How to choose (and use) a password manager

Security professionals like to point out that every measure you put in place to tighten security typically involves some sacrifice of convenience. There’s one noteworthy exception to that general rule, however: Using a password manager can dramatically improve the security of your online date while also making it much easier to safely access crucial resources.

That’s why I regularly recommend that anyone who cares about security pick a password manager and install it on every PC, Mac, and smartphone they own. But as I wrote in the introduction to this series two weeks ago, just installing an app isn’t enough:

Online security is a process, not a product. Even the best security software is more difficult to use than it should be. Understanding why you should use a password manager is every bit as important as knowing which one to use, and learning how to use that tool is even more important.

So, where do you begin? Part 1 in this series, “Get your passwords organized (in 30 minutes or less)” covered the essential first steps in putting together a password management strategy: consolidating your passwords in a single location, identifying your most important online accounts, and creating strong, unique passwords for each of those accounts.

With those prerequisites out of the way, let’s talk about putting that strategy into action.

This is Part 2 of a four-part series.

How a password manager works

The simplest password manager of all is the trusty analog version: a paper notebook. (You would be amazed how many variations on this theme are available online.) If you know someone using one of these old-school tools, tell them it’s a terrible idea. Looking up saved credentials and then typing them into web forms is tedious, updating passwords is messy, and there’s no easy way to protect your passwords if the notebook’s lost or stolen.

You could transfer all that analog data to digital format, storing it in a password-protected document or spreadsheet. It’s still tedious to look up saved passwords in that document, but at least you can make backups and move your password file between devices. Using document encryption offers basic protection from casual snoops, too. Good luck keeping copies in sync across different devices, though.

That’s where a password manager app comes in. A good password manager can be installed on PCs and Macs, in desktop browsers (with the help of browser extensions), and on mobile devices running Android and iOS. Those software tools allow you to save online credentials (usernames, passwords, and much more) in a database file that’s protected with strong encryption. To unlock that database, you have to provide an encryption key, in the form of a master password, which only you know.

Browser extensions and smartphone apps make it easy to fill in saved credentials automatically, without tedious retyping. Because I have the 1Password browser extension installed, for example, this is what I see when I go to the login page at ChargePoint.com.

When I click the button beneath the login box, it fills in my username, and when I click Next, it takes me to the next page and fills in the password automatically. Easy.

Password managers that are connected to cloud services allow you to sync the encrypted password database between devices; if you save a new login or change an existing password on your desktop PC or Mac, those changes are available within seconds on your smartphone.

One advantage of a dedicated password manager that isn’t immediately obvious is protection from phishing attacks. If an attacker convinces you to click a link in an email that takes you to a perfect replica of your bank’s website, you might be tempted to type in your username and password. Your password manager won’t be fooled, however, because it knows to automatically fill in credentials only when the domain you’re visiting is a perfect match.

There are dozens of dedicated password managers out there, including well-established commercial products and open-source projects. But before we get to those alternatives, let’s talk about some tools you might already be using.

Are built-in password managers good enough?

Maybe you don’t need a separate app to manage your passwords. Depending on the existing platform choices you’ve made, built-in password-management tools from Apple, Google, or Microsoft might be able to cover your needs.

A few years back, I wrote an extensive piece on this subject for ZDNet: "Is it OK to use your browser’s built-in password management tools?" That article holds up pretty well today. The bottom line: If you’re willing to forgo some advanced features, like the ability to customize auto-generated passwords or to securely share a password vault with other family members, one of these options might be good enough. And the best part is, they’re all free and can be managed using an account you already have.

Here are specifics on each platform.

Apple’s Keychain

If you’re an Apple loyalist, Apple’s Keychain is an obvious choice. It stores, syncs, and automatically fills in passwords and other personal information on Macs, iPhones, and iPads where you’re signed in using the same Apple ID. It works with apps and the Safari browser.

