Password managers are the vegetables of the internet. We know they’re good for us, but most of us are happier snacking on the password equivalent of junk food. For seven years running that’s been “123456” and “password”—the two most commonly used passwords on the web. The problem is, most of us don’t know what makes a good password and aren’t able to remember hundreds of them anyway.
Now that so many people are working from home, outside the office intranet, the number of passwords you need may have significantly increased. The safest (if craziest) way to store them is to memorize them all. (Make sure they are long, strong, and secure!) Just kidding. That might work for Memory Grand Master Ed Cooke, but most of us are not capable of such fantastic feats. We need to offload that work to password managers, which offer secure vaults that can stand in for our faulty, overworked memories.
A password manager offers convenience and, more importantly, helps you create better passwords, which makes your online existence less vulnerable to password-based attacks. Be sure to also have a look at our guide to VPN providers for some more ideas on how you can upgrade your security, as well as our guide to backing up your data to make sure you don’t lose anything if the unexpected happens.
Updated March 2021: We’ve stopped recommending Lastpass as it effectively isn’t free anymore, and doesn’t offer much of a reason to use it. We added a section on how we test.
Special offer for Gear readers: Get a 1-Year Subscription to WIRED for $5 ($25 off). This includes unlimited access to WIRED.com and our print magazine (if you’d like). Subscriptions help fund the work we do every day.
Why Not Use Your Browser?
Most web browsers offer at least a rudimentary password manager. (This is where your passwords are stored when Google Chrome or Mozilla Firefox ask if you’d like to save a password.) This is better than reusing the same password everywhere, but browser-based password managers are limited.
The reason security experts recommend you use a dedicated password manager comes down to focus. Web browsers have other priorities that haven’t left much time for improving their password manager. For instance, most of them won’t generate strong passwords for you, leaving you right back at “123456.” Dedicated password managers have a singular goal and have been adding helpful features for years now. Ideally, this leads to better security.
How We Test
The best and most secure cryptographic algorithms are all available via open source programming libraries. On one hand, this is great, as any app can incorporate these ciphers and keep your data safe. Unfortunately, any encryption is only as strong as its weakest link, and cryptography alone won’t keep your passwords safe.
This is what I test for: What are the weakest links? Is your master password sent to the server? Every password manager says it isn’t, but if you watch network traffic while you enter a password, sometimes you find, well, it is. I also dig into how mobile apps work: Do they, for example, leave your password store unlocked, but require a pin to get back in? That’s convenient, but it sacrifices too much security for that convenience.