If you’ve been using the internet since the early years of the world wide web, you might remember a time when there were only a handful of passwords to remember. Now, it’s hard to get much done online without signing up for a multitude of sites, services, and apps, and you’ve probably amassed hundreds of accounts in the process.
For most of us, remembering all those login details is impossible... unless you commit the cardinal sin of reusing the same password everywhere. That’s a huge security issue when passwords are leaked, because it only takes one breach to expose all your accounts.
Unfortunately, reusing passwords is far from a rare occurrence. But a password manager is an easy solution to this problem, and it offers a wealth of other benefits.
So what exactly is a password manager, how does it work, and why should you use one?
What is a password manager? What does a password manager do?
A password manager is a tool for securely storing, managing, and accessing usernames and passwords. It remembers passwords for you, keeping them safe in an encrypted database where only you can access them.
That means you can have very strong, unique passwords for every account without worrying about memorising everything. The only password you’ll need to remember is the master password which unlocks the password manager.
Once you’re logged in to the password manager, you’ll have access to all the saved passwords, and the manager can enter them directly into the login form of a web site or application.
Password managers can also perform many other useful functions which make your online life more convenient and more secure, such as:
As well as entering login details for you, password managers can also store and autofill other types of information such as addresses and credit card details. This also means you don’t need to save this info in your web browser or on web sites, where it may be at risk.
There is no need to come up with your own passwords because password managers can generate random passwords when you sign up for a new account.
Most password managers can synchronise the password database across computers, web, and mobile, so any new logins or changes to your data are instantly available on every device.
Security audits and alerts
Password managers can audit the security of your logins by examining the database for duplicated or weak passwords. Many also offer a data leak alert that warns if your details show up in a leaked password list.
Secure password sharing
Safely sharing passwords with other people is tricky because most solutions we may turn to (instant messaging, text, email) are extremely insecure and open to abuse. Password managers are a lot safer. You can securely share the logins through the manager and exercise some control over their usage by removing the share when no longer required and restricting whether they can edit the login or even view the actual password. However, not every password manager offers sharing, so if this feature is important you must check it is supported before signing up.
Secure note and file storage
Most password managers can store other kinds of data, like text notes or files, protected by the same security that safeguards your usernames and passwords.
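To make the security audit described above concrete, here is an added example (not code from any particular password manager) that flags reused, short, and leaked passwords. The vault entries, the leaked list, and the 12-character threshold are constructed assumptions for illustration.

```python
import hashlib
from collections import defaultdict

MIN_LENGTH = 12  # assumed threshold for this example

# Constructed sample vault entries: (site, username, password).
VAULT = [
    ("mail.example", "alice", "correct-horse-battery-staple"),
    ("shop.example", "alice", "Summer2021"),
    ("forum.example", "alice99", "Summer2021"),
    ("bank.example", "alice", "password123456"),
]

# Constructed stand-in for a leaked-password list, held as SHA-1 digests.
# SHA-1 is used here only as a lookup key for matching, not for storing passwords.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("password123456", "qwerty")}


def audit(vault, leaked_sha1, min_length=MIN_LENGTH):
    """Return {site: sorted list of findings} for entries that have problems."""
    # Group sites by password so reuse across accounts becomes visible.
    by_password = defaultdict(list)
    for site, _user, password in vault:
        by_password[password].append(site)

    findings = defaultdict(set)
    for site, _user, password in vault:
        if len(by_password[password]) > 1:
            findings[site].add("reused")
        if len(password) < min_length:
            findings[site].add("short")
        if hashlib.sha1(password.encode()).hexdigest() in leaked_sha1:
            findings[site].add("leaked")
    return {site: sorted(tags) for site, tags in findings.items()}


if __name__ == "__main__":
    for site, tags in audit(VAULT, LEAKED_SHA1).items():
        print(f"{site}: {', '.join(tags)}")
```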
Why should I use a password manager?
First and foremost, a password manager removes any justification you may have for not entering a unique password each time you create a new login. Having unique passwords will protect your other accounts from breaches in the event data is leaked from one site, helping to protect your private data.
They’re also a very secure method of storing login information. Any password manager worth using will employ robust encryption and multiple layers of authentication.
And if nothing else, password managers make your life easier. You don’t have to memorise anything, you don’t need to come up with new passwords, and you don’t even have to bother typing in your username and password for most sites. Even if you aren’t fussed about the security side of things, they’re worth using purely for convenience.
The drawbacks of password managers
Nothing is perfect, and password managers do have some drawbacks and potential problems. It’s not anything you can’t overcome by taking sensible precautions and choosing the right password manager, but these are things to consider when getting everything set up.
It’s a single point of failure
The biggest issue with any password manager is that you are putting all your eggs in one basket. If someone manages to break into the password manager they'll get their hands on all your login details, which makes password managers a tempting target for hackers. It's essential to make sure your password manager is as secure as possible.
Your data could be stored on the cloud
The database containing your logins will be kept on a remote server if you use the synchronisation feature offered by most password managers. That means trusting someone else to keep them safe. There have been attacks on password managers where password vaults were exposed, though as far as we know the encryption has not yet been breached. You will either need to choose a password manager you trust or get one that offers self-hosting so the database is always under your control.
You can’t forget the master password
If you forget the master password and cannot use any of the available account recovery options, you may lose access to all the data stored in your password vault.
Autofill doesn’t always work perfectly, especially on mobile
This is an annoyance more than a drawback, but be prepared to copy and paste passwords regularly because auto-filling is not 100% reliable. Mobile apps can be particularly finicky in this regard.
You’ll probably have to pay to get the best features
Most password managers have a free tier, but they come with restrictions to encourage paid upgrades. To use some of the more desirable features - such as synchronisation, file storage, and mobile apps - you will often have to pay a subscription fee.
How to safely use a password manager
Choose a strong master password
Your master password must be very strong. Make it at least 12 characters (but more is better), and don’t use individual words, names, or well-known phrases (but you can string together words into a nonsense phrase that’s easy to remember). And it obviously must be unique!
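As an added example (not taken from any password manager), the sketch below generates a random password and a word-based passphrase with a cryptographically secure random source, and estimates how hard each is to guess. It covers both the password generation feature and the master password advice above; the 16-word list is constructed and deliberately tiny, and the function names are hypothetical.

```python
import math
import secrets
import string

# Constructed 16-word list to keep the example short; real lists hold thousands of words.
WORDS = ["anchor", "biscuit", "cactus", "dolphin", "ember", "fossil", "glacier", "hammock",
         "igloo", "jigsaw", "kettle", "lantern", "magnet", "nectar", "orbit", "pebble"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_password(length=20, alphabet=ALPHABET):
    """Random password for a site login; secrets draws from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words=6, words=WORDS, sep="-"):
    """Nonsense phrase of independently chosen words, easier to memorise."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, picks):
    """Bits of entropy when each of `picks` items is drawn uniformly from `choices`."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    print(random_password(), passphrase())
    print("6 words from this 16-word list:", entropy_bits(len(WORDS), 6), "bits")
    print("6 words from a 7776-word list: ", round(entropy_bits(7776, 6), 1), "bits")
    print("12 random printable characters:", round(entropy_bits(len(ALPHABET), 12), 1), "bits")
```

The numbers show why the size of the word list matters as much as the number of words: six words from a large list are roughly as strong as 12 fully random characters, while six words from a tiny list are not.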
Always use multi-factor authentication
Multi-factor authentication (MFA, or 2FA - two-factor authentication) adds an additional authentication method (usually a code generated by an app or sent in a text message). It means that even if someone has your password, they won’t be able to get in without also possessing the authentication method. As well as using MFA on the password manager, you should always enable it on every service possible to protect your accounts if there is a password leak or someone gains access to the password manager database.
Protect your password manager app and browser extensions
Set the password manager web browser extension to time out after a period of inactivity or after closing the browser. If your computer is stolen or someone jumps on without you noticing, they won’t be able to access the manager without re-entering the master password. Protect mobile apps by enabling biometric ID or locking them with a passcode or pattern.
Prompt for the master password before making changes or accessing data
When possible, tell your password manager to always prompt for the master password to view a password, edit any data, or retrieve credit cards and other payment information. That way, if someone is using your computer or mobile device, and your password manager is unlocked, you can restrict how much mischief they can get up to.
Manage your own password vault
If you don’t want to have your personal data hosted by the password manager operator, choose a manager that supports self-hosting. You can then decide how to manage the password database and set up synchronisation using your choice of server.
What is the best password manager in 2021?
1Password is reasonably priced, easy to set up and use, and has useful extras. But it does not offer a free version (though there is a free trial).
Bitwarden is the best of the free password managers. All the basics you’ll need and nothing essential cut to force you onto the premium tier (which is very cheap anyway).
KeePass is entirely free and open-source, and as it does not use any cloud hosting, it’s a great pick for anyone who wants total control over their data. But it’s not especially user friendly, so beginners will want to look elsewhere.
LastPass is powerful and packed with features, supports a wide range of operating systems, and has an affordable premium price plan. But the free version is so heavily restricted it's not really worth considering unless you’re willing to pay.