In a hurry? The best password manager of 2020 is Dashlane
Dashlane is an advanced password manager with all the functionality you would expect from a market-leading brand: a free VPN, a one-click password importer and changer, dark web monitoring and encrypted storage.
A great password manager can be a game-changer. This is particularly true during this pandemic, where millions are being forced to work from home, and it explains why so many of us have been searching for the term "password managers" over the past few months.
Most of us have scores of online accounts, and it's all too easy to fall into the habit of reusing the same password for multiple different sites. It might be convenient, but it also leaves us in real danger; if just one of those sites is compromised, all your accounts will be at risk.
A good password manager will not only save you the effort of remembering dozens of different logins for all your online accounts, it will also help keep them secure by generating strong passwords that are impossible to guess, and storing them all safely in an encrypted vault.
We evaluated dozens of password managers but ended up testing only a handful of them, which we trusted. Choosing the best one is an important decision, so we've put all the best options to the test, and picked out the ones that we'd trust to secure our own account details. Many of the password managers here offer both free and paid accounts, so you can pick one that suits your needs, and your wallet.
Bear in mind that this buying guide focuses primarily on individual/consumer offerings. Check out our best business password manager buying guide for business and enterprise grade password management platforms. We've also featured the best password generators around.
The free version of Dashlane is a capable password manager for a single device, storing logins for up to 50 accounts in a secure vault with multi-factor authentication. Like LastPass, it can do much more than just fill in passwords for you; it can also store all kinds of information and fill out forms with delivery addresses and contact details automatically.
So far so good, but Dashlane's premium service is even more impressive. Not only does it let you synchronize all your passwords across all your devices (both desktop and mobile), it also monitors the dark web for data breaches and sends you personalized alerts if any of your stored details appear in a batch of stolen data.
There's secure file storage too (ideal for scanned ID documents, insurance policies and receipts) and even a VPN for browsing the web more securely via Wi-Fi hotspots.
Unsurprisingly, all of this comes at a price, and Dashlane's premium plan is one of the most expensive options around, but the extra services (plus remote account access and priority support) do justify the cost.
LastPass is easy to use, super secure, packed with features, and offers both free and premium tiers so you can choose the option that suits you best.
All data is stored using AES 256-bit encryption with PBKDF2 SHA-256 and salted hashes to keep it secure, and it's not limited to passwords either. You can also store credit card details and delivery addresses so they can be entered automatically when you're shopping online, plus encrypted notes, details of insurance policies and much more besides.
The free version of LastPass is superb, but premium accounts are very reasonably priced and offer an extremely useful extra feature: the ability to log into apps on your phone. Very few password managers offer this, and it could prove invaluable if you ever lose your phone, preventing people accessing your emails and social media.
One of our favorite LastPass features is its support for multi-factor authentication, which helps protect you from phishing attempts by requiring an additional form of authorization to log into your accounts, such as a code generated by a mobile app or a fingerprint scan. Although it's becoming more widespread, not all sites and services offer this yet, so having all your logins secured in a vault that's protected this way is a real boon.
There's no free version of Keeper Password Manager, but you can try it for 30 days before deciding whether to commit to a subscription.
As you'd expect from a purely premium product, Keeper is one of the most sophisticated password managers around. Not only does it offer plugins for every major browser, plus mobile apps for iOS and Android, it's also available as a desktop app for Windows, macOS and Linux. There's support for biometric authentication on mobile devices too, and it syncs your data across an unlimited number of devices.
Like the paid-for version of Dashlane, Keeper will warn you if any of your passwords appear in a data breach. It will also alert you if any of your passwords are particularly weak, or have been re-used, and help you create strong replacements.
There's an excellent family plan as well. This not only protects the login details of everyone in your household, it also lets you share files securely between one another and offers an encrypted messaging tool that's a solid alternative to WhatsApp if you'd prefer to avoid Facebook products.
RoboForm is another versatile password manager, with plugins for all the major browsers and mobile apps for both iOS and Android.
The free version is superb, providing you with a secure vault for your logins (though you also have the option of only storing your data on your device if you prefer), an auditing tool to help you identify weak or duplicated passwords, and a password generator for replacing them with strong, unguessable combinations of numbers, letters and special characters.
Unlike LastPass, the free version of RoboForm doesn't sync your passwords across multiple devices. For that you'll need a premium subscription, but prices are very reasonable. You'll also get a host of other useful features, including the ability to share logins securely, multi-factor authentication, and priority 24/7 support.
