In today’s digital age, hackers are becoming increasingly sophisticated in their efforts to gain access to your accounts and data. Aside from breaching databases and exploiting software vulnerabilities, another attack vector is your weak password.
Basic digital self-defense requires you to be using strong, unique passwords that cannot easily be cracked, for all your accounts. But how can you generate strong passwords while also keeping everything organized and secure across multiple devices? Enter the password manager.
In this guide we’re going to dive deep into various aspects of secure password management as well as examining the best password managers.
Why you need a password manager
You may be wondering if you really need a password manager at all. You might be one of those rare folks who uses one simple password for everything and has never had any of their accounts hacked. If so, congratulations. You are one lucky person.
Unfortunately, what worked for us in the past is just not good enough anymore. Let’s talk about why…
You need stronger passwords
There was a time when you could get away with using one simple password on everything. Your dog’s name, your kid’s birthday, something simple like that used to work. But today’s online crooks have upped their game. Today, the hackers who want to break into your accounts:
- Have vastly more powerful computers and faster Internet connections than they used to. This allows them to attack your accounts far faster and harder than in the past (see Brute Force Attacks).
- They are far smarter about the kinds of passwords people use. It is easy to find dictionaries of the most common passwords people use (see Dictionary Attacks).
- They have far more information to work with. Today you can buy huge amounts of information about people on the Dark Web. There is a good chance that the hacker trying to get into your bank account right now already knows your dog’s name. And your kid’s birthday. And the license plate number of your first car. And any other such information about you that might have somehow found its way into a computer.
In other words, unless you are already using strong passwords, the passwords you are using won’t protect you.
Wondering what a “strong password” looks like? I’ll tell you in the next section.
You shouldn’t trust your memory for passwords
The reason you shouldn’t trust your memory is because you need to use strong passwords. While the exact specification for a strong password varies depending on what source you check, and how long ago they specced it out, to be safe in today’s world I define a strong password as:
“A password containing at least 16 random characters. It must include letters, numbers, punctuation, and special characters.”
Here are some random examples of strong passwords, under 20 characters long:
- _hS6PW8arsgH!WP7t&2
- aM!269-9tThyEU^u>sd
- 7p4N*vMgMP_KGupA*8R
There are techniques that would let you memorize passwords like these, although it isn’t easy to do.
Security experts have shown that you need a different password for every important account (I’ll explain why in a minute). Now it becomes clear that memorization is simply not an option for numerous, strong, unique passwords.
Why you need a unique and strong password for every important account
Using one strong password for everything is a bad idea. Doing so makes things easier for the people who want to get access to all your accounts. Websites and businesses get hacked all the time.
Billions of records get stolen every year, containing all sorts of information about the victims. Many of those records contain passwords in an unencrypted form. Many people have account passwords stolen, not from their own negligence, but from a data breach – and this is becoming increasingly common.
Now, if you used the same password for all your accounts, and a hacker obtains this password in a data breach (or buys it from someone else), they basically have a master key to get access to your accounts.
So be smart and use a unique and strong password for every important account. This is very easy to do with a good password manager.
Best password managers
Here are the best password managers that we’ve used:
1. Bitwarden – Best all-around password manager
Bitwarden has been around since 2016 and it is currently my top pick for the best password manager. It is completely open source, has been audited, and offers some great apps and browser extensions.
Bitwarden stores credentials securely in the cloud, but can also be used offline in a read-only state. This functionality offers great cross-platform compatibility, allowing your passwords to be synced and accessed by simply logging in to your account. Encryption is carried out locally, with data stored securely on Bitwarden servers. And if you don’t want to store anything on Bitwarden servers (cloud), you can host your own Bitwarden instance.
The free version should provide ample features and functionality for most users, but you can also upgrade to different paid plans. While we love Bitwarden, 1Password might be a better choice for enterprise clients.
Whichever plan you choose, it is easy to make the move to Bitwarden. That’s because Bitwarden knows how to import your passwords from over 40 password managers, as well as from most web browsers.
Update: See our Bitwarden review for more details.
2. 1Password – Extra-secure password manager
All the best password managers use strong encryption to keep your data secure. But even the strongest encryption is vulnerable if you choose a weak master password. That’s because your master password is used as the encryption key for your data. And easy to remember master passwords are usually weak master passwords. 1Password solves this problem with an auto-generated Secret Key. The Secret Key is combined with your master password to create an uncrackable encryption key, one much stronger than you could possibly memorize.
1Password securely stores your credentials in the cloud, while maintaining an encrypted copy on your devices for those times when you don’t have an internet connection. Their innovative Travel Mode lets you remove credentials from your device with just a few clicks. This protects your privacy from overly inquisitive border guards or anyone else who might get their hands on your device. It only takes moments to restore the removed credentials once you are somewhere safe.
1Password is not open source, but both the company and the software have gotten good marks in recent independent security audits. 1Password plans has plans for every audience, from individual users to large enterprises.
Update: See our 1Password review for more details.
3. KeePassXC – Locally-hosted password manager
Unlike Bitwarden, which stores passwords securely in the cloud, KeePassXC stores passwords locally and requires no internet connection. Here’s a brief explanation of KeePassXC from their website:
KeePassXC is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bug fixes to provide a feature-rich, fully cross-platform and modern open-source password manager.
KeePassXC is very powerful and flexible, but it is more geared to engineers, computer professionals, and other technically-inclined people than our other favorites.
The KeePassXC project is open source with regular updates and improvements, which you can follow on their blog.
This section on the best password managers will continue to be updated with more information after we test and review other options.
Why you shouldn’t store passwords in your browser
Most web browsers offer to store your passwords for you. This might seem like an ideal way to keep track of your passwords – but it’s actually a bad idea. Here are some reasons why:
- The password security on browsers isn’t that great – even if you are using a secure browser. Usually, these passwords are stored in plaintext. There are also tools available online that can give hackers access to your computer (either physically or remote access schemes) and view/steal passwords stored in the browser.
- Your browser will only record the username and password you enter into a web page. It won’t help you generate a password, or tell you if the password is strong, or remind you that you already used this same password on 10 other pages.
