The best password managers should keep you safe from password database hacks. We take a look at four free and paid-for password managers and see how they stack up.
Almost every website and online service we use seems to require a unique password. However, the sheer number we have to come up with encourages bad habits such as reusing passwords, or picking ones that are easy to remember but as a result are easy to crack.
The simplest way to keep track of the seemingly endless number of passwords you’ll accumulate in your online life is to use password management software. A password manager will store all your passwords, either locally or online, in encrypted storage protected by a master password. This means that, instead of having to memorise scores of different passwords, you’ll have to remember only one.
Many browsers, including Chrome and Opera, can save and even sync your passwords, but they typically don’t provide the level of control of a dedicated password manager. They even tend to default to less secure behaviour, such as automatically logging in and making your passwords available to anyone with access to your browser.
Related: Best VPN for Netflix and privacy
How to keep your password safe
The longer your password is, the harder it is to crack – in theory. It’s all about entropy – a measurement of how unpredictable a password is, based on how long it would take an attacker to work out if they were simply making a guess at each character. By this measurement, longer passwords are by definition more secure.
We recommend configuring your password manager to auto-generate 16-character passwords using a random combination of upper- and lower-case letters, numbers and special characters.
When it comes to the master password that you use to unlock your password manager, it will have to be something you can remember and type without too much trouble on either a keyboard or a mobile phone screen. Most mobile password managers let you use a PIN to log in, rather than your full master password, and although this is rather less secure, it makes the apps significantly easier to work with. To add security, most mobile apps protect only their local password database with the PIN, rather than storing the master password used to access your online password management account.
Basing your main passphrase on a sentence is a great idea as far as mnemonics go, but avoid popular sayings and quotations: high entropy is of limited use if your password is easy to predict in other ways. Cracking dictionaries often include popular literary quotes and randomly combine dictionary words, so these techniques are no longer as secure as they used to be, either.
A stronger alternative to making up a gibberish phrase is to use one to create a seemingly random password. This means that your phrase becomes a mnemonic for your password. “When I was thirteen, my first CD was by The Darkest of the Hillside Thickets” could become ‘WIw13,mfCDwbTDotHT”. This clocks in at a strong 18 characters, it isn’t readily crackable using dictionary attacks and is memorable too – assuming your first CD purchase really was a Darkest of the Hillside Thickets album.
Most password management tools also support two-factor authentication of various kinds, most commonly involving an emailed password or a code generated by Google Authenticator or similar tools on your smartphone. While you won’t necessarily want to use these at every login, it’s well worth making multi-factor authentication a requirement to register new devices with your password management account.
How to password managers work?
Most password managers have their own cloud-based storage in which your passwords are kept. Passwords stored on cloud services are typically heavily encrypted, but it’s worth bearing in mind that they aren’t impregnable. Cloud password services are tempting targets for hackers, and many of the major providers have been targeted at some point, with varying degrees of success.
Even though password providers salt passwords (adding random strings to make them more difficult to crack) and hash them (processing them with a cryptographic algorithm that turns them into a different string), some users will always prefer to keep full control of their own data, either on a local PC or storage device, or on a server to which they have full access.
Fortunately for users in this group, some password managers cater to this – we’ve taken a look at KeePass alongside the most popular cloud-based providers.
Turn the page or click on the dropdown above to see our top four picks.