Your online accounts are prone to attacks by hackers and other adversaries, from database breaches, software exploits, social engineering, etc. Most people tend to use the same weak password for their accounts due to Password fatigue, which makes them vulnerable to Brute force and Dictionary attacks.
Strong, unique passwords are the key to keeping your online accounts secure — this is where a Password Manager comes to save the day, they generate and save unique passwords for your online accounts, and make them available on all your devices.
In this password management guide, I’ll be covering all the aspects of secure password management, along with some great password managers that you can use:
There are many-many ways to store and organize your passwords, some of the most popular ones are:
- Sticky Notes
- Password Book aka Paper
- Text File (encrypted?)
They all come with their own pros and cons, ultimately, it’s all about your threat model and how paranoid you are. For most people, I recommend using a password manager as they can do a lot more than storing your passwords securely:
- Unique & strong password / passphrase generation
- Encrypted vault for storage of important documents
- Syncing of passwords on all your devices
- Other perks like password breach reports, built-in VPN, etc
- Better security by salting, hashing and encryption
Then, there are other ways where you don’t even have to remember your passwords like Single Sign-on (SSO), Privileged Access Management (PAM), etc, that are being used by enterprises. But for consumers, there is only two mainstream options: Passwords & Single Sing-on.
SSO vs Passwords
The idea behind Single Sign-on is that companies like Google, Apple, Microsoft, Facebook, etc already have all of your information like your name, email address, date of birth, etc — things that are required to create an account.
So, instead of asking the user to create an account and fill in all the details, websites just ask these companies about your data to create and login to your account — rather than using a username and a password.
Here’s a super cool explanation of SSO I found by Techquickie:
Here’s how Wikipedia defines Single Sign-on:
Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems. It is often accomplished by using the Lightweight Directory Access Protocol (LDAP) and stored LDAP databases on (directory) servers. A simple version of single sign-on can be achieved over IP networks using cookies but only if the sites share a common DNS parent domain.Single Sing-On Wikipedia
Single Sign-on are definitely better than using the same password on all accounts, but they also come with their own privacy issues, as companies like Google and Facebook gets to keep information about what websites you use.
There is also the issue of revealing more information than you wanted, as some of credential providers do not allow users to configure what information is passed on to the credential consumer.
I love single sign-on as you would have to remember one password to rule all your accounts but for them to become the future of passwords — they would have to solve the privacy issues that come with it, then there is the issue of availability, there are lots of websites that you may be using that don’t let users use single sign-on.
You may still want to stick with your passwords for a while for important stuff like your bank, and other places where you don’t want to reveal your personal information.
How to choose a Secure Password Manager?
Alright, now that you know you need to have some sort of password manager, here are a few things that you should look for before choosing a password manager:
- Open sourceness: Every security software should be open source period. Look for the password managers that are not only open source but are also being actively developed.
- Strong encryption: Choose the one that uses secure and open encryption standards like AES and PBKDF2 for encryption and generation of passwords. Check if the password manager implements salting and hashing.
- Security Audits & Vulnerability Disclosure Programs: While having the source code open source does add a few points, you should always look for the ones that have been independently audited and have vulnerability disclosure programs.
- 2FA support: Two-factor authentication adds an additional layer of protection to your password manager even if your master password falls into the wrong hands.
- Privacy and security practices: Check the history of privacy and security breaches of the password manager, this does not necessarily reflect their future and no piece of software is completely foolproof. You may still want to consider previous issues.
- Supported platforms: Ultimately, what good a password manager is if it doesn’t work on your devices. Make sure your browsers, devices are supported, you may want to also check if they let you host it yourself on Docker or something.
There are a few other things like digital legacy support, built-in two-factor authenticator, travel mode, password sharing, ease of switching, and encrypted file storage. While these functionalities are great but are not necessary in a password manager.