Here’s how to stop your browser from saving passwords:
- Chrome: Click Settings. In the Autofill section of the window that appears, click Passwords. Turn off the Offer to save passwords and Auto Sign-In options. If you have any entries in the Saved Passwords section of this page, remove them.
- Firefox: Click Preferences. In the menu on the left side of the browser window, select Privacy & Security. Clear the Ask to save logins and passwords for websites option. Click the Saved Logins button. In the dialog box that appears, click the Remove All button.
- Brave: Click Settings. On the page that appears, select Additional Settings. In the menu that appears, select Privacy and security. In the Autofill section, click Passwords. Turn off the Offer to save passwords and Auto Sign-In options. If you have any entries in the Saved Passwords section of this page, remove them.
How password managers work
At their most basic, password managers take the form of a browser plug-in, extension, or dedicated app on your operating system. Whenever you fill in a username and password, they offer to record that information, along with the page you entered them on. From then on, whenever you visit that webpage, the password manager will offer to fill in the username and password for you.
Any good password manager will store this information secured away in an encrypted archive, using strong encryption that isn’t vulnerable to the kinds of attacks that browsers suffer. Beyond this, there are a range of additional feats your password manager might perform for you. Here are the core features/characteristics you should look for in any password manager.
Ease of use
If your password manager isn’t easy to use, you aren’t going to use it. Here are some key usability features to look for:
1. Auto capture
Auto capture is the ability of a password manager to record the login information you enter into a page. Most any password manager can do this, since most login pages are designed with Username and Password fields that the manager can recognize.
But some pages use non-standard data entry fields, or otherwise make it difficult for a password manager to record the data properly. For example, one of my banks does something weird that results in password managers failing to properly record my password. Once a manager fills in the login form, I need to manually edit the Password field with the correct data.
Once the information is captured, the app should be able to Autofill the information the next time you visit that page.
2. Autofill
Autofill is the ability to fill in the user information on a login screen or other security-type page. If you have more than one user account associated with the page, instead of Autofilling the page, the password manager should give you some way to choose which user account you want it to use when filling in the data.
3. Auto-login
This is the ability to enter user information and actually log into a site automatically. As with Autofill, Auto-Login should give you some way to select between user accounts when there is more than one associated with a particular page.
4. Password generation
While the point of a password manager is to remember the strong passwords you create for online use, humans usually aren’t good at generating strong passwords. That means for the best security, you need some way to create really strong passwords.
There are sites online that can help you do this (see: How to Create a Really Strong Password) – but your password generator can also help. In the image below, I’m using Bitwarden to generate a strong, unique password that includes characters, numbers, and upper and lowercase letters.
But you can also create your own.
How to create a really strong password
Creating a really secure password isn’t hard.
One of the most widely recommended techniques is to use a passphrase instead of a password. A passphrase is a long string of random words, instead of a long string of random characters. For example, like this: portfolio owned confident some
Optionally, you could eliminate the spaces between the words, add numbers or special characters, and so on. Because they are composed of random words instead of random characters, you can memorize a long passphrase much easier than an equivalent-length password.
It might look like using passphrases would eliminate the need to use a password manager. But the situation is similar to that for passwords. Memorizing one secure password is doable. Memorizing the 5, 10, 20 or more secure passphrases you are going to need is a whole different project. Letting a password manager create and manage secure passwords for you is a lot easier.
But don’t rule out passphrases entirely. As you’ll see shortly, there is one place where using a passphrase is a perfect choice.
It makes a lot more sense to let your password manager create strong passwords for you. You are already going to have to trust the manager, and doing it this way means that the password gets generated on your device, and doesn’t have to get shipped to you across the Internet.
Letting your password manager generates strong passwords for you right on your device is the safest way to go.
Importing passwords from your browser
While it isn’t a great idea, storing the passwords for sites in your browser is better than nothing. But now that you are going to start using a password manager, you’ll need a way to move all those passwords from your browser into the manager. That could be a real headache if you had to do it manually.
It helps if you choose a password manager that can import passwords from your browser. You may need to do some cleanup work once you import the passwords (deleting accounts you don’t use anymore, or giving accounts stronger passwords). Regardless, your data will be more secure if you import it from the browser to your password manager, then delete all the saved passwords from the browser.
Security and privacy with password managers
Using a password manager is definitely the way to go. Of course, with all your passwords and other data stored in it, you had better be sure that your password manager is secure and private. While it is impossible to guarantee any software is 100% secure and private, here are some characteristics to look for.
1. Secure access to the password manager
You should be required to log into your password manager before you can use it. That’s a given. And considering that all your secrets (or at least your passwords) will be accessible to anyone who can log in to your password manager, you will want to use a really secure password.
Tip: Create a long passphrase to use to log into your password manager for extra protection.
2. Two-factor authentication
Two-factor authentication (2FA) may be a good feature for some users. And for those new to the term, here’s a quick definition:
Two-factor authentication (2FA) is a second layer of security to protect an account or system. Users must go through two layers of security before being granted access to an account or system. 2FA increases the safety of online accounts by requiring two types of information from the user, such as a password or PIN, an email account, an ATM card or fingerprint, before the user can log in. The first factor is the password; the second factor is the additional item.
As you saw, there are various things that can be used to provide the second factor. In general, the strongest second factors are physical devices like YubiKeys or FIDO U2F security keys. While having to connect a physical device to your smartphone or laptop in order to access your passwords is a hassle, it forces someone who wants to steal your data to physically get their hands on that security key to do so. While this is more secure than using a phone number or email address as a second factor, it can create problems if you lose access to the physical device (breaks, gets lost, etc. and is not backed up properly).
3. Strong encryption
Your password manager will eventually hold a vast amount of important personal information in a database that resides on your device, in the cloud, or more likely, in both places. That means it should use secure, end-to-end encryption.
Here’s one example with Bitwarden:
Bitwarden uses AES 256 bit encryption as well as PBKDF2 to secure your data.
AES is a standard in cryptography and used by the US government and other government agencies around the world for protecting top-secret data. With proper implementation and a strong encryption key (your master password), AES is considered unbreakable.
