One of the smartest moves you can make to protect yourself online is to use a password manager. It’s one of the easiest, too. We’ll help you find the best password manager for you.
A properly designed password manager is an excellent first step in securing your online identity. It can create a unique strong password for every account and application, without requiring you to memorize or write down these random strings of characters. These strong passwords help shield against traditional password attacks such as dictionary, rainbow-table and brute-force attacks, and a password manager makes them convenient to use even if you don’t have a photographic memory.
Some top password managers store your credentials locally, while others rely on cloud services for storage and synchronization. Others take a hybrid approach. Some of the options using local storage (such as KeePass) still support synchronization through Dropbox or other storage services. Deciding which password manager is best for you will come down to features and ease of use, as well as to whether you’re comfortable using a cloud-based password manager that stores your passwords on the internet.
Keep in mind that while the majority of the options listed here store your password data in the cloud, none of them store that password data (or even transmit it in most cases) without first encrypting it using advanced encryption methods and the master password you define. This means that the password management provider couldn’t easily decrypt your data even if it wanted to. In fact, consider the process for most online services when you forget a password. In many cases you can simply reset your account password by entering your email address, clicking the link you receive, and potentially answering a security question or validating a CAPTCHA field.
With the online services listed here, account recovery after a forgotten master password is in many cases impossible, and in a few cases can be accomplished only by using a device that already contains a local version of your password vault. This is due to the architecture involved in encrypting and decrypting your data: it can only be done with your master password, so if the master password is changed, all that data must be decrypted using your old password and re-encrypted using the new one. If you’ve forgotten your old password, this process cannot occur.
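The architecture described above, as an added sketch that is not taken from any of the products reviewed here: the vault key is derived from the master password, the stored blob contains neither password nor key, and a password change has to decrypt with the old password before re-encrypting. Function names, the PBKDF2 work factor and the stdlib-only HMAC keystream (a stand-in for the vetted authenticated cipher a real product uses) are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example

def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key."""
    k = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=64)
    return k[:32], k[32:]

def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode. Real vaults use a vetted AEAD.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_vault(master_password: str, plaintext: bytes) -> dict:
    """What the service stores: salt, nonce, ciphertext, tag. No password, no key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ct = _xor_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault(master_password: str, blob: dict) -> bytes:
    enc_key, mac_key = derive_keys(master_password, blob["salt"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong master password or corrupted vault")
    return _xor_keystream(enc_key, blob["nonce"], blob["ct"])

def change_master_password(old: str, new: str, blob: dict) -> dict:
    """Decrypt with the old password, re-encrypt with the new one."""
    return seal_vault(new, open_vault(old, blob))

if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    vault = seal_vault("correct horse battery staple", b"example.com: hunter2")
    vault = change_master_password("correct horse battery staple", "new passphrase", vault)
    print(open_vault("new passphrase", vault))
    try:
        change_master_password("forgotten?", "another", vault)
    except ValueError as err:
        print("recovery impossible:", err)
```

Without the old master password, `change_master_password` fails at the decrypt step, which is why a provider that never holds the password cannot offer an email-link reset.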
In my judgment, KeePass is the best of the options using local storage. KeePass is free and open source, and with the right combination of plug-ins, it can be made to do almost anything you could require of a password manager. Among the cloud options, I’m split: I like LastPass for its low cost and its consistent implementation of features across all of the clients, but Dashlane has a slightly more aggressive approach to security.
Each LastPass client I tested was easy to work with, stable and remarkably uniform from a usability perspective. Plus, a LastPass Free account includes features like synchronization, sharing and multi-factor authentication that competitors only offer with premium plans, making it an extremely compelling option.
One feature that could make a big difference in your decision between LastPass and Dashlane involves your family. Many of us have a spouse, kids, or elderly family members with whom we need to be able to securely share account credentials, or in some cases even manage their accounts. Both Dashlane and LastPass have excellent options for families: LastPass Families for $4 a month (total, billed annually) for up to six users and Dashlane Business for $4 each month (per user, billed annually). The difference really comes down to cost and personal preference, as both offerings are solid.
One of these products offers a middle path that may appeal to some users. 1Password combines the security benefits of offline vault storage with the convenience of full synchronization through an online service. With 1Password you can choose to synchronize most of your credentials using the cloud service while selectively opting to store certain information offline or to synchronize through an alternative such as Dropbox.
Really, you can’t go wrong with any of these password managers. Along with the six full-featured options I focus on below, there are even a few other tools you might consider.
The best password managers
- Keeper Security
1Password is the brainchild of AgileBits, a long-time developer on MacOS, though 1Password runs on multiple platforms including Mac, Windows, iOS and Android.
1Password has long supported the use of a local file to store encrypted passwords, and now offers synchronization, monitoring and other benefits through its cloud service. 1Password also supports synchronization of password vaults using Dropbox (all platforms) or iCloud (MacOS and iOS only). If you would prefer not to use the cloud for password synchronization and you’re comfortable going through the setup process, 1Password can also synchronize password vaults from a MacOS computer to iOS and Android clients via Wi-Fi.
Because a 1Password vault is contained in a single file, you can control how individual vaults, and therefore passwords, are managed. A downside to vault management with a 1Password account is that new vaults can be created only through the web app, which caused some confusion for me in testing.
For those who want to share passwords securely, 1Password offers a family account that allows you to selectively share password vaults with other members, and even control which members can make changes to passwords. 1Password also allows you to use the family account’s secure storage to share sensitive documents among members. Each member can create and manage their own password vaults and accounts in addition to gaining access to shared vaults. Unfortunately, sharing vaults is limited to family or team accounts. You can’t simply share with another individual with a 1Password account.
1Password provides a number of different tools that analyze your passwords and the services they secure to identify potential vulnerabilities. The 1Password Watchtower service keeps track of compromised websites and services that could impact your personal security and alerts you to change your passwords or to be on the lookout for potential problems. Tools like Security Audit can help you identify weak passwords in order to strengthen your critical accounts. You also have the ability to put your account into travel mode, which can be leveraged to automatically remove sensitive vaults from your devices when you travel.
The security features behind 1Password include the use of a secret key, which is a random string of characters generated when you initially create your 1Password account. This secret key, which is not recoverable by 1Password, is used to secure your account and each client. 1Password does offer the ability to easily authenticate a new client using a QR code. Two-factor authentication (2FA) is available but limited to one-time passwords. Both the iOS and Android clients support authentication using the fingerprint reader on your device.
You have several options for getting started using 1Password. Each of the 1Password clients for Windows, MacOS, iOS and Android is free. An account is required only if you are going to use the 1Password service for synchronization. A basic 1Password account costs $2.99 per month with an annual commitment, while 1Password Families costs $4.99 per month (billed annually) for up to five users.
Dashlane is another password manager that straddles the line between cloud service and local password manager in an attempt to answer every security concern. You can store your password database on Dashlane’s servers and take advantage of synchronization across devices, or you can store your password vault locally and forgo synchronization. It’s your choice. If you store your password database in Dashlane’s cloud, your master password remains with you only. Rather than storing a hash of the master password on its servers, Dashlane only uses your password to encrypt and decrypt the data on your local device.
Authentication is performed against devices that are registered with Dashlane through a two-step process, incorporating your master password and a device registration code sent via email.
Two pricing tiers are offered for Dashlane users. A free account allows you to manage up to 50 passwords through a single device of your choice. Premium accounts, which cost $4.99 per month, let you synchronize your passwords across multiple devices, perform account backups, share more than five items, access the web app and use the Dashlane VPN service for improved privacy, and they entitle you to Dashlane’s customer support. Dashlane’s Premium Plus tier adds credit monitoring and identity theft insurance for $9.99 a month.
With Dashlane, retaining your master password is an absolute must. The company states that it is unable to perform password recovery in the event of loss, a necessary side effect of its decision not to store a copy of your password in any form. Two-factor authentication is supported through the use of time-based one-time passwords (TOTP) for free accounts, and Universal 2nd Factor (U2F) devices such as a Yubico YubiKey for premium accounts. Support for 2FA must be enabled through the Windows or Mac client.
Dashlane’s team features allow you to securely share login information with other Dashlane users. Shared items can be provided with limited rights, which restrict the ability to change permissions or reshare an item, or with full rights to the data. Dashlane also offers the ability to designate emergency contacts, making it easy to allow family or co-workers access to critical accounts or information in the event of an emergency. The data shared with an emergency contact can be fine-tuned to provide only certain information to specific contacts.
A mature open-source project (GNU GPL version 2), KeePass is a free password management solution for Windows, with ports to a host of other platforms. Many of the benefits of open-source software are prevalent in KeePass, including comprehensive language support and a robust plug-in ecosystem. With the extensibility offered by plug-ins for KeePass, you can change the encryption algorithm, automate logins through your browser, integrate an on-screen keyboard, and even create scripts you can run against the password manager.
KeePass was designed to store a local copy of the password vault. Cloud backup and support for synchronization across multiple devices are obtained through plug-ins that work with the likes of Dropbox, Google Docs, Microsoft OneDrive or even your own FTP server. A side benefit of a local password database such as KeePass is the ability for multiple users to share a database or for one user to keep multiple databases, sharing some and keeping others private.
Mobile support for KeePass is less straightforward than for the commercial options. Ports are available for iOS and Android, but the big question becomes synchronization support. Not all mobile ports support cloud synchronization, and those that do support only a subset of the cloud options. Some mobile KeePass clients carry a cost, though most are in the $1 to $2 range.
Note that a couple of web-based KeePass clients allow you to work with a key database stored on your local hard drive or a cloud storage account. KeeWeb is particularly sleek, and it’s available in native Windows, MacOS and Linux versions as well. Like KeePass, KeeWeb is itself open source.
If you’re more concerned about the security of your password vault than mobile clients and device synchronization, you’ll be pleased to know that KeePass supports multiple authentication methods by default. KeePass database files can be locked by a combination of password, key file and Windows user account. With a key file stored on removable media such as a USB thumb drive, 2FA can be used to secure access to your critical passwords.
The biggest downside to KeePass is complexity. Getting all the advanced functionality offered by the competition will require quite a bit of research, setup and maintenance. Heck, you even have several options for multifactor authentication, but you’re largely on your own to get it working. While KeePass is a great solution for fans of free, open-source software and maximum flexibility, it is certainly not as straightforward as some of the cloud-based services and hybrid solutions listed here.