It might still be an option even if you use an iPhone or iPad (or both) and a Windows PC. The Safari browser isn’t available on Windows, but you can install the iCloud app for Windows and then add the iCloud Passwords extension to Google Chrome or Microsoft Edge. (There’s also an extension for syncing iCloud bookmarks.) With that setup complete, iCloud syncs your passwords between your Apple and Windows devices.

Google Password Manager

If you’re all in on Google services and use Google’s Chrome browser on all your devices, you can easily set it up to fill in passwords in apps and on webpages. Passwords are synced using your Google account. For instructions on how to configure Google Password Manager so that you can use it on iPhones, iPads, and Android devices as well as on PCs and Macs, see this Google support article: "Save, manage & protect your passwords."

Microsoft Authenticator

Microsoft has taken a slightly different tack for its cross-platform password management strategy. On Windows PCs and Macs, use the password management features in the Microsoft Edge browser to save, sync, and fill passwords and other information using your Microsoft account. (There’s also a Microsoft Autofill extension for Google Chrome.) On mobile devices, install the Microsoft Authenticator app to handle multi-factor authentication (more on that next week); open that app’s settings and scroll down to the Autofill section to select the Microsoft account you want to use for syncing and to manage Autofill settings on the current device.

As I mentioned earlier, all of those options offer a fairly basic feature set, although they’ve all improved dramatically in the past few years. If you want more advanced features, you’ll need a third-party app, with or without a matching cloud service to sync your information across devices.

What should you look for in a password manager?

I’m always shocked when I see just how many password manager apps are on the market. It’s not that difficult to cobble together an app using standard libraries, apparently. In fact, most of those apps can tick all the required boxes:

• Ultra-strong (AES256) encryption
• Zero-knowledge architecture (the developer does not have access to your encryption keys)
• Supported on every platform you use
• Able to generate strong, unique passwords
• Support for time-based one-time (TOTP) passwords (more on this two-factor authentication option in the next installment in this series)

Given the stakes, though, I won’t even consider a new app from a developer I’ve never heard of, even if they claim to have built the easiest user interface ever. And I’m not especially interested in a non-security product that decided to add password management as a feature. I’m far more interested in backing a developer that has a proven track record in this technology, built over many years.

Beyond those basics, there are two key questions that you need to ask before making a choice.

• Free or paid? Most commercial developers charge a nominal fee for their subscriptions, with hefty discounts for family plans. If you can afford to pay, this is one category where you will absolutely get your money’s worth.

Cloud or not? I understand the visceral distrust that some people have when it comes to commercial cloud providers. This is one of those trade-offs I mentioned at the opening of this column. If your goal is to sync your information between multiple devices, using a commercial cloud provider is the most convenient option by far. If you’ve chosen a provider with a great track record in handling cloud data (absolutely do not choose LastPass) and you have a strong master password (more on that later), the risk is minimal.

There are options for those who absolutely refuse to sync their password database using someone else’s cloud service, but they generally require more effort to manage and run a constant risk that password files on different devices will be out of sync.

With all that in mind, these are the four options I recommend:

• 1Password When you sign in to a 1Password account on a new device, you need to provide your master password AND a 34-character secret key that only you have. You can also add the option to require verification from an authenticator app or a hardware security key before allowing access to your passwords on a new device. These design decisions make 1Password the most secure product in its category.
• Bitwarden The base version of this open-source project is free. You need to pay for a premium account ($10 a year, $40 annually for a family account) if you want access to advanced authentication options and family sharing features. It’s not as polished or as usable as 1Password, but it’s a solid, reliable product.
• RoboForm Everywhere These folks have been around forever, quietly building a first-rate product and keeping it up to date. The RoboForm Free version is really free and allows you to store your password file locally, but the Everywhere version offers sync options that are worth the premium. Note: the company regularly offers promotions that can cut the cost significantly.
• KeePass This open-source project is for geeks only, but it’s free and well supported. It’s ideal for anyone who doesn’t want to upload their encrypted password file to the cloud and understands the inconvenience that decision entails.