PBKDF2 SHA-256 is used to derive the encryption key from your master password. This key is then salted and hashed. The default iteration count used with PBKDF2 is 100,001 iterations on the client (this client-side iteration count is configurable from your account settings), and then an additional 100,000 iterations when stored on our servers (for a total of 200,001 iterations by default).
Verify that your password manager is using strong encryption standards.
4. Open source code
Open source code is code that can be viewed and used by anyone. The advantage of open source code is that people can and do examine the code, looking for hidden backdoors or other problems that could compromise the security of the product (the password manager in this case).
While open source does not necessarily mean secure, it is considered to be more secure than proprietary software, where outsiders are prevented from seeing what’s going on behind the scenes.
5. Security audits
Seeing all the security and encryption that a software developer puts into their password manager is reassuring. But to really know if a password manager is secure, you will want to see a security audit of that product.
A security audit entails an outside company doing things like trying to hack into a product, auditing the source code for problems, and analyzing how encryption protocols are used in the product.
If a company conducts regular security audits of their password manager, it will likely be more secure than a product that isn’t constantly being tested in this manner. Here’s a security audit from Bitwarden, for example.
6. History of security or privacy issues
One more thing to check is whether a password manager has a history of security or privacy issues. While virtually no piece of software is immune to attacks, you may want to consider previous issues. For example, a recent report found a vulnerability that affected several major password managers (1Password, Dashlane, KeePass and LastPass), potentially leaving your master password exposed in clear text in computer memory.
While under certain circumstances, this kind of problem could give a hacker complete access to all the data stored in your password manager, using a password manager is still a safer approach than storing your passwords in your browser or using insecure passwords.
Supported platforms and browsers
A password manager is of little use if you can’t use it across all your devices (mobile, desktop, tablets, etc.). When looking for a password manager, make sure it supports all the devices, operating systems, and web browsers you use.
The best password managers generally offer:
- Native desktop applications for Windows, Mac OS, and Linux
- Mobile apps for Android and iOS
- Web browser extensions (for the most popular browsers)
Pricing (free vs paid)
As with most things, price matters. You’ll want to choose one that is priced so that you can use it everywhere you need it without going broke. Beyond that, you will probably want to choose one that offers a free or trial version.
Since you will be interacting with your new password manager constantly, it makes sense to give it a test drive before you make a permanent commitment. If possible, test drive a free or trial version of any password manager you are interested in.
Additional features you may want with your password manager
Beyond their core features, password managers try to stand out from the crowd by adding additional features. This is a place to take care, because some products offer free or low-priced versions with all the basic features, and premium versions with cool features that you might never use.
Here are several additional features you might want to look for. Since only you can know their relative importance for your particular situation, I’ve listed them in alphabetical order:
1. Application password filling
While most password managers only fill in passwords and other user information on web pages, some of them take it one step further. These products can actually enter your login data into an application running on your device. For example, while most any password manager can enter your user data on, say, the Gmail sign-in page, some can enter your credentials into desktop apps, like GoToMeeting, or your favorite game.
2. Authenticator app functionality
Here is a twist on 2FA. Some password managers, once you are logged in to them, can function as the second factor in the 2FA of other products. I’m not sure how practical this would be in regular use, particularly if you are already using a physical 2FA key on this device.
3. Digital legacy support
What happens if you die and you have important information stored in your password manager? How would your heirs get access to this information? It turns out that many of the current generation password managers have some sort of digital legacy features built into them to make it easier for your heirs to get access to your stuff.
3. Ease of switching from a different password manager
It is possible that you will want to switch password managers someday. If this seems like a good possibility to you, you may want to investigate whether your password manager can export data in a form that other password managers can import.
Look at the export option in your password manager. The more file formats it can use to export data, the better.
4. Encrypted file storage
Many password managers have added some form of encrypted file storage to their product. This allows you to store entire documents in the manager’s database, not just user credentials. In some cases, this feature is built-in to the product, while in others, it is an optional addon.
5. Password strength analysis and updating
Being able to generate strong secure passwords is great. But once you shift over to a new password manager, you will likely find that you have a lot of not-so-strong, not-so-secure passwords mixed in with the good ones.
Bitwarden has a cool feature that will check your password against a database of exposed passwords from data breaches. You’ll be alerted if you are using one of these passwords:
Some products can analyze the strength of all the passwords in the database and automatically generate better passwords for them. Some will even help you with the update process.
6. Shared access
In general, it is not a good idea to share your password manager with anyone. However, there are situations where you may want to share access to part or all of your password database, such as in a business or team setting.
Some password managers offer a structured capability to do this (instead of simply telling someone your master password). You can find everything from family plans with a limited number of users, up to corporate scale plans with lots of flexibility, and a sharing dashboard that allows you to control everyone’s access easily and efficiently.
7. Travel mode
As an international traveler, I find managing the passwords on the devices I travel with to be tricky. I don’t want some border guard to have access to all my passwords, but getting the passwords I want safe from this off my travel devices (and back on later) is a real headache.
Some products have a travel mode, which allows you to designate which passwords remain on your devices when you travel, and which should be automatically removed before the trip and restored after.
Taking advantage of Travel Mode takes some setting up, but if you travel a lot, this could turn out to be a real time saving, privacy enhancing option.
8. Web form filling
Many password managers go one step beyond filling in your username and password to filling out entire web forms. They may be able to automatically enter your mailing address, phone number, credit card number, etc. into the proper field on a form.
While the most secure approach to entering this kind of information is to do so by hand whenever necessary, this can be slow and mistake-prone.
Many sites and services offer to store the data they require in their own database and pre-fill fields for you. That is surely the fastest and easiest way to go. But when you look at the number of personal data records that get stolen or leaked or otherwise exposed every year (billions of such records every year), it becomes clear that this isn’t such a great idea.
The best balance of speed, accuracy, convenience, and security could well be to feed all this data into your password manager and let it fill out the web forms for you.
Conclusion
This wraps up the Restore Privacy password manager guide. We’ll do our best to keep this guide updated with new and relevant information, along with the best password managers as we review all the options.
