In today’s digital age, hackers are becoming increasingly sophisticated in their efforts to gain access to your accounts and data. Aside from breaching databases and exploiting software vulnerabilities, another attack vector is your weak password.
Basic digital self-defense requires you to be using strong, unique passwords that cannot easily be cracked, for all your accounts. But how can you generate strong passwords while also keeping everything organized and secure across multiple devices? Enter the password manager.
In this guide we’re going to dive deep into various aspects of secure password management as well as examining the best password managers.
Why you need a password manager
You may be wondering if you really need a password manager at all. You might be one of those rare folks who uses one simple password for everything and has never had any of their accounts hacked. If so, congratulations. You are one lucky person.
Unfortunately, what worked for us in the past is just not good enough anymore. Let’s talk about why…
You need stronger passwords
There was a time when you could get away with using one simple password on everything. Your dog’s name, your kid’s birthday, something simple like that used to work. But today’s online crooks have upped their game. Today, the hackers who want to break into your accounts:
- Have vastly more powerful computers and faster Internet connections than they used to. This allows them to attack your accounts far faster and harder than in the past (see Brute Force Attacks).
- They are far smarter about the kinds of passwords people use. It is easy to find dictionaries of the most common passwords people use (see Dictionary Attacks).
- They have far more information to work with. Today you can buy huge amounts of information about people on the Dark Web. There is a good chance that the hacker trying to get into your bank account right now already knows your dog’s name. And your kid’s birthday. And the license plate number of your first car. And any other such information about you that might have somehow found its way into a computer.
In other words, unless you are already using strong passwords, the passwords you are using won’t protect you.
Wondering what a strong password looks like? I’ll tell you in the next section.
You shouldn’t trust your memory for passwords
The reason you shouldn’t trust your memory is because you need to use strong passwords. While the exact specification for a strong password varies depending on what source you check, and how long ago they specced it out, to be safe in today’s world I define a strong password as:
“A password containing at least 16 random characters. It must include letters, numbers, punctuation, and special characters.”
Here are some random examples of strong passwords, under 20 characters long:
- _hS6PW8arsgH!WP7t&2
- aM!269-9tThyEU^u>sd
- 7p4N*vMgMP_KGupA*8R
There are techniques that would let you memorize passwords like these, although it isn’t easy to do.
Security experts have shown that you need a different password for every important account (I’ll explain why in a minute). Now it becomes clear that memorization is simply not an option for numerous, strong, unique passwords.
Why you need a unique and strong password for every important account
Using one strong password for everything is a bad idea. Doing so makes things easier for the people who want to get access to all your accounts. Websites and businesses get hacked all the time.
Billions of records get stolen every year, containing all sorts of information about the victims. Many of those records contain passwords in an unencrypted form. Many people have account passwords stolen, not from their own negligence, but from a data breach – and this is becoming increasingly common.
Now, if you used the same password for all your accounts, and a hacker obtains this password in a data breach (or buys it from someone else), they basically have a master key to get access to your accounts.
So be smart and use a unique and strong password for every important account. This is very easy to do with a good password manager.
Why you shouldn’t store passwords in your browser
Most web browsers offer to store your passwords for you. This might seem like an ideal way to keep track of your passwords – but it’s actually a bad idea. Here are some reasons why:
- The password security on browsers isn’t that great – even if you are using a secure browser. Usually, these passwords are stored in plaintext. There are also tools available online that can give hackers access to your computer (either physically or remote access schemes) and view/steal passwords stored in the browser.
- Your browser will only record the username and password you enter into a web page. It won’t help you generate a password, or tell you if the password is strong, or remind you that you already used this same password on 10 other pages.
Here’s how to stop your browser from saving passwords:
- Chrome: Click Settings. In the Autofill section of the window that appears, click Passwords. Turn off the Offer to save passwords and Auto Sign-In options. If you have any entries in the Saved Passwords section of this page, remove them.
- Firefox: Click Preferences. In the menu on the left side of the browser window, select Privacy & Security. Clear the Ask to save logins and passwords for websites option. Click the Saved Logins button. In the dialog box that appears, click the Remove All button.
- Brave: Click Settings. On the page that appears, select Additional Settings. In the menu that appears, select Privacy and security. In the Autofill section, click Passwords. Turn off the Offer to save passwords and Auto Sign-In options. If you have any entries in the Saved Passwords section of this page, remove them.
