The Best Password Managers to Secure Your Digital Life

Feb 15, 2022

Password managers are the vegetables of the internet. We know they’re good for us, but most of us are happier snacking on the password equivalent of junk food. For seven years running that’s been “123456” and “password”—the two most commonly used passwords on the web. The problem is, most of us don’t know what makes a good password and aren’t able to remember hundreds of them anyway.

Now that so many people are working from home, outside the office intranet, the number of passwords you need may have significantly increased. The safest (if craziest) way to store them is to memorize them all. (Make sure they are long, strong, and secure!) Just kidding. That might work for Memory Grand Master Ed Cooke, but most of us are not capable of such fantastic feats. We need to offload that work to password managers, which offer secure vaults that can stand in for our faulty, overworked memories.

A password manager offers convenience and, more important, helps you create better passwords, which makes your online existence less vulnerable to password-based attacks. Be sure to also have a look at our guide to VPN providers for more ideas on how you can upgrade your security, as well as our guide to backing up your data to make sure you don’t lose anything if the unexpected happens.

Why Not Use Your Browser?

Most web browsers offer at least a rudimentary password manager. (This is where your passwords are stored when Google Chrome or Mozilla Firefox ask if you’d like to save a password.) This is better than reusing the same password everywhere, but browser-based password managers are limited.

The reason security experts recommend you use a dedicated password manager comes down to focus. Web browsers have other priorities that haven’t left much time for improving their password manager. For instance, most of them won’t generate strong passwords for you, leaving you right back at “123456.” Dedicated password managers have a singular goal and have been adding helpful features for years. Ideally, this leads to better security.

WIRED readers have also written me asking about Apple’s MacOS password manager, which syncs through iCloud and has some nice integrations with Apple’s Safari web browser. There’s nothing wrong with Apple’s system. In fact, I have used Keychain Access on Macs in the past, and it works great. It doesn’t have some of the nice extras you get with dedicated services, but it handles securing your passwords and syncing them between Apple devices. The main problem is if you have any non-Apple devices, you won’t be able to sync your passwords to them, since Apple doesn’t make apps for other platforms. All in on Apple? Then this is a viable, free, built-in option worth considering.

How We Test

The best and most secure cryptographic algorithms are all available via open source programming libraries. On one hand, this is great, as any app can incorporate these ciphers and keep your data safe. Unfortunately, any encryption is only as strong as its weakest link, and cryptography alone won’t keep your passwords safe.

This is what I test for: What are the weakest links? Is your master password sent to the server? Every password manager says it isn’t, but if you watch network traffic while you enter a password, sometimes you find, well, it is. I also dig into how mobile apps work: Do they, for example, leave your password store unlocked but require a PIN to get back in? That’s convenient, but it sacrifices too much security for that convenience.
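
One way to automate the network check described above, as an added example (not the author's tooling): scan request bodies exported from an intercepting proxy on your own device for the master password in common encodings or as a fast unsalted hash. The function names and the captured bodies are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import quote, quote_plus

def leak_patterns(secret):
    """Byte patterns that reveal the secret or a fast, unsalted hash of it."""
    raw = secret.encode("utf-8")
    candidates = [
        # (label, pattern, compare case-insensitively?)
        ("plaintext", raw, False),
        ("url-encoded", quote(secret, safe="").encode("ascii"), False),
        ("form-encoded", quote_plus(secret).encode("ascii"), False),
        ("base64", base64.b64encode(raw), False),
        ("hex", raw.hex().encode("ascii"), True),
        ("sha1", hashlib.sha1(raw).hexdigest().encode("ascii"), True),
        ("sha256", hashlib.sha256(raw).hexdigest().encode("ascii"), True),
    ]
    seen, patterns = set(), []
    for label, pattern, fold in candidates:
        if pattern not in seen:  # a simple password encodes identically several ways
            seen.add(pattern)
            patterns.append((label, pattern, fold))
    return patterns

def find_leaks(master_password, request_bodies):
    """Return (request index, label) for every body that exposes the password."""
    findings = []
    for index, body in enumerate(request_bodies):
        for label, pattern, fold in leak_patterns(master_password):
            haystack = body.lower() if fold else body
            if pattern in haystack:
                findings.append((index, label))
    return findings

# Constructed sample data, not captured from any real product.
MASTER_PASSWORD = "correct horse/battery&staple"
PW_BYTES = MASTER_PASSWORD.encode("utf-8")
CAPTURED_BODIES = [
    # Well-behaved login: only a slow, salted derivation leaves the device.
    b'{"email":"user@example.test","auth":"'
    + hashlib.pbkdf2_hmac("sha256", PW_BYTES, b"user@example.test", 100_000).hex().encode()
    + b'"}',
    # Form post carrying the password itself.
    b"email=user%40example.test&password=" + quote_plus(MASTER_PASSWORD).encode(),
    # Telemetry carrying an unsalted SHA-1 in upper-case hex.
    b'{"event":"unlock","pw_sha1":"'
    + hashlib.sha1(PW_BYTES).hexdigest().upper().encode()
    + b'"}',
]

if __name__ == "__main__":
    for index, label in find_leaks(MASTER_PASSWORD, CAPTURED_BODIES):
        print(f"request {index}: master password exposed as {label}")
```

A clean result only rules out the encodings listed; a password wrapped in another layer of encoding or compression would need that layer undone first.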

No password manager is perfect, but the ones below represent the very best I’ve tested. They’re as secure as they can be while still remaining convenient and easy to use.

Best Overall

1Password

What sets 1Password apart from the rest of the options in this list is the number of extras it offers. It’s not the cheapest (see our next pick for that), but in addition to managing passwords, it will alert you when a password is weak or has been compromised (by checking against Troy Hunt’s excellent Have I Been Pwned database).

Like other password managers, 1Password has apps that work just about everywhere, including MacOS, iOS, Android, Windows, and Chrome OS. There’s even a command-line tool that will work anywhere, and the company recently launched a client for Linux in beta. There are plugins for your favorite web browser too, which makes it easy to generate and edit new passwords on the fly.

1Password recently announced a new version of its apps, 1Password 8, and I’ve had a mixed experience. On one hand, it finally works with Windows laptops running on ARM architecture. But on MacOS Monterey, I’ve had problems with autofill not working, keyboard shortcuts stopping until I relaunch the browser, among other issues. The problems so far are not enough to make me change our top pick, but it’s definitely something I am keeping an eye on. The company also recently reduced its free-trial period from 30 days to 14 days.

If you frequently travel across national borders you’ll appreciate my favorite 1Password feature: Travel Mode. This mode lets you delete any sensitive data from your devices before you travel and then restore it with a click after you’ve crossed a border. This prevents anyone, even law enforcement at international borders, from accessing your complete password vault.

In addition to being a password manager, 1Password can act as an authentication app like Google Authenticator, and for added security, it creates a secret key to the encryption key it uses, meaning no one can decrypt your passwords without that key. (The downside is that if you lose this key, no one, not even 1Password, can decrypt your passwords.)

1Password also offers tight integration with other mobile apps. Rather than needing to copy and paste passwords from your password manager to other apps (which puts your password on the clipboard at least for a moment), 1Password is integrated with many apps and can autofill. This is more noticeable on iOS, where inter-app communication is more restricted.

Best Free Option

Bitwarden

Bitwarden is secure, open source, and free with no limits. The applications are polished and user-friendly, making it the best choice for anyone who doesn’t need the extra features of 1Password.

Did I mention it’s open source? That means the code that powers Bitwarden is freely available for anyone to inspect, seek out flaws, and fix. In theory, the more eyes on the code, the more airtight it becomes. Bitwarden has also been audited for 2020 by a third party to ensure it’s secure. It can be installed on your own server for easy self-hosting if you prefer to run your own cloud.

There are apps for Android, iOS, Windows, MacOS, and Linux, as well as extensions for all major web browsers. Bitwarden also has support for Windows Hello and Touch ID on its desktop apps for Windows and MacOS, giving you the added security of those biometric authentication systems.

Another thing I like is Bitwarden’s semiautomated password fill-in tool. If you visit a site that you’ve saved credentials for, Bitwarden’s browser icon shows the number of saved credentials from that site. Click the icon and it will ask which account you want to use and then automatically fills in the login form. This makes it easy to switch between usernames and avoids the pitfalls of autofill we mention at the bottom of this guide. If you simply must have your fully automated form-filling, Bitwarden supports that as well.

Bitwarden offers a paid upgrade account. The cheapest of the bunch, Bitwarden Premium, is $10 per year. That gets you 1 GB of encrypted file storage, two-factor authentication with devices like YubiKey, FIDO U2F, Duo, and a password hygiene and vault health report. Paying also gets you priority customer support.

Best Full-Featured Manager

Dashlane

I first encountered Dashlane several years ago. Back then, it was the same as its competitors with no standout attributes. But recent updates have added several helpful features. One of the best is Site Breach Alerts, something other services have since added as well. Dashlane actively monitors the darker corners of the web, looking for leaked or stolen personal data, and then alerts you if your information has been compromised.

Setup and migration from another password manager is simple, and you’ll use a secret key to encrypt your passwords, much like 1Password’s setup process. In practice, Dashlane is very similar to the others in this list. The company did discontinue its desktop app earlier this year, moving to a web-based user interface, which is a little different than 1Password and Bitwarden. (The desktop apps will officially shut down on January 10, 2022.) I primarily use passwords in the web browser anyway, and Dashlane has add-ons for all the major browsers, along with iOS and Android apps. If a desktop app is important to you, it’s something to be aware of. Dashlane offers a 30-day free trial, so you can test it out before committing.

Best DIY Option (Self-Hosted)

KeePassXC

Want to retain more control over your data in the cloud? Try using a desktop application like KeePassXC. It stores encrypted versions of all your passwords in an encrypted digital vault that keeps you secure with a master password, a key file, or both. The difference is that instead of a hosted service like 1Password syncing it for you, you sync that database file yourself using a file-syncing service like Dropbox or Edward Snowden’s recommended service SpiderOak. Once your file is in the cloud, you can access it on any device that has a KeePassXC client.

Why do it yourself? In a word: Transparency. Like Bitwarden, KeePassXC is open source, which means its code can be and has been inspected for critical flaws.

Password Manager Basics

A good password manager stores, generates, and updates passwords for you with the press of a button. If you’re willing to spend a few dollars a month, a password manager can sync your passwords across all your devices. Here’s how they work.

Only one password to remember: To access all your passwords, you only have to remember one password. When you type that into the password manager, it unlocks the vault containing all of your actual passwords. Only needing to remember one password is great, but it means there’s a lot riding on that one password. Make sure it’s a good one. If you’re having trouble coming up with that one password to rule them all, check out our guide to better password security. You might also consider using the Diceware method for generating a strong master password.

Apps and extensions: Most password managers are full systems rather than a single piece of software. They consist of apps or browser extensions for each of your devices (Windows, Mac, Android phones, iPhone, and tablets), which have tools to help you create secure passwords, safely store them, and evaluate the security of your existing passwords. All that information is then sent to a central server where your passwords are encrypted, stored, and shared between devices.

Fixing compromised passwords: While password managers can help you create more secure passwords and keep them safe from prying eyes, they can’t protect your password if the website itself is breached. That doesn’t mean they don’t help in this scenario though. All the cloud-based password managers we discuss offer tools to alert you to potentially compromised passwords. Password managers also make it easier to quickly change a compromised password and search through your passwords to ensure you didn’t reuse any compromised codes.

You should disable auto form-filling: Some password managers will automatically fill in and even submit web forms for you. This is super convenient, but for additional security, we suggest you disable this feature. Automatically filling forms in the browser has made password managers vulnerable to attacks in the past. For this reason, our favorite password manager, 1Password, requires you to opt in to this feature. We suggest you do not.

Don’t panic about hacks: Software has bugs, even your password manager. The question is not what do you do if it becomes known that your password manager has a flaw, but what do you do when it becomes known that your password manager has a flaw. The answer is, first, don’t panic. Normally bugs are found, reported, and fixed before they’re exploited in the wild. Even if someone does manage to gain access to your password manager’s servers, you should still be fine. All of the services we list store only encrypted data and none of them store your encryption key, meaning all an attacker gets from compromising their servers is encrypted data.
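
Why a server that stores only encrypted data is a poor target, and what the secret key described in the 1Password section adds, as an added sketch (not 1Password's or any vendor's actual code): the vault key is derived from both the master password and a random key that never leaves the device. The PBKDF2-plus-HMAC construction, the function names and the `key_check` field are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive_vault_key(master_password, secret_key, salt):
    """Combine a memorized password with a device-held random secret key."""
    # Slow, salted stretch of the low-entropy secret the user remembers.
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS)
    # The secret key is already random, so one keyed hash is enough to mix it in.
    mixed = hmac.new(salt, secret_key, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stretched, mixed))


def enroll(master_password):
    """Return (secret key kept on the device, record stored by the server)."""
    secret_key = secrets.token_bytes(16)  # 128 random bits, never uploaded
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, secret_key, salt)
    # Stand-in for an authenticated ciphertext: a tag only the right key reproduces.
    key_check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return secret_key, {"salt": salt, "key_check": key_check}


def vault_opens(record, master_password, secret_key):
    """True only when both secrets reproduce the key the vault was sealed with."""
    key = derive_vault_key(master_password, secret_key, record["salt"])
    tag = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return hmac.compare_digest(tag, record["key_check"])


# Constructed scenario: even the weakest password from the top of this guide
# cannot be confirmed from the server record without the device's secret key.
DEVICE_SECRET_KEY, SERVER_RECORD = enroll("123456")

if __name__ == "__main__":
    print("owner, both secrets:   ", vault_opens(SERVER_RECORD, "123456", DEVICE_SECRET_KEY))
    print("right password, no key:", vault_opens(SERVER_RECORD, "123456", bytes(16)))
```

The same property explains the downside the guide mentions: lose the secret key and the correct master password alone no longer opens the vault.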

26 Apr, 2024
In continuation of Microsoft’s series of data security incidents, employees accidentally exposed internal data to the public. The leak exposed an unprotected Azure storage server containing code, scripts, and configuration files.

Microsoft has announced that it has fixed a security breach that exposed internal company credentials and files to the open internet. The breach was first discovered by security researchers from cybersecurity firm SOCRadar. According to their report, an internal error resulted in an Azure storage server without password protection being given public access.

The exposed data was primarily related to Microsoft’s Bing search engine, including configuration files, code, and scripts that employees used to access a range of internal systems and databases. Consequently, bad actors could identify and access locations for Microsoft's internal data. So far, it has not been made clear how long the data has been exposed.

Anuj Mudaliar, Assistant Editor - Tech, SWZD

26 Apr, 2024
AT&T is notifying 51 million former and current customers, warning them of a data breach that exposed their personal information on a hacking forum. However, the company has still not disclosed how the data was obtained.

These notifications are related to the recent leak of a massive amount of AT&T customer data on the Breach hacking forums that was offered for sale for $1 million in 2021. When threat actor ShinyHunters first listed the AT&T data for sale in 2021, the company told BleepingComputer that the collection did not belong to them and that their systems had not been breached. Last month, when another threat actor known as 'MajorNelson' leaked the entire dataset on the hacking forum, AT&T once again told BleepingComputer that the data did not originate from them and their systems were not breached. After BleepingComputer confirmed that the data belonged to AT&T and DirecTV accounts, and TechCrunch reported AT&T passcodes were in the data dump, AT&T finally confirmed that the data belonged to them.

While the leak contained information for more than 70 million people, AT&T is now saying that it impacted a total of 51,226,382 customers. "The [exposed] information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode," reads the notification. "To the best of our knowledge, personal financial information and call history were not included. Based on our investigation to date, the data appears to be from June 2019 or earlier."

BleepingComputer contacted AT&T as to why there is such a large difference in impacted customers and was told that some of the people had multiple accounts in the dataset. "We are sending a communication to each person whose sensitive personal information was included. Some people had more than one account in the dataset, and others did not have sensitive personal information," AT&T told BleepingComputer.

The company has still not disclosed how the data was stolen and why it took them almost five years to confirm that it belonged to them and to alert customers. Furthermore, the company told the Maine Attorney General's Office that they first learned of the breach on March 26, 2024, yet BleepingComputer first contacted AT&T about it on March 17th and the information was for sale first in 2021.

While it is likely too late, as the data has been privately circulating for years, AT&T is offering one year of identity theft protection and credit monitoring services through Experian, with instructions enclosed in the notices. The enrollment deadline was set to August 30, 2024, but exposed people should move much faster to protect themselves. Recipients are urged to stay vigilant, monitor their accounts and credit reports for suspicious activity, and treat unsolicited communications with elevated caution.

For the admitted security lapse and the massive delay in verifying the data breach claims and informing affected customers accordingly, AT&T is facing multiple class-action lawsuits in the U.S. Considering that the data was stolen in 2021, cybercriminals have had ample opportunity to exploit the dataset and launch targeted attacks against exposed AT&T customers. However, the dataset has now been leaked to the broader cybercrime community, exponentially increasing the risk for former and current AT&T customers.

Update 4/10/24: Added statement from AT&T about discrepancy in numbers.

Bill Toulas

26 Apr, 2024
Home improvement retailer Home Depot confirmed with multiple publishers that it suffered a data breach due to a third-party SaaS vendor inadvertently exposing a subset of employee data. IntelBroker, the threat actor behind the attack, claims it has the information of 10,000 Home Depot employees. A Home Depot software vendor suffered a data breach leading to the compromise of an undisclosed number of employees. Reportedly, the breach was caused by a misconfigured software-as-a-service (SaaS) application.