Types of Password Managers
Not all password managers are created equal, here are the most common types of password managers:
|Local Password Managers||Cloud Password Managers||Stateless Password Managers|
|Local password managers work locally on your device and don’t have built-in functionality for syncing.||Cloud based password managers lets you securely store your passwords on the cloud and have them available on all your devices.||Stateless password managers are an entirely different breed of password managers that don’t store your passwords – neither locally nor on the cloud.|
|You can sync your encrypted database of passwords using Dropbox or Google Drive, making your passwords available everywhere, provided it has apps for those devices.||No need to sync anything — your passwords are already being stored on the cloud, just log in with your account on the device you want to use.||No need to sync anything — it computes your unique password using data you provide like: site, login and master password.|
|You will need apps to use your password manager as the database storing the passwords need encryption and decryption.||You can either use native apps or online vaults to get access to the passwords.||You will need native or web apps of that particular password manager to correctly compute the passwords.|
|Examples: KeePass, KeePass XC, Password Safe, etc.||Examples: Bitwarden, 1Password, Dashlane, etc.||Examples: Lesspass, MasterPassword, HashPass, etc.|
Pick the one that suits your needs, most of the big name password managers are cloud-based, and that’s the one I recommend for most people due to its sweet spot of security and convenience.
Security and privacy pundits usually either opt for Local password manager or host their own instance of cloud-based password manager, you can safely choose either a secure cloud or local password manager.
Stateless password managers are a fascinating idea, but isn’t recommended for most people as it can create hassles as mentioned here on stackexchange.
Best Password Managers
Alright, with all of that out of the way, here are the best password managers that I use and recommend:
Bitwarden is a freemium and open source cloud-based password manager service that has been around since 2016. It has been audited by independent third-party security experts at Cure53.
The free version is feature-rich and is completely free, unlike other “free trials” — you can easily share your passwords with one of your friends or family members, sync on all of your devices, store unlimited items, and turn on two-factor authentication via authenticator app and email.
Let’s talk security, Bitwarden salts and hashes your master password with your email address on your device before sending it to their servers with one way hashes, and use strong encryption algorithms, AES 256-bit encryption and PBKDF2 to secure your data
However, if for some reason Bitwarden were to get hacked and your data was exposed, your information is still protected. This is because Bitwarden uses strong encryption and one-way salted hashing. As long as you use a strong master password, your data is safe no matter who gets hold of it.Bitwarden Security
All of their code is open source allowing anyone to quickly identify potential issues and to verify the solutions. They also have a public bug bounty aka vulnerability disclosure program on HackerOne.
Bitwarden does not store your passwords — It stores encrypted versions of your passwords that only you can unlock, and are encrypted on your device before sending them to their servers.
Bitwarden has apps for Windows, macOS, Linux as well as Android & iOS along with browser add-ons for Google Chrome, Mozilla Firefox, Brave, Tor Browser, Microsoft Edge among others. You can also access your password manager from any browser using Bitwarden web vault.
Bitwarden also provides powerful, full-featured command-line interface (CLI) tool to access and manage your Bitwarden vault. If you don’t want to use Bitwarden’s managed cloud solution, which is managed by Microsoft Azure — It lets you easily host Bitwarden’s entire infrastructure stack on any platform of your choice using Docker.
Overall, Bitwarden is a great password manager for us normies, developers as well as organizations. The free version is sufficient for most people and their premium versions are reasonably priced. You can easily import your passwords from any password manager, as well as from web browsers.
KeePassXC is a free and open source local-based password manager that started as a community fork of KeePassX, which itself is a cross-platform fork of KeePass.
KeePassXC stores all the passwords on your device, unlike Bitwarden, you can sync your passwords by hosting your encrypted database on to the cloud via Google Drive or Dropbox, and use apps to access your passwords.
It is completely free, and has lots of features, secure storage of passwords and other data with strong encryption algorithms like AES, Twofish or ChaCha20, SSH Agent integration, Auto-fill, command line interface, built-in authenticator, and much more.
The complete database is always encrypted with the industry-standard AES (alias Rijndael) encryption algorithm using a 256-bit key. KeePassXC uses a database format that is compatible with KeePass Password Safe. Your wallet works offline and requires no Internet connection.KeePassXC Security
KeePassXC can generate strong and unique passwords using the built-in password generator, has native apps for Windows, macOS, Linux as well as browser add-ons for Chrome, Firefox, Vivaldi, etc. There are currently no official mobile apps, and KeePassXC recommends open source KeePass2Android and Strongbox for Android and iOS.
All in all, KeePassXC is an awesome password manager for people who want a local password manager, it is recommended by EFF and is first choice of security pundits, and developers.
LessPass is a free and open source stateless password manager that unlike both Bitwarden and KeePassXC doesn’t store passwords anywhere, neither on the cloud nor locally.
