Everyone Needs a Password Manager
With password breaches in the news just about every day, you might think there’s no point in worrying about using strong, unique passwords for every site. You’d be wrong. If you’re using the same password on multiple sites, one breach could expose many of your accounts. And sometimes the breach doesn’t capture the passwords themselves, only the verification hash. Hackers run thousands of common passwords against those verification hashes—if they get a match, your password is toast. To do passwords right, you need help, because there’s no way you can remember a password like g5F*’a-K3+?D^”A8 for every single website. You need a password manager.
What’s that you say? You can’t afford to buy yet another security tool? In truth, you can’t afford not to. The potential hit, financial and otherwise, that could result from using weak passwords could cost you plenty. Never fear. Quite a few password managers cost precisely nothing, and some of them come close to the best paid password managers.
Your typical password manager integrates with the browser and captures the username and password when you log in to a secure site. Occasionally, you’ll find one that doesn’t automate password capture and replay, but these may have other virtues, such as filling in passwords for secure applications, not just webpages.
The best password managers capture your credentials during account creation; when you change your password online, they offer to update the stored password for that site. Of course, password capture only works if the password manager recognizes that you’re logging in to a secure site, so non-standard login pages can cause trouble. Some products cleverly solve this problem by letting you manually capture all data fields on a page. Others actively analyze popular secure sites whose login pages don’t fit the norm, creating scripts to handle each site’s oddball login process.
When you revisit a site for which you’ve saved credentials, most password managers automatically fill the saved data, offering a menu if you’ve saved more than one set of credentials. Another handy (and common) feature is a browser toolbar menu of available logins, so that with one click you can navigate to a site and log in. One great thing about free password managers is that you can try several and find out which one you like best. If you’re thinking of making such a survey, look for products that can import from other password managers. Otherwise, you’ll have to go through the password capture process over and over for each candidate.
The point of adding a password manager to your security arsenal is to replace your weak and duplicate passwords with strong, unguessable passwords. But where do you get those strong passwords? Most password managers can generate strong passwords for you; many let you take control of things like password length, and which character sets to use. The very best ones offer a password strength report that eases the process of identifying and fixing poor passwords. A very few can even automate the password-change process.
Filling in usernames and passwords automatically isn’t so different from filling other sorts of data in Web forms. Many commercial password managers take advantage of this similarity and thereby streamline the process of filling forms with personal data. Not many free password managers offer this feature.
When you put all of your passwords into one repository, you had better be really, really careful to protect that repository. Yes, your master password should be as strong as possible, but you really need two-factor authentication to foil any possible hack attack. Two-factor authentication could be biometric, requiring a fingerprint, facial recognition, or even voice recognition. Some password managers rely on Google Authenticator or apps that emulate Google Authenticator; others use an authentication code texted to your smartphone. Allowing access only from registered, trusted devices is yet another form of two-factor authentication.
Speaking of smartphones, many of us are just as likely to log into a secure site from a mobile device as from a desktop computer. If that describes you, look for a password manager that can sync your credentials between your desktop and the mobile devices that you use. Most password managers use encrypted cloud storage to sync between devices. A few keep your data entirely local, syncing between databases on different devices without keeping anything in the cloud.
In addition to using your passwords on multiple devices, you may find you want to share certain logins with other users. Not all free password managers support secure sharing; many of those that do allow you to share the login without making the password visible. A very few let you define an inheritor for your passwords, someone who will receive them in the event of your demise.
Free Editions of Paid Programs
If you’re willing to give up a little something, you can use many for-pay password managers for free. If you see a paid password manager with features you like, check out its conditions. You may be able to get it without paying. For example, some companies let you use all the features of their product for free if you give up syncing across multiple devices.
Another common tactic is to let you use the product for free, but limit the number of passwords you can store. The limit for free usage tends to range between about five and 15 passwords. If you can stick to that, you needn’t pay. If not, the company will happily accept your payment for upgrading to the paid edition.
The Top Free Password Managers
Our Editors’ Choice for free password manager is LastPass; LogMeOnce Password Management Suite Premium is also quite good. Both offer a breadth of features just not found in most free competition. If you’re concerned about security, you should also read our best antivirus and best VPN roundups.
