Choosing a Password Manager
Password breaches are a common occurrence, and if you use the same password on every site, that may grant access to bad actors who try out that password elsewhere to get into your accounts. The best way to protect yourself is to use a unique password everywhere (and two-factor authentication , when possible). A password manager is a program that makes this easier by creating and storing unique, strong passwords for you.
A password manager generates long, unique passwords, stores those passwords in what's typically called its "password vault," and then can fill out the username and password for you when you need to log in to a site. It protects all these passwords behind one single "master password ," meaning you only have to remember one password instead of dozens. Depending on the password manager’s implementation, this can mean it's important you make that master password as strong as possible and set up two-factor authentication on your password manager account. In most cases, a password manager also syncs your passwords between different devices—like your phone and computer—so you can log in from any device.
When You May Want to Avoid a Password Manager anchor link
A good password manager does its best to mitigate potential security problems, but it's still important to remember:
- Using a password manager creates a single point of failure.
- Password managers are an obvious target for adversaries.
This is why you should have a strong master password and enable two-factor authentication when possible. But if a powerful adversary like a government is targeting you, it’s important to carefully choose the right password manager and set it up for maximum security.
If you don’t want to use a password manager for whatever reason, you should still use a unique password for every login. We think writing them down, and storing them somewhere safe, like a wallet, is better than trying to memorize them.
How Do I Choose a Password Manager That's Right For Me? anchor link
Everyone has different needs for a password manager, and what works for one person might not work for another. Most quality password managers, even paid options, offer some sort of trial period to check them out, and we suggest taking advantage of that when you have the time to do so.
Business model anchor link
The company behind a password manager has to make money somehow. It might be through a subscription fee, or it might target enterprise users and offer free or cheap software to everyone else. Research what subscription plans the company offers, what features may be locked behind a payment, and what tools, if any, are free. With paid subscription fees, be especially cautious of plans that jump in price after the first year. Some paid password managers may offer family plans, where you and your family all get access to the service at a discounted price. These plans typically give each family their own private vault, but you can also often share passwords easily when needed. This can be helpful for shared accounts, like utilities or streaming services. Keep in mind that the manager of the account may be able to recover (and therefore reveal) a family member’s passwords, so you should trust your account manager to some extent.
Two-factor authentication support anchor link
Because a password manager locks all your important passwords behind a single password, it's best to look for a password manager that supports two-factor authentication. With two-factor authentication, if someone gains access to your master password, they still need that second factor to get into your account. Some password managers might also have other novel forms of security, like 1Password's "Secret Key" that are worth researching further.
Browser extensions and support for various platforms anchor link
Most password managers will work everywhere you need to access passwords, including desktop apps for Windows, Mac, or Linux, and mobile apps for Android or iPhone. When you create a password on one device, it will then be available everywhere else. Most password managers also support browser extensions on desktop, which allows the password manager to automatically fill passwords when you arrive on a login page, no copy and paste required. If a powerful adversary is targeting you, you may choose to not enable browser autofill, since browser extensions are the most common place for password manager vulnerabilities. But for most people, the functionality of automatically filling in a password is not just a convenience, but an important protection against phishing.
End-to-end encrypted backups anchor link
Since most password managers sync passwords between devices by storing your password vault online, it's important the company uses end-to-end encryption on those vaults. Nobody, not even the company that makes the password manager, should be able to access your passwords. Look through the features and documentation for a password manager to ensure it has details about its encryption methods before picking one.
Most popular password managers do not include a way to disable syncing to the cloud. But there are a handful of more specialty password managers, most notably KeePassXC, that give you more control over where (and if) your password vault is stored online. Note that while it is open-source, KeePassXC hasn't undergone security audits, and there are many projects with similar names (including KeePass, KeePassX, and KeeWeb), so make sure you use the correct one. Without password syncing or online backups provided by the password manager, it can be difficult to use this type of password manager on a day-to-day basis.
Independent security audits and bug bounty programs anchor link
Some popular password managers subject their software to independent security audits. While not perfect, offering just a snapshot of the software at a specific time, these audits signal the developer is actively working to secure its software. Sometimes these reports are made public, but not always. It can also be a bonus when the developer offers a bug bounty program, which provides a way for independent security researchers to submit any issues they may come across. Some examples of password managers that participate in security audits include:
This list is not exhaustive, nor should it be considered a recommendation, but gives you an idea of what these audits tend to look like.
It's a good idea to search for any news stories about a password manager to ensure it doesn’t regularly hit the news cycle for security flaws, breaches, privacy violations, or anything else that may make you second-guess using it.
Active software updates anchor link
Spend a few seconds looking through a mobile app's update history to ensure the app is updated frequently with support for the newest operating systems. Active development isn't always just about features, it's also about ensuring the software works consistently with each update—both minor and major ones—with the operating systems you use, and signals that the developers are staying on top of security updates.
Portability anchor link
Any good password manager will allow you to take your login and password information with you if you decide to change software. While this might sound complicated, moving passwords between password managers is typically a straightforward process where you'll export a CSV file with all your passwords, then import that same file into a new password manager. Check the password manager's documentation for more specific directions on how to do this.
What About My Browser's Built-in Password Manager? anchor link
Google, Apple, and Mozilla all offer their own versions of password managers. While technically you can usually access your passwords stored in these password managers across operating systems, apps, and devices, Google and Apple's solutions tend to work best when you use the browsers (Google's Chrome or Apple's Safari) or operating systems (Android, ChromeOS, iOS, or macOS). Mozilla's password manager only works in Firefox, and can't be easily integrated elsewhere. Other web browsers may offer a similar type of password manager, but be sure to research how it encrypts the data before using it.
Browser-based options also sometimes lack extra features offered by standalone software you may or may not use, like encrypted notes, storage of security question answers (which you should consider using random answers for), remembering where you've used single-sign on for accounts (like signing into a service with your Google account), and robust family password sharing options.
The best password manager is the one you'll use, and because they're so well-integrated into the operating system , browser-based options can be easier to get the hang of using if you've never used a password manager before. And since they’re integrated into their respective browsers, they offer phishing protection without the potential insecurity of browser extensions. The default security of each differs, though: Apple's iCloud Keychain is end-to-end encrypted by default, but Google's password manager is not. Instead, Google offers a way to enable a passphrase to turn on "on-device encryption," but you have to manually hop into the settings to turn that feature on yourself, which you should do. Mozilla provides details about how Firefox handles encryption.