How password managers work
At their most basic, password managers take the form of a browser plug-in, extension, or dedicated app on your operating system. Whenever you fill in a username and password, they offer to record that information, along with the page you entered them on. From then on, whenever you visit that webpage, the password manager will offer to fill in the username and password for you.
Any good password manager will store this information secured away in an encrypted archive, using strong encryption that isn’t vulnerable to the kinds of attacks that browsers suffer. Beyond this, there are a range of additional feats your password manager might perform for you. Here are the core features/characteristics you should look for in any password manager.
Ease of use
If your password manager isn’t easy to use, you aren’t going to use it. Here are some key usability features to look for:
1. Auto capture
Auto capture is the ability of a password manager to record the login information you enter into a page. Most any password manager can do this, since most login pages are designed with Username and Password fields that the manager can recognize.
But some pages use non-standard data entry fields, or otherwise make it difficult for a password manager to record the data properly. For example, one of my banks does something weird that results in password managers failing to properly record my password. Once a manager fills in the login form, I need to manually edit the Password field with the correct data.
Once the information is captured, the app should be able to Autofill the information the next time you visit that page.
2. Autofill
Autofill is the ability to fill in the user information on a login screen or other security-type page. If you have more than one user account associated with the page, instead of Autofilling the page, the password manager should give you some way to choose which user account you want it to use when filling in the data.
3. Auto-login
This is the ability to enter user information and actually log into a site automatically. As with Autofill, Auto-Login should give you some way to select between user accounts when there is more than one associated with a particular page.
4. Password generation
While the point of a password manager is to remember the strong passwords you create for online use, humans usually aren’t good at generating strong passwords. That means for the best security, you need some way to create really strong passwords.
There are sites online that can help you do this (see: How to Create a Really Strong Password) – but your password generator can also help. In the image below, I’m using Bitwarden to generate a strong, unique password that includes characters, numbers, and upper and lowercase letters.
But you can also create your own.
How to create a really strong password
Creating a really secure password isn’t hard.
One of the most widely recommended techniques is to use a passphrase instead of a password. A passphrase is a long string of random words, instead of a long string of random characters. For example, like this: portfolio owned confident some
Optionally, you could eliminate the spaces between the words, add numbers or special characters, and so on. Because they are composed of random words instead of random characters, you can memorize a long passphrase much easier than an equivalent-length password.
It might look like using passphrases would eliminate the need to use a password manager. But the situation is similar to that for passwords. Memorizing one secure password is doable. Memorizing the 5, 10, 20 or more secure passphrases you are going to need is a whole different project. Letting a password manager create and manage secure passwords for you is a lot easier.
But don’t rule out passphrases entirely. As you’ll see shortly, there is one place where using a passphrase is a perfect choice.
It makes a lot more sense to let your password manager create strong passwords for you. You are already going to have to trust the manager, and doing it this way means that the password gets generated on your device, and doesn’t have to get shipped to you across the Internet.
Letting your password manager generates strong passwords for you right on your device is the safest way to go.
Importing passwords from your browser
While it isn’t a great idea, storing the passwords for sites in your browser is better than nothing. But now that you are going to start using a password manager, you’ll need a way to move all those passwords from your browser into the manager. That could be a real headache if you had to do it manually.
It helps if you choose a password manager that can import passwords from your browser. You may need to do some cleanup work once you import the passwords (deleting accounts you don’t use anymore, or giving accounts stronger passwords). Regardless, your data will be more secure if you import it from the browser to your password manager, then delete all the saved passwords from the browser.
Security and privacy with password managers
Using a password manager is definitely the way to go. Of course, with all your passwords and other data stored in it, you had better be sure that your password manager is secure and private. While it is impossible to guarantee any software is 100% secure and private, here are some characteristics to look for.
1. Secure access to the password manager
You should be required to log into your password manager before you can use it. That’s a given. And considering that all your secrets (or at least your passwords) will be accessible to anyone who can log in to your password manager, you will want to use a really secure password.
Tip: Create a long passphrase to use to log into your password manager for extra protection.
2. Two-factor authentication
Two-factor authentication (2FA) may be a good feature for some users. And for those new to the term, here’s a quick definition:
Two-factor authentication (2FA) is a second layer of security to protect an account or system. Users must go through two layers of security before being granted access to an account or system. 2FA increases the safety of online accounts by requiring two types of information from the user, such as a password or PIN, an email account, an ATM card or fingerprint, before the user can log in. The first factor is the password; the second factor is the additional item.
