Using a password manager is one of the best steps you can take to protect your security online. A good password manager makes it easy to generate unique, strong passwords, and it will then securely save them so they’re available wherever you need them, whether that’s on your phone, laptop, tablet, or desktop computer. Basically, they take 90 percent of the work out of being safe online.
Hopefully, at this point everyone knows why it’s important to use a unique password for each of your online accounts. The short version is that using one password everywhere means that if just one site you use gets hacked, an attacker potentially has the password that unlocks your entire online life. Breaches still matter if you use a password manager, but at that point it’s a case of resetting just one password rather than dozens.
Although different password managers have different selling points, most offer the same core set of features. They generate passwords which they securely store, and they’ll prompt you to save passwords when you use them on websites. They’ll also sync your passwords across devices and autofill them into websites and apps when required.
There are many good password managers available that charge a monthly fee, but for this guide we’re going to be focusing on free services. All of them have paid subscription tiers, but for most, the free tier offers the essential core features of a password manager.
Our pick for the best for most people is Bitwarden.
The best for most people: Bitwarden
Bitwarden has basically everything you could want out of a password manager. It’s available across iOS and Android; it has native desktop applications on Windows, macOS, and Linux; and it also integrates with every major browser including Chrome, Safari, Firefox, and Edge.
Bitwarden’s security has also been audited by a third-party security company, and although it uses the cloud to sync your passwords between devices, it says it stores them in an encrypted form that only you can unlock. You also have the option of protecting your Bitwarden account with two-factor authentication to provide an extra layer of security.
Importing our passwords was easy, and Bitwarden has guides for many popular password managers in its support pages. It supports biometric security on iOS and Android, and all of its software is nicely designed and easy to use.
Bitwarden does have paid tiers, but we think most people will be able to do without most of the features they offer. Paying gets you access to encrypted file attachments, more second-factor security options, and reports on the overall security of the passwords you have in use. But even on the free tier, you can perform checks to see if individual passwords have been leaked in a password breach. Paying also gets you access to a built-in one-time code generator for two-factor authentication, but it’s easy and arguably more secure to use a separate app for this.
As part of our research, we also tried a variety of other password managers. Of these, Zoho Vault is another feature-packed free option, but its interface isn’t as good as Bitwarden’s.
Zoho Vault’s iOS and Android apps are nice enough, but its browser extension is a little clunky and buries useful features like its password generator behind one too many submenus. It’s also unclear if the software has gone through a third-party security audit; the company didn’t respond to our query in time for publication.
There were two other free password managers we felt weren’t up to Bitwarden and Zoho Vault’s standards. Norton Password Manager has the advantage of coming from a well-known cybersecurity company. But we found the way it attempts to simplify its setup process actually makes things more confusing, and Norton’s support pages didn’t do a great job at helping us work out where we’d gone wrong. Norton tells us it regularly has third-party companies do penetration testing for its software.
We also gave LogMeOnce a try, but we weren’t reassured by the presence of ads in its smartphone app. It also asked for many more permissions than the other password managers we tried. The company says this is necessary to enable its optional Mugshot feature, which attempts to give you information about unauthorized attempts to access your account. The company says it regularly hires third-party security researchers to test its products.
Until recently, LastPass would have been included as a free password manager, but it’s making some changes to its free tier on March 16th that mean it will be much less usable as a free password manager. After that date, free users will be able to view and manage passwords on just a single category of devices: mobile or computer. “Mobile” subscribers will have access to phones, tablets, and smartwatches, while “Computer” subscribers will be able to use the service across PCs, Macs, and browser extensions. Given how most people switch between these two classes of devices on a daily basis, we think this will severely limit how useful LastPass’ free tier will be for most people.
Our focus on simplicity also means we’ve excluded KeePass, an open-source password manager that mostly relies on third-party apps on non-Windows platforms. (There is a separate page that links all the various downloads available, depending on your OS.) Forks of the software include KeePassX and KeePassXC, which offer official apps for more platforms. However, if you want to sync your passwords between devices, you have to use a third-party storage service such as Dropbox or Google Drive, which adds complexity.
Beyond the free options, there’s a huge array of paid password managers out there. Some of these have free tiers, but they’re so restrictive that they’re effectively not usable as a day-to-day password manager. 1Password is perhaps the most well-known paid option, but others include NordPass, RememBear, Passwarden, Dashlane, RoboForm, and Enpass, all of which limit their free versions in ways that we think make them unsuitable for long-term use.
Finally, most modern internet browsers offer built-in password management features, but we think it’s worth taking the time to store your passwords in a standalone service. It gives you more flexibility to switch platforms and browsers in the future, and password managers also generally have interfaces that are better suited to the task of storing passwords. To make things simpler for yourself, you might want to turn off the built-in password manager in your browser once you’ve picked a standalone version to use, so you don’t run the risk of having passwords stored in two places at once.
Update March 9th, 11:57AM ET: Updated with Norton’s confirmation of third-party pen testing and to add more details about KeePass.