Best password managers to secure your digital life

http://www.wired.com/story/best-password-managers/?

NOV 18, 2022 10:00 AM

The Best Password Managers to Secure Your Digital Life

Keep your logins locked down with our favorite apps for PC, Mac, Android, iPhone, and web browsers.

    PASSWORD MANAGERS ARE the vegetables of the internet. We know they’re good for us, but most of us are happier snacking on the password equivalent of junk food. For seven years running, that’s been “123456” and “password”—the two most commonly used passwords on the web. The problem is, most of us don’t know what makes a good password and aren’t able to remember hundreds of them anyway.

    The safest (if craziest) way to store your passwords is to memorize them all. (Make sure they are long, strong, and secure!) Just kidding. That might work for Memory Grand Master Ed Cooke, but most of us are not capable of such fantastic feats. We need to offload that work to password managers, which offer secure vaults that can stand in for our memory.

    A password manager offers convenience and, more importantly, helps you create better passwords, which makes your online existence less vulnerable to password-based attacks. Read our guide to VPN providers for more ideas on how you can upgrade your security, as well as our guide to backing up your data to make sure you don’t lose anything if the unexpected happens.

    Updated November 2022: We’ve updated pricing throughout, noted the new pricing plans Dashlane is offering, and added a link to details about the latest Lastpass security breach.

    Special offer for Gear readers: Get a 1-year subscription to WIRED for $5 ($25 off). This includes unlimited access to WIRED.com and our print magazine (if you’d like). Subscriptions help fund the work we do every day.

    If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. 

    Why Not Use Your Browser?

    Most web browsers offer at least a rudimentary password manager. (This is where your passwords are stored when Google Chrome or Mozilla Firefox ask if you’d like to save a password.) This is better than reusing the same password everywhere, but browser-based password managers are limited. In recent years Google has improved the password manager built into Chrome, and it’s better than the rest, but it’s still not as full-featured, or widely-supported as a dedicated password manager like those below.

    The reason security experts recommend you use a dedicated password manager comes down to focus. Web browsers have other priorities that haven’t left much time for improving their password manager. For instance, most of them won’t generate strong passwords for you, leaving you right back at “123456.” Dedicated password managers have a singular goal and have been adding helpful features for years. Ideally, this leads to better security.

    WIRED readers have also asked about Apple’s MacOS password manager, which syncs through iCloud and has some nice integrations with Apple’s Safari web browser. There’s nothing wrong with Apple’s system. In fact, I have used Keychain Access on Macs in the past, and it works great. It doesn’t have some of the nice extras you get with dedicated services, but it handles securing your passwords and syncing them between Apple devices. The main problem is that if you have any non-Apple devices, you won’t be able to sync your passwords to them, since Apple doesn’t make apps for other platforms. All in on Apple? Then this is a viable, free, built-in option worth considering.

    Apple Passkeys and the “Death of the Password”

    A concerted effort to get rid of the password began roughly two days after the password was invented. Passwords are a pain—you’ll get no argument here—but we don’t see them going away in the foreseeable future. The latest effort to get rid of the password comes from the FIDO Alliance, an industry group aimed at standardizing authentication methods online. 

    It’s still early days, but Apple has implemented the FIDO protocols in what the company calls passkeys. Passkeys are a lot like passwords but are generated and managed by your device. You don’t need to do anything. Apple will store them in iCloud’s Keychain so they’re synced across devices, and they work in Apple’s Safari web browser. Passkeys are now available in iOS 16 and macOS Ventura, but there are some limitations. Websites and services need to support the FIDO Alliance’s protocols, which, at the moment, most don’t. We expect that to change rapidly though. Since Apple is using the work of the FIDO Alliance behind the scenes, passkeys will eventually also function with Google, Microsoft, Meta, and Amazon’s systems.

    You might be wondering if passkeys are different from passwords. They really aren’t. They’re generated key pairs instead of passwords. If you are familiar with GPG keys, they’re somewhat similar in that there’s a public and private key; the site has a public key and verifies your identity by requesting the private key from your device. While passkeys aren’t a radical departure, they’re still an improvement by virtue of being pre-installed for people who aren’t going to read this article and immediately sign up to use one of the services below. If millions of people suddenly stop using 12345678 as a password, that’s a win for security. 

    Should you use them? If you’re all in on Apple devices, then jump in wherever they’re supported. Support outside the Apple ecosystem will come with time. Dashlane, one of our picks below, has already announced it will support passkeys so you can manage both legacy passwords and passkeys in a single service. Expect other existing services to follow suit. 

