Password managers are the vegetables of the internet. We know they're good for us, but most of us are happier snacking on the password equivalent of junk food. For seven years running that's been "123456" and "password", the two most commonly used passwords on the web.

The problem is most of us don't know what makes a good password and aren't about to remember hundreds of them every day.

If you can memorize strong passwords for hundreds of sites, by all means do it. Assuming you're using [secure passwords](https://www.wired.com/2016/05/password-tips-experts/) -- which is shorthand for, first and foremost, *long* passwords -- this is the most secure, if slightly insane, way to store passwords. It might work for [Memory Grandmaster Ed Cooke](https://en.wikipedia.org/wiki/Ed_Cooke_(author)), but most of us are not willing to put in the effort. We need to offload that work to a password manager, which offers a secure vault that can stand in for our faulty, overworked memories.

A password manager offers convenience and, more importantly, will help you create better passwords, which in turn makes your online existence less vulnerable to password-based attacks.

*(Note: When you buy something using the retail links in our stories, we may earn a small affiliate commission. [Read more](https://www.wired.com/2015/11/affiliate-link-policy/) about how this works.)*

### Why Not Use Your Browser?

Most web browsers offer at least a rudimentary password manager -- this is where your passwords are stored when Chrome or Firefox asks if you'd like to save a password. While this is better than reusing the same password everywhere, browser-based password managers are limited.

The reason security experts recommend you use a dedicated password manager comes down to focus. Web browsers have other priorities. Dedicated password managers have a singular goal, which, ideally, leads to a more secure result.

### Password Manager Basics

A good password manager stores, generates, and updates passwords for you with the press of a button. If you're willing to spend a few dollars a month, a password manager can sync your passwords across all your devices. If you don't want to pay, your best bet is LastPass.

Most password managers are systems rather than a single thing. They consist of apps for each of your devices, which have tools to help you create secure passwords, store them securely, and evaluate the security of your existing passwords. All that information is then sent to a central server where your passwords are encrypted, stored, and shared between devices.

To access all your passwords you only have to remember one password, which the password manager uses to unlock the vault containing all your actual passwords. Only needing to remember one password is great, but it means there's a lot riding on that one password. Make sure it's a good one.

If you're having trouble coming up with that one password to rule them all, check out our guide to [better password security](https://www.wired.com/2016/05/password-tips-experts/). You might also consider using the [Diceware](http://world.std.com/~reinhold/diceware.html) method to generate a strong master password.

Some password managers will automatically fill in and even submit web forms for you. This is super convenient, but for additional security we suggest you disable this feature. Automatically filling forms in the browser has made password managers [vulnerable to attack](https://www.wired.com/story/password-manager-autofill-ad-tech-privacy/) in the past. For this reason our favorite password manager, 1Password, requires you to opt in to this feature. We suggest you do not.

While password managers can help you create more secure passwords and keep them safe from prying eyes, they can't protect your password if the website itself is breached. That doesn't mean they don't help in this scenario though. All three of the cloud-based password managers below offer tools to alert you to potentially compromised passwords. Password managers also make it easier to quickly change a compromised password and search through your passwords to ensure you didn't reuse that compromised password.
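
The reuse search described above can be sketched in a few lines. This is an added example, not code from any of the products reviewed here; the vault entries, the `audit_vault` helper, and the 12-character length threshold are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample of a decrypted vault export: (site, username, password).
SAMPLE_VAULT = [
    ("shop.example", "ana", "correct-horse-battery-staple"),
    ("mail.example", "ana", "Tr0ub4dor&3"),
    ("forum.example", "ana2", "Tr0ub4dor&3"),
    ("bank.example", "ana", "k3#Vq9!xLm2$wPz7Rt"),
    ("news.example", "ana", "123456"),
]

MIN_LENGTH = 12  # assumed policy threshold, not taken from the article


def _fingerprint(key: bytes, password: str) -> bytes:
    """Keyed hash, so the index is built without plaintext passwords as keys."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()


def audit_vault(entries, breached_site=None):
    """Report reused passwords, short passwords, and breach fallout.

    reused:  groups of sites that share one password
    exposed: other sites using the same password as breached_site
    short:   sites whose password is under MIN_LENGTH characters
    """
    key = secrets.token_bytes(32)  # per-run key; fingerprints are useless afterwards
    by_fp = defaultdict(list)
    short = []
    for site, _user, password in entries:
        by_fp[_fingerprint(key, password)].append(site)
        if len(password) < MIN_LENGTH:
            short.append(site)

    reused = sorted(sorted(sites) for sites in by_fp.values() if len(sites) > 1)
    exposed = []
    if breached_site is not None:
        for sites in by_fp.values():
            if breached_site in sites:
                exposed = sorted(s for s in sites if s != breached_site)
    return {"reused": reused, "exposed": exposed, "short": sorted(short)}


if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT, breached_site="forum.example"))
```

Every site listed under `exposed` needs its password changed along with the breached one, since the same credential unlocks both.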

### Best All Around

**1Password**

1Password began life as an Apple-centric password solution, but it has since broadened its offerings to include iOS, Android, Windows, and ChromeOS. There's even a command line tool that will work anywhere. There are plugins for your favorite web browser too, which makes it easy to generate and edit new passwords on the fly.

What sets 1Password apart from the rest is the number of extras it offers. In addition to managing passwords, it can act as an authentication app (like Google Authenticator), and, for added security, it adds a secret key to the encryption key it uses, meaning no one can decrypt your passwords without that key (the downside is that if you lose this key, no one, even 1Password, can decrypt your passwords).

Another reason 1Password offers the best experience is its tight integration with other mobile apps. Rather than needing to copy/paste passwords between your password manager and other apps, 1Password is integrated with many apps and can autofill. This is more noticeable on iOS, where inter-app communication is more restricted.

The other reason I like 1Password is the "Travel Mode", which allows you to delete any sensitive data from your devices before you travel and then restore it with a click after you've crossed the border. This prevents anyone, even law enforcement at international borders, from accessing your complete password vault.

1Password is $36 per year for one person, $60 per year for a family of up to five people. There's a 30-day free trial for either plan so you can test it out before committing.

**[Sign up for 1Password for $36 per year](https://1password.com/sign-up/){: rel=nofollow}, then [grab the app](https://1password.com/downloads/){: rel=nofollow} for Windows, macOS, Android, iOS, ChromeOS or Linux. There are also browser extensions for [Firefox, Chrome and Edge](https://1password.com/downloads/#browsers){: rel=nofollow}.**

### Runner Up

**Dashlane**

I first encountered Dashlane several years ago when it lacked anything to set it apart from its competitors. But recent updates, especially Dashlane 6, have added some very nice features not found elsewhere. Dashlane is simple to set up and uses a key, much like 1Password's setup process.

The desktop client is easy to navigate and the mobile apps make getting your data everywhere a cinch, though as with the others there is no syncing without buying the Premium version ($5/month).

One of the best features of Dashlane is what it calls Site Breach Alerts. Dashlane actively monitors the darker corners of the web, looking for leaked or stolen personal data and then alerts you if your information is found.

Also interesting is an option to not store any password data on Dashlane's servers. This means you're responsible for managing and syncing your password vault between devices. If you want the convenience and polish of Dashlane's application, but don't want to put your vault on the company's servers, there is a way to do it, which isn't possible with 1Password or LastPass.

**[Sign up for Dashlane for $60 per year](https://1password.com/sign-up/){: rel=nofollow}, then [grab the app](https://www.dashlane.com/download){: rel=nofollow} for Windows, macOS, Android, iOS, or Linux. There are also browser extensions for [Firefox, Chrome and Edge](https://www.dashlane.com/download){: rel=nofollow}.**

### Best Free Option

**LastPass**

LastPass is one of the most popular and well-known password managers out there. It works on nearly every platform and device available and it is the only service here to allow device syncing on its free plan.

Upgrading to Premium will add support for two-factor authentication (like a fingerprint reader or Yubikey), 1 GB of encrypted file storage, priority support, and emergency access. Premium is $36/year.

Like 1Password and Dashlane, LastPass stores your credentials and other sensitive data encrypted on its server and you access your data through apps or browser extensions. LastPass lets you control whether or not it autofills forms, alerts you about potentially compromised accounts, and can even search your password vault for weak passwords.

The main drawback to LastPass is its mixed security track record. LastPass has had a number of [high-profile, critical bugs](https://www.wired.com/2015/06/hack-brief-password-manager-lastpass-got-breached-hard/) and some data breaches. Overall though, LastPass remains a good choice for those on a tight budget.

**[Sign up for LastPass](https://lastpass.com/create-account.php){: rel=nofollow}, then [grab the app](https://lastpass.com/misc_download2.php){: rel=nofollow} for Windows, macOS, Android, iOS, or Linux. There are also browser extensions for [Firefox, Chrome and Edge](https://lastpass.com/misc_download2.php){: rel=nofollow}.**

### Best Self-Hosted Option

**KeePassXC**

Want to retain control over your data in the cloud? Instead of using a service like those above, you can sync your encrypted passwords using secure file-syncing services like SpiderOak. If you go this route you'll need to do more work -- connecting apps on various platforms yourself -- but you won't have to trust any third-party with your passwords.

If you want to roll your own, [KeePassXC](https://keepassxc.org/){: rel=nofollow} is your best bet.

KeePassXC stores encrypted versions of all your passwords in a vault -- just like the hosted services above -- which you secure with a master password, a key file or both. The difference is that instead of syncing it for you, you sync that database file yourself, using a service like SpiderOak or Dropbox. Once your file is in the cloud you can access it on any device that has a KeePassXC client.

There are clients available for Windows, macOS, and Linux, as well as most web browsers. What it does not have are official apps for mobile. Instead the project recommends [Keepass2Android](https://play.google.com/store/apps/details?id=keepass2android.keepass2android){: rel=nofollow} or, for iOS, [Strongbox](https://itunes.apple.com/us/app/strongbox-password-safe/id897283731){: rel=nofollow}.

Why do it yourself? In a word: transparency. Of all the solutions on this list, only KeePassXC is open source, which means its code can be, and has been, inspected for critical flaws.

**There's nothing to sign up for with KeePassXC. Grab the [desktop app](https://keepassxc.org/download/), create your vault, then install [Keepass2Android](https://play.google.com/store/apps/details?id=keepass2android.keepass2android){: rel=nofollow} or, for iOS, [Strongbox](https://itunes.apple.com/us/app/strongbox-password-safe/id897283731){: rel=nofollow}. There are also extensions for [Firefox](https://addons.mozilla.org/en-US/firefox/addon/keepassxc-browser/){: rel=nofollow}, and [Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk){: rel=nofollow}, but not Edge.**