LessPass doesn’t store your passwords — it computes it instead:
LessPass computes a unique password using a site, login and a master password. You don’t need to sync a password vault across every device because LessPass works offline!LessPass Password
It works offline, doesn’t need any syncing because there is nothing to sync, just put in the Site, Login, and your Master password and it will generate your unique password.
Here’s how it works as explained by LessPass:
The system uses a pure function, i.e. a function that given the same parameters will always give the same result. In our case, given a login, a master password, a site and options it will return a unique password.
No need to save your passwords in an encrypted file. You just need to access the tool to recalculate a password from information that you know (mostly the login).LessPass
LessPass is open source, letting anyone audit the source code for vulnerabilities, and uses PBKDF2 with 100,000 iterations and a hash function sha-256:
To raise the cost of breaking your master password, the generation of the password must be time-consuming, especially by brute force. So LessPass uses PBKDF2 with 100,000 iterations and a hash function sha-256.
The hash generated by the first function is derived and processed in order to respect the requested options (i.e. length, lowercase, uppercase, numbers, special characters):LessPass Security
LessPass is available on the web via their website, Android, and has browser add-ons for Chrome and Firefox, and has command line interface. You can also host your own LessPass database via Docker.
Overall, LessPass is a fascinating idea that seems like it’s gonna solve all your password problem, it doesn’t require any syncing, there is no database but it has its downsides as there is no database of your data!
More Password Managers
Bitwarden, KeepassXC, and LessPass are the best in their categories, here are some other great password managers you may be interested in:
Psono is a freemium and open source password manager for teams with multi level encryption starting with client side encryption. There is a community version that is completely free, and has two Enterprise editions for bigger organizations that need more features.
It uses Curve25519 and Salsa20 in form of NaCl, instead of RSA, AES, and PBKDF2. There is a built-in password generator, and comes with great features like secure notes, password and file sharing, autofill, etc.
Password Safe is a free and open source local password manager, designed by renowned security technologist Bruce Schneier. It allows you to safely and easily create a secured and encrypted username / password list that is secured by your master password.
Master Password is another free and open source stateless password manager just like LessPass, with native apps for Android, iOS, macOS, Windows, Web and a command line interface. Your passwords aren’t stored: they are generated on-demand from your name, the site, and your master password. No syncing, backups, or internet access needed.
Pass is a bare-bones free and open source password manager, inspired by Unix philosophy:
pass, each password lives inside of a
gpgencrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.
1Password is another cloud-based password manager that often gets recommended, but it is closed source and starts at $2.99/month for personal use.
It is based in Canada, and has been in operation since 2005. 1Password has apps for all your devices and browsers add-ons for most browsers. It comes with lots of features like sign-in attempts report, travel mode, firewall rules, breach reports, and much more.
Why Passwords Managers?
You must be wondering why you need a password manager at all, you already must have some sort password management technique. You may be storing your passwords on sticky notes, on a password book, or on a text file on your device.
All of them have their advantage, but when it comes to convenience and security, password managers are your best bet:
Unique Strong Passwords
A password manager can create unique strong passwords and passphrases for you instantly, and store them safely in an encrypted vault.
Using unique passwords will protect your other online accounts even if one of them is breached — Hackers love to steal passwords from weaker websites and then use bots to see what other accounts you used that password on.
Billions of records get stolen every year, containing all sorts of personal data, including username, passwords. You can check if you have an account that has been compromised in a data breach on websites like haveibeenpwned.com.
I’ll be explaining how to create a “Strong Password” in the later section.
All Your Accounts in One Place
Another great reason why I recommend using a password manager is that it provides you with a list of all of my accounts — you may have multiple accounts on the same website.
Having multiple accounts with the same service can be a real hassle — things like your Google, Spotify, Amazon or Apple account can be a huge pain, especially when you remember buying or subscribing to something and you don’t see it because you’re in the wrong account.
Password Managers will also help you keep track your Email Addresses and Usernames — this will save the day if you have multiple email accounts, and don’t remember what account used what email as I don’t always tend to give my real email address.
Now, some of you may be thinking isn’t this like putting all your eggs in one basket? — it isn’t. I will be explaining it in the later section when.
Store Useful Information
A lot of password managers also give you the ability to write a note along with your passwords, which can come really handy if you that you signed up only for because there was a sale or a giveaway, and you may not need it after that.