    If you use a variety of devices, you might want to hold off on adopting passkeys. While there is a workaround for other devices, it involves QR codes and looks a bit cumbersome. We expect Android, Windows, and other platforms to begin rolling out their own support for FIDO Alliance protocols in the future, at which point we’ll start testing and figure out the best way to navigate the passwordless future.

    Best Overall

    1Password

    1Password app displayed on Mac

    $36 PER YEAR (SINGLE)$60 PER YEAR (FAMILY)

    What sets 1Password apart from the rest of the options in this list is the number of extras it offers. It’s not the cheapest (see our next pick for that), but in addition to managing passwords, it will alert you when a password is weak or has been compromised (by checking against Troy Hunt’s excellent Have I Been Pwned database).

    Like other password managers, 1Password has apps that work just about everywhere, including MacOS, iOS, Android, Windows, Linux, and Chrome OS. There’s even a command-line tool that will work anywhere. There are plugins for your favorite web browser, too, which makes it easy to generate and edit new passwords on the fly.

    MOST POPULAR

    1Password recently announced a new version of its apps, 1Password 8, and I’ve had a mixed experience. On one hand, it finally works with Windows laptops running on ARM architecture. But on MacOS Monterey, I’ve had problems with autofill not working and keyboard shortcuts stopping until I relaunch the browser, among other issues. The problems so far are not enough to make me change our top pick, but it’s definitely something I am keeping an eye on. The company also recently reduced its free-trial period from 30 days to 14 days.

    If you frequently travel across national borders, you’ll appreciate my favorite 1Password feature: Travel Mode. This mode lets you delete any sensitive data from your devices before you travel and then restore it with a click after you’ve crossed a border. This prevents anyone, even law enforcement at international borders, from accessing your complete password vault.

    In addition to being a password manager, 1Password can act as an authentication app like Google Authenticator, and for added security it creates a secret key to the encryption key it uses, meaning no one can decrypt your passwords without that key. (The downside is that if you lose this key, no one, not even 1Password, can decrypt your passwords.)

    1Password also offers tight integration with other mobile apps. Rather than needing to copy and paste passwords from your password manager to other apps (which puts your password on the clipboard at least for a moment), 1Password is integrated with many apps and can autofill. This is more noticeable on iOS, where interapp communication is more restricted.

    1Password Costs $3 Per Month ($36 Per Year, $60 a Year for Families)

    After signing up, download the app for Windows, MacOS, Android, iOS, Chrome OS, or Linux. There are also browser extensions for Firefox, Chrome, Brave, and Edge.

    Best Free Option

    Bitwarden

    Bitwarden app shown on two smartphones and desktop computer

    FREE (SINGLE)$40 PER YEAR (FAMILY)

    Bitwarden is secure, open source, and free with no limits. The applications are polished and user-friendly, making it the best choice for anyone who doesn’t need the extra features of 1Password.

    Did I mention it’s open source? That means the code that powers Bitwarden is freely available for anyone to inspect, seek out flaws, and fix. In theory, the more eyes on the code, the more airtight it becomes. Bitwarden has also been audited for 2020 by a third party to ensure it’s secure. It can be installed on your own server for easy self-hosting if you prefer to run your own cloud.

    MOST POPULAR

    There are apps for Android, iOS, Windows, MacOS, and Linux, as well as extensions for all major web browsers. Bitwarden also has support for Windows Hello and Touch ID on its desktop apps for Windows and MacOS, giving you the added security of those biometric authentication systems.

    Another thing I like is Bitwarden’s semiautomated password fill-in tool. If you visit a site that you’ve saved credentials for, Bitwarden’s browser icon shows the number of saved credentials from that site. Click the icon and it will ask which account you want to use and then automatically fill in the login form. This makes it easy to switch between usernames and avoids the pitfalls of autofill that we mention at the bottom of this guide. If you simply must have your fully automated form-filling, Bitwarden supports that as well.

    Bitwarden offers a paid upgrade account. The cheapest of the bunch, Bitwarden Premium, is $10 per year. That gets you 1 GB of encrypted file storage, two-factor authentication with devices like YubiKey, FIDO U2F, Duo, and a password hygiene and vault health report. Paying also gets you priority customer support.

    Bitwarden Is Free ($40 Per Year for Families)

    After signing up, download the app for Windows, MacOS, Android, iOS, or Linux. There are also browser extensions for Firefox, Chrome, Safari, Edge, Vivaldi, and Brave.

