Your choices are many, and that’s a good thing.
I hear ya. I have hundreds of accounts and passwords, and managing them without a password manager would be impossible.
There are many options, as I’m sure you’ve seen.
That’s good news, because many of those options do quite nicely. Pick one of those, and it’d be hard to go wrong.
Become a Patron of Ask Leo! and go ad-free!
The best password manager for you
There are several good password management alternatives available today. I happen to use and recommend 1Password, but tools like BitWarden, KeePass, Dashlane, and RoboForm are all worthy alternatives. Which is “best” becomes a matter of personal preference based on the platforms supported, ease of use, and cost. More important than which you pick is that you pick and use a password manager to enable the highest level of security with strong, unique passwords you don’t need to remember yourself.
What I use
I’ll cut to the chase and mention 1Password. It’s what I switched to after the 2022 LastPass breach.
It works on all the platforms I care about, including all my browsers, Windows, Mac, Android, and iPad. To quote the old credit card commercial: it’s everywhere I want to be.
Besides passwords, I use it to automatically fill in credit card information when I make online purchases, and I use the secure notes feature to keep additional free-form information.
While there is no free version, the paid version is quite worth it.
What I would use
If, for some reason, I could not use 1Password, I would investigate and probably switch to one of these alternatives.
- BitWarden – It’s probably the alternative I see most commonly recommended by my readers, and looks to be a very worthy equivalent.
- KeePass – A free, open-source alternative that uses a different storage model than most others.
That last item — the different storage model — is worth discussing, since some folks find it an important distinction.
Where is your data kept?
Most password vaults store your information encrypted online. That means you can fire up their tool anywhere, and a copy of your vault is downloaded and made available to you once you’ve submitted your master password.
Even though the information is securely encrypted, and thus completely useless to hackers if they could get a copy of it, this makes some people uncomfortable.
KeePass is an example of a tool that does not use server-based storage. You specify where the data is stored. There are an assortment of approaches that make your information available in many places, including placing your database on your own server, in cloud storage services like Dropbox or OneDrive, or keeping it on a thumb drive.
If this matters to you, then it’s probably the first decision I would make when choosing a password vault.
Others with good reputation
Alternativeto.net lists over 200 alternatives to 1Password for password management. I’m sure many are just fine, while others are too new to have developed a track record. It’s a popular category.
In reviewing that list, a couple of additional entries also feel reasonable.
- Dashlane
- RoboForm
While they’re not on the list of password managers I’d immediately jump to myself, these have good reputations.
(If you have a password manager you love that I haven’t mentioned, don’t take it as a slight. As I said, there are over 200 alternatives — too many to list or even form an opinion on.)
But which one is best?
Much like exercise and my advice on backing up, the best password manager is the password manager you’ll actually use.
Within limits, of course.
The good news is that I don’t believe you can go far wrong by choosing one of the password managers I’ve mentioned above. Among those, it’s a matter of personal choice.
Do this
Use a password manger.
When deciding which one to use, consider:
- Where it keeps your data.
- Which platforms it supports.
- How they make your password information available across the platforms you use.
- How complicated it feels to set up and use.
- Cost. Password security is important, and worth payment, in my opinion, but I realize that’s not an option for everyone.
You have lots of options, all good.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
The thing that keeps me from LastPass is their corporate ownership: GoTo Inc. (formerly known as LogMeIn, but now named after their most profitable line, including GoTo Meeting).
I don’t like their track record: they acquired the Hamachi VPN, which was free, and shut out the free users in favor of selling it for exorbitant prices, and there haven’t even been updates to it in the past 3-1/2 years.
When the company acquired LogMeIn, a nifty remote access tool that people used to help provide computer support to family members, they announced they were shutting down free access and gave people a WEEK to transition to the paid service or they were cut off. Then they bought out Meldium …and shut it down.
Then they bought LastPass and severely restricted the free tiers, and jacked up the prices on the paid tier.
