There are numerous reviews of password managers on the web, mostly from consumer-software or consumer-gadgets sites, and many of them tend to favor flashy features and lower prices. Here at Loose Leaf Security, we don't think the best password manager is necessarily the one with the most features or the one you can get for free: it's the one that keeps your passwords secure and also easily available, so you actually use it. That can be different things for different people, so this guide to password managers covers key features and advantages/disadvantages so you can choose the one that works best for you. (If you'd like to check out some other reviews, Lifehacker and Wirecutter have reasonably up-to-date guides, although they're both still written from a features-and-pricing standpoint.)
This is a companion page to our episodes on password managers:
- "Securing your online account passwords" (May 29, 2018)
- "Using a password manager effectively" (March 20, 2019)
- "Password managers: how they should work and when they didn't" (June 27, 2019)
What features should you look for?
As we discuss in "Using a password manager effectively," for most people, it's worth using a password manager that has a browser extension for all the browsers you use. Browser extensions are a little bit less secure than desktop apps, because they're more exposed to attacks from the web. However, desktop apps often want you to copy/paste passwords, which is risky and makes you vulnerable to phishing attacks, and they're also less convenient than an extension, which means you're less likely to actually use your password manager consistently.
Most password managers have browser extensions for all the major browsers as well as apps for the major mobile platforms. Recent versions of both Android and iOS allow you to configure a password manager app for use throughout the OS, so you can use the password manager inside your mobile browser as well as for other apps (banking, travel, etc.) you need to log into.
Some password managers support automatic password changes, where they know how to log into popular websites and change your password for you (and automatically store the new, auto-generated password). It's a little gimmicky, but convenient. Some also support an emergency access feature, where you can designate someone you trust to request access to your passwords. Once they make a request, you'll get a notification and have some time (e.g., a day or two) to object. This ensures they can get access to your accounts if you're incapacitated, but if you're able to respond, you aren't giving them (or anyone who breaks into their device) access.
A few claim to offer two-factor authentication. Since a password manager isn't really an online service, the definition of "two-factor" is a little fuzzy. Usually it means that their cloud sync service requires the "second" factor to give you access to the encrypted file, which is protected by your master password. Sometimes it means that the encryption for the file depends both on your master password and on a key on a thumb drive or hardware token. This model is stronger, but losing your second factor means permanently losing access to all your passwords, same as with forgetting your master password. As a reminder, this is one of the good reasons to keep your email password outside of your password manager - you would still be able to recover your online accounts via email password resets if this happened.
Just about all password managers offer offline access - if you're disconnected from the internet, or if the password manager's service is down or the company goes out of business, you'll still have access to your passwords where the app was previously installed. In some cases, two-factor authentication or emergency access requires the password manager's cloud service to be operational, so watch out for that.
Many password managers allow you to add custom tags or notes to passwords, which is useful for keeping track of whether you have two-factor auth enabled for the website, whether it's an account you're sharing with others (and so you need to manually coordinate changes to the password), etc.
Many password managers allow for shared password stores, so if you and your friend / family member / coworker use the same password manager, you can keep accounts in sync automatically. (We use this for the credentials backing the Loose Leaf Security website, our shared social media accounts, etc.) Sometimes this is a premium feature. A few password managers claim to support a limited sharing mode, where you can avoid revealing the password itself to the person you're sharing with: as discussed in the episode "Using a password manager effectively," this isn't a meaningful feature, and so it's not a point in favor.
It's important that your password manager's browser extension not offer auto-filling every possible password into a web page, and only offer passwords that you've associated with the web page's origin. Other passwords need to pop out a separate window for access. Otherwise, malicious code within one web page can access other sites' passwords. We'll discuss this in more detail in our upcoming episode on password manager security.
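As an added example (not code from the Loose Leaf Security page or from any of the password managers reviewed here), this shows the origin check described above: a naive prefix match that a lookalike hostname can fool, beside the exact-origin comparison an extension should use before offering a saved login to a page. The vault entries and hostnames are constructed.

```javascript
// Constructed sample vault: each entry remembers the origin it was saved for.
const SAMPLE_VAULT = [
  { site: "Example Bank", origin: "https://bank.example.com", username: "alice" },
  { site: "Example Mail", origin: "https://mail.example.com", username: "alice@example.com" },
  { site: "Legacy Site", origin: "http://legacy.example.net", username: "alice" },
];

// Weak check: treats the page URL as matching if it merely starts with the
// stored origin. "https://bank.example.com.evil.test/" starts with
// "https://bank.example.com", so the bank login would be offered there.
function naiveCandidates(vault, pageUrl) {
  return vault.filter((e) => pageUrl.startsWith(e.origin));
}

// Canonical origin = scheme + host + port, exactly as the browser defines it.
// Going through the URL parser means host and port are compared as parsed
// components, not as substrings of a string.
function pageOrigin(pageUrl) {
  const u = new URL(pageUrl);
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    throw new Error("autofill only applies to http(s) pages");
  }
  return u.origin;
}

// Entries a page may receive through auto-fill: exact origin match only.
// A different scheme, a lookalike host, a subdomain, or a non-default port
// is a different origin and gets nothing.
function autofillCandidates(vault, pageUrl) {
  const origin = pageOrigin(pageUrl);
  return vault.filter((e) => new URL(e.origin).origin === origin);
}

// Everything else stays behind the extension's own popup window, so page
// script never sees those entries.
function popupOnlyEntries(vault, pageUrl) {
  const allowed = new Set(autofillCandidates(vault, pageUrl));
  return vault.filter((e) => !allowed.has(e));
}
```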
Comparison of password managers
The top five contenders these days (in alphabetical order) are 1Password, Dashlane, KeePass / KeePassXC, Keeper, and LastPass. We have not tried all of these ourselves. (In the interest of disclosure, both of us currently use 1Password, because it works the best with our devices. We are not affiliated with and have not received payment from any password manager company, and we specifically don't endorse 1Password for everyone - it's just what works for us.) Our episode "Password managers: how they should work and when they didn't" includes a hard look into the security records of these popular password managers.
1Password has no free offering; their basic account is $36/year. Sharing requires the "Teams" plan, $48/year, or the Families plan, which is 5 licenses for $60/year. They have a web interface for your passwords, which is a little less secure than an app (even though decryption still happens on your computer), but they also have desktop apps for Windows and macOS. Linux users can get a command-line tool but not a full app.
1Password is currently unique in supporting a "travel mode" that removes all your passwords except the ones marked "safe for travel," primarily to protect you when searched at international borders. You can turn this on and off from the website only.
- Mobile apps: Android and iOS
- Browser extensions: The older extension, which requires the desktop app, supports Chrome, Firefox, Safari, Opera, and Edge. Their newer one, "1Password X", requires current versions of Firefox or Chrome and works without the desktop app (so it works on Linux and on Chromebooks) and opens the web interface in a new tab for more involved tasks.
- Sharing: Yes, by creating a shared "vault". Sharing requires a Teams or Families account.
- Automatic password change: no
- Emergency access: no (team/family admins can restore access to an account but it requires them responding to an email instead of having a time delay)
Dashlane's free offering does not support password sync across multiple devices (the encrypted file is only stored locally), but has most other features you'd expect. A Premium account is $40/year. Dashlane works either via desktop apps on Windows and Mac, or via standalone browser extensions that do not require the app installed.
- Mobile apps: Android and iOS.
- Browser extensions: Chrome (including Chromebooks), Firefox, Internet Explorer, Edge, and Safari.
- Sharing: If both users are on the free plan, they can share and synchronize up to 5 items. Premium users have unlimited sharing.
- Automatic password change: Yes, currently only on the Windows, Mac, and iOS apps. You can also bulk-change several passwords.
- Emergency access: yes
KeePass / KeePassXC
KeePass and KeePassXC are both free / open-source software options, which we're generally sympathetic to (especially for security / cryptographic software), but the polish isn't quite as good as with the commercial options. If you're running Linux and/or you're a free-software person yourself, this is probably one of your better options. If not, it will be easier to get sync, browser extensions, mobile apps, etc. working with the other, commercially-supported products.
Notably, keeping passwords in sync between multiple devices is entirely do-it-yourself: you'll need to place the encrypted file in your favorite cloud storage system or otherwise arrange to synchronize it between your devices. Unlike the other options, there's no cloud service that handles it for you. If the thought of entrusting your passwords to a service run by a for-profit company makes you uncomfortable, it might be appealing. (That said, if you end up syncing passwords through a commercial cloud storage service - which is probably the most reliable option - it's not clear there's a meaningful advantage here.)
KeePassXC is the EFF's suggested password manager.
KeePass has been around since 2003, but originally supported Windows only. There was a cross-platform rewrite called KeePassX, which was abandoned in 2016 and is now maintained by another team under the name KeePassXC. It supports all of Windows, macOS, and Linux well (packages are in all major Linux distros). KeePass itself now uses .NET so you could run it with Mono on other OSes, but that's somewhat involved.
- Mobile apps: There are unofficial apps for Android, iOS, Windows Phone, Blackberry, and many others; see KeePass's long list of recommendations and KeePassXC's shorter recommendations
- Browser extensions: KeePassXC-Browser works in Firefox and Chrome, but it requires a desktop app. On a Chromebook, try Tusk, which is read-only. KeePass has an overwhelming number of suggestions on their 2003-era web page, none of which look obviously right.
- Sync: KeePassXC has no built-in sync; they recommend using your favorite cloud storage tool (Dropbox, Google Drive, etc.) to synchronize the encrypted file. KeePass has built-in sync but it looks complicated (and for security software, "complicated" is usually not great).
- Sharing: DIY, you can sync another database with friends/family and share its master password.
- Automatic password change: no
- Emergency access: no (no online service to attempt to contact you and enforce the waiting period)
Keeper doesn't have a free tier; the personal plan is $30/year and the family plan, a bundle of five accounts, is $60/year. Keeper has desktop apps for Windows, macOS, and Linux, as well as a web vault.
- Mobile apps: iOS and Android.
- Browser extensions: Chrome, Firefox, Safari, Internet Explorer, and Edge.
- Sharing: Unlimited sharing with other Keeper users, either of individual items or folders.
- Automatic password change: no
- Emergency access: yes
Keeper also has a secure messaging product "KeeperChat" for an additional charge, which is basically unknown in the field of secure messengers, has no detailed information on their website, and requires your conversation partner to also be on KeeperChat. Given the number of free, secure, well-documented and popular messaging apps like Signal, it probably makes little sense to use KeeperChat.
Another paid add-on is "BreachWatch," which monitors for passwords found in breaches "on the Dark Web."
LastPass has a free account and a $24/year premium option with a few more features like better sharing and encrypted file storage. You can also get "LastPass Families" with 6 premium accounts for $48/year.
LastPass primarily works via browser extensions, which are supported on all platforms, but there is also a Mac desktop app.
- Mobile apps: Android, iOS, and Windows Phone.
- Browser extensions: Chrome (including Chromebooks), Firefox, Safari, Opera, and Edge.
- Sharing: The free account lets you securely send individual passwords (but not update them). Premium lets you synchronize shared folders.
- Automatic password change: yes, in beta, one at a time, via the Chrome and Safari browser extensions only.
- Emergency access: yes