Photo: getty/Corbis via Getty Images
The days of using your first child’s name and birth date for all your passwords are long gone. That’s just too easy to crack, security experts say. Instead, we were told to use assortments of words and numbers — until that wasn’t hard enough, either. Eventually, the instructions were to come up with seemingly random strings of characters, numbers, and symbols. This made for a tough password to crack, with one downside: It was an equally tough password to remember. With a password manager, however, you only need to remember one master password. The manager safely stores all of your other passwords for you, often allowing you to access your passwords from any computer,tablet, or phone. According to the security experts we consulted, it’s the best option for protecting everything from financial data to drugstore loyalty accounts. And considering that many password managers offer free versions, there’s really no excuse not to have one.
“Password managers are essential for everyone,” says Rachel Tobac, CEO of the cybersecurity company SocialProof Security. She says it’s a matter of “when, not if, one of the websites you use gets breached.” At that point, “any services you use that password for are at risk.” From January to March of 2021, 51 million people had their data compromised in a breach, according to the Identity Theft Resource Center, a nonprofit dedicated to helping victims of identity theft. More recent data breaches include McDonald’s, Peloton, and Volkswagen. Despite this, a 2020 survey from the credit-scoring company FICO found that only 23 percent of Americans use an encrypted password manager. Forty-two percent reuse passwords across accounts, and 17 percent of us recycle as few as two to five passwords for everything.
One of the biggest fears with password managers, Tobac says, is that saving all your passwords in an account with a single password would make you more vulnerable to data theft. She says it isn’t “computationally possible” for hackers to break the encryption of most password managers at the moment, so you can be assured your passwords are safe in a password manager. Still, “if you need an extra layer of security for peace of mind, I recommend salting your passwords. That means you store passwords in a password manager but have a special code you know to add into each password that isn’t stored in your manager,” she says. “After your password is autofilled by the password manager, add in the code manually.” Even on the off chance that a password manager is hacked, hackers still won’t be able to access any of your accounts, since only you know the extra characters.
Convinced? Good. Now you just have to pick one. Fortunately, Lorrie Cranor, the director of Carnegie Mellon University’s security and privacy research institute CyLab, says you can feel confident with nearly any of them. “There are a number of excellent password managers out there, and it is more important that people use one than which one they use,” she says. Topher Tebow, a cybersecurity analyst at the international cybersecurity company Acronis, agrees. “No matter what route you take, any password manager is better than no password manager,” he says.
Karen Renaud, a senior lecturer of cybersecurity at the University of Strathclyde, recommends sticking with an established company (like 1Password or Bitwarden). The differences among these password managers are, for the most part, minimal. Some have special features for traveling, for example, while others have slightly enhanced security. If you still can’t decide, Leigh Honeywell, the CEO of the online employee-safety company Tall Poppy and a former fellow at the ACLU’s Project on Speech, Privacy, and Technology, advises people to choose password managers that have faced and responded quickly to significant outside security scrutiny. For example, in 2017, the password manager Keeper sued a journalist for reporting on a vulnerability in the app. “That kind of attitude doesn’t help anyone be safer,” she says. “I’d also advise people to be careful in searching the Apple App Store and Google Play Store for general terms like ‘password manager,’” rather than looking up specific apps by name. There are a lot of unverified look-alike apps that try to pass themselves off as more established, secure programs, she says.
After talking to more than a dozen online-security experts, here are the best password managers for nearly everyone, including you.
If you want a password with a legacy of top-of-the-line security, 1Password is your best bet. Yael Grauer, an investigative tech reporter at Consumer Reports who specializes in tech and privacy, says she likes that the interface is easy to use and that it can generate passwords based on a user’s specifications. “You can add digits or symbols, or specify that you want a password with words, which can make it easier to enter passwords that you can’t copy-paste or use the autofill feature for,” she says. 1Password also has something called Watchtower, a feature that alerts users to reused, compromised, or vulnerable passwords, as well as any passwords that don’t yet have multi-factor authentication enabled. Nitesh Saxena, a professor of computer science at the University of Alabama at Birmingham who researches cybersecurity and applied cryptography, says 1Password has better security than competitors like LastPass, citing situations in which password managers were under the coercion of law enforcement.
Dashlane Premium has a very rare and convenient feature: You can change your passwords for your accounts directly within the app. If you signed up for a bunch of accounts with terrible passwords, with Dashlane, you can change the password without having to visit every site. Candid Wüest, the vice-president of cyber protection research at Acronis, calls Dashlane one of the best password managers and says it has “interesting additional features.” Dashlane is one of the few options with identity-theft protection, dark-web monitoring, and a VPN. It’s also easy to use, even for kids. “I use the Dashlane family plan so I could get my kids in the habit of using a password manager too,” says Cranor.
Note: Dashlane also offers a free version that works on one device, and an Essentials version ($4 a month) that works on two and allows automatic password changes.
If you want a free password manager, Wüest says Bitwarden is a good option — though he warns that the optimal security you get from paid services is worth it. Our colleagues at The Verge also recommend Bitwarden, calling it the best free password manager. Although Bitwarden stores passwords in the cloud (as opposed to locally, on your own computer), its data is encrypted and has been audited by a third-party security company. Since Bitwarden doesn’t offer password checkups or breach reports, users will want to regularly keep an eye on their password hygiene via free online sites like HaveIBeenPwned.com.
Although it’s less convenient, since you can’t access your passwords from anywhere, if you don’t like the idea of storing passwords in the cloud, a password manager that stores your data locally is your best bet. Tebow says that for years he used KeePass, a free, open-source password manager. “I could keep it on a USB drive and not have to worry about the cloud service being breached,” he says. One warning: This is not the slickest option. Its interface is a bit dated, like an old Microsoft program from 2009. That means it’ll take a little tech know-how to use properly. And though users can contact the developers for some questions not covered by the program’s FAQ page, there’s better help to be found in the program’s robust Reddit community.
If you don’t want to bother with a dedicated app, three of our experts say the free password-management tools like Apple’s iCloud Keychain or the managers built into your browsers are all you need. They’ve “really made leaps and bounds in recent years,” says Florian Schaub, an assistant professor at the University of Michigan’s School of Information whose research focuses on empowering users to manage their privacy. Megan Squire, a professor of computer science and a cybersecurity expert at Elon University, is a fan, as is Jungwoo Ryoo, a professor of information sciences and technology at Penn State who specializes in cybersecurity. “The passwords are always available as long as you are signed on through your favorite browser,” Ryoo says. Plus, they’re free, and some even offer multi-factor verification. Microsoft Edge’s password manager, for example, offers two-factor authentication via a PIN or fingerprint sensor, and this year it launched Password Monitor, which alerts users when any passwords have been compromised.
The Strategist is designed to surface the most useful, expert recommendations for things to buy across the vast e-commerce landscape. Some of our latest conquests include the best acne treatments, rolling luggage, pillows for side sleepers, natural anxiety remedies, and bath towels. We update links when possible, but note that deals can expire and all prices are subject to change.