I’d rather work with a company that’s more about service than greed. I dumped LastPass for BitWarden, which allowed a direct import of the data, and still has a free tier that not only works great, but also allows sharing between devices. For personal use the next tier up for more functions is $10/year, or get access for SIX family members for just $40/year. (I do the $10 to support them and to get the extra features.)
i would also comment, even though i never comment, since comments can be taken with a grain of salt. i used lastpass for years, but as soon as lastpass was, as best i can tell “taken over” by microsoft, is only available from the microsoft store now, it became like all other products microsoft “takes over” – skype, sysinternals suite and other reliable and useful apps, it became awkward, slow, bloated, clumsy, and more difficult to use. so i switched to applications just as powerful, but using less resources and far less cumbersome. BitWarden works nearly the same, and is far easier. KeePass has a higher learning curve but is more extensible and powerful. so, i use bitwarden, with export to backup of keepass.
Microsoft has nothing to do with LastPass. LastPass was bought by GoTo which also 0wns LogMeIn. There are many non-Microsoft apps offered in the Microsoft store.
Lastpass remains available from lastpass.com as well. You don’t need to use the Microsoft store.
The one thing I would fear and dread, is some malware author writing & uploading a nifty password vault app… complete with backdoor and sereptitious “phone home” capability.
If you’re into horror stories, no need to read Lovecraft — ’cause there’s a nightmare for you!
Then make sure you choose only a legitimate, reputable solution.
Leo, you wrote:
“Then make sure you choose only a legitimate, reputable solution.”
It’s not like you to be so naive, Leo: Given that there are dozens of password managers “Out There,” exactly how does one determine which ones are “legitimate” and “reputable,” and thus safe to choose? (Which, by the bye, was my real point.)
Easy. Use sites you already trust (like Ask Leo!, perhaps), and the information they provide (like the list of alternatives I’ve provided above) as a starting point. Not naive at all.
Stick with the ones in this article and enjoy a hack free sleep. Leave the horror stories to HP Lovecraft and Stephen King.
+1 for Bitwarden. Better than Lastpass, not equivalent to…..the $10/yr. tier gives you everything users would ever need, and every time I’ve submitted a support question I get a quick response (within 48 hrs), and follow ups. They are open source, and their interface is straight-forward and simple, the way a good password manager should be. 1Password is a decent second in my book, but their fondness for silly imagery all over their website and PrivCo status are negatives.
Roboform is way past its prime (early 2000’s), crappy support, clunky interface. RF looks and feels and operates like a distant relic from the past. People using it probably have aol.com email address. Not a serious contender anymore Leo – you should remove it from your list.
I have used Norton Password Manager (which includes an excellent password generator) for several years. I have never had any trouble with it. No, it isn’t free. It is part of the Norton 360 subscription (last November renewal was $94 – this year it will probably be a little more), but It is convenient, reliable and has an extension available in chrome for ease of use.
Why don’t you ever mention or recommend Norton 360, Leo? Norton is 100% safe and has NEVER been hacked. Also, their support is quick with a polite agent that will resolve any issue.
I recently had a problem with the chrome extension refusing to open the Norton Password Manager. They resolved it quickly. It was caused by a factory reinstall of Windows 10 I was forced to do because my computer crashed irritrievably due to it trying to restart twice in the middle of, not one, but two power failures. I did have my files backed up, but no image. so it was a real chore to get back up to speed. It took me three days (groan).
I can’t mention or list absolutely every possible solution. That you have had a good experience with it is great.
I will say this: Norton has had a long history of annoying me. From difficulty uninstalling to constant upsells (common in this industry), to other things, it’s just left a bad taste in my mouth.
I also don’t believe that an additional security suite is needed in Windows any more. The built-in tools are sufficient. So even without a password manager I wouldn’t be looking at Norton’s other tools anyway.
Finally, I prefer to get my password manager from companies whose #1 job is their password manager. Norton isn’t alone in adding a password manager to their product line, but in all these cases it always feels like “oh, we should have a password manager too, so we can check the checkbox”. I may be cynical (ok, no “maybe” about it), but I remain concerned that the password managers promoted by these companies may not always get the attention they deserve as the company’s priorities inevitably change over time.
But as I said, you’ve had a good experience, and that’s great. I’m also certain you’re not alone.
I absolutely know that using a password manager is essential these days. I started using a password manager years ago (maybe Dashlane) but upon initial setup it listed EVERY password I had ever used for a site. There were what appeared to be the “main” passwords and then others for what I assumed were other “levels?” of the site. When I tried to login to a site, I got error messages because the password was old. I found it confusing and so I just stopped using it. Have they improved in ease of use in the last 8 years? I have been told that Google’s password manager is all I need, but I do everything online and I worry that my info is just there for the taking.