(If you’ve already chosen another option, such as Dashlane, Keeper, or Enpass, don’t let my recommendations dissuade you. Those are all perfectly good products.)

The best way to evaluate any of these options is to download the software and use it for a while with a small subset of credentials for sites you visit regularly. Three of the options I recommend have free versions; the one exception, 1Password, offers a 14-day free trial that should be sufficient to help you make your decision.

Install the matching app and browser extension on every device you own and put those products to the test.

Tips for using your password manager

Most of the big review sites offer a recommendation and then leave you to figure things out on your own. I know how frustrating that is, so here are some tips to help you be more productive after you’ve settled on a winning password manager app.

Make a great master password.

This is the part where I jump up and down and scream about how important your master password is. It’s the encryption key that keeps an attacker from reading your saved credentials, so please, please, please make this password strong and unique. Do not use a password (or a variation of a password) you use elsewhere. This password should be at least 12 characters, and preferably longer. It should be something that is easy for you to remember and impossible for anyone else to guess. Use one of the password generators I recommended in the previous installment to generate a passphrase consisting of three words separated by hyphens, and you’ll be in good shape.

Store your master password and encryption key in a safe place.

Write down your password on paper and store it in the safest place available to you: in a sealed, unmarked envelope in a locked file cabinet is ideal. 1Password includes a convenient Emergency Kit that includes the 34-digit encryption key and a space to write down your password. Keep it in the same place you keep documents like your will and other important documents. If something happens to you, that paper will make it easier for someone else to help manage your affairs.

Use a PIN and biometrics to manage signing in to the vault on trusted devices.

Typing your master password is a pain in the ass. On trusted devices where you have already established your identity, you can and should enable the option to replace that sign-in with a simpler PIN or biometric option. If you use Bitwarden, check out your options here. If you use 1Password, you have multiple options: Windows Hello here, TouchID on iOS here, Android biometrics here.

Always use a PC or Mac to do major password management tasks.

Smartphones are awesome. They’re also limited in capabilities. In my experience, every password manager offers the richest set of features when you’re using it on a PC or Mac. Both Bitwarden and iPassword have standalone apps for Windows and Mac that you should install and use.

Check your work every time you create or update an account.

After creating a new password-protected account or modifying an existing one and saving its credentials, I recommend that you immediately sign out and then sign in again. That allows you to confirm that the username and password are correctly saved. I often find, for example, that I have to add the username to a new login, especially for sites that use a two-step process, in which you enter a username or email address on one screen and then enter the password on a separate screen.

Signing in with a trusted third-party account (Google, Apple, Microsoft) is really convenient.

If an online service offers the option to sign in with your Google or Apple or Microsoft account, feel free to take it. That’s one less password you have to manage. I do not recommend that you use Facebook, Twitter, or other social media services for authentication purposes, however. An emerging technology called passkeys offers the best option of all, eliminating the need for passwords completely and replacing them with digital credentials that are stored on a device and unlocked using biometrics. More on that later in this series.

It’s OK to use (relatively) weak passwords on unimportant sites.

Yes, for important sites you should absolutely use strong, unique passwords that consist of upper- and lower-case characters, numbers, and symbols. But for sites that are strictly for entertainment and don’t represent a potential threat to your identity or your finances, it’s OK to use a shorter password, especially if you have to type that password in using your TV remote. Do make sure it’s unique, however.

Multi-factor authentication (also known as 2-factor authentication, or 2FA) is really important.

That’s the subject of next week’s installment.

Read the entire series

Introduction: “Getting your online security in order”

Part 1: “Get your passwords organized (in 30 minutes or less)”

Part 2: “How to choose (and use) a password manager”

Part 3: “Multi-factor authentication is easier than you think”

Part 4: “Do you need advanced security options?”