    Best Full-Featured Manager

    Dashlane

    Dashlane app

    $42 PER YEAR (SINGLE)$90 PER YEAR (FAMILY)

    I first encountered Dashlane several years ago. Back then, it was the same as its competitors with no standout attributes. But recent updates have added several helpful features. One of the best is Site Breach Alerts, something other services have since added as well. Dashlane actively monitors the darker corners of the web, looking for leaked or stolen personal data, and then alerts you if your information has been compromised.

    Setup and migration from another password manager is simple, and you’ll use a secret key to encrypt your passwords, much like 1Password’s setup process. In practice, Dashlane is very similar to the others in this list. The company doesn’t offer a desktop app, but I primarily use passwords in the web browser anyway, and Dashlane has add-ons for all the major browsers, along with iOS and Android apps. If a desktop app is important to you, it’s something to be aware of. Dashlane offers a 30-day free trial, so you can test it out before committing.

    Dashlane Advanced Costs $3.49 Per Month ($42 Per Year)

    After signing up, download the app for Android and iOS, and grab the browser extensions for Firefox, Chrome, and Edge.

    Best DIY Option (Self-Hosted)

    KeePassXC

    KeePassXC app displayed on Microsoft Windows

    KEEPASSXC IS FREE

    Want to retain more control over your data in the cloud? Try using a desktop application like KeePassXC. It stores encrypted versions of all your passwords into an encrypted digital vault that keeps you secure with a master password, a key file, or both. The difference is that instead of a hosted service like 1Password syncing it for you, you sync that database file yourself using a file-syncing service like Dropbox or Edward Snowden’s recommended serviceSpiderOak. Once your file is in the cloud, you can access it on any device that has a KeePassXC client.

    Why do it yourself? In a word: transparency. Like Bitwarden, KeepassXC is open source, which means its code can be and has been inspected for critical flaws.

    KeePassXC Is Free to Use

    Download the desktop app for Windows, MacOS, or Linux and create your vault. There are also extensions for Firefox, Edge, and Chrome. It does not have official apps for your phone. Instead, the project recommends KeePass2Android or Strongbox for iPhone.

    Another Option

    NordPass

    NordPass app shown on Mac laptop

    FREE (LIMITED)$36 PER YEAR (PREMIUM)

    NordPass is a relatively new kid on the password manager block, but it comes from a company with significant pedigree. NordVPN is a well-known VPN provider, and the company brings to its password manager much of the ease of use and simplicity that made its VPN offering popular. The installation and setup process is a breeze. There are apps for every major platform (including Linux), browser, and device.

    The free version of NordPass is limited to one device, and there’s no syncing available. There is a seven-day free trial of the premium version, which lets you test device syncing. But to get that for good, you’ll have to upgrade to the $36-a-year plan. (Like its VPN service, NordPass accepts payment in cryptocurrencies.)

    MOST POPULAR

    NordPass uses a zero-knowledge setup in which all data is encrypted on your device before it’s uploaded to the company’s servers, like our picks above. Other nice features include support for two-factor authentication to sign in to your account, and a built-in password generator (which has plenty of options to handle those poorly designed sites that put weird requirements on your password). There’s also a personal information storage feature to keep your address, phone number, and other personal data safe and secure, but easy to access as well.

    NordPass also offers an emergency access feature, which allows you to grant another NordPass user emergency access to your vault. It works just like the same feature in 1Password, allowing trusted friends or family to access your account in the event you cannot.

    NordPass Is Free, But We Recommend the Premium Plan ($36 Per Year)

    After signing up, download the app for Windows, MacOS, Android, iOS, or Linux. There are also browser extensions for Firefox, Chrome, and Edge.

    Honorary Mentions

    Screenshot of Remembear password manager

    Password managers are not a one-size-fits-all solution. Our top picks cover most use cases and are the best choices for most people, but your needs may be different. Fortunately, there are plenty of very good password managers. Here are some more we’ve tested and like.