Pros: Syncs passwords across Windows, macOS, Android, and iOS devices. Two-factor authentication. Actionable password strength report. Secure sharing. Password inheritance. Automatic password change.
Cons: Some new personal data types rather complex. No new interface in Opera and Internet Explorer. Some components out of date.
Bottom Line: LastPass offers advanced password management features that few free competitors offer, and it has an updated user interface. However, some of its features are a bit dated.
Pros: Syncs across Windows, macOS, Linux, iOS, and Android. Many options for authentication. Secure Wallet fills credit card data, displays card images. New, streamlined interface. Vast number of features, many of them unique.
Cons: SMS-based two-factor authentication costs money. Vast number of features may overwhelm users. Displays advertisements.
Bottom Line: The free, skillfully redesigned LogMeOnce Password Management Suite Premium boasts more features than any competitor, free or paid. But do you need all of those features?
Pros: Browser extensions for any platform. Data stored on smartphone, not cloud. Free. One-click authentication. Replaces Google Authenticator. Password strength report. Secure sharing.
Cons: Can only use one smartphone. Doesn’t fill web forms using personal data. Password strength report is iPhone-only, no Android. Not all features worked correctly in testing.
Bottom Line: The free Myki Password Manager & Authenticator stores passwords on your smartphone, not in the cloud. Its slick interface and handy authentication abilities make it an excellent option.
Pros: Outstanding authentication through facial biometrics, including liveness detection. Sync among one Android/iOS device and multiple desktops. Predefined templates for popular sites. Secure password sharing. Free!
Cons: No import from competing products. Can’t capture two sets of credentials for one site. Syncing not entirely automatic. Some important features are mobile-only. Weak password generator. No password-strength rating.
Bottom Line: Powerful biometric authentication is the star feature in 1U Password Manager. The password manager itself is pretty basic, however, and it could use some user-interface work.
Pros: Syncs passwords across all your Windows, macOS, Android, and iOS devices. Two-factor authentication. Free.
Cons: Doesn’t fill web forms. Lacks secure sharing, digital inheritance. Security status details require upgrade to paid edition.
Bottom Line: Avira Password Manager performs the basics of password management on all your devices, but it doesn’t offer form-filling, secure sharing, and other advanced features in the best competitors.
Pros: Automatic password capture, near-automatic replay. Supports many platforms. Can generate two-factor authentication codes. Secure sharing. Password audit. Cloud-based syncing.
Cons: Not free for mobile use. No support for Internet Explorer. No web form filling. No account inheritance.
Bottom Line: Enpass Password Manager handles basic password management tasks and now generate two-factor authentication codes. It can’t challenge the best free password managers, however, because it lacks abilities like web form filling and account inheritance.
Pros: Handles passwords for any website or application. Powerful, versatile password generator. Two-factor authentication. Imports from many competitors. More than100 plug-ins add features. Includes keylogger-foiling features.
Cons: Lacks automatic password capture. Password replay launched manually. Synchronizing among devices is complicated. No mobile support.
Bottom Line: KeePass 2.34 is the most configurable password manager around, but many of the convenient features we’ve come to expect are available only through third-party plug-ins.
Pros: No master password required. Phone confirmation available for login or individual sites. In testing, handled unusual logins. Mobile editions available.
Cons: Device-only authentication dangerous without enhanced device security. No import/export. No password generator. No password strength rating. No Web form filling.
Bottom Line: With no master password required, managing your passwords with oneID is extremely simple. However, its device-based authentication can be risky unless you take proper precautions.
Pros: Syncs passwords across all your Windows, iOS, and Android devices. Norton Safe Web rates website safety. Actionable password strength report. Automatic password change. Free.
Cons: Form-fill feature currently does not handle address data. Features not in sync across different platforms and browsers. No macOS support. No two-factor authentication, secure password sharing, or digital inheritance.
Bottom Line: Symantec Norton Password Manager now offers an actionable password strength report with automatic updating. The new feature set isn’t consistent across all platforms, however, and you don’t get secure sharing or digital inheritance.