Choosing a password manager

Martin Shelton

Principal Researcher

Combination lock header

Photo by Doug Focht. CC BY-NC-ND 2.0

As password breaches become more frequent, learning how to protect online accounts is more important than ever.

Imagine if every combination lock required the same combination to open it. To get past every lock, all you would need to do is find the one combination. This would be pretty flimsy protection. It sounds silly, but this is actually how most people treat their online accounts. When you reuse the same password on multiple accounts, you are creating a single point of failure in locking down your accounts.

Password breaches happen all the time, and because hackers know you’re likely reusing passwords, they’ll try your credentials on multiple websites. The safest thing to do is use unique passwords on each website. At the same time, it feels hard to remember more than a handful of passwords. So what do you do?

This is what password managers are for.

Password managers help keep your accounts safer by generating a long, unique password for each one, then automatically filling in that password when you log in. You keep easy access to those unique passwords on every website, but you only need to remember the one password that unlocks your password manager “vault.”

After setting up a password manager on your devices, you’ll be able to log into websites much more quickly and safely.

What to look for in a password manager

Of course, a good password manager needs to be able to generate long, unique passwords. It should draw the characters at random and let you choose the length and which character classes to include. For example, 1Password’s password generator lets you tinker with the number of characters, digits and symbols in a generated password. Alternatively, it can generate a passphrase: a series of random words, which is easier to type and to read out when you have to enter it by hand.

A screenshot of the interface for generating a randomized password within 1Password, showing both the login username and a randomized password containing numeric characters, symbols, and upper- and lowercase letters.

A 1Password password generation tool
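To make the generator requirements concrete, here is an added example (not code from the article or from 1Password) of what “random” should mean: characters are drawn with the operating system’s cryptographic random source via Python’s `secrets` module, the caller picks the length and the character classes, and a passphrase mode picks words from a list. The word list embedded below is constructed for illustration and is far too small for real use; a real generator would use a large published list such as the EFF long list, whose size (7,776 words) is used in the entropy estimate.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"

# Constructed word list for illustration only; a real passphrase generator
# draws from a large published list such as the EFF long list (7,776 words).
WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yellow", "zipper",
]


def charset_size(digits=True, symbols=True):
    """Number of distinct characters the generator can pick from."""
    size = len(LOWER) + len(UPPER)
    if digits:
        size += len(DIGITS)
    if symbols:
        size += len(SYMBOLS)
    return size


def generate_password(length=20, digits=True, symbols=True):
    """Return a random password of `length` characters, drawn uniformly from the
    enabled classes and guaranteed to contain at least one character of each."""
    if length < 4:
        raise ValueError("length too short to satisfy the class requirements")
    classes = [LOWER, UPPER]
    if digits:
        classes.append(DIGITS)
    if symbols:
        classes.append(SYMBOLS)
    alphabet = "".join(classes)
    while True:
        # secrets.choice uses the OS CSPRNG; random.choice would be predictable.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the distribution uniform over valid passwords.
        # "Pick one of each class, then shuffle" is a common shortcut that skews it.
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def generate_passphrase(words=6, separator="-", wordlist=WORDS):
    """Return `words` random words from `wordlist`, joined by `separator`."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, picks):
    """Approximate bits of entropy for `picks` independent uniform draws from
    `choices` options (an upper bound for the class-constrained generator)."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"~{entropy_bits(charset_size(), 20):.0f} bits")
    pp = generate_passphrase(6)
    print(pp, f"~{entropy_bits(len(WORDS), 6):.1f} bits with this tiny list; "
              f"~{entropy_bits(7776, 6):.1f} bits with the EFF long list")
```

The two entropy figures make the point the article is driving at: six words from a 7,776-word list give about the same strength as a 13-character password from the full character set, so passphrases are not a weaker option, provided the list is large and the words are chosen by the machine rather than by you.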

A good password manager should protect passwords from third parties. This means anyone who has access to your devices should not be able to easily access your passwords without your permission. You should be able to read your login credentials only after unlocking the secured password “vault” using your master password — the one password you need to remember to access the rest.

Likewise, the password management service itself should not be able to read your passwords. If your passwords sit somewhere the service can read them, such as a document on your computer that syncs to iCloud, you are trusting both the company’s good will and the way it handles legal demands to hand over data to third parties.

Many password managers (1Password, Dashlane, Bitwarden) have online services that allow users to keep remote copies of their password vaults. This can be helpful for keeping information synced across multiple devices, and for the assurance that you can access your vault again if you lose a device.

When choosing a password manager that keeps remote copies of your vault, investigate whether it is end-to-end encrypted. This means the vault is encrypted on your own device with a key derived from your master password, and only the encrypted copy is uploaded; the service never receives the master password or the key. If the password manager is end-to-end encrypted, the service provider can’t read any of your passwords, even if it wanted to.

Because the service provider has no way to get into your vault without your master password, this also means that they won’t be able to help you get back into your account if you forget it. So you really do need to remember the master password, and it is worth writing it down and keeping that paper somewhere physically secure.
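The following added example (not code from the article or from any of the products it mentions) shows what end-to-end encryption of a vault looks like at the smallest scale, and why the provider cannot help with a forgotten master password. The master password is stretched with scrypt into three independent keys: one encrypts the vault, one authenticates it, and one serves as a login verifier that is the only thing the service ever sees. HMAC-SHA256 in counter mode is used as the keystream so the example runs with the Python standard library alone; that is a labelled stand-in, and a real product would use an authenticated cipher such as AES-GCM or XChaCha20-Poly1305. The vault contents are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Deliberately slow parameters: each guess at the master password costs this much.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def derive_keys(master_password, salt):
    """Stretch the master password into three independent 32-byte keys:
    (enc_key, mac_key, login_verifier). Only the verifier leaves the device."""
    dk = hashlib.scrypt(master_password.encode(), salt=salt, dklen=96, **SCRYPT_PARAMS)
    return dk[:32], dk[32:64], dk[64:]


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream. This is a stand-in for a
    # real cipher so the example needs only the standard library.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


def seal_vault(master_password, vault):
    """Encrypt `vault` (a dict) on the client. The returned blob is what the sync
    service stores; it holds no key material and no plaintext."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key, verifier = derive_keys(master_password, salt)
    plaintext = json.dumps(vault).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC: the tag covers the nonce and ciphertext.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext,
            "tag": tag, "login_verifier": verifier}


def open_vault(master_password, blob):
    """Decrypt on the client. Returns the vault dict, or None when the master
    password is wrong or the blob has been tampered with."""
    enc_key, mac_key, _ = derive_keys(master_password, blob["salt"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    keystream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return json.loads(_xor(blob["ciphertext"], keystream))


def server_can_login(blob, presented_verifier):
    """Everything the service can do: compare a presented verifier with the stored
    one. The verifier is independent of enc_key, so it cannot decrypt the vault,
    and the service has nothing it could 'reset' to let you back in."""
    return hmac.compare_digest(blob["login_verifier"], presented_verifier)


if __name__ == "__main__":
    sample = {"example.com": {"user": "alice", "password": "correct horse"}}  # constructed
    stored = seal_vault("a long master password", sample)
    print(open_vault("a long master password", stored))
    print(open_vault("wrong guess", stored))
```

Real services do the login step with a password-authenticated key exchange rather than sending a verifier, and 1Password additionally mixes a device-held Secret Key into the derivation, but the shape is the same: the server stores salt, nonce, ciphertext and a tag, and nothing it stores lets it, or an attacker who copies its database, recover your passwords without first guessing the master password.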

A good password manager also needs to be under active development. What does this mean? Regular releases improve the password manager’s features and ease-of-use, and, more importantly, security fixes ship quickly when a vulnerability is found in the software.

One example of a password manager with a track record of active development is 1Password, which has promptly issued security patches and pushed new features to adapt to new hardware, such as the fingerprint readers built into newer desktop devices.

Finally, one of the most important things you can do is look for password managers that have undergone, and responded to, an independent security audit. This means that outside security researchers have taken a close, critical look at the software’s code and design and published their findings on its safety. This allows developers to learn how to improve their software, and also holds them more accountable for creating reliable and safe tools.

When choosing a password manager, first turn to your favorite search engine to look for a security audit. You can feel more confident in the safety of the software if you find an audit that is fairly recent (within the last year or two) and the developer has published what it changed in response to the findings.

Ideally, a password manager should also have support for web browser extensions. These give you another strong defense against phishing: the extension fills a saved password only when the domain of the page you are on matches the domain the login was saved for, so an imposter page at a look-alike address gets nothing. This protection only works if you let the extension do the filling rather than copying and pasting passwords by hand.

Dispelling password manager myths

You may be concerned that your password manager will give up your credentials to a fake website. But a good password manager will only fill out login forms on the website the credentials were saved for. If it refuses to offer a password on a page where you expected one, treat that as a warning sign and check the address bar before typing anything.
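Here is an added example (not code from the article or from any browser extension) of the matching rule behind the phishing defense described above: before offering a saved login, compare the host of the page you are on against the host the login was saved for, and refuse anything else, including look-alike suffixes, typosquats, punycode homographs and plain-HTTP copies of a site. The vault entries and the hostnames are constructed for the example. A production extension also consults the Public Suffix List so that, for instance, a login saved for one `github.io` site does not match every other `github.io` site; this version omits that step.

```python
from urllib.parse import urlsplit

# Constructed vault entries: each login is tied to the site it was saved for.
VAULT = {
    "https://accounts.example.com/login": {"user": "alice", "password": "p1"},
    "https://bank.example": {"user": "alice", "password": "p2"},
}


def _host(url):
    """Normalized hostname for an https URL, or None if the URL is not https."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    # urlsplit lowercases the hostname; strip a trailing dot (FQDN form).
    return parts.hostname.rstrip(".")


def should_fill(saved_url, current_url):
    """Fill only when the current page's host is the saved host or a subdomain
    of it. Anything else, including hosts that merely *start* with the saved
    host (accounts.example.com.evil.test) or merely resemble it, is refused."""
    saved, current = _host(saved_url), _host(current_url)
    if saved is None or current is None:
        return False
    return current == saved or current.endswith("." + saved)


def credentials_for(current_url, vault=VAULT):
    """Return the credentials the extension would offer on `current_url`, or None."""
    for saved_url, creds in vault.items():
        if should_fill(saved_url, current_url):
            return creds
    return None


if __name__ == "__main__":
    for url in ["https://accounts.example.com/login",
                "https://accounts.example.com.evil.test/login",   # look-alike suffix
                "https://accounts-example.com/login",             # typosquat
                "http://accounts.example.com/login"]:             # no TLS
        print(url, "->", credentials_for(url))
```

The `endswith("." + saved)` check is what lets a login saved for `example.com` work on `sso.example.com`; it is also why the Public Suffix List matters, because without it a login saved for a shared parent domain would be offered to every tenant under it.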

It’s also important to understand that a good password manager should not give up your credentials just because someone has learned your master password. Done well, unlocking the vault from a device you have never used requires more than that password: some managers combine it with a second secret that exists only on your enrolled devices (1Password’s Secret Key is one example), and most can require a second factor before a new device is trusted. Either way, a stolen master password alone should not be enough from an unfamiliar device.

The truth is that someone who wants to break in would need an extraordinary level of access to get to your password manager — and if they already have this access, you have bigger problems.

There’s no such thing as unbreakable software, but a good password manager creates major hurdles for unwanted third parties to access your encrypted password vault.

The short version

You should look for a few characteristics when choosing a password manager:

  • A random password generator
  • A secure password-protected “vault”
  • End-to-end encrypted
  • Under active development
  • Audited by independent researchers
  • Supports extensions for well-used browsers
  • Supports well-used operating systems

These password managers all have the features described above:

We’re also fans of the free and open source KeePassXC project. There are many related projects with similar names and functionality, but KeePassXC is being actively developed and supports multiple platforms with up-to-date features. It’s also one of the few reliable password management options that allow you to keep passwords entirely offline, if you prefer not to use third party services to keep passwords syncing across devices. Just note: KeePassXC has not undergone a formal audit.

Our digital security trainers assist members of the press in getting set up with an airtight account security practice. Contact our trainers to learn more about our educational offerings.

This article was updated on November 17, 2022.
