, including Windows Phone but does not support Blackberry anymore.
- Does not offer master password retrieval, which makes it more secure
- Cheap – $10 per mobile device OS
- Defaults to offline storage
- Does not automatically sync, and there is no easy way to sync between devices
- You have to download each browser extension separately
- No two-factor authentication, but it does use TOTP. However, a lot of people won’t use that
- The password generator is buried in the user interface on the desktop
LogMeOnce calls itself “LogMeOnce Password Management Suite Ultimate” and has more features than any other password manager. It has a default passwordless login method that uses your phone (which may not be the best for people who travel a lot). Confusingly, they call their free version “Premium.” The issue is that many of the features are offered a la carte, so even paying for “Ultimate” doesn’t get you everything. Some of the more interesting add-ons cost extra too such as Account Freeze, which lets you lock down accounts, or Password Shock, which is designed to annoy somebody who stole your phone into giving up.
- Has a lot of features including photo login
- Allows you to locate your phone and control it remotely, including making it ring, which is useful if you lose your phone, but these features are also available in standalone security apps
- Does allow you to wipe LogMeOnce settings remotely from a stolen phone
- Works well in Linux and ChromeOS
- Has a good tutorial for new users
- Includes the weather forecast for some reason
- Confusing UI
- Nickels and dimes users with extra-charge add-ons
- The free version has ads
- You have to install each browser extension separately
1Password has been gaining in popularity because of some very useful features on mobile and the fact that it can act as an authenticator app. It is available only as a paid product.
- “Travel mode” allows you to lock down most of your passwords when taking a device overseas, protecting you from overzealous customs or law enforcement or if your phone is stolen
- Acts as an authenticator app
- Integrates with a large number of mobile apps
- Runs across almost all platforms, except Blackberry
- Checks for compromised passwords and reminds you which sites use two-factor authentication
- Has an account key needed to add new devices, which is more secure, but the account key is impossible to remember. You can use a QR reader to snap it, though
- Allows remote deactivation of devices
- Stores password neatly by category
- Requires that you press a keystroke to fill in saved credentials, which can protect you from invisible login forms
- Will create passphrases as well as random passwords
- Does not have automated password updates
- Does not support Internet Explorer (if you are even still using this outdated browser)
- Have to install a separate extension for each browser you use
- Can only import passwords from Chrome, LastPass, Dashlane and RoboForm
- No password updating
- Requires a separate authenticator app to operate its own two-factor authentication
- Fails to capture two-page logins
The ISE test also found a few extreme cases where the master password can be read from memory on a compromised computer. These include the following:
- In 1Password4 for Windows version 22.214.171.1246, certain user actions can leave the master password in cleartext in memory, even after the vault is locked
- In 1Password4 for Windows version 126.96.36.1996, the master password has been shown to remain in memory while unlocked and across the unlocked-to-locked transition
- In 1Password7 for Windows 7.2.576, it fails to scrub the secret key, master password and individual passwords from memory when the unlocked-to-locked transition occurs
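The Dashlane, KeePass and 1Password findings above are all the same defect: locking the vault changes its state without clearing the secret, so the plaintext stays resident for anything that can read process memory. The C program below is an added, simplified model of that transition (not code from ISE’s report or from any of the products); the vault structure and the demo password are constructed for the example, and it contrasts the flag-only lock with a lock that scrubs the buffer through a volatile pointer so the compiler cannot discard the stores.

```c
#include <stdio.h>
#include <string.h>

#define MASTER_MAX 128

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
 * stores as "dead" once the buffer is never read again. A plain memset()
 * just before a secret goes out of scope is routinely optimised away. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Returns 1 if every byte of the buffer is zero. */
int is_zeroed(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Toy vault state: the master password is resident only while unlocked. */
typedef struct { unsigned char master[MASTER_MAX]; int unlocked; } vault_t;

/* Unlock with a password (a real manager would derive the vault key from it
 * here and keep that key instead). Returns 1 on success. */
int vault_unlock(vault_t *v, const char *password) {
    size_t len = strlen(password);
    if (len >= MASTER_MAX) return 0;
    memcpy(v->master, password, len);
    v->unlocked = 1;
    return 1;
}

/* The flawed transition: only the state flag changes, so the secret survives
 * in memory after "lock". Returns 1 only if the buffer is actually clean. */
int vault_lock_flag_only(vault_t *v) {
    v->unlocked = 0;
    return is_zeroed(v->master, sizeof v->master);
}

/* The correct transition: scrub the secret first, then change state. */
int vault_lock(vault_t *v) {
    secure_zero(v->master, sizeof v->master);
    v->unlocked = 0;
    return is_zeroed(v->master, sizeof v->master);
}

int main(void) {
    vault_t v = {0};
    vault_unlock(&v, "correct horse battery staple");   /* constructed demo secret */
    printf("flag-only lock scrubbed: %d\n", vault_lock_flag_only(&v));
    printf("real lock scrubbed:      %d\n", vault_lock(&v));
    return 0;
}
```

On a real system the same discipline applies to every copy of the secret (string objects, UI controls, clipboard buffers), which is why the KeePass finding lists so many code paths.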
RoboForm is one of the oldest password managers, which puts it at a disadvantage. Even the latest update is a bit behind newer software.
- Very good at handling nonstandard login pages such as two-page logins or multiple passwords
- Started as a form filler, so it handles that task better than almost any other password manager
- Can also save names and addresses for your contacts and automatically fill them in when shipping to them
- Handles applications as well as websites. In Windows, it will even automatically launch the application from within RoboForm
- The UI is something of a mess, and you have to log into RoboForm online to access some features, rather than using the app
- Has a function that actively encourages password reuse by allowing you to fill in your favorite user ID and password
- Default password strength is less than other password managers, but it can be increased
- Very limited two-factor authentication
Zoho Vault is most useful for people who take their laptop to work or bring their work home. Its key feature lets you have separate work and personal master passwords and vaults.
- Has a really good password strength reporting
- The free edition is available
- Lets admin get to work passwords in an emergency — without exposing personal passwords
- Imports from the most popular password managers
- Does not support unusual browsers
- Does not support two-page logins
- No form filling ability
- Cheaper than most paid password managers
- Does not import from in-browser password managers
- Password capture is not always reliable
- Tech support is not available on weekends
Sticky Password is made by the former AVG executives. It’s known for supporting a wide variety of browsers.
- Supports offbeat browsers such as SeaMonkey and Pale Moon
- Intuitive navigation, especially on mobile
- Has secure local sync over Wi-Fi
- Good with oddball logins such as multi-page
- Handles application passwords
- Part of your payment goes to help protect manatees because their mascot is a manatee
- Supports password sharing
- The free version does not sync across devices but has a manual export and import, which can work
- Requires a separate authenticator app for two-factor authentication
- Does not do a full password audit
True Key by Intel Security (soon to be True Key by McAfee)
True Key has more emphasis on multi-factor authentication than other managers. It’s highly secure but lacks some of the features of its competitors.
- The paid version is affordable
- Easy setup
- Highly secure multi-factor authentication, including requiring a second device
- Easy to go password free
- The free version limits you to 15 passwords. Does anyone have less than 15 passwords anymore?
- Does not support Safari on Mac
- Has been known to fail to capture popular sites and has no easy workaround
- No password strength report
- No secure sharing
F-Secure KEY handles the basic password manager tasks well but lacks advanced features and charges for syncing.
- Good interface
- Handles application passwords
- No way to reset the master password, but you can make a recovery QR code and store it somewhere safe
- Creates the longest default password
- It tells you — or a snoop — the moment you type the old password into the password change field. This could make guessing passwords a lot faster
- No password capture: you have to enter the username and password manually
- You can’t organize your password entries
- Does not support Safari on the Mac
Created by the anti-virus company Avast, this is a completely free password manager. However, the Windows version is only available built into Avast.
- Almost completely free: the only features they charge for are one-touch login and alerting on compromised passwords
- The paid version is very affordable
- Integrates with antivirus on Windows
- One touch login, allowing you to log in on Windows by tapping your phone
- Easy to find saved credentials
- Can alert on duplicate or compromised passwords
- Allows for a different master password on each device
- Encrypts credentials locally
- Basic compared with its competitors
- Browser extension only allows you to open the vault, fill credentials and save and generate passwords
- Need to install all browser extensions manually
- Need an Avast account to access syncing
- The PC version vault can only be automatically locked twice a day
- Tech support is by email only
Bitwarden is a relatively new open-source password manager, which works on multiple devices.
- Open source
- Audited by Cure53
- Simple sync across devices and browsers
- Firefox add-on for desktop and mobile
- Passwords stored encrypted
- All devices
- Easy setup
- Chrome plugin
- FIDO U2F support
- It’s fairly new so doesn’t offer a lot of features
- No passphrase generator
- Doesn’t ask to save updated passwords
- Tech support is by email only
Our Final Thought on Password Managers
There are other password managers available, but they are generally more obscure and thus not covered in this guide.
Again, there is no one “best” password manager. The best choice depends on the devices you use and what you need. Some offer higher security than others and may be priced for features you require. The key is to find the right software for you, and hopefully, this guide helped you at least narrow down your decision.
Still have an aching question about password managers? Drop us a line in the comment section!