As you saw, there are various things that can be used to provide the second factor. In general, the strongest second factors are physical devices like YubiKeys or FIDO U2F security keys. While having to connect a physical device to your smartphone or laptop in order to access your passwords is a hassle, it forces someone who wants to steal your data to physically get their hands on that security key to do so. While this is more secure than using a phone number or email address as a second factor, it can create problems if you lose access to the physical device (breaks, gets lost, etc. and is not backed up properly).
3. Strong encryption
Your password manager will eventually hold a vast amount of important personal information in a database that resides on your device, in the cloud, or more likely, in both places. That means it should use secure, end-to-end encryption.
Here’s one example with Bitwarden:
Bitwarden uses AES 256 bit encryption as well as PBKDF2 to secure your data.
AES is a standard in cryptography and used by the US government and other government agencies around the world for protecting top-secret data. With proper implementation and a strong encryption key (your master password), AES is considered unbreakable.
PBKDF2 SHA-256 is used to derive the encryption key from your master password. This key is then salted and hashed. The default iteration count used with PBKDF2 is 100,001 iterations on the client (this client-side iteration count is configurable from your account settings), and then an additional 100,000 iterations when stored on our servers (for a total of 200,001 iterations by default).
Verify that your password manager is using strong encryption standards.
4. Open source code
Open source code is code that can be viewed and used by anyone. The advantage of open source code is that people can and do examine the code, looking for hidden backdoors or other problems that could compromise the security of the product (the password manager in this case).
While open source does not necessarily mean secure, it is considered to be more secure than proprietary software, where outsiders are prevented from seeing what’s going on behind the scenes.
5. Security audits
Seeing all the security and encryption that a software developer puts into their password manager is reassuring. But to really know if a password manager is secure, you will want to see a security audit of that product.
A security audit entails an outside company doing things like trying to hack into a product, auditing the source code for problems, and analyzing how encryption protocols are used in the product.
If a company conducts regular security audits of their password manager, it will likely be more secure than a product that isn’t constantly being tested in this manner. Here’s a security audit from Bitwarden, for example.
6. History of security or privacy issues
One more thing to check is whether a password manager has a history of security or privacy issues. While virtually no piece of software is immune to attacks, you may want to consider previous issues. For example, a recent report found a vulnerability that affected several major password managers (1Password, Dashlane, KeePass and LastPass), potentially leaving your master password exposed in clear text in computer memory.
While under certain circumstances, this kind of problem could give a hacker complete access to all the data stored in your password manager, using a password manager is still a safer approach than storing your passwords in your browser or using insecure passwords.
Supported platforms and browsers
A password manager is of little use if you can’t use it across all your devices (mobile, desktop, tablets, etc.). When looking for a password manager, make sure it supports all the devices, operating systems, and web browsers you use.
The best password managers generally offer:
- Native desktop applications for Windows, Mac OS, and Linux
- Mobile apps for Android and iOS
- Web browser extensions (for the most popular browsers)

Pricing (free vs paid)
As with most things, price matters. You’ll want to choose one that is priced so that you can use it everywhere you need it without going broke. Beyond that, you will probably want to choose one that offers a free or trial version.
Since you will be interacting with your new password manager constantly, it makes sense to give it a test drive before you make a permanent commitment. If possible, test drive a free or trial version of any password manager you are interested in.
Additional features you may want with your password manager
Beyond their core features, password managers try to stand out from the crowd by adding additional features. This is a place to take care, because some products offer free or low-priced versions with all the basic features, and premium versions with cool features that you might never use.
Here are several additional features you might want to look for. Since only you can know their relative importance for your particular situation, I’ve listed them in alphabetical order:
1. Application password filling
While most password managers only fill in passwords and other user information on web pages, some of them take it one step further. These products can actually enter your login data into an application running on your device. For example, while most any password manager can enter your user data on, say, the Gmail sign-in page, some can enter your credentials into desktop apps, like GoToMeeting, or your favorite game.
2. Authenticator app functionality
Here is a twist on 2FA. Some password managers, once you are logged in to them, can function as the second factor in the 2FA of other products. I’m not sure how practical this would be in regular use, particularly if you are already using a physical 2FA key on this device.
