Forgetting the password for an important website can send you down the rabbit hole of figuring out the password reset procedure. It’s really tempting to use something so simple you won’t forget it or to memorize just one tricky password and use it everywhere. However, both strategies set you up for failure. For instance, a hacker can easily guess or brute-force a simple password. A data breach can expose whatever complex password you create, too, thus compromising each account that uses it.
The only solution is to use a different password for every account, and make them both long and random. There’s no way you can remember dozens of strong passwords like that, so that’s why you absolutely need a password manager.
What’s that you say? You can’t afford to buy yet another security tool? In truth, you can’t afford not to. The potential hit, financial and otherwise, that could result from using weak passwords could cost you plenty. Never fear. Quite a few password managers cost precisely nothing, and some offer feature sets that rival the best paid password managers.
However, when you put all of your passwords into one repository, you’d better be extremely careful to protect that repository. That’s where your master password comes in. This password is used to encrypt the contents of your password vault, so it needs to be as strong as possible. On the flip side, it is unlikely that you can recover it if you forget it. Store your master password in a secure place or risk permanently losing access to your password manager.
Setting up two-factor authentication is another way to mitigate the risk of possible attacks. Two-factor authentication could be biometric, requiring a fingerprint, facial recognition, or even voice recognition. Some password managers rely on mobile authenticator apps such as Google Authenticator or Microsoft Authenticator; others use SMS-based authentication methods. Allowing access only from registered, trusted devices is yet another form of two-factor authentication.
For most people, getting started means installing a password manager’s extension on your browser of choice. The best password managers need only the extension, so they can operate on any platform that supports the browser, but you will find some that require a desktop component.
When you log in to a secure site, the password manager captures the username and password and saves them to your vault. Some services don’t automate password capture and replay, but these may have other virtues, such as unusually strong security or the ability to fill credentials in secure desktop applications. For the sake of convenience, we strongly recommend that you avoid password managers that cannot capture and replay passwords.
The best password managers capture your credentials during account creation; when you change your password online, they offer to update the stored password for that site. Of course, password capture only works if the password manager recognizes that you’re logging in to a secure site, so non-standard login pages can cause trouble. Some products cleverly solve this problem by letting you manually capture all data fields on a page. Others actively analyze popular secure sites whose login pages don’t fit the norm, creating scripts to handle each site’s oddball login process.
When you revisit a site for which you’ve saved credentials, most password managers can automatically (or with a click or two) fill the saved data. If you have more than one set of credentials, you can choose which one to fill. Another handy (and common) feature of most of these browser extensions is that you can directly navigate to a site and log in by clicking the entry.
Many of us are just as likely to log into a secure site from a mobile device as from a desktop computer, so it’s vital to find a password manager that syncs your credentials between all your devices. Most password managers use encrypted cloud storage to sync between devices. A few keep your data entirely local, syncing between databases on different devices without keeping anything in the cloud. The real benefit of having your password manager on your phone is that you can use it to autofill credentials for any mobile apps you use.
One great thing about free password managers is that you can try several and find out which one you like best. If you’re thinking of making such a survey, look for products that can import from other password managers. Otherwise, you have to go through the password capture process over and over for each candidate.
The point of adding a password manager to your security arsenal is to replace your weak and duplicate passwords with strong, unguessable passwords. But where do you get those strong passwords? Most password managers can generate strong passwords for you; many let you take control of things like password length, and which character sets to use. The very best ones offer a password strength report that eases the process of identifying and fixing poor passwords.
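As an added illustration (not code from this article or from any product it mentions), here is a sketch of the two features just described: a generator with user-controlled length and character sets, and a strength report that flags reused or weak entries. The symbol list, the 12-character minimum, the three-character-type rule, and the sample vault are assumptions made for the example.

```python
import secrets
import string
from collections import Counter

# Character sets a user can toggle (the symbol list is an assumed choice).
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{}",
}

def generate_password(length=20, sets=("lower", "upper", "digits", "symbols")):
    """Return a random password with at least one character from each chosen set."""
    if length < len(sets):
        raise ValueError("length too short for the chosen character sets")
    alphabet = "".join(CHARSETS[s] for s in sets)
    # One guaranteed character per set, the rest drawn from the full alphabet.
    chars = [secrets.choice(CHARSETS[s]) for s in sets]
    chars += [secrets.choice(alphabet) for _ in range(length - len(sets))]
    # Shuffle with the OS CSPRNG so the guaranteed characters are not at fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def strength_report(vault, min_length=12):
    """Flag reused and weak entries in a {site: password} mapping."""
    counts = Counter(vault.values())
    report = {}
    for site, pw in vault.items():
        issues = []
        if counts[pw] > 1:
            issues.append("reused")
        if len(pw) < min_length:
            issues.append("too short")
        classes = sum(any(c in cs for c in pw) for cs in CHARSETS.values())
        if classes < 3:
            issues.append("few character types")
        if issues:
            report[site] = issues
    return report

# Constructed sample vault (not real credentials).
SAMPLE_VAULT = {
    "mail.example": "sunshine1",
    "shop.example": "sunshine1",
    "bank.example": generate_password(),
}
```

Calling `strength_report(SAMPLE_VAULT)` flags the two entries that share a short password and leaves the generated one out of the report.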
Filling in usernames and passwords automatically isn’t so different from filling other sorts of data in web forms. Many commercial password managers take advantage of this similarity and thereby streamline the process of filling forms with personal data, such as addresses or payment card details. Some password managers also give you some storage space for secure documents, though the allotted storage is typically not sufficient to replace a dedicated cloud storage service.
In addition to using your passwords on multiple devices, you may find you want to share certain logins with other users. Most free password managers do not support secure sharing. Very few let you define an inheritor for your passwords, someone who will receive them in the event of your demise.
If you’re willing to give up a little something, you can use many for-pay password managers for free. If you see a paid password manager with features you like, check out its conditions. You may be able to get it without paying. For example, some companies let you use all the features of their product for free if you give up syncing across multiple devices. RoboForm is one that’s free for use on a single device, no syncing. Dashlane, too; but it also imposes a limit of 50 passwords for free users.
LastPass is the latest service to implement such a limitation. Soon, free LastPass users will have to choose between syncing passwords across computers (web browsers, desktops, and laptops) and mobile devices (phones, tablets, and smartwatches).
Another common tactic is to let you use the product for free but limit the number of passwords you can store. The limit for free usage tends to range between about five and 15 passwords. Kaspersky Password Manager imposes a limit of 15 total vault entries.
If you fully commit to using a password manager, you will quickly run up against these limitations. We don’t include any free password managers in this list that limit the number of passwords you can create or that can’t sync passwords across devices.
Myki Password Manager & Authenticator is our Editors’ Choice pick for free password management because it boasts a wealth of features and stores your passwords locally—a huge plus for those worried about password security. If you’re concerned about security, you should also read our best antivirus and best VPN roundups.