    • Roboform ($24 per year, $48 per year for five-user family plan): Roboform has most of same features as the rest in this list, but it lacks some of the things that differentiate our top picks, like the travel feature of 1Password or the open source aspect of Bitwarden. I’ve been testing the free plan for a while and haven’t run into any problems. There are apps for every common platform, and it’s easy to use. That said, Roboform hasn’t published a full, independent security audit.
    • Enpass (free, $24 per year or one-time $80 for Premium): Like KeePassXC, Enpass does not store any data on its servers. Syncing is handled through third-party services like Dropbox or NextCloud. Enpass doesn’t do the syncing, but it does offer apps on every platform. That means once you have syncing set up, it works just like any other service. And you don’t have to worry about Enpass being hacked, because your data isn’t on its servers. If you’re comfortable setting up the secure syncing yourself, Enpass makes a great password manager.
    • LastPass ($36 per year): LastPass used to be our favorite free option, but then it changed its free plan. It now limits you to a single device, so we removed it in favor of BitWarden. Lastpass’ paid plan offers most of the same features you’ll find in our other top picks, though it lacks the travel features of 1Password and isn’t open source like BitWarden. We just don’t see any reason to suggest it over our top picks, and it was recently hacked.
    • Keeper Password Manager ($35 per year for Unlimited): Keeper offers a variety of security-related tools, including a password manager. Keeper works much like 1Password and others, storing only your encrypted data, and offers two-factor authentication for logging in to your account. Like Dashlane, Keeper has a lot of extras, including dark-web monitoring, meaning it will check publicly posted data to make sure yours isn’t available.
    • Pass (free): Pass is a command-line wrapper around GPG (GNU Privacy Guard), which is to say, this is only for the nerdiest of users. It has support for managing encrypted .gpg files in Git, and there are third-party mobile apps available. It’s definitely not for everyone, but since everyone asks, it’s what I use.

    How We Test

    The best and most secure cryptographic algorithms are all available via open source programming libraries. On one hand, this is great, as any app can incorporate these ciphers and keep your data safe. Unfortunately, any encryption is only as strong as its weakest link, and cryptography alone won’t keep your passwords safe.

    This is what I test for: What are the weakest links? Is your master password sent to the server? Every password manager says it isn’t, but if you watch network traffic while you enter a password, sometimes you find, well, it is. I also dig into how mobile apps work: Do they, for example, leave your password store unlocked but require a pin to get back in? That’s convenient, but it sacrifices too much security for that convenience.

    MOST POPULAR

    No password manager is perfect, but the ones below represent the very best I’ve tested. They’re as secure as they can be while still remaining convenient and easy to use.

    Password Manager Basics

    A good password manager stores, generates, and updates passwords for you with the press of a button. If you’re willing to spend a few dollars a month, a password manager can sync your passwords across all your devices. Here’s how they work.

    Only one password to remember: To access all your passwords, you only have to remember one password. When you type that into the password manager, it unlocks the vault containing all of your actual passwords. Only needing to remember one password is great, but it means there’s a lot riding on that one password. Make sure it’s a good one. If you’re having trouble coming up with that one password to rule them all, check out our guide to better password security. You might also consider using the Diceware method for generating a strong master password.

    Apps and extensions: Most password managers are full systems rather than a single piece of software. They consist of apps or browser extensions for each of your devices (Windows, Mac, Android phones, iPhone, and tablets), which have tools to help you create secure passwords, safely store them, and evaluate the security of your existing passwords. All that information is then sent to a central server where your passwords are encrypted, stored, and shared between devices.

    Fixing compromised passwords: While password managers can help you create more secure passwords and keep them safe from prying eyes, they can’t protect your password if the website itself is breached. That doesn’t mean they don’t help in this scenario though. All the cloud-based password managers we discuss offer tools to alert you to potentially compromised passwords. Password managers also make it easier to quickly change a compromised password and search through your passwords to ensure you didn’t reuse any compromised codes.

    You should disable auto form-filling: Some password managers will automatically fill in and even submit web forms for you. This is super convenient, but for additional security, we suggest you disable this feature. Automatically filling forms in the browser has made password managers vulnerable to attacks in the past. For this reason, our favorite password manager, 1Password, requires you to opt in to this feature. We suggest you do not.

    Don’t panic about hacks: Software has bugs, even your password manager. The question is not what do you do if it becomes known that your password manager has a flaw, but what do you do when it becomes known that your password manager has a flaw. The answer is, first, don’t panic. Normally bugs are found, reported, and fixed before they’re exploited in the wild. Even if someone does manage to gain access to your password manager’s servers, you should still be fine. All of the services we list store only encrypted data, and none of them store your encryption key, meaning all an attacker gets from compromising their servers is encrypted data.

    Leave a Reply

    Fill in your details below or click an icon to log in:

    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out /  Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out /  Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out /  Change )

    Connecting to %s

    This site uses Akismet to reduce spam. Learn how your comment data is processed.