Best password managers
If you’re still using your dog’s name to log in to your bank, you are courting disaster. MICHAEL ANSALDO reports
We are terrible at passwords. We suck at creating them (the top two most popular remain ‘123456’ and ‘password’), we share them way too freely, and we forget them all the time. Indeed, the very thing that can ensure our online security has become our biggest obstacle to it. This is what makes a good password manager essential.
A password manager relieves the burden of thinking up and memorizing unique, complex logins – the hallmark of a secure password. It allows you to safely share those logins with others when necessary. And because these tools encrypt your login info in a virtual vault – either locally or in the cloud – and lock it with a single master password, they protect the passwords themselves. If you’re looking to up your security game, a password manager is the way to go.
But password managers vary widely in their capabilities and cost, so we compared the most popular. All support Windows, macOS, Android, and iOS, as well as the major browsers. And all will let you sync your data across multiple devices, though you may have pay extra for the privilege.
What to look for
At their most basic, password managers capture your username and password – usually via a browser plugin – when you log in to a website, and then automatically fill in your credentials when you return to that site. They store all your passwords in an encrypted database, often referred to as a ‘vault’, which you protect with a single master password.
Of course, most password managers do much more than this and many extend protection beyond your login credentials to other types of personal data. We narrowed it down to a few essential features that we looked for and you should too:
Password generation: You’ve been reminded ad nauseam that the strongest passwords are long,
random strings of characters, and that you should use a different one for each site you access. That’s a tall order. This is what makes password generation – the ability to create complex passwords out of letters, numbers, and special characters – an indispensable feature of any good password manager. The best password managers will also be able to analyse your existing passwords for weaknesses and upgrade them with a click.
Autofill and auto-login: Most password managers can autofill your login credentials whenever you visit a site and even log you in automatically. Thus, the master password is the only one you ever have to enter. This is controversial, though, as browser autofill has long been a security concern, so the best managers will also let you toggle off this feature if you feel the risk outweighs the convenience.
Secure sharing: Sometimes you need to share a password with a family member or coworker. A password manager should let you do so without compromising your security.
Two-factor authentication: To an enterprising cybercriminal, your password manager’s master password is as hackable as any other password. Increasingly, password managers support multifactor authentication – using a second method such as a PIN, a fingerprint, or another ‘trusted device’ for additional verification – to mitigate this risk. Choose one that does.
Protection for other personal data: Because of how frequently we use them online, credit card and bank account numbers, our addresses, and other personal data can be securely stored in many password
managers and automatically filled into web forms when we’re shopping or registering an account.
No online security measure is 100 percent foolproof, though, as we were reminded when LastPass, one of the most reputable password managers, recently scrambled to fix a pair of vulnerabilities that could have compromised users’ passwords and their computers. And just last month, OneLogin was victim of a breach that compromised customer data, including the ability to decrypt data.
Still, most security experts agree that password managers are still the safest way for people to manage their myriad logins, and we agree that the benefits far outweigh the risks.
Best overall password manager LastPass
Price: Free from fave.co/2M4PqGW
LastPass remains something of a gold standard for password managers. One of the first full-featured
tools of its kind, this combination vault, form-filler, and password generator ticks off all the boxes in our password manager checklist.
After you sign up and install the LastPass browser plugin, it captures your login credentials when you visit a website for the first time. When you return to a site, a small icon appears in its login fields showing how many accounts you have stored. Clicking it opens a dropdown menu revealing each account so you can select the appropriate one. You can also select an auto-login option for each account to have LastPass sign you in automatically whenever you visit that site.
All the website accounts are managed from your ‘vault’. Websites associated with your passwords are displayed as tiles, or if you choose, in a list. On each tile are buttons for accessing your login details, securely sharing them with someone else, or deleting them. And to be honest, those are the only reasons to visit your vault; you can access individual accounts as well as LastPass’ main features right from the plugin.
Coming up with unique, complex passwords is one of the biggest obstacles to practicing good security. LastPass dramatically eases this burden with a powerful password generator that auto-creates up to 12-character passwords using upper- and lower-case letters, numerals, and special characters. There’s also an option to make the password pronounceable for easier recall. The password generator icon appears in the login fields whenever you’re creating a new account or you can access it anytime from your vault or the browse plugin.
But passwords are not a set-it-and-forget-it deal. Changing your passwords every so often as a precautionary measure can strengthen your security. LastPass offers two tools to simplify this. The first is auto password change. Instead of manually logging in to an account and changing the password manually, LastPass will do it with the click of a button for 80 popular sites including Facebook and Amazon. The second, Security Challenge, will audit your vault for weak, old, and duplicate passwords as well as any for sites known to have been compromised.
These features alone make LastPass indispensable, but it protects more than your passwords. You can create and securely store form-fill profiles that include personal data to more easily complete online purchases, reservations, and site registrations. And its Secure Notes feature lets you safely store bank account and social security numbers, safe combinations, and other sensitive info.
LastPass also recently added an Emergency Access feature that lets you designate trusted people to
access your vault when you can’t. LastPass’ robust free version gives you access to all these features plus two-factor authentication across all your desktop and mobile devices. For £2.30 per month a year, an upgrade to LastPass Premium adds features including desktop fingerprint identification, YubiKey and Sesame multifactor authentication options, and LastPass for your applications.
Verdict
Given the rich features you get, LastPass should the first password manager you try. And don’t be surprised if it’s the last. You can get plenty of mileage out of the free version, but given the added security an ultraaffordable upgrade brings, you shouldn’t be shy to open your wallet. Michael Ansaldo
Runner up Dashlane
Price: Free from fave.co/35vY7l9
Of all the password managers we’ve reviewed, Dashlane has come closest to stealing LastPass’s crown. Easy to use and rich with features, it meets all our requirements for a top-tier password manager. But Dashlane goes beyond just managing your login credentials, providing insights for how to think smarter about security.
Dashlane’s strength has long been its elegant interface, which displays your accounts as tiles – indeed, LastPass recently adopted this style – but version 4 adds the option of showing them as a list
as well. Each tile has its own fly-out menu from which you can edit your account info, securely share your login credentials, and view your password history.
As with LastPass, Dashlane includes a password changer, which you can open from the top of the password list. Unlike LastPass, which requires you to open a specific website entry to auto-change its password, Dashlane’s tool lists all of your saved websites and you can change as many passwords as you want at once by selecting the checkbox next to each entry. Dashlane’s password changer also supports 500 sites, soundly trumping LastPass’s 80.
One of Dashlane’s most attractive features is its security dashboard. At the top, it gives you an overall security rating based on the cumulative strength of your
passwords, and offers suggestions for improving it by upgrading specific passwords. For example, I could get a total 6 percent rating bump by updating my Skype and LinkedIn passwords. A Detailed Password Analysis panel provides a closer look at each of your passwords, which you can sort by website, password, strength, or safety level. Clicking an info button reveals the reasons behind its rating so you can take action to improve it.
Dashlane also supports auto-login, form autofill, secure notes, and secure sharing with emergency contacts. The desktop client is free to use on any single device, but to sync your password you’ll need Dashlane Premium for $3.33 (around £2.50) per month. (You’ll first need to download the standard version and then upgrade.) The paid plan also gives you two-factor authentication and unlimited password sharing, among other perks.
Verdict
At this point Dashlane’s capabilities have caught up with LastPass, so the only major differentiator is how much you have to spend to unlock each tool’s full capabilities. Dashlane is a top-shelf password manager. Michael Ansaldo