A password manager is one of many critical privacy tools you should be using in the digital age – but it’s not everything. Also important is a secure browser to block tracking and a good VPN service to hide your IP address and location.
Whatever your password management needs, there is a password manager out there to get the job done.
My recent research brought me down to BitWarden and Keeper, but I don’t see any content on your site about Keeper.
Something I noticed, when I was looking at various reviews between major brands, was that Keeper had the lowest instances of 3-stars to 1-star reviews, and that’s something I have found to be pretty accurate across all kinds of digital purchases.
It’s hard to comment further, without fully vetting these various solutions, but I also don’t wanna take a plunge, or spend a week, vetting the five-or-so major password manager solutions.
I’ve been putting this off for a long time, though, and I think it’s time to find something solid.
I do a lot of reviews on various digital and marketing processes through [], so, I’d like to get this figured-out for business purposes, and also share my findings, as well.
There are over 1000 passwords stored through my chrome browser, and I’d like to setup something a little more secure! (at last!) 😛
I recently switched my 2FA management to Authy, and that kind-of lead me to looking at premium password managers.
If anyone has any thoughts on Keeper, and especially Keeper VS. BitWarden, then please shoot me a reply, and thanks! 🙂
I’ve tried Keeper before I definitely chose Bitwarden. Two reasons. First, while I liked Keeper security options, I didn’t like pretty hard way to delete the account (in case I want that). Second, free Keeper option is just not enough. For what you can get for free, none of the current password managers simply can’t beat Bitwarden.
@Ivan
Browsers that do their own password management are less secure than a proper dedicated installed password manager. I guess you know this.
If you don’t mind me asking would you be wanting something like a full separation of business and personal passwords?
1,000 passwords to import is something to consider then.
[ RoboForm can import passwords from Chrome, Firefox, Internet Explorer, and Opera. The similar features in LastPass, Dashlane, and True Key by Intel Security go even farther, deleting the passwords from the browser and turning off the browsers password capture. You’ll need to perform those cleanup tasks yourself after importing into RoboForm. ]
There’s a lot of leg work to understanding a proper choice being made, I see a site that has reviews of many Password Managers comparing the one in focus to the some others in abilities and features of the many reviews it’s done.
[https://www.pcmag.com/categories/password-managers]
They offer there 30% off the one you seemed interested in your post.
Offering choices in the discount to Unlimited, Family and BreachWatch Bundle!
[https://www.pcmag.com/reviews/keeper-password-manager-digital-vault]
This is interesting from the Subscription Fees, Payment Terms and Refund Policy > Third-party application stores may offer an auto-renewable monthly payment plan for the Software. This option will include a 7-day free trial. After 7 days, you can continue using the premium features for a monthly subscription.
And
Channel Partners, Mobile Operators & Resellers > If you receive special discounts through a Channel Partner or Value Added Reseller of the Software, those discounts may not be available if you cease to continue to be a customer of the Channel Partner or Value Added Reseller, in which case Keeper Security’s standard subscription fees will apply.
[ That’s worth asking pcmag whether the 30% off – is to be reoccurring or just a one time discount through the site. ]
[https://www.keepersecurity.com/termsofuse.html?t=v]
I still run an older Pro version of RoboForm v7 that I updated to as I felt needed for the self only on my one PC device – 19-20 years ago there wasn’t many PWM to choose from. Besides my last update to v7 was before their demise of the one-device, one-time-payment offering as then switching over to subscriptions model, unless you go their limited free offering now.
It’s on v8 that’s offered, and behind what would be consider top contenders in that field now. But I’m happy as it’s all I need… I liked the dedicated browser toolbar not an extension for IE11, and it can capture login credentials for installed programs like a VPN, etc…or when logged in to eBay and you choose PayPal as payment method the little logon window for PP account pops open. With a smaller toolbar of RoboForm appearing under this window with it’s PP login recognized and it’s a one tap operation instead having to copy and paste the two fields in.
[ Not all passwords are for unlocks to websites. There are also programs that require their own passwords. LastPass, AceBIT Password Depot 8, and RoboForm are among the few PWM that handle passwords for Windows applications as well as websites. RoboForm’s handling of this feature is very smooth. ]
I like keeping my passwords locally stored never syncing to the cloud then and on to other devices. In others words I don’t trust the mobile platform to logon from to an online account. Nor really any online usage from a mobile platform – just calls and texts.
Thank you
Ha, interesting – I was reading with multiple windows of keeper open and this came up.
[ https://www.keepersecurity.com/affiliate-50OFF.html?LSNSUBSITE=Omitted_yr7LsPS5ySE# ]
Not sure what triggered it but I had put an email address the order field.
Also still had pcmag’s review open and went to do something here at the house, had these windows open for close to two hours.
So I sent this to their 24/7 support.
“Was offered the 50% discount looking at the family plan and like to know if this price is a reoccurring subscription or just a one time discount. How long is it good for as I’m still reading and haven’t made a concrete decision. “
How about this – I see on the Keeper site –
‘Powered by Rakuten and Our partners at Rakuten ?’
We loved serving you as Ebates, and changing our name felt a bit like saying goodbye to our first car or a favorite pair of jeans. But we’ve been part of the Rakuten family for four and a half years, and taking the Rakuten name most accurately reflects who we are today: a company that gives you all the Cash Back you’re used to, with even more opportunities to save.
Rakuten is one of the world’s leading internet service companies, with businesses that span e-commerce, travel, banking, marketing and media. Founded in 1997, Rakuten is headquartered in Tokyo and employs over 10,000 people worldwide.
[https://www.rakuten.com/new-brand?t=9257724]
Chicago, IL . . . . . . . . . . . El Dorado Hills, CA . . . . Cork, Ireland
Global Headquarters . . Product Development . .Business Sales – EMEA
[https://www.keepersecurity.com/about.html]
Well it looks like there is and going to be a lot of review hype of Keeper PWM on the web and social buss lines.
[As the 50% off I see it’s only for new signups and for your first year.]