So far, both me and my family have pleasant experience using 1Password, we use in our laptops and mobiles, and it seem to detect the services and sites we used to log in well. It’s nice to know too that by paying for the password manager, it may contribute to its other services being publicly free (haveibeenpwned.com).
I would join you Leo with the this comment : if you interested in security, why don’t you read Brian Crebs article on Norton,
published on Jan.6th 2022 .https://krebsonsecurity.com/?s=Norton+360+Now+Comes+With+a+Cryptominer
One question I can’t find in the article is do I have to have a copy of the Password Manager on all my machines? If I do, do I then have to buy a license for each computer? What about 2 people using the same passwords.
I tried figuring this out a while ago and got lost in the “weeds”.
This depends entirely on the specific Password Manager you choose.
Using LastPass as my example: my subscription covers *me*. Meaning all the devices I might choose to install the software on. If I don’t choose to install the software, I can still view my vault in a webpage on any machine.
I use LastPass on 6 computers 2 tablets and 2 phones with one license. There’s no device limit. You can use only one vault with a single license. Family licenses allow six vaults for a dollar more a month.
I’ve been using KeePass under Windows for about 10 years. I like the idea of open source as well as the local storage option.
You can run KeePass under Linux using Mono or Wine or you can install KeePassXC. KeePass and KeePassXC both use the same database format so you can copy your KeePass for Windows database to a Linux PC that is using KeePassXC, or vice versa.
What is wrong with using the password managers on the Edge or Firefox?
I use LassPass, so I’ll use that as an example. It works on multiple browsers and all my devices. The online vault keeps all my passwords synced on all my computers, browsers, and devices. LastPass also fills in passwords on Android apps.
Those work ONLY on Edge and Firefox, and syncronize across other devices only if you have that set up. More here: https://askleo.com/browser-remember-passwords/
I could use a reality check on the one thing that has kept me from using a password manager:
although I use a solid anti-virus program, because I must type my master password, isn’t it possible/probable that a “keylogger” can be downloaded without my knowledge and learn my master password? Of course, two factor may help, but isn’t this is potential fatal flaw?
Paul
A keylogger would get your LastPass password, but it would also get all of the passwords you type, so I don’t see that as a problem.
It is possible, yes, but with good security HIGHLY UNLIKELY. There’s no such thing as perfect security. The benefits of using a password manager far outweigh the risk of this scenario. Besides, if you have a keylogger on your machine, it’ll log whatever regardless of how you type it in.
I use Keepass (have for years and years). It allows one to enter the master password via “Secure Desktop”. While that is not foolproof against a keylogger it is some protection. In addition, Keepass also allows one to use a key file with the master password so one has to have the file “in hand” . A 2FA protection. Keepass also allows one to tie the use of the password database ONLY with one specific Windows account but obviously this limits its cross-machine/device capabilities. Keepass uses auto-type when signing into one of your accounts which is vulnerable to a keylogger but Keepass allows the use of Two-Channel Auto-Type Obfuscation (TCATO) which interjects or simulates randomly split characters between parts of the passwords. Very powerful and easy to set up with just a click of an option in each password entry. There are just so many features in Keepass but it does have a learning curve.
I use the password manager on my iPhone that is associated with my Apple ID. Any comments on the integrity of this password manager would be appreciated. Please let’s not start an Apple vs Windows discussion.
My understanding is that the Apple password manager is good, but naturally restricted only to Apple platforms. To those of us who use multiple platforms, that’s a non-starter.
Suppose I get and set up a password manager. Then suppose I lose the master password and can’t remember it. In that situation, would the passwords that I used before having a password manager still be operable on the websites that I frequent?
If you lose your master password, you lose only your password vault. All of your passwords will still work. Back up your password vault, print it out and keep it in a safe place. And you can write your master password on that hard copy.
Your current password for a service is your current password for that service, regardless of how you remember it. So if you never changed the password, then yes, the old password would still be the same password. If you changed it after you start using a password manager, then, no, the old password isn’t your password any more. You can recover account access with “I forgot my password” or equivalent when you attempt to sign in.
