Password managers are the vegetables of the internet. We know they’re good for us, but most of us are happier snacking on the password equivalent of junk food. For seven years running, that has been “123456” and “password,” the two most commonly used passwords on the web. The problem is, most of us don’t know what makes a good password and can’t remember hundreds of passwords.
Now that so many people work from home, outside the office intranet, the number of passwords you need may have increased dramatically. The safest (if craziest) way to store them is to memorize them all. (Make sure they are long, strong and secure.) Just kidding. That might work for Master of Memory Ed Cooke, but most of us are not capable of such amazing feats. We need to offload that work to password managers, which provide secure vaults that can stand in for our memory.
A password manager offers convenience and, more importantly, helps you create better passwords, making your online existence less vulnerable to password-based attacks. Read our guide to VPN providers for more ideas on how you can upgrade your security, as well as our guide to backing up your data to make sure you don’t lose anything if the unexpected happens.
Update August 2022: We’ve updated pricing and added some notes on the FIDO Alliance’s efforts to phase out passwords and why we’re no longer using LastPass.
Why not use your browser?
Most web browsers offer at least a rudimentary password manager. (This is where your password is stored when Google Chrome or Mozilla Firefox asks if you want to save it.) This is better than reusing the same password everywhere, but browser-based password managers are limited.
Security experts recommend using a dedicated password manager for a reason: web browsers have other priorities and haven’t had much time to improve their password managers. For example, most of them won’t generate a strong password for you, leaving you right back at “123456.” A dedicated password manager has a single goal and has been adding useful features over the years. Ideally this leads to better security.
WIRED readers also asked about Apple’s macOS password manager, which syncs through iCloud and has some nice integrations with Apple’s Safari web browser. There’s nothing wrong with Apple’s system. Actually, I used Keychain Access on a previous Mac and it worked great. It doesn’t have some of the cool extras you get with dedicated services, but it does take care of securing your passwords and syncing them between Apple devices. The main problem is that if you have any non-Apple devices, you won’t be able to sync your passwords with them, as Apple doesn’t make apps for other platforms. All in on Apple? Then this is a viable, free, built-in option worth considering.
What about the “death of the password”?
There has been a concerted effort to get rid of the password since about two days after the password was invented. Passwords are an issue – there’s no arguing that – but we don’t see them disappearing in the near future. The latest attempt to remove passwords comes from the FIDO Alliance, an industry group that aims to standardize methods of online authentication. It has support from many major browser manufacturers, but we have yet to see a working demo. Still, this is an attempt we are watching, because it has more promise than what has come before. At least for now, you still need a password manager.
How we test
The best and most secure cryptographic algorithms are available through open source programming libraries. On the one hand, this is great, because any application can incorporate these algorithms and keep your data safe. Unfortunately, any encryption is only as strong as its weakest link, and encryption alone won’t keep your passwords secure.
Here’s what I check: What are the weakest links? Is your master password sent to the server? Every password manager says it’s not, but if you watch the network traffic while typing in the password, sometimes you find that it is. I also dug into how mobile apps work: Do they, for example, store your password but require a PIN to sign in again? That is convenient, but it sacrifices too much security for that convenience.
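One way to run the master-password check described above against a browser or proxy capture exported as HAR, as an added example that is not from the original article: it searches every outgoing request's URL, headers and body for the password in plaintext and common encodings. The password, the vault.example URLs and the capture itself are constructed sample data.

```python
import base64
from urllib.parse import quote, quote_plus

def encodings(secret):
    """Map each verbatim form the secret could take on the wire to a label."""
    raw = secret.encode("utf-8")
    candidates = [
        ("plaintext", secret),
        ("url-encoded", quote(secret, safe="")),
        ("form-encoded", quote_plus(secret)),
        ("base64", base64.b64encode(raw).decode()),
        ("hex", raw.hex()),
    ]
    forms = {}
    for label, value in candidates:
        forms.setdefault(value, label)  # identical encodings are reported once
    return forms

def find_leaks(har, secret):
    """Return (url, location, encoding) for every request carrying the secret."""
    forms, hits = encodings(secret), []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        fields = {
            "url": req["url"],
            "headers": " ".join(h["value"] for h in req.get("headers", [])),
            "body": req.get("postData", {}).get("text", ""),
        }
        for location, text in fields.items():
            hits += [(req["url"], location, label)
                     for value, label in forms.items() if value and value in text]
    return hits

# Constructed sample: a throwaway master password and a HAR-shaped capture.
SECRET = "correct horse!battery#staple"
def _req(url, body="", headers=()):
    return {"request": {"url": url, "postData": {"text": body},
                        "headers": [{"name": n, "value": v} for n, v in headers]}}
SAMPLE_HAR = {"log": {"entries": [
    _req("https://vault.example/api/login", '{"auth_hash": "9f2c51d0a7"}'),
    _req("https://vault.example/api/telemetry", "event=unlock&pw=" + quote_plus(SECRET)),
    _req("https://vault.example/api/sync",
         headers=[("X-Debug", base64.b64encode(SECRET.encode()).decode())]),
]}}

if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_HAR, SECRET):
        print("master password seen in request:", hit)
```

A clean result only rules out these verbatim encodings; a client that wraps the password in another encrypted or compressed layer before sending it would not be caught this way.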