3. Digital legacy support
What happens if you die and you have important information stored in your password manager? How would your heirs get access to this information? It turns out that many of the current generation password managers have some sort of digital legacy features built into them to make it easier for your heirs to get access to your stuff.
4. Ease of switching from a different password manager
It is possible that you will want to switch password managers someday. If this seems like a good possibility to you, you may want to investigate whether your password manager can export data in a form that other password managers can import.
Look at the export option in your password manager. The more file formats it can use to export data, the better.
5. Encrypted file storage
Many password managers have added some form of encrypted file storage to their product. This allows you to store entire documents in the manager’s database, not just user credentials. In some cases, this feature is built-in to the product, while in others, it is an optional addon.
6. Password strength analysis and updating
Being able to generate strong secure passwords is great. But once you shift over to a new password manager, you will likely find that you have a lot of not-so-strong, not-so-secure passwords mixed in with the good ones.
Bitwarden has a cool feature that will check your password against a database of exposed passwords from data breaches. You’ll be alerted if you are using one of these passwords:
Some products can analyze the strength of all the passwords in the database and automatically generate better passwords for them. Some will even help you with the update process.
7. Shared access
In general, it is not a good idea to share your password manager with anyone. However, there are situations where you may want to share access to part or all of your password database, such as in a business or team setting.
Some password managers offer a structured capability to do this (instead of simply telling someone your master password). You can find everything from family plans with a limited number of users, up to corporate scale plans with lots of flexibility, and a sharing dashboard that allows you to control everyone’s access easily and efficiently.
8. Travel mode
As an international traveler, I find managing the passwords on the devices I travel with to be tricky. I don’t want some border guard to have access to all my passwords, but getting the passwords I want safe from this off my travel devices (and back on later) is a real headache.
Some products have a travel mode, which allows you to designate which passwords remain on your devices when you travel, and which should be automatically removed before the trip and restored after.
Taking advantage of Travel Mode takes some setting up, but if you travel a lot, this could turn out to be a real time saving, privacy enhancing option.
9. Web form filling
Many password managers go one step beyond filling in your username and password to filling out entire web forms. They may be able to automatically enter your mailing address, phone number, credit card number, etc. into the proper field on a form.
While the most secure approach to entering this kind of information is to do so by hand whenever necessary, this can be slow and mistake-prone.
Many sites and services offer to store the data they require in their own database and pre-fill fields for you. That is surely the fastest and easiest way to go. But when you look at the number of personal data records that get stolen or leaked or otherwise exposed every year (billions of such records every year), it becomes clear that this isn’t such a great idea.
The best balance of speed, accuracy, convenience, and security could well be to feed all this data into your password manager and let it fill out the web forms for you.
What are the best password managers?
Rather than trying to answer this question in this article, we’ll simply refer you to our in-depth guide on this topic: Best Password Managers.
Our top recommendations are as follows:
Conclusion
This wraps up the Restore Privacy password manager guide. We’ll do our best to keep this guide updated with new and relevant information, along with the best password managers as we review all the options.
A password manager is one of many critical privacy tools you should be using in the digital age – but it’s not everything. Also important is a secure browser to block tracking and a good VPN service to hide your IP address and location.
Whatever your password management needs, there is a password manager out there to get the job done.
Since I am using SecureSafe as cloud storage provider, I use happily its integrated password manager. Possibly, there are more comfortable and more advanced solutions. In the end, the best password manager is the solution of the most trusted provider of the app or service, respectively.
Sven,
Do you have any thoughts on Codebook? Have you looked at it’s security? I’ve been reading through your site for the last week and have found it very enlightening. I appreciate your efforts to educate us!
Thank you,
Greg
PasswordSafe should be reviewed-
https://www.cs.ox.ac.uk/files/6487/pwvault.pdf
Hi Sven,
what’s your opinion on Enpass? That’s my choice for now.
Thanx
Hey there,
Do you know if the bitdefender password manager is a good one ?
Thanks for the reply
We have not tested it out.
Firefox does generate secure passwords. Though I agree storing passwords in browser isn’t safe. Even if the operating system device is encrypted, I think a malicious browser extension might access the password vault or intercept the login forms.
What do you think about Firefox master password + device encryption and no extensions? What do you think about sticking to only extensions recommended by Mozilla?