This is because they are doing both –
Keeper Influencer! – Affiliate commission through our partners at Rakuten. / Free Keeper Unlimited subscription including secure messaging and BreachWatch™ dark web scanning tool /
Exposure of your content to our audience / Pay-to-Post opportunities /
As well –
Keeper Affiliate Program –
Earn a minimum of 10% commission on all sales
Earn $5 CPL on all business leads who sign up for a demo, free trial, or request additional information
Competitive tiers and bonuses based on performance
What about sticky password?
Hey! How about iCloud Keychain? It is very convenient, yet I can’t find any information on the privacy side of it. Yeah it’s AES256 this and end-to-end that, but is it really private and secure as the others, or at least as they should be?
Turning it off and always using Bitwarden on an iPhone is a hassle, so wanted to ask, as to not make myself suffer more than needed 🙂
What about padloc? https://padloc.app/ looks like it’s also open source. Been using it for a while and so far pretty nice to use.
Hey Sven,
Great site! My recommendation is
Keepass 2 for Android! See playstore listing. It’s free, open source, no ads, voluntary donations. Too many features to list here, but stores locally and or, sync to several different clouds if you want. Generates passwords, files are encrypted, super easy to use. I hate subscription services. The developer has a neat way of asking for donations, during Octoberfest! Yes, he’s German! 😁
I wish Sven wouldn’t just recommend a product or service based on security only. The other part of the equation is simplicity, functionality and reliability.
Having used Bitwarden for over a month now on the latest iPhone I will say stay away. It’s very unreliable and crashes too frequently to be able to use. Some report your personal password information still on your device even after you close and delete your bitwarden account.
I say no to thanks to this product. It’s still in it’s beta stage.
I see your smart and at it still, please loose the political ties of your name chosen to this site and your comments made. We seen it all before beings an election year as – Your – then loyal of a office runner and still you are essentially trashing a good place…cause of this off-beat memorandum style.
This is not an arena for political named posts as in your personal views come through. I very much stated this before, and others then as well and must counter your purpose, to the snowballing effect in their troubles on top of work which Sven hasn’t time to censor them out. Use Adam or Eve, Starsky or Huch or even ‘polluted pond lily’ – billykid, heck cactuspussy being better….
Sven, any particular reason why Roboform wasn’t reviewed? I personally dislike 1Password for it’s lack of ability to create a password to use elsewhere. Creating a password based on a website visit is terrible in my experience, at least on an iPhone.
Furthermore, three years ago, former National Institute of Standards and Technology manager Bill Burr admitted that a document he authored on crafting strong passwords was misguided. “Much of what I did I now regret,” says Burr, who is 72 years old and now retired.
His advice steered everyday computer users toward lazy mistakes and easy-to-predict practices. Burr’s eight-page password document, titled “NIST Special Publication 800-63. Appendix A,” advised people to use irregular capitalization, special characters, and at least one numeral. That might result in a password like “P@ssW0rd123!” Much of what you’re suggesting too.
Even worse, Burr suggested people should change passwords regularly, at least every 90 days. This advice, which was then adopted by academic institutions, government bodies, and large corporations, pushed users to make easy-to-crack passwords. Most people can probably point to a password they’ve created that was deemed strong simply because it had a special character like the “!” or “?” symbol and a numeric string like “123.” And when prompted to change a password, who hasn’t altered it only slightly to avoid the hassle of coming up with an all-new code.
Burr suggested most recently passwords should be obscure, almost unexplainable phrases full of human randomness that make them easy to commit to memory and yet almost impossible for an automated system to make sense of.
Interesting enough, on that merit only loose the political ties of your name chosen to this site and comments. You are trashing a good place…
As it’s about technology in privacy terms restored. Nothing about political – religions and discrimination of groups/people/places and should NOT be allowed as you have done.
ST ban the whole name and amend it to just allow NotJB if poster wishes to post again.
I am really frustrated with some sites which really have very little to offer and aren’t as in demand and sensitive as banks, but Costco is just one site that comes to mind.
Costco’s website refuses to allow you to copy and past your password from your password manager or from your notepad. They go to elaborate lengths to prevent you from doing this, up to the point where their users are simply giving up or settling for a simple easy to guess password like Password1234.
I’ve witnessed this some too.
All I do is copy and paste all but last or a few of the last characters and manual type them in, as what my PW manger stored / generated. As to I use often a 32 character count or maximum a site allows.
Sonar! what a great idea…use a password manager say, like password safe…have it do tough passwords, and then when you copy and paste a password into a form, you add a couple extra cliks to the end…wow…that would mean you have none of your real passwords on your computer or flashdrives..wow…thanks, Clas
What??? How do you figure? Your passwords are still stored. How else are you able to copy and paste the passwords and then add a few of the characters manually.
at Clas if I may,
I love this site in users questions and to their answers able to be built on. That then, works as you’ve stated as in “add a couple extra clicks to the end”.
Essence then of no true copies of your passwords stored exactly and correctly available anywhere – or be set loose in the wild.
That I’d not thought of and really your good add! But they (pw’s) would need be correct for the site logon to it’s recognizing in your PW as they have it recorded of you-yours as it is with them.
Problems might foster then on what the extra characters would be and the users ability in their own retained memory of them, and their being reused then in and on every password they’d use. Needless say at the beginning or at an ending in the password the Manager hast it’s power to building the main body of a said password itself.
Simply as long example, my PWM used, (RoboForm – before version 8 and not the everywhere account), recognizes a site when I have recorded a password and my other credentials in it, for the site, as to when I visit/revisit it before any of my login actions occurs.
My PWM has a browser based toolbar for the recognition of these sites and allows this function. Otherwise it has asked me to save a new recognized login credentials for a new/old site when I use the site with an account.
Other than that I have a quick list drop-down that my PWM toolbar keeps updated in my frequently visited sites for my fast reference.
I also meant after a fail of-in where a site won’t allow the users the automatic population as way in a password by the PWM. Then I copy and paste from it’s PWM records or vault all but a one part of the last or lastly needed few characters and thus manually typing them in to bypass the site on it’s password restriction.
Sometimes this also requires clearing and cleaning in the browser of the history and cache parts. That a cleaner I run does anyway at a my browser closing. Sorry to be so wordy as I want to help others follow me – and our insights.