LogMeOnce is a password management solution that offers cross-platform support, so whatever device you use, whether desktop or mobile, your passwords and logins are still accessible as required.
Unusually, LogMeOnce gets rid of the need for a master password by putting in place additional security settings, so that you can't get locked out of your account simply by forgetting your master password.
It's also a service that offers additional security features, which includes the ability to encrypt and store your logins online to help with accessibility.
However, rather than just rely on passwords, LogMeOnce also offers biometric options, such as a selfie, fingerprint, face ID, as well as a PIN or password. The increased number of options means you can apply different levels of security to different logins.
As with other password managers, LogMeOnce is built to provide Single Sign On functionality, so once you're logged in with a service you shouldn't expect to need to keep signing into the self-same service.
NordPass offers a very capable password manager with browser plugins for Chrome, Firefox, Edge, and Opera, as well as desktop apps for Windows, macOS, and Linux, plus iOS and Android mobile devices.
As well as storing encrypted passwords, NordPass can suggest strong passwords and offer to safely and securely store credit card and banking details for faster checkouts on ecommerce websites.
With the premium edition, you can then sync this information across up to 6 devices per licence. The free version only allows one, but you get to try out other premium features for a week.
Another positive is that there is no limit on the number of passwords you can save, unlike some others that have restrictions. However, one limitation is that it won't autofill form fields such as your name, address and email, as some other password managers do.
Overall, though, NordPass is a very capable password manager that does a little more than would be expected, and though the missing autofill is annoying, apparently it's currently in development for a future release.
mSecure covers all the essentials you need from a password manager. There’s no limit on how many entries you can keep and the built-in categories enable you to store much more than passwords. All entries support custom fields and you can also separate entries into groups in lieu of simple tags.
The password generator included in mSecure works well, but it wasn’t our favorite. There’s no option to force it to produce human-readable words. As a result, every password is a truly random string that’s hard to type if you don’t have auto-fill enabled. Notably, you also can’t access the password generator without creating a new record in mSecure.
mSecure is a quality password manager for individuals, with customizable templates and syncing across devices. It's also an affordable password manager that’s capable enough for most individual users. The only major thing missing is secure password sharing for families and teams.
If you need to share passwords between members of a team, Zoho Vault offers the granular control you need. Zoho Vault’s user management, permissions, and password policy features set it apart from personal password managers and you can make batch changes to passwords with ease.
Zoho Vault can integrate with third-party enterprise apps like Gmail, Dropbox, Microsoft Active Directory, and Microsoft 365. Enterprise users can use Single Sign On (SSO) with cloud apps like Salesforce and Slack, and as Zoho Vault has an API, it’s possible to integrate it with any of your own apps.
Zoho Vault has excellent security, fine control over users and passwords, and superb third-party integrations. It’s also inexpensive, and customer support is one of the best we’ve seen in a password manager service.
We don’t particularly recommend it for personal use as most of the features are geared towards teams, making the interface somewhat complex, but it’s an outstanding password manager for organizations and corporates.
1Password is a password manager solution that aims to provide protection not just for individuals or organizations but also provides a shared password protection system for families.
There are two main service provisions, with one being for individuals and their families, allowing either a single user or a family of up to five people to use the 1Password service for protected logins. There's also a business service that offers protection for those working from home, as well as teams and enterprises in general.
As well as providing all of the above, 1Password protects you from breaches and other threats, such as keyloggers and phishing attempts, and will only work in verified browsers.
The result is a very secure and competent password manager that covers both personal use and corporate use, such as working from home, without compromising your security.
Bitwarden is open-source software that is user friendly and highly secure, and includes almost everything individuals, teams, and businesses require in a password manager.
Bitwarden’s basic plans focus on the meat of password management, but even the free plans include multi-device sync, optional self-hosting, and unlimited online storage. Premium plans include reports on your passwords that highlight things like weak passwords and unsecured websites.
The paid-for plans include features for managing the passwords of a larger workforce, with password sharing, fine-grained access control, user groups, two-step login, and multi-factor authentication.
Bitwarden is not just one of the best free password managers available, it’s so usable and feature-packed it could put paid password managers out of business.
Moving beyond passwords and 2FA
We caught up with Ben Todd, Head of Worldwide Sales at Nomidio, a biometric MFA provider, to discuss the future of passwords and two-factor authentication.
Since the beginning of IT the humble combination of a username and password has secured our access to information. In today’s digital world this model is still the norm for both consumers and employees logging in to websites, applications, VPNs and cloud services. But it’s time for an urgent rethink because the model is broken.
