This post explains why to use a password manager, describes the basic and advanced features and benefits of password managers, links to third-party reviews of leading password managers, names the leading products, outlines considerations in choosing the right one for your needs, and lists cautions that apply to any of them.
In a previous post (password management best practices), we noted that many users choose weak passwords that are easily hackable, use the same password across multiple sites, or use different passwords on different sites but follow some discernible pattern. This leaves many users exposed to online account piracy or identity theft.
Why use a password manager
The 10th of the best practices identified in the prior blog post on password management was to choose and use a password manager (PM) that will provide automated support for many of the recommendations. A PM stores your passwords in an encrypted “vault” in a single location, protected by a single master password that unlocks the password list. It then automatically fills in your credentials (login user ID and password) as you revisit each site’s login page. A PM can also create very strong passwords and enforce best practices. At the same time, it is faster and more convenient than typing strong passwords each time you log in.
A side benefit of a PM is that it prevents email “spoofing” or “phishing” attacks that link to a fake website disguised to look like a real, trusted website by changing a couple of letters. For example, a phishing link might take you to “arnazon.com” instead of “amazon.com”; the PM will not recognize the login page and will not auto-fill your credentials, a dead giveaway that you are not really on amazon.com.
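The auto-fill decision described above comes down to comparing the page's host name with the site saved in the vault. The following is an added example, not code from this post or from any PM product; the function names, the saved entry and the page addresses are constructed for illustration, and the subdomain rule is a simplification.

```javascript
// Added illustration; the vault entry and URLs below are constructed samples.
const savedLogins = [{ site: "amazon.com", username: "alice@example.com" }];

// Match on whole DNS labels: the saved site itself or a subdomain of it.
// (Simplification: many products consult the Public Suffix List instead.)
function hostMatches(host, site) {
  return host === site || host.endsWith("." + site);
}

// Return the saved login to offer on this page, or null to withhold auto-fill.
function loginForPage(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return null; // unparseable address: never fill
  }
  if (url.protocol !== "https:") return null; // no credentials over plain HTTP
  const host = url.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  return savedLogins.find((e) => hostMatches(host, e.site)) || null;
}

// Constructed page addresses and the decision made for each one.
function demo() {
  return [
    "https://www.amazon.com/ap/signin",      // genuine site, subdomain
    "https://arnazon.com/ap/signin",         // look-alike from the text above
    "https://amazon.com.example.net/signin", // saved name is only a prefix
    "http://amazon.com/signin",              // right name, unencrypted page
  ].map((u) => [u, loginForPage(u) ? "fill" : "withhold"]);
}

console.log(demo());
```

Only the first address is filled; the absence of auto-fill on the other three is the signal the paragraph above describes.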
Common features of Password Managers
There are a number of common core features and benefits that virtually all PMs provide:
Encrypted vault in which you enter or capture website credentials upon each site’s first login
A master password or biometric input (e.g., fingerprint) to provide access to the credentials list
Generate random strong passwords, which you do not have to remember
Auto-fill credentials that you have saved when it detects a login page for a web site you visit
Multiple login credentials for the same site give you a menu from which to select (e.g., two family members)
Multi-platform: run on all popular desktop and mobile platforms
The benefits of the core features above are that strong passwords can be used; there is no need to remember passwords; the password list is encrypted, meaning that if the file were hacked it would be unreadable without knowing the master password; and you get the convenience of rapid login on all your regularly-used sites. If you find that the basic features above meet your needs, there are a number of free PMs (see reviews further below) available, and a few even provide several of the advanced features identified below.
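Why a stolen vault file is unreadable without the master password can be shown with a small Node.js sketch. This is an added example, not code from this post or from any PM product: the choice of scrypt and AES-256-GCM, the function names and the sample entry are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Constructed sample entry; not a real credential.
const SAMPLE_ENTRIES = [
  { site: "amazon.com", username: "alice@example.com", password: "v9#Lq2!xTz-constructed" },
];

// Stretch the master password into a 256-bit key with scrypt, a memory-hard KDF.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, { N: 2 ** 14, r: 8, p: 1 });
}

// Encrypt the entries. Only salt, IV, ciphertext and tag are stored;
// the master password and the derived key are never written to the vault.
function sealVault(masterPassword, entries) {
  const salt = crypto.randomBytes(16); // fresh per vault
  const iv = crypto.randomBytes(12);   // fresh per encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), "utf8"), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Return the entries, or null when the password is wrong or the file was altered.
function openVault(masterPassword, sealed) {
  const key = deriveKey(masterPassword, sealed.salt);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, sealed.iv);
  decipher.setAuthTag(sealed.tag);
  try {
    const pt = Buffer.concat([decipher.update(sealed.ct), decipher.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch {
    return null; // authentication failed: wrong key or modified data
  }
}

const sealed = sealVault("constructed master passphrase", SAMPLE_ENTRIES);
console.log(openVault("constructed master passphrase", sealed) !== null);
console.log(openVault("a wrong guess", sealed));
```

Because nothing in the stored record can rebuild the key, the same design explains why a forgotten master password cannot be recovered.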
Additional or advanced features of password managers
In addition to the common core features above, most PMs offer a premium version for a fee with additional features and benefits as follows:
Sync across devices: If you use desktops, laptops, tablets, and/or phones, this feature synchronizes the credentials list across all your devices, so you do not need to re-enter them on each device
Audit: Detect and flag weak or duplicate passwords
Apps: Will auto-login on apps as well as websites
Store other data: store address, credit card, and other data in the encrypted vault to be auto-filled in online forms, so you don’t need to type them repeatedly
Family plans: enables sharing of the credentials list among family members along with a pricing plan
Two-factor authentication support
Import/Export to/from files or spreadsheets
Transfer upon death: a means to deliver the master list to a trusted family member upon death
Unlimited number of credentials: some free versions limit the number of logins you can have
Data breach alert: Notify you of known data breaches on sites you list
Price: Prices range from free for a basic version to pricey advanced versions; consider whether you will give up some frills for a better price or free version.
Ultra-privacy in a password manager
There are a few features that only a minority of PMs provide for those seeking more ironclad security and privacy.
Local vault vs. cloud-based vault: Most PMs are cloud-based; the vendor reassures you of “end-to-end” encryption, in that the credentials list is encrypted on their servers as well as in transit. Almost all claim that they store neither the unencrypted master password nor any unencrypted passwords, so that even if the vault were hacked, it would be unreadable. For those who are nevertheless leery of handing over the master list of passwords to any cloud-based vendor, a few products offer a local vault alternative, whereby you store the encrypted list on your computer or a thumb drive. One implication of storing the vault locally is that, if you have multiple devices, you may need to synchronize the credentials list manually (check the specific product).
Open source: A few products are “open source” with the key implication being that security experts have vetted or can audit the source code and verify that their vault is secure, which should give some reassurance about open-source, cloud-based vaults.
Reviews of password managers
There are many reviews of PMs available on third-party sites, so we refer you to them. We suggest you first check off features that are “must have” vs. “nice to have” or “do not need” from the above lists before you read the reviews. The following are sample PM reviews:
PC Magazine’s The best password managers for 2020
Techradar pro’s The best password manager 2020: store all your logins securely
Tom’s Guide’s The best password managers in 2020
Not-so-short list of password managers
The following is an alphabetical list of PMs presented in at least two of the review articles above. A single “+” sign next to the name means it was listed in at least three of the review articles, and two “+” signs means in at least four.
NordPass (bundled with a suite of tools, including their popular NordVPN)
Norton Password Manager (bundled as part of a security package, including anti-virus, VPN, backup, etc.)
Other considerations in choosing a password manager
When comparing products, we suggest you consider the following additional factors:
Compare apples-to-apples: most products have a free version with basic features and perhaps a few of the advanced features, sometimes with restrictions, as well as a premium version with many advanced features for a fee.
Suite or point product: If you consider a bundled product suite, do not compare it to a point PM-only solution.
Local vault vs. the cloud: We already touched on this as a key decision. You need to be comfortable that an encrypted vault on the cloud is secure. If you go with a cloud-based PM, check that the vendor asserts and the reviews confirm that only you have the master key, and that the vendor does not store it. Those seeking greater peace of mind should opt for a PM whose vault is stored locally.
VPN: use a VPN online as well as a PM and the other privacy and security tools we discuss, as those tools are complementary.
Caution for any PM: The biggest risk factor in using any PM is that a single master password gives one access to the entire list of credentials. Therefore, use an ultra-strong master password that is used solely for the PM vault, memorize it, and if you want to keep a hard copy of it, put it in a safe place, locked along with your other valuable documents. Note that if you lose or forget your master password, you will have no way to retrieve it, and you will need to start from scratch in setting up your next PM.
Choose and use a password manager not only for the convenience but also to strengthen your passwords and thus fight account piracy and identity theft.