I’ve only used RF PWM as I’m not in need to shop for better – it’s worked for my needs very well.
ok, great comments…i made some changes today in passwords. i really didnt want to go to each site i have a password for so i did it differently…i did it in my internal program. i use password safe and its been great. i only save on my computer and not in the cloud or browser. so i opened password safe..edit..added several characters at a certain place in each password and saved. that made all of the passwords on my computer incorrect in the case that anyone would ever take them. then when i go to any of my sign in sites, i paste the password,,,go back or forward the correct number and delete the characters that i put in. i did it this morning and its really easy to sign in to a site…just a couple little steps and done. anyway, i think it added a big, tough change to all of them. and of course my clipboard is deleted as soon as i paste the password so all of this happens without password safe being open.
One comment to people having trouble copying and pasting info into a sign-in….instead of copy + paste, try copy+ control v….it works for me.
That doesn’t work on that website I mentioned. The paste functionality is blocked even when you start typing the password manually. I even disabled java which should’ve worked, but didn’t.
at Tyler
Costco’s customer support then may be needed to a personal contact by you then, as so if they have a users forum, in so much for their public policy of an understanding and to rally others united for possibly changing it – as all you’ve given in previously stated facts. Their COSTCO as a business are competing for your dollars as like so many others in the warehouse games niche in types out there.
As so I never previously named costco, just I’d been unlucky to as an witness in this for some sites.
I use Force Paste to defeat these sites. It coverts the Paste Buffer to a keyboard stream. It is available on github for MacOS. I don’t know if there is a Windows version.
https://github.com/EugeneDae/Force-Paste
What about Kaspersky password manager?
If it’s open source would be one to check on and then the in and out of having KGB ties versed some on the web periodically about the owner. Besides the US state department memo-ed for all departments sometime back to uninstall it’s av security products. No I’m not saying Russia software is bad, as I find AdGuard super. It’s more to the roll in your OS and purpose it plays that counts heavy to make minds up…and this being a restore your privacy site.
Hi, Sven!
Recently gotten more aware of the issue of internet security, started reading and in the process stumbled upon your privacy-focused site which i have been enjoying it very much.
Still only a noob tho. And have a question obviously reflecting my experience level, and here it goes: While you seemed to have promptly ditched US-based services in other categories (email, VPN and the likes), when it came to password managers that didn’t seem to have bothered you, since the first two on this list are US and Canada based, respectively.
Wondering how is that?
Sincerelly,
Guy from Sweden
It’s not as big of a concern, at least to me, with password managers. Bitwarden, my top recommendation, is also open source.
Wow, thank you for a real quick answer, Sven! Really appreciate time and effort you are putting in this page for ppl like me.
A bit curious tho as in how come that is not as big of a concern when it comes to password managers?
Or is the explanation complicated?
I am not Sven, but I will taje a shot at it.
It may be because it is open source. The code and how it works is able to be viewed and modified.
If the company or the gov were to do something, they would have to do the changes to the code. Which anyone can see. The alarm would sound loudly.
Just my guess.
To as being it’s related of (your) info is kept in an encrypted form which any user must set their own passcode to open vault or the starting to the prog/app/website itself.
Would you please consider reviewing Keeper Password Manager. Thanks.
Yep, will do.
Greetings, Sven!
Have read and followed your page for a little while now and I really appreciate all the time you put into giving us mortals vital information. Have corrected a few things in my life thanks to you.
Now, I was wondering what your take is on Mozilla’s new Password Manager model in Firefox Lockwise? I don’t know how much has changed from the regular browser saving that it was before (I mean it looks quite the same) but from how they presented Lockwise when that update came, it seems to be quite the change.
I know there are plenty of Password Managers to test out. But how about Sticky Password, Password Boss and Keeper? I believe Sticky Password gives a lot of importance to privacy and security.
Hi Sven
Maybe an update here could include info about a choice in Cloud vs. local management of your vault that’s generated as a PW Managers database.
Looking for options to store and sync your ‘vault’ of passwords and other sensitive information locally, (only on your own devices) without using ANY of the password manager service’s cloud servers for storing and syncing your sensitive database.
There’s a security advantage to syncing your passwords locally because none of the data will ever need to reach the internet, but it can be a hassle to synchronize all of your devices. Few PWM’s offer a local-sync feature.
Mostly to sidestep the hassle for now, you’ll have to sync your devices using a third-party file-sharing service such as Dropbox, iCloud, Google Drive or OneDrive.)
Far more convenient are cloud-based password managers, which include storage and syncing default modes. These services keep encrypted copies of your vault on their own servers, that ensures all your devices are always synced and should encrypt the transmissions between your devices and their servers.
There’s a risk, though small if your threat mode is the same, where that one of the cloud-based services could be compromised, and your passwords could be released out into the wild.
*Look for cloud-based password managers having any documented security issues, time to be fixed, and has allowed law or gov enforcement to breach a users passwords and data vault(s).
Whether it’s your local or cloud-synced database, a password manager puts all your eggs in one basket, so to speak, unless you were to use more than one password manager. But for most people, the demonstrable security benefits of using a password manager far outweigh their disadvantages.
Then again all password mangers aren’t created equally are they.
Thanks Sven
This is discussed in the respective password manager reviews.
Howdy Sven
Your right – why detach it from a core PWM understanding…
Granted on this topic, though it would add relevancy here to > How password managers work > core features/characteristics you should look for in any password manager.
Where as you’ve mentioned – ‘Any good password manager will store this information secured away in an encrypted archive’.
@ It stops there – to any further knowledge given of this core feature’s aspect to the generated encrypted archive – of WHERE a storage area this is being kept at after an archive has been generated within the PWM.
That’s my point as this topic’s, password-managers in summary and then what’s being conveyed here, lacks giving readers one core understanding/direction in any choice to the users as where the encrypted archive or PWM vault will/should reside.
That all I see is missing here as a general look at password managers.
Hi Sven, there seems to be a new and interesting IM service called BCM Messenger, available for both Android and iOS. Can you do a review for it and let us know if it’s safe for use and provides good privacy?
