Choosing a password manager

Martin Shelton

Principal Researcher

[Header image: a combination lock. Photo by Doug Focht. CC BY-NC-ND 2.0]

As password breaches become more frequent, learning how to protect online accounts is more important than ever.

Imagine if every combination lock required the same combination to unlock. To get past every lock, all you would need to do is find one person’s combination. This would be pretty flimsy protection. It sounds silly, but this is actually how most people treat their online accounts. When you reuse the same password on multiple accounts, you create a single point of failure: someone only needs that one password to get into all of them.

Password breaches happen all the time, and because hackers know you’re likely reusing passwords, they’ll try your credentials on multiple websites. The safest thing to do is use unique passwords on each website. At the same time, it feels hard to remember more than a handful of passwords. So what do you do?

This is what password managers are for.

Password managers help keep your accounts safer by generating long, unique passwords for each one, securely storing them on all of your devices, and automatically filling them in when you log in. While you will have easy access to unique passwords on every website, you only need to remember one password to unlock your password manager “vault.”

After setting up a password manager on your devices, you will be able to log into websites much more quickly and safely.

What to look for in a password manager

There are a few obvious things that password managers should offer.

Of course, a good password manager needs to be able to generate long, unique passwords. This allows you to use random characters, and customize the length of the password. For example, 1Password offers a password generator that allows you to tinker with the number of characters, digits, and symbols in a generated password. Alternatively, it can generate a series of random words.

[Screenshot: 1Password’s password generation tool, showing a login username and a generated password made of numeric characters, symbols, and upper- and lower-case letters.]
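As an added illustration of the kind of generator described above (example code written for this article, not 1Password’s or any vendor’s implementation), this draws every character uniformly from a cryptographic random source and avoids the modulo bias that a naive `byte % alphabetLength` would introduce. The symbol set and the default policy are assumptions chosen for the example.

```javascript
// Alphabets for the example; the symbol set is an assumption, not any vendor's.
const LETTERS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
const DIGITS = '0123456789';
const SYMBOLS = '!@#$%^&*()-_=+[]{};:,.?';

// Default entropy source: WebCrypto, available in browsers and recent Node.
function cryptoRandomByte() {
  return globalThis.crypto.getRandomValues(new Uint8Array(1))[0];
}

// Uniform integer in [0, n) via rejection sampling over two random bytes.
// A plain "byte % n" would favour the first characters of the alphabet.
function uniformIndex(n, randomByte) {
  const limit = 65536 - (65536 % n);
  for (;;) {
    const r = (randomByte() << 8) | randomByte();
    if (r < limit) return r % n;
  }
}

function pick(alphabet, count, randomByte) {
  const out = [];
  for (let i = 0; i < count; i++) out.push(alphabet[uniformIndex(alphabet.length, randomByte)]);
  return out;
}

// Policy: total length, and how many digits and symbols it must contain.
// randomByte is injectable so the logic can be tested deterministically.
function generatePassword({ length = 20, digits = 3, symbols = 2 } = {}, randomByte = cryptoRandomByte) {
  if (digits + symbols > length) throw new RangeError('digits + symbols exceed length');
  const chars = [
    ...pick(LETTERS, length - digits - symbols, randomByte),
    ...pick(DIGITS, digits, randomByte),
    ...pick(SYMBOLS, symbols, randomByte),
  ];
  // Fisher-Yates shuffle so the digits and symbols are not clustered at the end.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = uniformIndex(i + 1, randomByte);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}

// Counts each character class, e.g. to confirm a password meets the policy.
function countClasses(password) {
  const counts = { letters: 0, digits: 0, symbols: 0 };
  for (const ch of password) {
    if (DIGITS.includes(ch)) counts.digits++;
    else if (SYMBOLS.includes(ch)) counts.symbols++;
    else if (LETTERS.includes(ch)) counts.letters++;
  }
  return counts;
}

if (globalThis.crypto) console.log(generatePassword({ length: 20, digits: 4, symbols: 3 }));
```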

A good password manager should protect passwords from third parties. This means anyone who has access to your devices should not be able to easily access your passwords without your permission. You should be able to read your login credentials only after unlocking the secured password “vault” using your master password — the one password you need to remember to access the rest.

Likewise, the password management service itself should not be able to access your passwords. If your passwords are stored on a service that can read them (e.g., a document saved on your computer and synced with iCloud), you’re entrusting the safety of your passwords to the good will of the company, and to its legal obligations to turn over data to third parties.

Many password managers (e.g., 1Password, Dashlane, Bitwarden) have online services that allow users to keep remote copies of their password vaults. This can be helpful for keeping information synced across multiple devices, and for the assurance that you can access your vault again, in case you lose a device.

When choosing a password manager that makes remote vault backups, investigate whether they are end-to-end encrypted. This simply means that no one but you, the user, has access to the master password for the vault. If the password manager is end-to-end encrypted, the service provider can’t read any of your passwords, even if they wanted to.

Because the service provider has no way to get into your vault without your master password, this also means that they won’t be able to help you get back into your account if you forget your master password, so you really do need to remember the master password. Of course, this is a good thing because this conservative approach keeps your accounts much safer.

A good password manager also requires active development. What does this mean? The developers need to release regular software updates to improve the password manager’s features and ease-of-use. But more importantly, holes in all software are found by hackers and security researchers regularly, and you need regular security updates to stay safe.

One example of a password manager with a track record of active development is 1Password, which has promptly issued security patches, and quickly pushes new features to adapt to new hardware, such as fingerprint readers built into newer desktop devices.

Finally, one of the most important things you can do is look for password managers that have undergone, and responded to, an independent security audit. This just means that security researchers have taken a close, critical look at the code for a piece of software, and published their findings on its safety. This allows developers to learn how to improve their software, but also holds them more accountable for creating reliable and safe tools.

When choosing a password manager, first turn to your favorite search engine to look for a security audit. You can feel more confident in the safety of the software if you find an audit that is fairly recent — within the last year or two.

And ideally, a password manager should also have support for web browser extensions. These extensions provide another great defense against phishing attacks because passwords will only be filled in on the correct webpage (and not on imposter pages). Of course, finding the right password manager for you may depend on what web browsers and operating systems you use most.

Dispelling password manager myths

So you’re concerned that your password manager will give up your credentials to a fake website. A good password manager will only fill out password forms on the correct website.

Let’s say you’ve saved a password on Instagram, and later, try to automatically fill out Instagram’s login page. When the password is automatically filled out, this means the password manager recognized that you’re on Instagram.com. But if it doesn’t work, it probably means your password manager recognizes this is a different website (e.g., accounts-instagram.com) which is potentially designed to steal your credentials, and to be safe you should stop and navigate to Instagram.com yourself.
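The check described above, written as an added example for this article (not the code of 1Password, Bitwarden or any other manager): a browser extension compares the parsed hostname of the current page against the site each login was saved on, and offers nothing unless they belong to the same domain over HTTPS. The vault entries are constructed sample data, and the two-label rule for the registrable domain is a simplification noted in the comments.

```javascript
// Constructed sample vault entries; "site" is the origin the login was saved on.
const VAULT = [
  { site: 'https://www.instagram.com', username: 'reporter@example.org' },
  { site: 'https://bank.example', username: 'reporter' },
];

// Simplification: treat the last two DNS labels as the registrable domain.
// A real manager consults the Public Suffix List so that hosts under
// suffixes such as co.uk are compared correctly.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// true only when the page belongs to the same domain the login was saved on.
function shouldAutofill(savedSite, pageUrl) {
  let saved, page;
  try { saved = new URL(savedSite); page = new URL(pageUrl); } catch { return false; }
  if (page.protocol !== 'https:') return false; // never fill over plain HTTP
  // Compare parsed hostnames, never raw strings: "https://www.instagram.com@evil.example"
  // has hostname evil.example, and "accounts-instagram.com" is its own domain.
  return registrableDomain(saved.hostname) === registrableDomain(page.hostname);
}

// Usernames the extension may offer on this page; passwords are only
// released once the user picks one of them.
function loginsFor(vault, pageUrl) {
  return vault.filter(e => shouldAutofill(e.site, pageUrl)).map(e => e.username);
}

console.log(loginsFor(VAULT, 'https://www.instagram.com/accounts/login/'));
console.log(loginsFor(VAULT, 'https://accounts-instagram.com/login'));
```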

It’s also important to understand that a good password manager should not give up your credentials even if someone has your password. When done well, the encryption key needed to unlock the password vault should only work on your personal devices, and should not be accessible from an unfamiliar device.

The truth is that someone who wanted to break in would need an extraordinary level of access to get to your password manager — and if they already have this access, you have bigger problems. In other words, regular use of a password manager will nearly always make hackers’ jobs much harder.

There’s no such thing as unbreakable software, but a good password manager creates major hurdles for unwanted third parties to access your encrypted password vault.

The short version

You should look for a few characteristics when choosing a password manager:

  • A random password generator
  • A secure password-protected “vault”
  • End-to-end encryption for any remote copy of the vault
  • Active development with regular security updates
  • An audit by independent security researchers
  • Extensions for well-used web browsers
  • Support for well-used operating systems

While it’s less critical, password managers are most practical for daily use when they easily integrate into commonly-used web browsers.

The shortlist

These password managers all have the features described above:

  • 1Password ($36 annually)
  • Dashlane ($60 annually)
  • Bitwarden (Free, or $10 annually for extra features such as encrypted storage and two-factor authentication with security keys)

Previously we have recommended LastPass. We no longer recommend it due to problematic changes in the company's ownership.

We’re also fans of the free and open source KeePassXC project. There are many related projects with similar names and functionality, but KeePassXC is being actively developed and supports multiple platforms with up-to-date features. It’s also one of the few reliable password management options that allow you to keep passwords entirely offline, if you prefer not to use third party services to keep passwords syncing across devices. Just note: KeePassXC has not undergone a formal audit.

There may be other password managers that work better for your situation. Be sure to look out for our must-have features to help keep your passwords safe.

Our digital security trainers assist members of the press in getting set up with an airtight account security practice. Contact our trainers to learn more about our educational offerings.

This article was updated on February 19, 2021.
