LastPass, Dashlane, 1Password and the free edition from Bitwarden all provide great ways to juggle hundreds of safe, unique passwords. But which one is right for you?
By Nicole Nguyen
Dealing with passwords is about as pleasant as cleaning gutters or filing taxes. But it is just as important.
I hate telling people to eat their vegetables—even virtual ones. Still, if you don’t have strong, unique passwords for every online account, it’s time to dig in. Don’t wait until someone’s stolen your identity or wiped your bank account.
You’ve probably heard of password managers. They might sound complicated, but setting up your password fortress doesn’t have to be painful. These services remember all of your passwords and can generate secure new ones. When you go to a login page on a web browser and even in many apps, the manager will automatically fill in what you need to access your account. Some even comb the web to alert you if any of your information shows up in a security breach.
A significant change to one of the most popular managers, LastPass, is why I have passwords on the brain again. On March 16, LastPass Free users will need to upgrade to the service’s premium plan—typically $36 a year but currently offered to them for $27 a year—if they want to continue syncing passwords across their devices. While I’m a fan of LastPass, its free plan is no longer a good choice.
The best password managers work on as many platforms as possible—which is why we generally recommend independent services over the password savers built into browsers and operating systems. I tested the most popular ones, in a quest for high security, broad options and ease of use. Here’s what I found:
Easiest to use:1Password ($35.88 a year for individuals, $59.88 for families of up to five) has a user-friendly design and multiple layers of security baked in for a good price. 1Password doesn’t have a free tier—security is something we believe is worth paying for. “Free software almost always involves compromises,” a 1Password spokesman said. “We can focus our efforts on developing new ways to defend your data instead of collecting or exploiting it.”
Like other password managers, you can organize passwords into different collections: one for personal accounts, one for work, one for shared family logins. Travel Mode is unique to the service—it’s for people who need to hide sensitive information when traveling to countries where they fear their phone might be searched.
Dashlane ($59.99 a year for individuals, $89.99 for families of up to five) is also easy to use, and is a good choice if you’re interested in additional features such as a built-in VPN (aka virtual private network) for accessing the internet more securely, and a dark-web monitoring service that keeps an eye out for hackers who might have your credentials.
I ultimately opted for 1Password, because of the price. (I also thought Dashlane’s Mac Safari browser extension, now in beta, was buggy. A Dashlane spokeswoman said the team is working on a fix.)
Best service with emergency access: It’s a tie between Dashlane and LastPass Premium ($36 a year for individuals, $48 for families of up to six). Both let you grant a trusted contact access to your vault if you’re dead or incapacitated. Features like this are important because our lives are so tied up in our digital accounts, as my colleague Joanna recently covered. If something happens to you, your designee can request access to your vault. You can set a specified delay period between three hours and 30 days, during which you can deny that access if you’re able.
LastPass Premium isn’t as sleek as Dashlane, but it’s a very capable password manager, also with dark-web monitoring, plus a gigabyte of encrypted file storage (and a good Safari browser extension). If you use Safari, and don’t need the VPN, go with LastPass.
1Password views this kind of emergency access as a security threat. In a forum post, a company employee explained that a domestic abuser, to get into a password vault, could hold a victim against his or her will. He suggests storing a printout of your secret key code and your master password in a safe-deposit box or with your attorney.
Best free option:Bitwarden has a full-featured free plan for individuals and two-person businesses that syncs an unlimited number of passwords across devices. The service has many key basics: end-to-end encryption, secure password generator, two-factor login and apps for every desktop platform, browser and mobile operating system, plus access via the web.
A premium membership ($10 a year for individuals, $40 for families of up to six) is required for bells and whistles, such as an exposed-passwords report and enhanced login protection.
“We are a for-profit company, but we find it completely harmonious and compatible to offer a basic manager for free,” said Michael Crandell, Bitwarden’s CEO. Many users who start with the free plan eventually decide to upgrade, he added.
Once you’ve picked a password manager, you can manually add in all of your old passwords. If you store passwords in your computer’s Chrome browser, you can export them and then import them into your new password manager. (Apple doesn’t have a similar password export option.) If you are switching from one password manager to another, exporting passwords is usually an option, too.
Password managers will improve your digital life. But whether you get one or not, there are four simple rules of password protection you need to know.
Rule #1—Don’t rely on passwords alone.
Use two-factor authentication, also known as 2FA, wherever possible. This requires an additional code or validation sent to another device.
In general, turning on 2FA is better than not having it at all. But if you have the choice, use an app authenticator (I like Authy) over a plain text message. It works when you don’t have cellular reception, and isn’t susceptible to SIM hijacking—where a hacker, targeting someone with a valuable account, cons that person’s phone number from the wireless carrier. You can call your carrier and add a passcode to your wireless account for added security.
Rule #2—Make long passwords.
The term “password” should be retired. The new hotness is passphrase. “Password length is a more important factor than complexity, because a longer password is harder to decrypt,” said Jameeka Green Aaron, chief information security officer at customer-authentication company Auth0.
For example, the passphrase “Raccoon Doorknob Spacecraft” would take centuries to crack, according to Bitwarden’s free password-strength testing tool. Meanwhile, according to the checker, a 12-character string, with uppercase and lowercase letters, symbols and numbers, could take an attacker just three years to crack. Most password managers let you set the length of automatically generated passwords.
Rule #3—Make it unique.
Whatever you do, don’t reuse passwords. It’s the most common way accounts get hacked, Ms. Aaron said. If hackers discover your password used in one place, they try it in other places. This is where password managers come in. Use them to create strong unique passwords and store them for all your accounts.
Rule #4—Have a backup plan for your backup plan.
The key to your password manager is a master password, along with a device to authenticate your login. A good password manager doesn’t know what your master password is—and can’t help you recover your account.
So, to be a good password parent, you need to think of the worst-case scenario: What if you lose the device your two-factor authentication codes are sent to? What if you forget your master password?
Authy syncs authenticator codes across several devices (say, your phone and your iPad), which helps if you lose one. Setting up a physical security key, such as YubiKey, as an additional authenticator is another protective measure. As for remembering your master password, the best solution is low tech: Write it down on a piece of paper and stow it away with the rest of your most important documents. It’s safer in the physical world than it is in the digital one.