Question why every one recommend KeepassXC instead of Keepass even Privacytools and eff remove Keepass and replace it with KeepassXC. Is there any security issue with Keepass ?
At least no public issues, but Keepassx / Keepassxc are more portable then Keepass due to using Qt instead of .Net. All of the 3 share the same database format so switching between them ist quite easy.
Now NordVPN release Nordpass password manager (need to check)
+ I feel Keepass better than KeepassXC because of secure desktop feature
Hello Sven-
—
Sven new article suggestion… the implications are scary; Snowden told us time again and again about Mobile cell usage being the most dangerous thing (forget about Desktops, Laptops, and Tablets).
https://techcrunch.com/2019/12/11/aclu-cbp-ice-stingray-surveillance/
—
I’d like to hear your thoughts as always… you are my best resource and advisor!
—
Thank you,
..
Yeah the Stingray issue has been known for years, it’s a valuable tool of the state. There was also a recent case of Google handing over location data:
Google Gives Feds 1,500 Phone Locations In Unprecedented ‘Geofence’ Search
Long story short, don’t expect much privacy from your typical “smart phone”.
Fast reply! 😮
Unfortunately and I’m guilty of this as well… phone’s feel a lot more intimate than laptops and desktops. Tablets as well feel more intimate. They are our “PDA”s in this game called life. We walk around with them all day, rely on them all day, and a majority of people wait in line while staring at them like Zombies all day.
—
Configure some adblocking and a phone “feels” harmless. Popups rarely happen, and all the virus scanning software out there is snake oil that tells you “No Viruses or Malware detected.” I am aware that a mobile phone is a nuclear level threat but even I feel “safer” when browsing adult sites on my mobile phone than my main device for work and paying the bills and it simply is because it “feels” safer. But the reality it’s not.
—
There’s this speech I listened to where a person is causing havoc without any awareness of their actions. To me this speech made me think of how many people use Android and iPhone without knowing what it is they are doing when it “feels” safer than their desktop.
—
The speech:
A guy is asked to guard the nuclear button for six-months in a shift and is asked to sit around and make sure no one pushes the button. They don’t need a genius just someone with a gun to not press it. He doesn’t know what the button does. he only looks at the button and holds a gun all day (talking to himself). One day he sees the cleaning guy, and they introduce themselves, he goes for a drink with the cleaning guy, they hangout and have a few drinks, and one day the cleaning guy asks what do you do, “look at this button all day” “what’s the button do,” “i don’t know. they say it’s a big deal” “you want to press it?!” “yea, why not! Let’s see I think they are lying to me, they just want to waste my time and torture me in this cell for six months” So he presses it and each time he presses it he doesn’t realize he launches a missile. A few hours later a bunch of army men come inside with guns “Who is pressing the button?! Who is destroying the world?” Both of these drunk guys are on the floor laughing and now they have the shock of their life, “what are you talking about destroying the world? We were just pressing the button.” “You FOOL! Each time you launched a missile you killed 150 million people.” You don’t see the damage right away but you are destroying civilization. That’s using an iPhone and iOS smartphone for “privacy & safety” in year 2019. Hopefully I can try to commit this to memory but even I forget how dangerous it is to use (but how damn convenient).
Hope this resonated with someone.
Thanks,
..
@ .. Hey
Ever herd it said keep your friends close, but keep your enemies closer…
That’s exactly what smartphones and laptop are to me the enemy.
Where your keeping them closer than the fam & friends.
I’d never get cozy and imitate with one.
You might want to see this as it’s but more fudge !
DNS-over-HTTPS (DoH), can shield your browsing habits from ISPs such as AT&T, Comcast, and Verizon, who have at times showed a propensity to track users by using super-cookies and other techniques.
But security can be a two-edged sword. This technology for shielding your actions from ISPs, public hotspots, and other institutions has the potential to introduce a new privacy risk, ***the centralization of browsing habits***.
If known existing privacy leaks that DoH doesn’t solve and could exacerbate, why go there.
Unless you use a virtual private network (VPN) connection, someone with access to a public network you use can determine every web site you visit, every email server you contact, and every other kind of online server your mobile device or laptop connects with, even when each connection is encrypted.
This is also true on any shared network in which network traffic isn’t shielded from other users on the same network, or which administrators can monitor.
That’s because of the last truly exposed plumbing fixtures of the old internet as DNS, or domain name service.
DNS is an ancient system developed when the number of computers on the internet outpaced people’s ability to manually update lists of them.
Yes, it’s that old.
Instead, DNS provides a way to map a human-readable and typeable name, such as restoreprivacy.com, to the appropriate machine-oriented address, like EX: 252.101.1.11 or 2607:f8b0:4004:814:200e. (The former number uses the long-running IP version 4 notation; the latter, IPv6, allows for vastly more unique numbers and has rolled out slowly as an eventual replacement for IPv4.)
Not only do you not want to type those numbers in or memorize them.
DNS has grown vastly in complexity since its early days, allowing a single name to map to many different machine identities to allow “round-robin” access that helps balance traffic loads. It’s also used by content-distribution networks (CDNs), such as Akamai and Amazon CloudFront, to offer a server address that’s geographically closest to the device requesting it, reducing the number of internet hops and thereby improving performance.
And DNS is also a way to stash a lot of other additional information related to a domain and its owners. So-called text (TXT) records allow any arbitrary information to be added to a DNS entry. Google allows a TXT record to verify a domain ownership, just like a message is sent to an email address to validate that someone has access to that mailbox.
– – Someday there may be as many private internet portals as we have VPN services today – that is if = it keeps up like it’s going. To where they’re ending up being cloned copies of the real web but, cleaned up and locked down only to paid memberships. TOLL-NET
Password Safe. Originally written by Bruce Schneier and now maintained / updated by Rony Shapiro. Can use YubiKey for two-factor authentication. Excellent program for managing passwords. See it at: pwsafe[dot]org
https://www.reddit.com/r/Windscribe/comments/e6m0te/windscribe_keep_logs_everything/
I would use Bitwarden, especially considering that you can host it by yourself, but I still hesitate due to some privacy paranoia…
I mean it seems safer to me to use KeepassXC, hosting the file either in your Owncloud/Nextcloud (which is safe if you have certificates in place), or keeping it in a VeraCrypt container and storing the latter in Dropbox…
Is using pass (advertised a “the standard unix password manager”) for linux a good idea?