Passwords Managers will also come handy if you need to know when you created an account — a very common security question if you lost access to your accounts.
Security Questions are stupid and most of the time may not add any security at all, but they are not going anywhere, so you better use a made-up security question and store them securely on your password manager.
You can also keep track of other information like weird requirements for passwords, past accounts, websites you don’t use, etc.
Store Important Documents
Most of the Password Managers come with secure encrypted vault where you can store your important documents and have access to them from anywhere.
It comes real handy when you need them on the go — you can easily get hold your documents via the mobile app, or the web version of password managers.
More Secure and Convenient
Even if for some reason your password manager were to get hacked and your data was exposed, your information is still protected.
All of your data is encrypted until you need it. Even after that you can always just go ahead and salt your passwords by adding a salt on top of the password generated by the password manager. Here’s a video by Password Bits explaining it:
Do make sure that you remember and note down what your salt is somewhere safe. I also recommend turning on two-factor authentication on your password manager as this will add another layer of security on the top.
Password Managers can also fill out your name, email, address, credit card numbers and other details automatically when you are signing up an account — the can help you prevent phishing attacks if you are using the browser extension or the mobile app as they won’t fill in the password unless it’s the correct URL.
Most of the password manager also let you store 2FA along with your passwords, which is a big no-no as this defeats the whole point of two-factor authentication.
But, hear me out, if you’re already using unique passwords for all your accounts, it’s the password that is doing the heavy stuff — 2FA is just the icing on the cake.
You can always choose to salt your passwords that require 2FA so that real password is safe and you have true 2FA. Whether to store your 2FA on the password manager or not depends totally on your situation, whatever route you choose to go, make sure you do a backup.
Lots of Password Managers come with additional perks like:
- Auto capture and Autofill: Password managers like Bitwarden, come with browser extensions and native mobile apps — that record your login information when you create an account and then autofill them whenever you are trying to log in the next time.
- Password Strength Analysis: All the password managers also provide analysis of how strong your passwords are, when you try to create a password yourself instead of using the built-in password generator.
- Password Sharing: Lots of password managers let you share passwords with your friends or family members securely and easily. This may be a premium feature on some password managers and it is generally not available on local password managers.
- Encrypted File Storage: Most of the password managers let you securely store your important files and access them easily on all of your devices.
- Built-in Two-Factor Authentication: Most of the password managers also have a built-in two-factor authenticator like Aegis that can store your 2FA codes. I don’t recommend using the built-in 2FA as this puts all your eggs in one basket and defeats the whole purpose of 2FA, but hey it’s a great feature if you are looking for a little more convenience — at least store your important 2FA in a separate authenticator app.
- Travel Mode: Travel mode is a very nifty feature on cloud-based password managers, that can come really handy when you are travelling and don’t have reliable internet connection — it can also protect your passwords when you are required to hand over your device(s) and unlock them by authorities.
- Ease of Export & Backup: You can easily switch to a different password manager by exporting the database and moving it to the other one. This also helps in backing up your passwords, which I recommend you do from time to time.
- Digital Will / Legacy: Many password managers have emergency access that can help someone from your family access your account in case you die or get into some serious medical condition, helping them manage your stuff.
- Password Breach Reports: Some password managers also report you with any breaches of passwords, just like haveibeenpwned or Firefox monitor. They can also remind you to change your passwords on a regular basis.
- Multi-Factor Security: Access to your password manager account can also be secured by multi-factor authentications via an authenticator app, email codes, Duo security, YubiKey, FIDO U2F, etc.
Some password managers go above and beyond to access services like built-in VPNs, which I don’t personally recommend using, but hey that’s a neat feature to have. All of this makes password managers a security bargain that is almost always a positive.
Why Not Browser Password Managers?
Alright, let’s address the elephant in the room — what’s the point of using a dedicated password manager when browsers already have one built-in?
Well, for starters, Web browsers are in the business of making the websites run smoothly not securing your passwords — when there’s a whole company whose entire job is to make sure your passwords are safe, why go anywhere else?
Here are a few reasons why I don’t recommend built-in password managers:
- Not Beyond One Browser: The built-in password manager won’t work in any other browser, this may not be the issue if you just use one browser say Firefox both on PC and phone, but it’s just better to have your passwords in a separate central entity just in case.
