Choosing a password manager

Martin Shelton

User Researcher

Header image: combination lock. Source: Doug Focht (CC BY-NC-ND 2.0) https://flic.kr/p/3BEauj

As password breaches become more frequent, learning how to protect online accounts is more important than ever.

Imagine if every combination lock opened with the same combination. To get past every lock, all you would need is one person’s combination. That would be flimsy protection, yet it is how most people treat their online accounts. Reusing the same password on multiple accounts creates a single point of failure: someone who learns that one password can get into all of them.

Password breaches happen all the time, and because attackers know you are probably reusing passwords, they will try leaked credentials on other websites (this is known as credential stuffing). The safest thing to do is use a unique password on each website. At the same time, it is hard to remember more than a handful of passwords. So what do you do?

This is what password managers are for.

Password managers help us keep our accounts safer by generating long, unique passwords for each one, allowing us to securely store them on all of our devices, and automatically filling them out when we log in. While we will have easy access to unique passwords on every website, we only need to remember one password to unlock our password manager “vault.”

Logging in with 1Password, a popular password management tool (animated screenshot)

After setting up a password manager on your devices, you will be able to log into websites much more quickly and safely.

What to look for in a password manager

There are a few obvious things that password managers should offer.

Of course, a good password manager needs to be able to generate long, unique passwords made of random characters, with a length you can set yourself. For example, 1Password’s generator lets us adjust the number of characters, digits, and symbols in a generated password, or generate a series of random words instead.

A 1Password password generation tool (screenshot)
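The generator described above, written out as an added example (this is illustrative code, not 1Password’s or any other product’s). It draws randomness from the operating system’s cryptographic generator via Python’s secrets module (the random module is not suitable for passwords), enforces a minimum number of digits and symbols, and offers a random-word passphrase. The word list is a constructed stand-in for a real diceware list of several thousand words; the entropy helper assumes every position is drawn independently from the full alphabet, so it is an upper bound.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"          # 24 symbols
FULL_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 86 characters

# Constructed, deliberately tiny word list; a real passphrase generator
# uses a published list of thousands of words (e.g. EFF's diceware lists).
WORDLIST = [
    "amber", "basket", "canyon", "dagger", "ember", "falcon", "garnet",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper",
]


def generate_password(length=20, min_digits=2, min_symbols=2):
    """Random password of `length` chars containing at least
    `min_digits` digits and `min_symbols` symbols."""
    if min_digits + min_symbols > length:
        raise ValueError("length too small for the requested digits/symbols")
    chars = [secrets.choice(DIGITS) for _ in range(min_digits)]
    chars += [secrets.choice(SYMBOLS) for _ in range(min_symbols)]
    chars += [secrets.choice(FULL_ALPHABET) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG so the forced digits/symbols are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def generate_passphrase(words=5, wordlist=WORDLIST, sep="-"):
    """Random words joined by `sep`; each word is an independent draw."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices_per_position, positions):
    """Upper bound on entropy: log2(N ** k) = k * log2(N)."""
    return positions * math.log2(choices_per_position)


if __name__ == "__main__":
    print(generate_password(20))
    print(generate_passphrase(5))
    print("20 chars from full alphabet:", round(entropy_bits(len(FULL_ALPHABET), 20), 1), "bits")
    print("5 words from a 7776-word list:", round(entropy_bits(7776, 5), 1), "bits")
```

The entropy helper makes the length trade-off concrete: five words from a 7776-word diceware list give about 64.6 bits, while 20 characters from the 86-character alphabet give about 128.5 bits, which is why the generated-password mode can afford to be shorter than a passphrase of comparable strength only when it uses the full symbol set.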

A good password manager should protect passwords from third parties. This means anyone with physical or remote access to our devices should not be able to read our passwords without our permission: the vault should be encrypted on disk, and we should be able to read our login credentials only after unlocking it with our master password — the one password we need to remember to access the rest.

Likewise, the password management service itself should not be able to read our passwords. If your passwords are stored somewhere the service can read them (for example, a plain document on your computer synced with iCloud), you are trusting the safety of your passwords to the company’s goodwill, the security of its own systems, and its legal obligations to turn over data to third parties.

Many password managers (e.g., LastPass, 1Password, Dashlane) have online services that let users keep remote copies of their password vaults. This is helpful for keeping information synced across multiple devices, and for the assurance that we can get our vault back if we lose a device.

When choosing a password manager that makes remote vault backups, investigate whether the vault is end-to-end encrypted. This means the vault is encrypted on your own device with a key derived from your master password, and only you hold that password: the service stores and syncs ciphertext it cannot decrypt, so the provider can’t read any of our passwords, even if it wanted to.

Because the service provider has no way into your vault without your master password, it also cannot help you get back in if you forget that password, so you really do need to remember it. This is the right trade-off: a provider that could reset your master password could also read your vault.

A good password manager also requires active development. What does this mean? The developers need to release regular software updates to improve the password manager’s features and ease of use. More importantly, vulnerabilities are found in all software by hackers and security researchers, and we need prompt security updates to stay safe.

One example of a password manager with a track record of active development is LastPass, which has promptly issued security patches, and provided details about their decision-making after learning about vulnerabilities, particularly over their blog.

Finally, one of the most important things we can do is look for password managers that have undergone, and responded to, an independent security audit. This means that outside security researchers have taken a close, critical look at the software’s code and published their findings on its safety. This lets the developers learn how to improve their software, and it also holds them accountable for building reliable, safe tools.

When choosing a password manager, first turn to your favorite search engine to look for a security audit. We can feel more confident in the safety of the software if the audit is fairly recent — within the last year or two — and if the developer published a response saying which findings were fixed.

And ideally, a password manager should also support web browser extensions. These provide another strong defense against phishing, because passwords will only be filled on the website they were saved for, not on imposter pages. Of course, finding the right password manager for you may depend on which web browsers and operating systems you use most.

Dispelling password manager myths

So you’re concerned that your password manager will give up your credentials to a fake website. A good password manager will only fill out password forms on the correct website.

Let’s say you’ve saved a password for Instagram, and later you try to automatically fill in Instagram’s login page. If the password fills in, the password manager has recognized that you’re on instagram.com. If it doesn’t, your password manager has probably recognized that this is a different website designed to steal your credentials (e.g., a lookalike address such as accounts-instagram.com). Don’t work around it by copying the password in by hand; to be safe, stop and navigate to instagram.com yourself.
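The decision the text describes, as an added example (not any password manager’s actual code): before filling, compare the site the credential was saved for with the page you are on. This version fills only over HTTPS, and treats two hosts as the same site when their registrable domain (eTLD+1) matches, so login.instagram.com is accepted for a credential saved on www.instagram.com while accounts-instagram.com and instagram.com.evil.net are not. Real password managers resolve the registrable domain with the full Public Suffix List; the tiny suffix set here is a constructed stand-in, and whether subdomains should match at all is a policy choice that some managers make stricter (exact host only).

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List. A real implementation
# loads the published list (thousands of entries such as "co.uk").
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host):
    """Return the eTLD+1 for host, e.g. 'login.instagram.com' -> 'instagram.com',
    or None if host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so "co.uk"
    # wins over "uk" for "www.bbc.co.uk".
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def should_autofill(saved_url, page_url):
    """Decide whether a credential saved for saved_url may be filled on page_url."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme != "https":
        return False          # never hand a saved password to a plaintext page
    if not saved.hostname or not page.hostname:
        return False
    if page.hostname.lower() == saved.hostname.lower():
        return True           # exact host match
    # Policy choice: accept sibling subdomains of the same registrable domain.
    saved_site = registrable_domain(saved.hostname)
    page_site = registrable_domain(page.hostname)
    return saved_site is not None and saved_site == page_site


if __name__ == "__main__":
    saved = "https://www.instagram.com/accounts/login/"
    for candidate in [
        "https://www.instagram.com/accounts/login/",
        "https://login.instagram.com/",
        "https://accounts-instagram.com/login",      # lookalike registrable domain
        "https://www.instagram.com.evil.net/login",  # real name buried in a subdomain
        "http://www.instagram.com/",                 # same host, no TLS
    ]:
        print(f"{candidate:50} fill={should_autofill(saved, candidate)}")
```

Note the fourth case: a phishing page can put the real brand anywhere in its hostname, which is exactly why the comparison must be made against the registrable domain rather than by checking whether the page’s hostname contains “instagram.com”.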

It’s also important to understand that a good password manager should not give up your credentials even if someone learns your master password. When done well, the encryption key needed to unlock the vault should only be reproducible on your own enrolled devices, and should not be obtainable from an unfamiliar device. Some managers achieve this by combining the master password with a second, high-entropy secret key that is stored only on your devices, so the master password alone is not enough.

The truth is that someone who wanted to break in would need an extraordinary level of access to get to your password manager — and if they already have this access, you have bigger problems. In other words, regular use of a password manager will nearly always make hackers’ jobs much harder.
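One way to build the device-bound unlock described above, as an added example (this is an illustration of the design, not any product’s code): the vault key is derived from the master password and a 32-byte secret key that is generated when a device is enrolled and never sent to the sync server. The server keeps only a salt and a key-check value (an HMAC of a fixed string under the derived key), which lets a client detect a wrong password without revealing the key. The choice of scrypt for key derivation and of an HMAC key-check value are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets

KEY_LEN = 32


def derive_vault_key(master_password, device_secret_key, salt):
    """Derive the vault key from BOTH secrets; change either and the key changes."""
    material = master_password.encode("utf-8") + b"\x00" + device_secret_key
    # scrypt parameters are illustrative; production values are tuned per device.
    return hashlib.scrypt(material, salt=salt, n=2 ** 14, r=8, p=1, dklen=KEY_LEN)


def key_check_value(key):
    """Fixed-string MAC under the key: verifies the key without exposing it."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def enroll(master_password):
    """Set up a new device. Returns (device secret, record a sync server may hold)."""
    device_secret_key = secrets.token_bytes(KEY_LEN)  # stays on the device only
    salt = os.urandom(16)
    key = derive_vault_key(master_password, device_secret_key, salt)
    server_record = {"salt": salt, "kcv": key_check_value(key)}
    return device_secret_key, server_record


def unlock(master_password, device_secret_key, server_record):
    """Return the vault key, or None if the password/device-secret pair is wrong."""
    key = derive_vault_key(master_password, device_secret_key, server_record["salt"])
    if not hmac.compare_digest(key_check_value(key), server_record["kcv"]):
        return None
    return key


if __name__ == "__main__":
    secret, record = enroll("correct horse battery staple")
    print("enrolled device unlocks:", unlock("correct horse battery staple", secret, record) is not None)
    print("wrong password unlocks:", unlock("wrong password", secret, record) is not None)
    # An attacker who phished the master password but has no enrolled device:
    print("stranger with password only:", unlock("correct horse battery staple", bytes(KEY_LEN), record) is not None)
```

The last case is the point of the design: the server record plus the master password is still not enough, because the 256-bit device secret is missing, and scrypt makes offline guessing of the password costly even for an attacker who has stolen the record.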

There’s no such thing as unbreakable software, but a good password manager creates major hurdles for unwanted third parties to access your encrypted password vault.

The short version

In short, we need to look for a few characteristics when choosing a password manager:

  • A random password generator

  • A secure password-protected “vault”

  • End-to-end encrypted

  • Under active development

  • Audited by independent researchers

  • Should support extensions for well-used browsers

  • Should support well-used operating systems

While it’s less critical, password managers are most practical for daily use when they easily integrate into commonly-used web browsers and operating systems, and can securely sync password databases across devices.

The shortlist

These three password managers all have the features described above:

  • 1Password ($36 annually)

  • LastPass (Free, or $24 annually for extra features, such as password sharing and encrypted file storage)

  • Dashlane ($60 annually)

We’re also fans of the free and open source KeePassXC project. There are many related projects with similar names and functionality, but KeePassXC is actively developed and supports multiple platforms with up-to-date features. It’s also one of the few reliable password management options that let you keep passwords entirely offline, if you prefer not to rely on third-party services to sync passwords across devices. Just note: KeePassXC has not undergone a formal audit.

There may be other password managers that work better for your situation. Be sure to look out for our must-have features to help keep your passwords safe.

Our digital security trainers assist members of the press in getting set up with an airtight account security practice. Contact our trainers to learn more about our educational offerings.
