Password managers are the vegetables of the internet. We know they’re good for us, but most of us are happier snacking on the password equivalent of junk food. For seven years running that’s been “123456” and “password”—the two most commonly used passwords on the web. The problem is, most of us don’t know what makes a good password and aren’t able to remember hundreds of them anyway.
Now that so many people are working from home, outside the office intranet, the number of passwords you need may have significantly increased. The safest (if craziest) way to store them is to memorize them all. (Make sure they are long, strong, and secure!) Just kidding. That might work for Memory Grand Master Ed Cooke, but most of us are not capable of such fantastic feats. We need to offload that work to password managers, which offer secure vaults that can stand in for our memory.
A password manager offers convenience and, more important, helps you create better passwords, which makes your online existence less vulnerable to password-based attacks. Read our guide to VPN providers for more ideas on how you can upgrade your security, as well as our guide to backing up your data to make sure you don’t lose anything if the unexpected happens.
Updated August 2022: We’ve updated pricing throughout and added some notes about the FIDO Alliance’s efforts to get rid of the password, and why we no longer feature LastPass.
Special offer for Gear readers: Get a 1-year subscription to WIRED for $5 ($25 off). This includes unlimited access to WIRED.com and our print magazine (if you’d like). Subscriptions help fund the work we do every day.
Why Not Use Your Browser?
Most web browsers offer at least a rudimentary password manager. (This is where your passwords are stored when Google Chrome or Mozilla Firefox ask if you’d like to save a password.) This is better than reusing the same password everywhere, but browser-based password managers are limited.
The reason security experts recommend you use a dedicated password manager comes down to focus. Web browsers have other priorities that haven’t left much time for improving their password manager. For instance, most of them won’t generate strong passwords for you, leaving you right back at “123456.” Dedicated password managers have a singular goal and have been adding helpful features for years. Ideally, this leads to better security.
WIRED readers have also asked about Apple’s MacOS password manager, which syncs through iCloud and has some nice integrations with Apple’s Safari web browser. There’s nothing wrong with Apple’s system. In fact, I have used Keychain Access on Macs in the past, and it works great. It doesn’t have some of the nice extras you get with dedicated services, but it handles securing your passwords and syncing them between Apple devices. The main problem is that if you have any non-Apple devices, you won’t be able to sync your passwords to them, since Apple doesn’t make apps for other platforms. All in on Apple? Then this is a viable, free, built-in option worth considering.
What About the “Death of the Password?”
There has been a concerted effort to get rid of the password since roughly two days after the password was invented. Passwords are a pain—there’s no argument there—but we don’t see them going away for the foreseeable future. The latest effort to get rid of the password comes from the FIDO Alliance, an industry group aimed at standardizing authentication methods online. It has the support of many of the big browser makers, but we’ve yet to see a working demo. Still, this is one effort we’re keeping an eye on because it has more promise than those that have come before. For now at least, you still need a password manager.
How We Test
The best and most secure cryptographic algorithms are all available via open source programming libraries. On one hand, this is great, as any app can incorporate these ciphers and keep your data safe. Unfortunately, any encryption is only as strong as its weakest link, and cryptography alone won’t keep your passwords safe.
This is what I test for: What are the weakest links? Is your master password sent to the server? Every password manager says it isn’t, but if you watch network traffic while you enter a password, sometimes you find, well, it is. I also dig into how mobile apps work: Do they, for example, leave your password store unlocked but require a pin to get back in? That’s convenient, but it sacrifices too much security for that convenience.