Everyone Needs a Password Manager
Nearly every website you visit insists you create a user account and think up a password, from dating apps to hyper-secure banking sites. The human memory can’t keep up with dozens and dozens of these. Some folks get the bright idea to use the simplest possible passwords, things that are easy to remember, like “123456789” or “password.” Others memorize one superbly random password and use it for everything. Either path is likely to make you the latest victim of identity theft.
Don’t be like them—use a password manager. With a password manager, you don’t have to remember that strong, unique password for every website. The password manager stores them for you and even helps you generate new, random ones. We’ve tested and analyzed dozens, so you can pick the password manager that best fits your needs. Not happy with your initial choice? Don’t worry. Most services allow you to export your saved data or import from other products, easing the process of switching password managers.
All of the products in this roundup earned at least three-and-a-half stars and cost money (though you can use some of them for free if you accept certain limitations). If you don’t want to spend money and don’t want limitations, don’t worry. We’ve rounded up the best free password managers in a separate article. Most of the free tools lack the most advanced features, but they get the job done. We don’t include any password managers in that roundup that either restrict the number of passwords you can save or inhibit cross-device syncing. In light of LastPass’s upcoming syncing restrictions for free users, we have removed it from that roundup. If you are considering leaving LastPass because of this change, check out our top LastPass alternatives.
Secure Your Passwords on Every Platform
When you sign up for a password manager, one of the first things you need to do is create a master password for your account. Your master password is used to encrypt the contents of your password vault, so you should make it something difficult for anyone else to guess or find out. However, it can’t be so random that you forget it; your master password is likely unrecoverable if you do. Read our tips on creating secure, complicated passwords for guidance.
As an additional precaution, you should set up two-factor authentication to secure your password manager account, be it biometric, SMS-based, or via time-based one-time passwords (TOTPs) stored in an authenticator app such as Google Authenticator or Microsoft Authenticator. The best password managers support authentication via U2F- or OTP-based hardware keys such as from YubiKey and Titan Security.
Before you commit to any password manager, you need to make sure it supports each device platform you use. One thing to keep in mind is that many browser extensions rely on a local desktop component, which might not support every desktop operating system. The best password managers have browser extensions that can operate independently wherever you install it, as well as allow you to fully manage your vault.
Full support for mobile platforms is a requirement for any modern password manager as many people frequently use their mobile devices to access secure sites and apps. Most experiences and features translate to mobile platforms without issue, but no one wants to enter a password like @2a&[email protected] on their smartphone’s tiny keyboard. Fortunately, password manager apps typically let you authenticate using your fingerprint or face and directly fill in-app credentials with the tap of a button.
The Password Basics
Most people primarily use a password manager to manage website credentials. In practice, when you log in to a secure site, the service offers to save your credentials. When you return to that site, it offers to fill in those credentials. If you’ve saved multiple logins for the same site, the password manager lists all those options. Most also offer a browser toolbar menu of saved logins, so you can go straight to a saved site and log in automatically.
Some products detect password-change events and offer to update the existing record. Some record your credentials when you create a new account for a secure website. For maximum convenience, you should avoid password managers that don’t automatically capture passwords.
Getting all of your existing passwords into a password manager is a good first step. Next, you need to identify the weak and duplicate passwords and replace them with tough ones. Many password managers flag weak, duplicate, or compromised passwords and help you improve them.
When you create a new secure account or update a weak password, don’t strain your brain trying to come up with something strong and unique. Let your password manager take care of that. You don’t have to remember it, after all. Make sure your generated passwords are at least 20 characters long and include all of the major character types (uppercase, lowercase, numbers, and symbols); all too many products default to a shorter length.
Fill Forms Automatically
Since most password managers can autofill stored credentials, it’s just a small step for them to automatically fill in personal data on web forms—first and last name, email address, phone number, bank cards, passport numbers, and so on. After all, storing payment and identity details in an encrypted vault is a much safer way than saving them to a website or browser.
Most of the top-rated products include a web form-filling component. The breadth and flexibility of their data collections vary, as does their accuracy when matching web form fields with their stored items. Even if they miss a field or two, the ones they do fill are ones you don’t have to type. Think about how many sites you go to that want all the same information; this feature is a huge time-saver.
Each password manager handles form filling differently. Some immediately fill all recognized fields, some wait for you to click in a field, some pop up and ask what you’d prefer. You’ll even find products that use realistic images of credit cards with the correct color and bank logo to store your payment options.
Advanced Password-Management Features
Given that all these products take care of basic password management tasks, how do any of them stand out from the pack?
One handy advanced feature is managing passwords for applications, not just websites. Another is a secure browser, designed to protect sensitive transactions and invoked automatically when you visit a financial site. The ability to automate the password change process seems to be less and less common these days. Some password managers never offered this feature to maintain zero-knowledge policies.
Most password managers include a built-in mechanism for securely sharing passwords with other users, but some go a step further with advanced permissions. For instance, a few password managers allow you to share a login without making the password visible, revoke sharing, or make the recipient an owner of the item. On a grimmer note, what happens to your secure accounts after you’ve died? A growing number of products include some provision for a digital legacy, a method to transfer your logins to a trusted individual in the event of your death or incapacity.
Logging in with your secure username and password to a website that doesn’t use a secure HTTPS connection is a big no-no. Some password managers even warn you about insecure login pages. Even when you do use HTTPS, sniffers and snoops can still learn some things about your activity, such as the simple fact that you’re logging in to the secure site, and the IP address from which you’re connecting. Running your secure connections through a virtual private network, or VPN, adds a layer of protection. Dashlane now includes a simple built-in VPN and RememBear comes from the same source as Editor’s Choice winner TunnelBear VPN.
Secure storage is an increasingly common feature among password managers, too. The storage allocation won’t replace the need for a dedicated cloud storage and syncing service, but in many cases, it’s enough for storing important documents in an encrypted state.