Goddy Ray, devoted online security and privacy advocate

Use of the tried and true password is not dead — and not likely to be dead for some time to come. Even as biometrics and other forms of authentication become popular, the vast majority of sites and applications still require a password. Even biometrics have a downside as it’s easier to force somebody to put a finger on a detector than enter a password.

Sadly, most people still use terrible passwords. According to Troy Hunt, when CashCrate, a survey site for making money online, was breached in November 2016, 86 percent of the passwords had already been revealed in previous breaches of other sites. So, not only are people not changing breached passwords, but they’re continuing to use them on other sites. Many of these breached passwords include entries like “123456,” and yes, “password.” In 2016, people were still using ‘password’ as their password, which means they probably still are.

Most of us do at least know better than that, but problems remain. Many people reuse passwords across different sites, which enables “credential stuffing” after a breach. Others find that the “rules for strong passwords” amount to “rules to make sure I can never remember my password” and end up writing their passwords down, storing them in plain text or leaving them open to discovery in some other way. Passphrases help here: they can be both easier to remember and harder to crack by brute force. This difficulty of remembering is also the main reason why more and more people are reusing passwords.

People know the dangers of weak passwords, but create and use them anyway

For added security, many sites now offer or even enforce two-factor authentication, usually by sending a text to your phone. This is excellent until you are overseas and don’t have roaming available on your phone. It also means that some people think that because they have two-factor authentication, they can get away with a weaker password. (A good analogy for two-factor authentication is a debit card and PIN: something you have, the card, and something you know, the PIN.) Also, SMS-based two-factor authentication (2FA) is insecure.

This presents us with a problem: unless you have some kind of crazy eidetic memory, it is humanly impossible to remember a different secure password for each and every website you log into. Even a normal user may have multiple banking logins (one for your bank account, one for your credit card and likely PayPal). Then there are all those e-commerce sites to remember unless you buy everything from Amazon Prime. Add in cloud storage, collaboration sites like Google Drive, bulletin boards, online games and newspaper subscriptions, and you’ll discover that most people have 15, 25 or 30 passwords that they must remember, while a cyber warrior may have hundreds.

Why a Password Manager Is the Solution

The solution to this dilemma is a password manager that does the work of remembering (and often choosing) your passwords for you. Modern browsers have password managers built in. However, while this is better than having nothing, they are a rather half-assed solution. For example, Chrome’s solution stores the master password in an unencrypted form, making it vulnerable to a hacker who can then get into all of your websites. This defeats the point of having a password manager in the first place.

With a password manager, you only have to remember one password. We recommend using a passphrase that you can remember. If you lose your master password, you will lose access to all of your passwords and will have to reset every single one of them. However, do not use a password manager that allows you to retrieve the master password. As annoying as a mass reset is, if your master password is compromised, you will have far worse problems.

Password managers can also help protect you from certain phishing attempts. You might not notice that the site’s URL has been “typo-squatted” but your password manager will. If you are expecting your password manager to auto-fill your PayPal login and it doesn’t, you may be on a cloned site.
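The protection described above comes down to a strict origin check before any auto-fill. The following is an added example, not code from the article or from any product: a saved entry is keyed by the exact origin it was captured on, and a look-alike host, a plain-HTTP copy or an internationalised (punycode) hostname is refused. All domains are constructed for illustration.

```javascript
// Added example: the origin check a password manager performs before auto-filling.
// Saved entries are keyed by exact origin (scheme + host + port); anything else,
// including typo-squatted or homograph domains, gets no fill.
const savedCredentials = {
  'https://www.paypal.com': { user: 'alice', password: '[placeholder]' }, // constructed entry
};

// Returns the reason the manager refuses to fill, or null when filling is safe.
function autofillBlockReason(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return 'unparseable URL';
  }
  if (url.protocol !== 'https:') {
    return 'not https'; // never send a saved password over a plain connection
  }
  // The URL parser stores internationalised hostnames in punycode ("xn--").
  // No saved entry would have one, so such a host is a probable homograph attack.
  if (url.hostname.startsWith('xn--') || url.hostname.includes('.xn--')) {
    return 'punycode hostname';
  }
  if (!Object.prototype.hasOwnProperty.call(savedCredentials, url.origin)) {
    return 'origin has no saved credentials'; // typo-squat, subdomain trick or simply unknown site
  }
  return null;
}

// Hand back credentials only when no block reason applies.
function credentialsFor(pageUrl) {
  return autofillBlockReason(pageUrl) === null ? savedCredentials[new URL(pageUrl).origin] : null;
}
```

A silent "no fill" on a page where you expected one is the signal the article describes: stop and check the address bar before typing anything.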

In other words, for the sake of security and convenience, absolutely everyone should be using a password manager. Which brings us to the next problem: there are a lot of password managers out there. Which one should you use? This guide goes through some of the best offerings and gives you the pros and cons. There is no single best password manager as a lot depends on your needs and what devices you own, but the list below should help you work out which one fits your needs best.

Pros & Cons of Different Password Managers

The article was updated on the 21st of January following a report by ISE about severe vulnerabilities found in popular password managers. The researchers tested 1Password4 for Windows (4.6.2.626), 1Password7 for Windows (7.2.576), Dashlane for Windows (6.1843.0), KeePass Password Safe (2.40), and LastPass for Applications (4.1.59). The full findings were published by ISE, and ZDNet.com published the providers’ responses.

LastPass

LastPass is one of the most popular password managers out there and may well be the only one some people have heard of. It’s popular for a reason — the free version covers almost anything an individual (or even business owner with no employees) could need, except for application logins, and it’s known for having good security requirements.

Pros:

The free version is quite usable

Encryption at the device level means that even LastPass can’t get into your passwords, and the device keys are never sent over the internet and thus can’t be taken

Two-factor authentication

The paid version includes 1 GB of encrypted cloud storage

The free version includes credit monitoring

Works across all devices

Cons:

The paid version doesn’t offer enough over the free version, which might cause problems for the company in the long run

Due to its popularity, it tends to be a target for hackers and has had vulnerabilities in the past

It has disastrous UX

Dashlane

Dashlane is a newer password manager. It has apps for almost every platform, extensions for every browser and can store passwords locally.

Pros:

Stores passwords locally

Has a low memory footprint

Can keep passwords either locally or in the cloud

Simple interface

Digital wallet for tracking and making purchases at online retailers

Will automatically reset passwords when a site is hacked

Includes a VPN

Cons:

You can’t sync passwords over multiple devices without paying a fee

It’s expensive, especially if you already have a VPN, and the built-in VPN lacks the ability to choose the server country

Does not work well with Internet Explorer. However, this browser probably isn’t used much anymore

The ISE test of Windows version 6.1843.0 found that, in the extreme case where the device has been entirely compromised, the following can occur:

When entries are updated, the entire database is left in memory in plaintext form and remains, even after it’s locked or logged out of

KeePass

The big difference with KeePass is that it does not store anything in the cloud. This is extra security for the paranoid or those who handle extremely sensitive data. It’s open source and completely free.

Pros:

Completely free

Open source code makes for transparency

Can export your passwords to a text file, which might also be considered as a con

Has an app for iPhone — MiniKeePass

Cons:

Takes time to understand for ‘non-technical’ types

Testing of version 2.40 showed that when a device is completely compromised, the following can occur:

Unencrypted data can be found in memory when searching data, displaying data in standard controls, replacing placeholders (during copying to clipboard, drag & drop, auto-type) and when importing or exporting (not with KDBX)

Keeper

Keeper is less well known but has a strong focus on security and supports most devices and browsers. It integrates with Duo for one-tap authentication. It can also stop people from logging into your account from other parts of the world, (which is good until you forget to change it when you go on vacation).

Pros:

Excellent security

A wide range of supported devices, including Blackberry and Windows Phone

Allows you to designate an emergency contact

Can lock out people in other parts of the world, which can protect you in the event of a breach

One-tap authentication

Cons:

Free trial version works only on a single device

Relatively expensive

Weak form-filling capabilities

Limited functionality on ChromeOS

Takes longer than most managers to change a password

Does not offer a PIN for accessing the apps, forcing you to type in the master password every time if your phone or tablet does not support biometrics

Enpass

Enpass is a pretty basic password manager but has the advantage of charging a (low) one-time fee rather than a subscription. It has great device support, including Windows Phone but does not support Blackberry anymore.

Pros:

Does not offer master password retrieval, which makes it more secure

Cheap – $10 per mobile device OS

Defaults to offline storage

Cons:

Does not automatically sync, and there is no easy way to sync between devices

You have to download each browser extension separately

No two-factor authentication but does use TOTP. However, a lot of people won’t use that

The password generator is buried in the user interface on the desktop

LogMeOnce

LogMeOnce calls itself “LogMeOnce Password Management Suite Ultimate” and has more features than any other password manager. It has a default passwordless login method that uses your phone (which may not be the best for people who travel a lot). Confusingly, they call their free version “Premium.” The issue is that many of the features are offered a la carte, so even paying for “Ultimate” doesn’t get you everything. Some of the more interesting add-ons cost extra too such as Account Freeze, which lets you lock down accounts, or Password Shock, which is designed to annoy somebody who stole your phone into giving up.

Pros:

Has a lot of features including photo login

Allows you to locate your phone and control it remotely, including making it ring, which is useful if you lose your phone, but these features are also available in standalone security apps

Does allow you to wipe LogMeOnce settings remotely from a stolen phone

Works well in Linux and ChromeOS

Has a good tutorial for new users

Includes the weather forecast for some reason

Cons:

Confusing UI

Nickel-and-dimes users with extra-charge add-ons

The free version has ads

You have to install each browser extension separately

1Password

This password manager has been gaining in popularity because of some very useful features on mobile and the fact that it can act as an authenticator app. It is available only as a paid product.

Pros:

“Travel mode” allows you to lock down most of your passwords when taking a device overseas, protecting you from overzealous customs or law enforcement or if your phone is stolen

Acts as an authenticator app

Integrates with a large number of mobile apps

Runs across almost all platforms, except Blackberry

Checks for compromised passwords and reminds you which sites use two-factor authentication

Has an account key needed to add new devices, which is more secure, but the account key is impossible to remember. You can use a QR reader to snap it, though

Allows remote deactivation of devices

Stores password neatly by category

Requires that you press a keystroke to fill in saved credentials, which can protect you from invisible login forms

Will create passphrases as well as random passwords

Cons:

Does not have automated password updates

Does not support Internet Explorer (if you are even still using this outdated browser)

Have to install a separate extension for each browser you use

Can only import passwords from Chrome, LastPass, Dashlane and RoboForm

No password updating

Requires a separate authenticator app to operate its own two-factor authentication

Fails to capture two-page logins

There are a few extreme cases where a master password can be seen due to a compromised computer. These include the following:

In 1Password4 for Windows version 4.6.2.626, certain user actions can leave the master password in clear text in memory, even when the vault is locked

In 1Password4 for Windows version 4.6.2.626, the master password has been shown to remain in memory during the unlocked-to-locked transition

In 1Password7 for Windows 7.2.576, the secret key, master password and individual passwords are not scrubbed from memory when the unlocked-to-locked transition occurs

RoboForm

RoboForm is one of the oldest password managers, which puts it at a disadvantage. Even the latest update is a bit behind newer software.

Pros:

Very good at handling nonstandard login pages such as two-page logins or multiple passwords

Started as a form filler, so it handles that task better than almost any other password manager

Can also save names and addresses for your contacts and automatically fill them in when shipping to them

Handles applications as well as websites. In Windows, it will even automatically launch the application from within RoboForm

Cons:

The UI is something of a mess, and you have to log into RoboForm online to access some features, rather than using the app

Has a function that actively encourages password reuse by allowing you to fill in your favorite user ID and password

Default password strength is less than other password managers, but it can be increased

Very limited two-factor authentication

Zoho Vault

Zoho Vault is most useful for people who take their laptop to work or bring their work home. Its key feature lets you have separate work and personal master passwords and vaults.

Pros:

Has a really good password strength reporting

The free edition is available

Lets admin get to work passwords in an emergency — without exposing personal passwords

Imports from the most popular password managers

Cons:

Does not support unusual browsers

Does not support two-page logins

No form filling ability

Cheaper than most paid password managers

Does not import from in-browser password managers

Password capture is not always reliable

Tech support is not available on weekends

Sticky Password

Sticky Password is made by the former AVG executives. It’s known for supporting a wide variety of browsers.

Pros:

Supports offbeat browsers such as SeaMonkey and Pale Moon

Intuitive navigation, especially on mobile

Has secure local sync over WiFi

Good with oddball logins such as multi-page

Handles application passwords

Part of your payment goes to help protect manatees because their mascot is a manatee

Supports password sharing

Cons:

The free version does not sync across devices but has a manual export and import, which can work

Requires a separate authenticator app for two-factor authentication

Does not do a full password audit

True Key by Intel Security (soon to be True Key by McAfee)

True Key has more emphasis on multi-factor authentication than other managers. It’s highly secure but lacks some of the features of its competitors.

Pros:

The paid version is affordable

Easy setup

Highly secure multi-factor authentication, including requiring a second device

Easy to go password free

Cons:

The free version limits you to 15 passwords. Does anyone have less than 15 passwords anymore?

Does not support Safari on Mac

Has been known to fail to capture popular sites and has no easy workaround

No password strength report

No secure sharing

F-Secure KEY

F-Secure KEY handles the basic password manager tasks well but lacks advanced features and charges for syncing.

Pros:

Good interface

Handles application passwords

No way to reset the master password, but you can make a recovery QR code and store it somewhere safe

Creates the longest default password

Cons:

It tells you — or a snoop — the moment you type the old password into the password change field. This could make guessing passwords a lot faster

No password capture – you have to enter the username and password manually

You can’t organize your password entries

Does not support Safari on the Mac

Avast Passwords

Created by the anti-virus company Avast, this is a completely free password manager. However, the Windows version is only available built into Avast.

Pros:

Almost completely free – the only features they charge for are one-touch login and alerting on compromised passwords

The paid version is very affordable

Integrates with antivirus on Windows

One-touch login, allowing you to log in on Windows by tapping your phone

Easy to find saved credentials

Can alert on duplicate or compromised passwords

Allows for a different master password on each device

Encrypts credentials locally

Cons:

Basic compared with its competitors

Browser extension only allows you to open the vault, fill credentials and save and generate passwords

Need to install all browser extensions manually

Need an Avast account to access syncing

The PC version vault can only be automatically locked twice a day

Tech support is by email only

Bitwarden

Bitwarden is a relatively new open-source password manager, which works on multiple devices.

Pros:

Open source

Audited by Cure53

Simple sync across devices and browsers

Firefox add-on for desktop and mobile

Passwords stored encrypted

Works on all devices

Easy setup

Chrome plugin

FIDO U2F support

Cons:

It’s fairly new so doesn’t offer a lot of features

No passphrase generator

Doesn’t ask to save updated passwords

Tech support is by email only

Our Final Thought on Password Managers

There are other password managers available, but they are generally more obscure and thus not covered in this guide.

Again, there is no one “best” password manager. The best choice depends on the devices you use and what you need. Some offer higher security than others and may be priced for features you require. The key is to find the right software for you, and hopefully, this guide helped you at least narrow down your decision.


Still have an aching question about password managers? Drop us a line in the comment section!