Using strong and unique passwords or passphrases is key to keeping your online accounts secure; a password manager helps you generate and save a strong, unique password for each of your online accounts, and can even make them available across all your devices.
Types of Password Managers
Not all password managers are created equal. Here are the most common types:
| Local Password Managers | Cloud Password Managers | Stateless Password Managers |
|---|---|---|
| Local password managers store your passwords locally on your device and don’t have built-in functionality for syncing. | Cloud-based password managers let you securely store your passwords in the cloud and have them available on all your devices. | Stateless password managers don’t store your passwords, neither locally nor in the cloud; they compute them instead. |
| You’ll need to sync your encrypted database of passwords using Dropbox, Google Drive or other means to have your passwords available across your devices. | The entire database is stored and synced across all your devices automatically; just sign in with your account to access it. | There isn’t a database to sync; they compute your unique password from data you provide, like website, username and master password. |
| Example: KeePassXC | Example: Bitwarden | Example: LessPass |
I recommend using a cloud-based password manager, as it tends to offer the best of both worlds—security and convenience; you can also use a local password manager and sync its database yourself to access your passwords across devices.
Security pundits usually either opt for a local password manager or host their own cloud-based password manager; however, self-hosting a password manager comes with a lot of risks, and I don’t recommend it unless you know what you’re getting into.
Stateless password managers may seem tempting at first as there aren’t any databases to handle, but I don’t recommend them either; this Stack Exchange discussion gives pretty good reasoning behind it.
Single sign-on (SSO) is an alternative way of authenticating users without creating a new password for every site; the idea behind single sign-on is that companies like Google, Apple, Facebook, etc. already have things like your name, email address, date of birth, and other personal information—things that are required to create an account.
So, instead of asking you to create an account and fill in all the details, websites would just ask these companies about your data to create your account, and also log you in if you are already logged in with your Google, Apple, or Facebook account.
You may have seen them on websites with buttons like Sign in with Google, Sign in with Apple, or Sign in with Facebook; it seems like a pretty cool idea, and some may argue that it is better, at least for people who tend to use the same password across accounts.
But SSO comes with a whole host of privacy and security issues: your parent account provider (Google, Apple, Facebook) can now keep track of all the accounts you use, and if you somehow get locked out of the parent account you’ll lose access to all of them.
There is also the issue of revealing more information than you actually wanted to, as some websites do not allow users to configure what information is passed on. You should stick with passwords for a while until these issues are resolved.
Secure Password Managers
Alright, with all of that out of the way, here are my password manager recommendations:
Bitwarden is a freemium and open source cloud-based password manager service based in the US that has been around since 2016. It has also been audited by independent third-party security experts at Cure53.
They offer a pretty good free version; premium plans start at $10/year for individuals and $3/user/month for businesses. All data is encrypted locally on your device using AES-CBC 256-bit encryption before it is sent to the cloud.
Bitwarden only stores encrypted data, and provides you with a completely zero knowledge solution, meaning you are the only party with access to your key and the ability to decrypt your Vault data.
They have native apps for Windows, macOS, Linux as well as Android & iOS along with browser add-ons; you can also access your password manager from any browser using Bitwarden web vault, and even via the Bitwarden CLI.
Bitwarden stores all data on Microsoft Azure in the US; if that’s not something you are comfortable with, our guide on self-hosting Bitwarden using Vaultwarden can help you host your very own Bitwarden instance.
Overall, Bitwarden is a great password manager for most people and organizations alike; the free version is sufficient for most people, and the premium versions are reasonably priced and come with features like Emergency Access, Authenticator, etc. Passwords can be easily imported from most password managers as well as from most web browsers.
KeePassXC is a free and open-source password manager that started as a community fork of KeePassX, which itself is a cross-platform fork of KeePass.
It stores the encrypted database locally on your device; to access your passwords across devices, you’ll have to host the encrypted database in the cloud via Google Drive, Dropbox, Nextcloud or some other means.
KeePassXC stores all data in KDBX format, encrypted using 256-bit AES, while also providing additional encryption choices using Twofish and ChaCha20, and has built-in functionality for TOTP storage and generation.
There are native apps for Windows, macOS and Linux as well as browser add-ons, and you can also use keepassxc-cli. There aren’t any official mobile apps for KeePassXC; the project recommends using these apps instead.
All in all, KeePassXC is a great choice for people who want to keep their passwords off the internet; it’s also recommended by the Electronic Frontier Foundation.
LessPass is a free and open-source stateless password manager that, unlike both Bitwarden and KeePassXC, doesn’t store passwords anywhere, neither in the cloud nor locally.
It works by using a pure function, i.e., a function that given the same parameters will always give the same result; in this case, given a login, a master password, a site, and options it will return a unique password.
LessPass uses PBKDF2 with 100,000 iterations and SHA-256 as the hash function. Password generation is based on pure functions, and although it can work completely offline without any database whatsoever, LessPass also provides storage for complex password profiles; they don’t store the password, just the profile.
LessPass is available on the web via their website; they also have native apps for Android and iOS, browser add-ons for Chrome and Firefox, and a command-line interface. You can also host your own LessPass instance via Docker.
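To make the stateless idea concrete, here is an added illustration (not LessPass’s own algorithm or code): a pure function that stretches the master password with PBKDF2-HMAC-SHA256 using the site, login and a counter as salt, then renders the resulting bits into a password. The salt layout, character sets and rendering step are assumptions chosen for clarity.

```python
import hashlib

# Added illustration of the stateless idea described above: the same
# (master password, site, login, counter) always yields the same password and
# nothing is stored. The salt layout, character sets and rendering step are
# assumptions for clarity; this is NOT LessPass's own algorithm or code.
ITERATIONS = 100_000          # the iteration count the article cites
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!#$%&*+-=?@_"
CHARSETS = (LOWER, UPPER, DIGITS, SYMBOLS)


def derive_entropy(master_password, site, login, counter=1):
    """Stretch the master password with PBKDF2-HMAC-SHA256 into a 256-bit integer.
    Site, login and counter form the salt, so every account gets a different
    stream of bits from the same master password."""
    salt = f"{site}{login}{counter:x}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                              ITERATIONS, dklen=32)
    return int.from_bytes(raw, "big")


def render_password(entropy, length=16, charsets=CHARSETS):
    """Turn the integer into `length` characters by deterministically consuming
    the entropy with divmod, guaranteeing one character from every set."""
    if length < len(charsets):
        raise ValueError("length must be at least the number of character sets")
    alphabet = "".join(charsets)
    chars = []
    for _ in range(length - len(charsets)):
        entropy, idx = divmod(entropy, len(alphabet))
        chars.append(alphabet[idx])
    # Insert one character from each set at an entropy-chosen position so the
    # result always satisfies "must contain a digit/symbol/..." site rules.
    for charset in charsets:
        entropy, idx = divmod(entropy, len(charset))
        entropy, pos = divmod(entropy, len(chars) + 1)
        chars.insert(pos, charset[idx])
    return "".join(chars)


def stateless_password(master_password, site, login, length=16, counter=1):
    """Pure function: no database, only inputs -> password."""
    return render_password(derive_entropy(master_password, site, login, counter), length)


if __name__ == "__main__":
    print(stateless_password("correct horse battery staple", "example.com", "alice"))
```

Bumping the counter is how such schemes "rotate" a password without storing anything; the price is that the master password can never be changed without regenerating every password.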
Overall, LessPass is a pretty fascinating take on password management, and it may very well be the password manager that suits your needs; however, it has its downsides and I don’t really recommend using it.
Psono is a free and open-source password manager for teams with client-side encryption and secure sharing of passwords, files, bookmarks and emails. It uses NaCl crypto, a combination of Curve25519, Salsa20 and Poly1305, to encrypt the database.
Password Safe is another free and open-source password manager, designed by renowned security technologist Bruce Schneier. It uses the Twofish algorithm with a 256-bit key to encrypt the database.
Pass is a bare-bones password store that keeps passwords using gpg2 encrypted files inside a simple directory tree residing at ~/.password-store. It has a simple terminal interface where you can perform the usual actions, and its functionality can be extended by plugins.
Set up Multi-factor Authentication
Two-factor authentication (2FA), two-step login, or more broadly multi-factor authentication is the method of confirming a user’s identity and granting access only after they successfully present two or more pieces of evidence, or factors:
- Knowledge: something they know (password, pin, passphrase)
- Possession: something they have (SMS, push notifications, software or hardware tokens)
- Inherence: something they are (iris, fingerprint, voice)
- Location: somewhere they are (GPS coordinates)
We recommend using a second factor of authentication wherever possible. There are multiple ways of implementing 2FA:
- A one-time verification code sent to you via SMS text message or voice call
- A time-based or counter-based one-time password (TOTP/HOTP) generated by an authenticator app
- A downloadable, printable, hard-copy backup code
- A hardware token, like a YubiKey
Each method has its pros and cons, some more than others; SMS in particular offers little protection in transit, and the text containing your login code can be intercepted by your telecom provider and others.
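What an authenticator app actually computes, as an added example (not code from any app named on this page): HOTP from RFC 4226 and TOTP from RFC 6238, plus the base32 decoding of the secret shared via the otpauth:// QR code and a server-side check that tolerates clock skew. The secret used is the RFC 6238 test vector, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example of what an authenticator app computes: HOTP (RFC 4226) and
# TOTP (RFC 6238). Not code from Aegis, Raivo or any other project above.
# The sample secret is the RFC 6238 test vector, not a real account secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo="sha1"):
    """HMAC the 8-byte big-endian counter, dynamically truncate, keep `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, getattr(hashlib, algo)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algo="sha1"):
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits, algo)


def totp_from_base32(b32_secret, **kwargs):
    """Secrets are shared as base32 (the otpauth:// URI / QR code form);
    tolerate spaces, lowercase and missing '=' padding."""
    s = b32_secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return totp(base64.b32decode(s), **kwargs)


def verify_totp(secret, code, for_time=None, window=1, step=30, **kwargs):
    """Server-side check: accept the current step plus +/- `window` steps of
    clock skew, comparing in constant time to avoid timing leaks."""
    t = int(time.time() if for_time is None else for_time)
    for skew in range(-window, window + 1):
        candidate = totp(secret, t + skew * step, step=step, **kwargs)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, for_time=59, digits=8))   # RFC 6238 vector: 94287082
```

Note that the only secret is the base32 seed: anyone who obtains a plaintext export of it can generate the same codes, which is why apps like Aegis encrypt tokens at rest.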
We recommend using either authenticator apps or hardware tokens:
Aegis Authenticator (Android)
Aegis Authenticator is a free, secure and open-source app for Android to manage your 2-step verification tokens for your online services. Compared to other 2FA apps, Aegis stands out in terms of its simplicity and security; it encrypts all of your tokens at rest and requires a password or the touch of a finger to decrypt them.
Another nifty feature is the ability to export your tokens and import them into another device; there are also options for automatic backups, locally and to the cloud.
Raivo OTP (iOS & macOS)
Raivo OTP is a free and open-source app for iOS and macOS to manage your 2-step verification codes for your online services. It has Face ID or Touch ID unlock functionality as well as automatic backup/syncing to iCloud; there’s even an option to export the database as an encrypted ZIP archive.
Hardware tokens, or FIDO U2F security keys, are typically small USB, NFC or Bluetooth Low Energy (BLE) devices that recognize the site you are on and respond with a code (a signed challenge) that is specific to that site. We recommend using Nitrokey, YubiKey or SoloKeys.
Why not use the browser’s built-in password manager?
Okay, let’s address the elephant in the room: what’s the point of using a dedicated password manager when browsers already have one built-in?
Well, for starters, web browsers are in the business of making websites run smoothly, not securing your passwords; when there’s an entire app whose sole purpose is securing your passwords, why use anything else?
Here are a few reasons why I don’t recommend built-in password managers:
- Beyond Browsers: The built-in password manager won’t work in any other browser; this may not be an issue if you only use one browser, say Firefox on both PC and phone, but it’s just better to have your passwords in a separate central place just in case.
- Password Generation: Most built-in password managers don’t generate passwords, and the ones that do aren’t as secure or flexible; they lack functionality like changing the password length or generating passphrases instead of passwords.
- Beyond Passwords: Password managers don’t just generate and store passwords; they can store your important documents, notes, 2FA codes, etc. and have them available on any device.
- Password Sharing: Built-in password managers tend to lack a secure and easy password-sharing capability, though they do provide an option to back up your passwords.
- Additional Functionality: Built-in password managers don’t have all the bells and whistles of a dedicated password manager like password breach reports, travel mode, multifactor authentication support, etc.
How to create a strong Master Password?
Your master password is the key to your password manager; choose something strong and unique, yet something you can actually remember.
I recommend using a passphrase, which is basically a combination of words, letters, numbers and symbols that is long, easier to remember, and way more secure than an 8-15 character password. Here are a few tips on choosing passphrases:
- Four to five words long
- Use special characters, numbers, and capitalization.
- Don’t choose quotes or sayings; be as random as possible
- Don’t reuse
Here’s a cool video of Edward Snowden recommending passphrases over passwords:
If you can’t remember your passphrase, you can write it down and store it somewhere safe in your house; you can also salt it by adding some characters before, after or in between.
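The tips above, turned into an added example (not from the original post): a generator that picks words with the OS CSPRNG and applies capitalization and a number, next to the entropy arithmetic that shows why "as random as possible" matters. The word list here is a tiny constructed sample; the entropy comparison assumes a real 7,776-word diceware list such as the EFF’s.

```python
import math
import secrets

# Added example implementing the passphrase tips: 4-5 random words, capitals,
# a number and a symbol separator. SAMPLE_WORDS is a tiny constructed list for
# demonstration only; use a real list such as the EFF's 7,776-word diceware
# list, whose size the entropy comparison below assumes.
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "drifter", "ember", "falcon",
                "glacier", "harbor", "indigo", "jigsaw", "kestrel", "lantern"]
PRINTABLE_ALPHABET = 95   # ASCII printable characters a random password draws from


def bits_for_passphrase(wordlist_size, n_words):
    """Entropy of n_words chosen uniformly at random from wordlist_size words.
    Only holds for truly random picks, which is why quotes and sayings fail."""
    return n_words * math.log2(wordlist_size)


def bits_for_password(length, alphabet_size=PRINTABLE_ALPHABET):
    """Entropy of a length-character password chosen uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, n_words=5, separator="-", add_number=True):
    """Pick words with the CSPRNG (never random.choice), capitalize each and
    append a number so the result satisfies the mixed-character tips."""
    picks = [secrets.choice(words).capitalize() for _ in range(n_words)]
    phrase = separator.join(picks)
    if add_number:
        phrase += str(secrets.randbelow(100))
    return phrase


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(f"5 diceware words: {bits_for_passphrase(7776, 5):.1f} bits")
    print(f"8 random printable chars: {bits_for_password(8):.1f} bits")
```

Five words from a 7,776-word list give about 64.6 bits, more than a uniformly random 8-character password (about 52.6 bits) and far more than a human-chosen one.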
Back up your Password Manager database
I recommend backing up your password manager at regular intervals so that if things go sideways, like the servers being down or your local password manager’s database getting corrupted, you won’t lose all of your passwords at once.
Most password managers let you export your entire password vault to CSV or JSON; you can find the export option either in the web version or in the native apps. Here are the links to export the Bitwarden & KeePassXC databases.
Note: Exported databases tend to be unencrypted, meaning all data is stored in plaintext; back it up somewhere safe or, better, encrypt it via one of these encryption tools.
- Password Strength by XKCD
- How Password Managers Work by Dr. Mike Pound
- Have I Been Pwned by Troy Hunt
- How does “Sign in With Apple” Work? by Techquickie
That’s all folks!
I will be updating this page frequently with more password managers and information.