Have used Dashlane for some time with no complaints. I am not that great with this computer thing and am too much “over the hill” to adjust to any other PW manager.
That very thing happened to me. I couldn’t remember the master password, no how, no way.
My son couldn’t help me. I spent weeks and weeks trying to remember it. Then one day I saw it. On my cellphone. Boom, I was in and I have now recovered from a nasty mess. I now keep it on a secured device should I experience a similar event. Plus on my sons computer… just in case of loss of phone.
@Jerry Chrome, Edge and Firefox all have password managers. The passwords are not encrypted and can be easily copied by malware, hackers that get to your device or even folks you let use your device.
Even worse, if you create a google, firefox or microsoft account those passwords get stored to your account (so they can be used on other devices) you own. Many folks create those accounts to share their bookmarks and favorites — but saved passwords are part of the deal.
I assume the data in your account at Google or Microsoft or Firefox is encrypted, I just can’t say for sure how safe that is. Most password managers encrypt the data on your device before sending it to your cloud account (and vice versa). Also most password managers cannot help you if you forget your master password — there are no back doors. I can’t say the same is true for the browser accounts. Might be something Leo may be interested in checking out.
I have Lastpass but very rarely use it. Seems easier to let Google save my passwords so I can log in pretty easy. I would rather use Lastpass but the setup of each site I go to is time consuming and then if I go back to that site I have to go thru Lastpass. I am probably using it wrong and have watched a few Youtube vids which helped some but not to where it made sense to me. I may look at another p/w manager for ease of use. Recommendations please!
So, Leo, how about a Youtube vid from you showing how to set up and use Lastpass?? Would that be possible? I’m sure it would be appreciated!
Thanks!
Dan
See this article:
Installing Edge and LastPass – Ask Leo! Live
There’s an alternative that isn’t included here, but I want to mention because it’s so good. I’ve been using a program called Safe in Cloud (https://safe-in-cloud.com/) for nearly 10 years now. It started as a mobile app and now is available in Windows and iOS with integration across devices (as well as extension for Edge, Chrome, and Firefox browsers). I find Safe in Cloud to be the most useful of all password managers I’ve tried, because it has so many customizable templates, so I can create a “card” to suit every need. I use Safe in Cloud app to store any information that I need to remember but don’t want any other eyes to see, including photos of things like Driver’s License and insurance cards (so I have access to this info even when I don’t have my wallet with me). Everything is encrypted and can only be unlocked with the master password.
I’m convinced, in no short measure due to you, Leo, that I should get a password manager. In reading up on a number of them, it seemed there was a lot of upside to Last Pass. However, as one of the commentators on this article pointed out, he needed help in how to navigate the program. One of the downsides was the lack of or at least inadequacy of support. Apparently, even with a premium account, you can’t get on the phone and speak with a live person. I’d be interested in your thoughts on this, Leo.
Thanks.
Dashlane for me, I used Lastpass some years ago, it was OK, but something I don’t remember what annoyed me, so I tried a highly rated Roboform, a disaster. It kept trying to take control of my logins, entering irrelevant passwords, plus other stuff that wasn’t intuitive so I binned it. Then Dashlane came on the scene, it was simple, intuitive & customisable. The free version was limited to 1 machine, but as an early adopter I was offered a free upgrade to multiple machines, etc. And I’ve used it ever since. It’s currently generating 16 character alpha/num/special passwords on new sites, looks out for hacked sites compromising my passwords, and I can access my passwords on any of my 5 devices. Can’t ask for more.
I’ve been using Google Password Manager and I’ve been happy with it – easy to use and free. It doesn’t seem to be mentioned here so I wondered why it doesn’t get even close to the favorites list? Your article does make me think I should find out more about it (storage, etc) but again, simply using any password manager is better than not.
Everything I do is tied to Google right now, it seems, so it made sense in that way. If I am convinced to switch, I wonder if all that password info is transferred or do I start over? Hmm, that sounds risky. If it isn’t obvious, I’m not an expert, just a casual user.
I enjoy your newsletters even if I don’t understand everything!
The Google password manager isn’t cross-browser compatible. It only works across Google Chrome browsers and Android devices. If that’s all you use, it might be sufficient. Most browsers save passwords. We are mainly concerned about cross-browser password managers.