Password managers are the vegetables of the internet. We know they are good for us, but most of us are happier snacking on the password equivalent of junk food. For seven years running that has been “123456” and “password”, the two most commonly used passwords on the web. The problem is, most of us don’t know what makes a good password and can’t remember hundreds of them anyway.
Now that so many people are working from home, outside the office intranet, the number of passwords you need may have increased dramatically. The safest (if craziest) way to store them is to memorize them all. (Make sure they are long, strong, and secure!) Just kidding. That might work for Grand Master of Memory Ed Cooke, but most of us are not capable of such feats. We need to leave this job to password managers, which offer secure vaults that can replace our faulty and overloaded memories.
A password manager is handy and, more importantly, helps you create better passwords, which makes your online existence less vulnerable to password-based attacks. Also take a look at our guide to VPN providers for other ideas on how to upgrade your security, and our guide to backing up your data to make sure you don’t lose anything when the unexpected happens.
Update March 2021: We stopped recommending LastPass because it is no longer free and doesn’t offer much reason to use it. We’ve also added a section on how we test.
Special offer for Gear readers: get a one-year subscription to WIRED for $5 ($25 off). This includes unlimited access to WIRED.com and our print magazine (if you wish). Subscriptions help fund the work we do every day.
Why not use your browser?
Most web browsers offer at least a basic password manager. (This is where your passwords are stored when Google Chrome or Mozilla Firefox asks if you want to save a password.) That’s better than reusing the same password everywhere, but browser-based password managers are limited.
The reason security experts recommend a dedicated password manager comes down to focus. Web browsers have other priorities, which hasn’t left much time for improving their password managers. For example, most of them won’t generate strong passwords for you, leaving you at “123456.” Dedicated password managers serve a single purpose and have been adding useful features for years. Ideally, that leads to better security.
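To make “generate strong passwords for you” concrete, here is an added example (not code from the article or from any password manager) of what a generator must do: draw every character from the operating system’s CSPRNG and give the result enough entropy that guessing is hopeless. The common-password list and the 80-bit threshold are constructed for the demonstration; real products use far larger breach lists.

```python
import math
import secrets
import string

# Constructed sample of common passwords for the weakness check (not the real top list).
COMMON_PASSWORDS = {"123456", "password", "123456789", "12345678", "qwerty"}

# Full printable ASCII alphabet without whitespace: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character independently and uniformly from the OS CSPRNG.

    secrets.choice is backed by os.urandom; random.choice would not do,
    because Mersenne Twister output is predictable from a few observed values.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def is_weak(password: str, min_bits: float = 80.0) -> bool:
    """Reject well-known passwords and anything whose length and character
    classes cannot supply min_bits of entropy even if it were chosen at random.

    The alphabet size is estimated from the classes actually present, which is
    an upper bound: a human-chosen password has less entropy than this.
    """
    if password.lower() in COMMON_PASSWORDS:
        return True
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    if size == 0:
        return True
    return entropy_bits(len(password), size) < min_bits


if __name__ == "__main__":
    pw = generate_password()
    print(pw, round(entropy_bits(len(pw), len(ALPHABET)), 1), "bits")
    for candidate in ("123456", "Password1", pw):
        print(candidate, "weak" if is_weak(candidate) else "ok")
```

The entropy estimate is deliberately generous: it assumes the password was chosen uniformly at random, so anything it calls weak is weak no matter how it was chosen, while a human-picked string that passes may still be much weaker than the number suggests. That is exactly why letting the manager generate the password beats rating one you made up.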
How we test
The best and most secure cryptographic algorithms are all available through open source programming libraries. On the one hand, this is great, because any application can integrate these ciphers and protect your data. Unfortunately, any encryption scheme is only as strong as its weakest link, and cryptography alone won’t protect your passwords.
Here’s what I’m testing: what are the weakest links? Is your master password sent to the server? Every password manager says it isn’t, but if you watch the network traffic while entering a password, sometimes you find that it is. I’m also looking at how the mobile apps work. For example, do they leave your password store unlocked but require a PIN to get back into it? That’s convenient, but it sacrifices too much security for that convenience.
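One way to run the network-traffic check described above, as an added example that is not part of the original article: once you have captured the app’s requests with an intercepting proxy (with the proxy’s CA trusted on the test device), scan each body for the master password not just verbatim but in the cheap transforms a careless client might use, such as base64, hex, or an unsalted fast hash that an attacker could crack offline. The master password, the hostnames and the captured bodies below are constructed for the demonstration.

```python
import base64
import hashlib
import json
from urllib.parse import unquote_plus

# Forms compared case-insensitively (hex digests may be upper- or lower-case on the wire).
HEX_FORMS = ("hex", "md5", "sha1", "sha256")


def candidate_encodings(secret: str) -> dict:
    """Forms in which a master password can leave the device without any real
    protection: verbatim, base64, hex, or an unsalted fast hash that an attacker
    can crack offline. A salted, slow KDF output (PBKDF2, Argon2) is not in this
    list and is what a well-designed client should be sending instead.
    """
    raw = secret.encode()
    forms = {
        "plain": secret,
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
    }
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, raw).hexdigest()
    return forms


def find_master_password_leaks(requests, master_password: str) -> list:
    """Scan captured (url, body) request pairs and report every body that
    contains the master password in one of the forms above.

    Returns a list of (url, form) tuples in capture order. Bodies are also
    URL-decoded so form-encoded submissions (spaces as '+', '%40', ...) are caught.
    """
    forms = candidate_encodings(master_password)
    hits = []
    for url, body in requests:
        haystack = body + "\n" + unquote_plus(body)
        lowered = haystack.lower()
        for name, value in forms.items():
            found = value in lowered if name in HEX_FORMS else value in haystack
            if found:
                hits.append((url, name))
    return hits


# Constructed master password and captured traffic for the demonstration.
MASTER = "correct horse battery staple"
CAPTURED = [
    # Good: only a salted PBKDF2 authentication hash crosses the wire.
    ("https://vault.example/login", json.dumps({
        "email": "a@example.com",
        "auth": hashlib.pbkdf2_hmac("sha256", MASTER.encode(), b"per-user-salt", 100_000).hex(),
    })),
    # Bad: master password base64-encoded in a "legacy" field.
    ("https://vault.example/sync", json.dumps({
        "legacy_token": base64.b64encode(MASTER.encode()).decode(),
    })),
    # Bad: unsalted SHA-1 of the master password, upper-cased, in a form body.
    ("https://vault.example/v1/unlock",
     "user=a%40example.com&pw=" + hashlib.sha1(MASTER.encode()).hexdigest().upper()),
    # Bad: master password verbatim, URL-encoded.
    ("https://vault.example/legacy", "user=a%40example.com&pw=correct+horse+battery+staple"),
    # Unrelated traffic.
    ("https://cdn.example/app.js", "console.log('ready')"),
]

if __name__ == "__main__":
    for url, form in find_master_password_leaks(CAPTURED, MASTER):
        print(f"LEAK {form:7} {url}")
```

Two caveats a tester should keep in mind. A client that sends a salted, slow KDF output or uses a PAKE such as SRP is not flagged, which is the behaviour you want, but the scan also cannot see a master password hidden behind custom obfuscation or sent outside the proxied TLS session, so a clean result is evidence, not proof. And for very short master passwords the hex and base64 forms are short strings that can match other data by accident, so check any hit by hand.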