How many VPN’s work their DNS requests as vpn.ac ?
DNS SECURITY & PRIVACY DONE RIGHT
We use our own – private DNS resolvers for all DNS queries by our customers
All DNS queries are encrypted (AES 128-bit) to protect customers against 3rd party DNS monitoring and hijacking
DNS resolvers do not log DNS queries
We generate millions of DNS queries per day, and these are mixed with legitimate queries from VPN users to make sure that potential monitoring of our DNS resolvers will be ineffective
https://vpn.ac/features
Exactly. That’s superior to using a third-party DNS.
This is interesting
https://blog.powerdns.com/2019/09/25/centralised-doh-is-bad-for-privacy-in-2019-and-beyond/
The parts of – DNS & Metadata Privacy
Metadata leaks, DNS is one of four ways in which such meta-data gets transmitted in plaintext.
Thank you Sven
Yep, that’s a very good article for all the people foolishly recommending Cloudflare DNS Over HTTPS (DOH).
What does this have to do with Password Managers? =)
Well if your storing passwords in an account online someone could man in the middle attack.
I’m guessing by spoofing a site by DNS somehow. ; )
But it was actually my reply to Jon Nov 27th request for DNS services review.
– a time like now where the replies box doesn’t work correctly on all platforms.
I had to use androids to reply directly here, desktop browser wouldn’t open the reply box fields. Otherwise the new comments worked, ~and go to the top not connecting the like thoughts of the conversations together. Ok
If you store your data online, you must have a very strong password. But then you have to memorize a long … and difficult to memorize password. It is the interest of a password manager to do this work for you.
But if your password manager is online, you still have to remember an extra long password. And encode this extra long password every time you want to access other passwords.
It is therefore preferable to have a password manager locally. This reduces the need for an extra long password.
Hi Sven
Great article.
I see you mention a vulnerability in 1Password.
Could you offer overall insight into if using 1Password is a viable choice, or perhaps review them?
Best regards
Hi Sven
Great article.
I see you mention a vulnerability in 1Password.
Could you offer overall insight into if using 1Password is a viable choice, or perhaps review them?
Best regards
Yes it was named in this report. We’ll keep it in mind for a review.
Hello Sven,
When this topic-guide grows please add an image of the UI for a visual to the researched password managers.
.
I’m a desktop user (win 8.1) more so than a mobile user (android 7) and prefer my security’s end purpose from it’s platform in my web use over the mobiles platform roll.
I’m using what’s got me here in the best way I know how – so it’s not perfect as some will strongly agree. But, you can take steps to lock it’s OS down though as I’ve tried to do.
The keeping of my passwords and other crucially related credentials information locally in a password managers protected vault area, and never in the cloud – however the strong assurances to it’s (security – access) are given.
Is the route I have choose to use.
As by cloud storage it’s in their control most of all, and after all in the purpose for your multi-device syncing purposes.
I don’t need that ability of syncing my passwords to other devices, and if I did I’d find another work-a-round besides the use of cloud sync.
On the order of, installing the same password manager to the device I’d want the PW info on and coping the file structure / files info over to/from the prior (default) device.
Turning off any sync settings on a password manager especially if you don’t need a copy of your passwords it will cause to be stored to the cloud.
I have kept the same password manager as I’ve started with, as updated when it was to a versions new features or a security update over the last that made the cost worth while to update.
Not the model of “Subscriptions” as everything offering services/software has migrated over to in the past few years.
I am using a v7 versions in Desktop mode no sync (Windows/Mac only) of RoboForm Password Manager.
My desktop Win 8.1, I run in desktop mode as well without the Modern UI tiles crapola of the system as I’m just old school in nature.
Off the bat we have a US company in Fairfax, Virginia. https://www.roboform.com/about
Then is any part of it open source ? I say not as it bills itself as the original password manager back to 2000 I think.
Those two points are irreverent to me as RoboForm is blocked from syncing and to sync you’d need an account to sync anything to/from.
RoboForm uses AES-256 bit encryption with PBKDF2 SHA-256.
Offers live phone support, live chat, and 24/7 email.
My v7 version has departments of the following:
Logins
Bookmarks
Applications
Identities
Contacts
Safenotes
Besides a cool feature of the logins UI for a site login – is it does offers a note box.
– I find this helpful for a secure site that requires 4-8 security questions and answers to verify it’s you and allow further access.
This is a great place to keep the accounts Q-A as it’s related to the site your logging on to.
It’s a needed Manual effort I’ll admit, that is not captured by RoboForm as a part of the sites initial accounts startup for RF login capturing process to work.
One review site summed up the RoboForm User experience as this-
RoboForm (the program itself and its browser extensions) is so well designed that once you have the necessary usernames and passwords saved in the database, it blends into the background and feel like a natural part of your system that should have been there from the beginning.
Any thoughts are certainly welcome about RoboForm, I just haven’t found the need to change my PWM with the way that I’m actually using it – it’s rewarding and convenient with the right departments offered.
https://www.roboform.com/everywhere
I’ve seen that you made an updated review of VPN services. Great work.
Could you please review DNS services? Like CloudlareDNS, adguardDNS, keweonDNS, etc. I think this will be a great topic for your future posts.
Hey Jon, yes, we’re planning on getting something on that out, but if you are using one of the VPNs on this page, all DNS requests will be handled by the VPN, fully encrypted in the tunnel, and not visible to your ISP.
What about Lastpass? Do you recommend it? I’m paying for it right now.
Here is the LastPass review.
I use Bitwarden for more than a year, it really works good and has everything. For exp, Secure notes are inside it, so you get 2 in 1.
Along with Keepass, some recommend another open source: Lesspass, which is built on kind of unique concept… Looking forward to updates. Thanks, Sven.