- Password Generation: Most of the built-in password managers don’t generate passwords, and the ones that do aren’t that much secure, they also lack functionalities like changing password length or generating passphrases instead of passwords.
- Beyond Passwords: As already discussed above, password managers don’t just generate and store passwords — they can store your important documents, notes, 2FA codes, etc and have them available on any device.
- No Password Sharing: No built-in password manager has secure and easy password sharing capability. You can back up your passwords, but they can’t be shared with your friends and family.
- No Perks: Built-in password managers don’t have all the bells and whistles of a dedicated password manager like password breach reports, travel mode, multi-factor authentication, etc.
This doesn’t mean built-in passwords are plain awful — there was a time when built-in password managers were crappy, but now at least Firefox and Chrome have stepped up their game.
Chrome has Google Password Manager and Firefox comes with Firefox Lockwise, both of them are adequate and can easily do basic password management, Lockwise even has apps for both android and iOS. But, they lack features of a dedicated password manager.
How to Create a Strong Master Password?
Your master password is the key to the password manager, you should select a strong, unique yet something that you can remember as your master password. Here are a few of my personal tips:
A passphrase is a sentence with a combination of letters, numbers, and symbols that is long, easier to remember, and way more secure than your 8-15 digit passwords. Here are a few tips on choosing passphrases:
- Four to five words long
- Better if contains special characters, numbers, and capitalization.
- Don’t choose quotes or sayings, be as random as possible
- Should be easy to remember and type
- Don’t reuse (please!)
Here’s why Edward Snowden recommends passphrases over passwords:
You can go ahead and write down your passphrase and store it somewhere safe in your house if you can’t remember it, you can salt it by adding some characters before, after or in between.
Backup Your Password Manager
I recommend backing up your password manager no matter you use a local, cloud-based or stateless password manager as they aren’t flawless.
Things can go wrong, and you can lose access to your passwords and important documents at once. Your backup can also come handy when you are trying to move from one password manager to another.
When to Backup?
I recommend you back up your passwords once every six months or whenever you change any of your important accounts like emails or banks.
How to Backup?
Most of the password managers give you the ability to export your entire password database vault to CSV aka comma-separated value, a text file that uses a comma to separate values.
These CSV files can be opened by any text editors or spreadsheets apps like Notepad, MS Excel, Google Sheets, etc.
You can find the option to export your password vault either on the online versions or the native apps, here are the links to do that for the common ones:
- Bitwarden: Export your Bitwarden Vault
- KeePassXC: Export your KeePass Vault
- 1Password: Export your 1Password Vault
Exported database vaults are Not Encrypted. They are stored in plain text. Delete them once you have backed it up.
You can backup your exported password vault to flash drive and store it in a safe place, I don’t recommend backing it up to the cloud. You can encrypt it with VeraCrypt, 7-Zip or Hat.sh if you wanted to.
How to Keep Your Online Accounts Safe?
Alright, you now know some of the best tips to have a secure password management and some great password managers to go along with. Here are some tips that you can use to make your online accounts just a bit more secure from hackers:
Use Password Generator
Now that you probably have equipped yourself with the password manager of your choice, start with using the built-in password generator to generate strong and unique passwords or passphrases for your online accounts.
Turn on two-factor authentication on your online accounts, and store your 2FA codes in a separate authenticator app. At the very least, turn on 2FA on important ones like banks, emails, etc. And, don’t use 2FA via SMS.
Sign up for Breach Alerts
Sign up on websites like Have I Been Pwned or Firefox Monitor to get breach alerts when any of your online accounts gets compromised so that you can get on top of it in time.
- Password Strength Discussion on XKCD: It is a great discussion on how to choose a strong password, whether you should choose passphrase or passwords. I recommend using passphrases as they can be long, complex yet easy to remember.
- How Password Managers Work?: Password managers are complex piece of software that are designed to secure your passwords, here’s a great video I found on How Password
Using strong and unique passwords is the key to having your data secure from preying eyes, and password managers are designed to help you do just that. I hope you enjoyed reading about these password managers and techniques.
That’s all Folks!
I will be updating this page frequently with more password managers and information. You can check out how you use Mozilla Firefox for better privacy and security online.
Do let me know of any feedback, tips, or suggestions based on privacy and security tools you are using, feel free to drop a comment below!