Contrary to popular belief, the problem isn’t really about hackers’ brute force attacks to crack passwords, although this does happen. The real issue is the number and frequency of data breaches where user credentials are leaked and then made available for sale on the dark-web. In fact, according to Verizon’s latest breach report, 80% of hacks today aren’t really hacks but bad actors simply logging-in with valid user credentials they’ve obtained elsewhere.
There’s the rub for the cyber security world. It doesn’t matter how well we secure the pipes with strong encryption or how effective a Security Operations Centre is, if someone can easily obtain credentials and log-in ‘legitimately’ our best efforts have gone to waste. Passwords are also the root cause of a terrible and stressful user experience, which might go some way to explaining why younger generations appear to have given up on applying them properly.
Password habits are getting worse, not better
You might imagine that digital natives, those younger generations born into a connected world, are more able to protect themselves online. Unfortunately, new research we commissioned confirms that younger generations have significantly riskier password habits than their parents, with 24% of those aged between 24 and 38 (Millennials) using the same password for all their accounts, compared to just 2% of baby boomers.
With 14% of younger generations reporting they have never changed their password it’s easy to see how the bad guys can use credentials stolen from one place to log-in somewhere else. Perhaps worse still it is now common for young people (62%) to voluntarily share credentials for services like Netflix with friends and family, perhaps sending them using unencrypted email or messaging accounts.
The purpose of this research isn’t to bash the young but rather to highlight that the way we ask people to authenticate today is too cumbersome for users and is in fact the root cause of the booming identity theft industry. It is telling that analysts from Gartner said in a recent report “Data breaches of personally identifiable information (PII) are rendering checking of static identity data (usernames and passwords) obsolete”.
2FA to the rescue?
The logical response over the last few years has been to layer additional ‘factors’ on top of the password. By asking people to validate their identity based on ‘something they have’, by entering a one-time passcode sent to their mobile phone or email, we can make life much harder for hackers.
Two-factor authentication or ‘2FA’ has grown in popularity and is now an integral aspect of the Strong Customer Authentication requirements for e-Commerce payments. The majority of large companies also ask employees to use 2FA when logging-in.
Unfortunately this makes a poor experience even worse as it really doesn’t make sense for someone’s identity to be tied to their device. What happens if you’re trying to log-in to a work application to make a deadline while you’re out on the road and your phone runs out of battery? Or you use an authenticator app and then you lose your phone? Perhaps this is why only 25% of respondents to our survey said they regularly enable 2FA when it’s an option.
There are also question marks about how much longer 2FA will hamper the bad guys, with a number of recent phishing attacks evolving to trick users into voluntarily disabling their 2FA protection. The problems with identity require root and branch reform; 2FA is a nice try but we need to be far more ambitious.
Is Multi Factor biometrics the answer?
A multi-factor authentication approach based on biometrics has the potential to deliver a step-change in security and the user’s experience. In a world where employees are logging on across public networks, from anywhere, we can no longer offer them a ‘perimeter’. Instead we must invest in modern authentication that helps users to securely and easily access services whenever and wherever they want.
Rather than asking users to remember a password we store their biometric identifiers, a voice and face print, so we can authenticate against those across any device they’re logging in from. We combine the biometric check with additional ‘silent’ factors that increase security still further. So from a user’s perspective all they need to do is present their face and they’re in.
With underlying protocols like OpenID Connect, website, application or cloud service providers can easily allow an identity provider such as Nomidio to add biometric authentication on top of their systems. For the user this makes their biometric identity widely interoperable and behind the scenes it works in exactly the same way as logging-in with Facebook or Google.
With a well-engineered biometric authentication service we can also decouple someone’s identity from their device. We often describe this as ‘the Netflix effect’, because the biometric checking happens in the cloud rather than locally on a device, a user can move between their laptop, phone or a third-party device and still log-on using their face.
People have understood biometrics hold the answer to more secure authentication for a number of years but it’s been hard for all but the largest companies to deploy the technology. But the economics and complexity are improving and we believe we’re a great example. Any company, large or small, can implement Nomidio for passwordless biometric authentication quickly and simply by consuming our cloud service from AWS.
If we’re serious about tackling identity theft and data breaches then we must transition away from usernames and passwords because they’re the reason that people need to store their personally identifiable information with lots of organisations. It’s that personal information that’s lost and which is then used to perpetrate more hacks.