Sven, return the list of last posts to the main page please. Without it, I cannot know new posts on your site.
Ok, point taken. The main focus right now is on updating all our old content. But when we get some new stuff up, we can bring back the latest posts grid.
KeepassXC is best. It’s not for tech enthusiast. Its for everyone.
EFF recommended it too.
Sven, can Bitwarden be trusted with our data. I sent them several emails over a month and I didn’t so much get an auto reply. I even used another email account and still nothing. I’m becoming paranoid.
That’s a darn good question. I sent them emails as well. Their auto-fill feature on the iPhone no longer updates and reflects any changes of your Bitwarden userids and passwords despite the changes showing in the app itself. I uninstalled and reinstalled Bitwarden, but the bug remains. Bitwarden isn’t responding to me either. I think I might just delete my account, but they already have all my data. Hmm.
Hi Sven,
Appreciate the reviews and what you are doing with this site.
I wanted to see if you have heard of Blur by Abine: https://www.abine.com/index.html
I would love to hear your thoughts. In addition to being a password manager they allow you to mask your CC, make a virtual burner card, and mask email for online ordering.
Would also like your thoughts on their other product DeleteMe.
@Sven,
Quick question,
I am using FreeOTP+ for 2fa.
Would you say to tue that with a password management as well, or is that good by itself?
Correction. I just changed to Aegis. Open Source, Encrypted, and off F-Droid so no trackers. Really good so far.
Nice list! Can you take a look at Strongbox for IOS and OSX?
https://strongboxsafe.com/
Thank you!
Keep up the good work!
Hello Sven!
I was wondering about Firefox Lockwise. I heard they use AES-256 Encryption, There I suppose it would be better then the average browser based PM. Still, I would love to get a second opinion.
Yep, it looks like a good option.
Hello Sven!
Just so you know you listed both “Ease of switching from a different password manager” and “Digital legacy support” in the third place.
Great article! I have switched from Avast PWs to Bitwarden.
Hey Sam, thanks for the heads up. Typo fixed.
Hi,
Have you ever approached SafeInCloud (https://safe-in-cloud.com/en/)?
Any chance to review it too?
Thx & all the best,
Miko
Which one you recommend and go free or paid doesn’t matter with me and have you heard dashlane?
It’s really boils down to how you’d use it and that means thoughts given to syncing in the linking of the different devices in your web chain to your being online. That makes it a personal matter of choice.
My advice is take a couple of tries with the free versions offered, to only of a few accounts in non-importance to you – ex: not your bank. Testing them few by honing in on what makes a difference to you. If the free version cuts it right, stay there. If not try paying a month for the one’s that hits the most points of why you’d want it over others you’ve considered to try… Toss up and weeding out this is better to run a couple of paid options by the month at first.
Settling on one to migrate over to and go a distance with.
Thanks
Hi @ Dennis – again,
Correction : ‘I’ve been a very happy RoboForm’
Meant it as – I’ve been a very happy RoboFormer
Hope the prior was helpful if not brings you insights… ; )
Hi @Dennis,
I agree with Sven, as “integrated” – is a much better user friendly way to go! Then how far that integrations ability would go to study of your needs. Especially across different devices you’d use and then any privacy browser as well – you’d want to switch between of your choice and a devices OS platform allows.
‘keeping passwords in a file and then copy pasting it’ – it’s doable but more PassWords you have or generate to use, means sorting through many up on many sometimes. That is a Local storage concept and benefit of no syncing > to clouds > devices owned – – which I prefer anyways. You could look for a folder encryption software and protect your passwords in a text file with, but keeping it updated and useful tolls the user.
I’ve been a very happy RoboForm and it’s dedicated browser PW toolbar not an extension, and it can overall capture login credentials for installed programs like a VPN, etc…or when logged in to eBay and you choose PayPal as payment method the little logon window for your PP account pops open. With a smaller version toolbar of RoboForm appearing under this pop up window with it’s PP login recognized and it’s a one tap operation instead having to copy and paste the two fields in.
Though, a few years short and it’s almost a decade now since the (last FULL uncrippled freeware version) for windows machines was offered out.
[http://www.321download.com/LastFreeware/page7.html#AI RoboForm]
Try this to keep your users involvement impact toll low to those demands in a password text file storage locally method.
I’m not so sure in how much RoboForm has crippled the currant free version but that’s still an option.
Thank you.