Tech Advisor

Best password managers

If you’re still using your dog’s name to log in to your bank, you are courting disaster.

- MICHAEL ANSALDO reports

We are terrible at passwords. We suck at creating them (the top two most popular remain ‘123456’ and ‘password’), we share them way too freely, and we forget them all the time. Indeed, the very thing that can ensure our online security has become our biggest obstacle to it. This is what makes a good password manager essential.

A password manager relieves the burden of thinking up and memorizing unique, complex logins – the hallmark of a secure password. It allows you to safely share those logins with others when necessary. And because these tools encrypt your login info in a virtual vault – either locally or in the cloud – and lock it with a single master password, they protect the passwords themselves. If you’re looking to up your security game, a password manager is the way to go. Yes, web browsers are starting to offer password management features, but they’re not good enough.

But password managers vary widely in their capabilities and cost. All support Windows, macOS, Android and iOS, as well as the major browsers. And all will let you sync your data across multiple devices, though you may have to pay extra for the privilege.

WHAT TO LOOK FOR IN A PASSWORD MANAGER

At their most basic, password managers capture your username and password – usually via a browser plug-in – when you log in to a website, and then automatically fill in your credentials when you return to that site. They store all your passwords in an encrypted database, often referred to as a ‘vault’, which you protect with a single master password.

Of course, most password managers do much more than this and many extend protection beyond your login credentials to other types of personal data. We narrowed it down to a few essential features that we looked for and you should too:

Password generation: You’ve been reminded ad nauseam that the strongest passwords are long, random strings of characters, and that you should use a different one for each site you access. That’s a tall order. This is what makes password generation – the ability to create complex passwords out of letters, numbers, and special characters – an indispensable feature of any good password manager. The best password managers will also be able to analyse your existing passwords for weaknesses and upgrade them with a click.

Autofill and auto-login: Most password managers can autofill your login credentials whenever you visit a site and even log you in automatically. Thus, the master password is the only one you ever have to enter. This is controversial, though, as browser autofill has long been a security concern, so the best managers will also let you toggle off this feature if you feel the risk outweighs the convenience.

Secure sharing: Sometimes you need to share a password with a family member or co-worker. A password manager should let you do so without compromising your security.

Two-factor authentication: To an enterprising cybercriminal, your password manager’s master password is as hackable as any other password. Increasingly, password managers support multi-factor authentication – using a second method such as a PIN, a fingerprint, or another ‘trusted device’ for additional verification – to mitigate this risk. Choose one that does.

Protection for other personal data: Because of how frequently we use them online, credit card and bank account numbers, our addresses, and other personal data can be securely stored in many password managers and automatically filled into web forms when we’re shopping or registering an account.

No online security measure is 100 per cent foolproof, though, as we were reminded when LastPass, one of the most reputable password managers, recently scrambled to fix a pair of vulnerabilities that could have compromised users’ passwords and their computers. And in 2017, OneLogin was the victim of a breach that compromised customer data, including the ability to decrypt data.

Still, most security experts agree that password managers are the safest way for people to manage their myriad logins, and we agree that the benefits far outweigh the risks.

BEST OVERALL PASSWORD MANAGER: LastPass

Price: £31.20 from fave.co/2M4PqGW

LastPass remains something of a gold standard for password managers. One of the first full-featured tools of its kind, this combination vault, form-filler, and password generator ticks off all the boxes in our password manager checklist.

After you sign up and install the LastPass browser plug-in, it captures your login credentials when you visit a website for the first time. When you return to a site, a small icon appears in its login fields showing how many accounts you have stored. Clicking it opens a drop-down menu revealing each account so you can select the appropriate one. You can also select an auto-login option for each account to have LastPass sign you in automatically whenever you visit that site.

All the website accounts are managed from your ‘vault’. Websites associated with your passwords are displayed as tiles, or if you choose, in a list. On each tile are buttons for accessing your login details, securely sharing them with someone else, or deleting them. And to be honest, those are the only reasons to visit your vault; you can access individual accounts as well as LastPass’ main features right from the plug-in.

Coming up with unique, complex passwords is one of the biggest obstacles to practicing good security. LastPass dramatically eases this burden with a powerful password generator that auto-creates up to 12-character passwords using upper- and lower-case letters, numerals, and special characters. There’s also an option to make the password pronounceable for easier recall. The password generator icon appears in the login fields whenever you’re creating a new account, or you can access it anytime from your vault or the browser plug-in.

But passwords are not a set-it-and-forget-it deal. Changing your passwords every so often as a precautionary measure can strengthen your security. LastPass offers two tools to simplify this. The first is auto password change. Instead of manually logging in to an account and changing the password, LastPass will do it with the click of a button for 80 popular sites, including Facebook and Amazon. The second, Security Challenge, will audit your vault for weak, old, and duplicate passwords as well as any for sites known to have been compromised.
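The generator and vault audit described above, written out as an added example (not LastPass’s or Dashlane’s code). The character set, the 20-character default, the 60-bit threshold, the entropy estimate and the sample vault are all assumptions made for illustration.

```python
import math
import secrets
import string
from collections import Counter

# Assumed character classes: letters, numerals and a small set of specials.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!@#$%^&*-_=+")
# Tiny stand-in for a real common-password list (constructed sample).
COMMON = {"123456", "password"}

def generate_password(length=20):
    """Random password containing every class, drawn from the OS CSPRNG."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(CLASSES)
    while True:
        # Rejection sampling: regenerate rather than patch, so no position is biased.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate

def entropy_bits(password):
    """Upper bound in bits, assuming random picks from the classes in use."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def audit_vault(vault, common=COMMON, min_bits=60):
    """Map each flagged site to its findings: common, weak and/or reused."""
    counts = Counter(vault.values())
    findings = {}
    for site, password in vault.items():
        flags = []
        if password.lower() in common:
            flags.append("common")
        elif entropy_bits(password) < min_bits:
            flags.append("weak")
        if counts[password] > 1:
            flags.append("reused")
        if flags:
            findings[site] = flags
    return findings

# Constructed sample vault; the .example sites and passwords are made up.
SAMPLE_VAULT = {"bank.example": "rover2015", "shop.example": "rover2015",
                "mail.example": "123456", "forum.example": "password",
                "work.example": generate_password()}
```

The entropy figure is only an upper bound: it scores a pet’s name plus a year as if every character were random, so a real audit also needs a breached-password list far larger than the two entries used here.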

These features alone make LastPass indispensable, but it protects more than your passwords. You can create and securely store form-fill profiles that include personal data to more easily complete online purchases, reservations, and site registrations. And its Secure Notes feature lets you safely store bank account and social security numbers, safe combinations, and other sensitive info.

LastPass also recently added an Emergency Access feature that lets you designate trusted people to access your vault when you can’t.

The robust free version gives you access to most of these features plus two-factor authentication across all your desktop and mobile devices. For £31.20 a year, an upgrade to LastPass Premium adds features including Emergency Access, desktop fingerprint identification, YubiKey and Sesame multifactor authentication options, the ability to share a single item with multiple people, and LastPass for your applications. A families plan includes these premium features for up to six users for £40.80 per year.

Verdict

Given the rich features you get, LastPass should be the first password manager you try. And don’t be surprised if it’s the last. You can get plenty of mileage out of the free version, but given the added security an ultra-affordable upgrade brings, you shouldn’t be shy to open your wallet.

RUNNER UP: Dashlane

Price: $48 (around £35) from fave.co/35vY7l9

Of all the password managers we’ve reviewed, Dashlane has come closest to stealing LastPass’s crown. Easy to use and rich with features, it meets all our requirements for a top-tier password manager. But Dashlane goes beyond just managing your login credentials, providing insights for how to think smarter about security.

Dashlane’s strength has long been its elegant interface, which displays your accounts as tiles or a list. Each tile has its own fly-out menu from which you can edit your account info, securely share your login credentials, and view your password history.

As with LastPass, Dashlane includes a password changer, which you can open from the top of the password list. Unlike LastPass, which requires you to open a specific website entry to auto-change its password, Dashlane’s tool lists all of your saved websites and you can change as many passwords as you want at once by selecting the checkbox next to each entry. Dashlane’s password changer also supports 500 sites, soundly trumping LastPass’s 80.

One of Dashlane’s most attractive features in previous versions was its security dashboard, which rated the security of each password with a safety percentage as well as one of a half-dozen colour-coded descriptions ranging from ‘super safe’ to ‘Very unsafe’. That’s been replaced by a Password Health report that provides an aggregate security percentage and shows you only weak, compromised, and reused passwords. For each of these, you can click on a Replace Now button to change them.

Also new is an Identity Dashboard. You’ll get a security alert here, as well as a pop-up notification, if any of the credentials in Dashlane is breached. Premium users will also get Dark Web Monitoring, which scans and alerts you to stolen personal data found on the dark web whether the credentials have been used or not. You can associate up to five emails for scanning.

Dashlane has also added a simple VPN for secure Wi-Fi hotspot connections. After an initial set-up, you just click VPN from the menu, choose a server location from more than 20 countries and select Connect. Though any VPN can impact the speed of your internet connection, I didn’t notice any slowdown in my usage. VPN protection is only available with paid premium accounts.

Dashlane also supports auto-login, form autofill, secure notes, and secure sharing with emergency contacts. The desktop client is free to use on any single device, but to sync your password you’ll need Dashlane Premium for about $60 (around £43.50) per year. The paid plan also gives you multi-factor authentication, secure file storage, remote access, and priority support, along with the VPN and dark web monitoring. A Premium Plus plan adds credit monitoring and up to $1 million in Identity Theft Insurance for about $120 (around £87) a year.

Verdict

At this point Dashlane’s capabilities have caught up with LastPass, so the only significant differentiator is how much you have to spend to unlock each tool’s full capabilities. Dashlane’s slightly higher premium may be the deciding factor for many. But if the extra expense isn’t a concern, Dashlane is a top-shelf password manager.

LastPass displays all your login accounts as tiles in its virtual vault.

LastPass’s password generator auto-creates up to 12-character passwords using upper- and lowercase letters, numerals, and special characters.

Dashlane’s Password Health report identifies weak, compromised, and reused passwords so you can easily replace them.

Dashlane’s dark web monitoring alerts you to stolen credentials for up to five associated emails.
