We can all agree that our digital existence requires way too many passwords. We've all encountered the dreaded message "Want to read this article? Please sign up by creating your free account!" Again and again you need to choose a secure password and remember it. This has become all too common as more and more content is locked away in digital walled gardens. While this goes against the philosophy of a free and open internet, it is the current state of the online ecosystem. So, how can we make this a more bearable and, dare I say, pleasant activity?
The answer is to employ a good password manager, so that you no longer need to juggle multiple login credentials in your memory, saved in a browser, or written down on a super-secret sticky note hidden under your keyboard. With a free password manager you only need to remember your single master password to unlock your password vault; the manager takes care of the rest.
Password managers are pieces of software which generate strong, random, and, most importantly, unique passwords based upon user-set parameters (upper and lowercase, no special symbols, etc.) and store them in a cryptographically secured database called a vault. To decrypt and view the stored passwords, users need a strong master password and possibly also some form of multifactor authentication like a YubiKey or an OTP code. If someone were to stumble across an encrypted password vault without the required login data, your passwords remain secure and unusable by the attacker.
In short: a password manager can generate and save all your passwords securely, so you don't have to worry about forgetting them. With a password manager you can easily use unique and strong passwords for all important online accounts – without using the same password twice (which is an absolute no-go).
Because of their ease-of-use and outstanding security, everyone should use a password manager.
Despite having the same general function, the market for password managers has exploded, leading to a wide variety of features to weigh when choosing the best password manager. Ultimately, using ANY password manager improves your security posture and adds an additional layer of protection to your accounts. There are some key differences between the mainstream password managers available, and we would like to clarify and explain their use, pros, and possible cons. That way you can choose the best password manager for your personal or business needs. But let's start with a more general question:
If you're new to the world of password managers, you might ask yourself whether password managers are truly secure. The answer is yes. Password managers are known for their security, and all cybersecurity experts agree that using a password manager is the best way to boost your security online. Password managers use strong encryption to protect your passwords, which is a solid defense against cybercriminals. Many password managers use post-quantum secure encryption like AES-256 or higher, recommended by the U.S. government to protect sensitive data in a post-quantum world.
The required features of a password manager can vary from person to person based upon preference or security needs, but there are a few features on which there should be no compromise. The first of these must-have features is the ability to generate random passwords. This may seem like a no-brainer, but some password managers follow the alternative practice of simply saving a mentally chosen password in an encrypted file. A password manager should be able to create random passwords of varying length and character choice. By avoiding the most common passwords, your accounts are much more secure. A nice example can be found in KeePassXC, a local password manager with a nice set of options for generating secure passwords. You can generate strong, unique, and random passwords with a single click. When generating these random passwords it is good practice to make sure that they are at least 20 characters long, but if you don't need to remember them, why not go big! It's so easy when using a password manager.
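To make the "user-set parameters" idea concrete, here is an added example of a generator that honours the chosen character classes and a minimum length, using the operating system's CSPRNG. This is illustrative code written for this article, not the generator from KeePassXC or any other product; the class names and the symbol set are my own choices.

```python
import math
import secrets
import string

# Character classes a user can toggle (names and symbol set chosen for this example).
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}

def generate_password(length=20, classes=("lower", "upper", "digits", "symbols")):
    """Return a random password of `length` chars drawn with the `secrets` CSPRNG.

    Every selected class is guaranteed to appear at least once, so a request
    for "upper + digits" cannot come back as all lowercase by bad luck.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of selected classes")
    unknown = set(classes) - set(CHARSETS)
    if unknown:
        raise ValueError(f"unknown character class(es): {sorted(unknown)}")
    alphabet = "".join(CHARSETS[c] for c in classes)
    # One mandatory pick per class, then fill the remainder from the whole alphabet.
    chars = [secrets.choice(CHARSETS[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG so the mandatory picks do not sit at fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def satisfies(password, classes):
    """True if `password` contains at least one character from each class."""
    return all(any(ch in CHARSETS[c] for ch in password) for c in classes)

def entropy_bits(length, classes):
    """Approximate strength: log2(alphabet size) per character.

    Guaranteeing one char per class removes a little entropy, so treat this
    as an upper bound; 20 chars from a 60+ symbol alphabet is well over 100 bits.
    """
    alphabet_size = sum(len(CHARSETS[c]) for c in classes)
    return length * math.log2(alphabet_size)
```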
Support for multifactor authentication
Beyond the ability to generate and save secure passwords, it is a major quality-of-life perk if your single management window can also include your multifactor authentication options. A secure password alone is not enough to maintain the security of your online accounts. Nearly all online platforms offer the option to add a second authentication factor, and configuring it is not too difficult. An advantage of using a password manager that supports TOTP authentication is that you can move away from SMS authentication codes, which are not secure and can be easily intercepted by a SIM swap attack. This feature generates the TOTP codes used to confirm your login after your correct username and password are entered. If you wish to take your security up a notch, we recommend using a U2F device like a YubiKey, which is fully supported in Tuta.
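What a password manager's TOTP feature actually computes is the RFC 6238 algorithm, shown here as an added example (not code from Tuta or any of the managers discussed) using only the Python standard library. The secret is the shared key the website hands out when you enable 2FA, usually as a base32 string; the values in the comments are the RFC's own published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second
    windows since the Unix epoch. `at` is a Unix timestamp (defaults to now)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)

def totp_from_base32(b32, **kw):
    """Authenticator apps and otpauth:// URIs carry the secret as base32;
    pad it and decode before use."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return totp(base64.b32decode(cleaned), **kw)

def verify(secret, code, at=None, window=1, step=30):
    """Server-side check: constant-time compare against the current window
    and +/- `window` neighbours to tolerate small clock drift."""
    if at is None:
        at = int(time.time())
    candidates = (totp(secret, at + k * step, step) for k in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)

# RFC 6238 test secret (ASCII "12345678901234567890"): at t=59 the 8-digit code is 94287082.
```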
Support for Passkeys or Passphrases
Passkeys are the latest step in trying to beat the rising password fatigue facing internet users without compromising their account security. Passkeys are based on public-key cryptography: a private and public key pair is created on your device. The public key is shared with the server while the private key remains securely stored on your local device. When you try to log in, the website in question requires proof that your device holds the matching private key, or else the login fails. Support for passkeys is built into the latest versions of iOS, Google, and Microsoft devices, and passkeys are also supported in some of the best password managers like Keeper or Bitwarden. Passwords are not going away any time soon, but we can keep our fingers crossed that they are eventually phased out.
A passphrase generator is built directly into Tuta and can be used when signing up for a new account. Of course, make sure that you save this phrase and your recovery code in your freshly installed password manager.
Data Breach Checking
Some products will offer to check your password vault against data breach information and will alert you if one of your login credentials has been exposed in a breach incident. This feature can give you a nice tip-off that your accounts may be vulnerable, without requiring you to constantly stay up-to-date on the data breach of the day. If you are not interested in purchasing one of the services which offer this feature, you can also visit HaveIBeenPwned to check if your email address, username, or password was included in a breach. (In general it is not best practice to go pasting your password around, but if you are using unique usernames and passwords you can determine whether a compromise has occurred.)
It has become commonplace and good practice to release software projects as open source. Transparency brings a security benefit: if all eyes can review the code, bugs can be found and fixed faster. This practice is especially important for projects involved in the encryption and secure storage of customer data. If companies develop their own encryption scheme and do not release this code for open and honest review, you should be wary, because we don't know what is going on under the hood and have no proof that our data is truly safe.
Predatory Pricing Models
Depending on the pricing and subscription models available, some companies may try to lock you into a subscription to "unlock" basic security features. One example of this is Bitwarden: while they are a great choice as a cloud-based password manager, denying free users access to their authenticator does seem a bit misguided, as it leaves these users at risk if they are not willing to take the step towards paying for the service. Security should be available by default, and multifactor authentication is not a luxury, it's a necessity.
Free but at what cost?
Many services do offer a free version of their product, but these may come with missing features. Certain needs like cloud sync may not be something you are looking for, but support for 2FA either as TOTP entries or as an additional authentication step to open your password manager should not be locked behind a paywall. Where some companies lock features away there are a number of great open source projects which are completely free and offer great features, but may require some technical know-how or a bit of tinkering to get working exactly as you would like.
This is very dependent upon your threat model, but I get nervous when syncing passwords to any externally hosted cloud servers. One example of why this is concerning is the breach incident at LastPass in August of 2022. A malicious actor was able to compromise a server hosting customer data and download personal information along with encrypted password vaults. This data could be used for spear-phishing attacks built on the compromised customer data. Or worse, if customers of LastPass did not use strong master passwords for their vault, all password information stored within their password manager could be decrypted. Incidents such as these are a threat to all password managers that host your vault(s) in a cloud server environment, and this should be considered.
Services which only operate locally completely avoid this type of threat and would require a direct attack on your machine in order to compromise your password vault.
To me the risk isn't worth the added convenience, but I might be one of those "paranoid" types. I much prefer using a local password manager, with a damn strong password and multiple encrypted backups. This type of breach is also not possible if you were to keep a physically written password list in a secure safe. If this safe is compromised you likely have a larger issue than a data breach alone.
For financial login information like cryptocurrency, this is worth considering. Following the LastPass breach one report claims that the breach directly led to the loss of over $35 million USD.
1. Bitwarden: Bitwarden combines all of the features you need with a monthly low price of $1, or even for free. Their software is released open source which allows community review of their code so you can trust there is nothing shady going on which might impact your security.
2. 1Password: 1Password combines all of the features you may be looking for at low subscription cost. At $2.99 for individuals or $5 for a 5-user family plan, you can rest assured that your data is secure and that it can be conveniently shared with your loved ones when and if necessary.
3. Keeper: Keeper combines secure password management and sharing with the option to share files between your user profiles. If you need to share a scan of a sensitive document, you don't need to rely on WhatsApp, you can quickly send it without compromising your privacy and security. Currently $2.92 per month, Keeper also offers a 30-day free trial which will allow you to test out their service before committing.
1. Pass: Pass is a free and open source password manager which began as an option for Linux/Unix users. The baseline pass software is a command-line interface which stores each password as its own unique encrypted file. Built with a commitment to simplicity, Pass is a no-frills approach to password management. There are multiple add-ons which can be used if you would prefer a GUI, and you can also enable cloud syncing if you wish to host your own cloud-based password manager. This is the perfect fit for the more technically inclined or those looking to learn.
2. KeePassXC: KeePassXC is an open source password manager available for Mac, Windows, and Linux. There are also third-party ports available so that you can keep your passwords secure on Android and iOS. KeePassXC comes with all of the features you need in a password manager and is available completely free of charge. Cloud syncing is possible, but this will require you to host it yourself.
3. Bitwarden: Bitwarden is listed again here because they are committed to the security of open source software. By keeping their code in public view, users can rest assured that their data is truly secure.
2. Bitwarden (Free version)
Hopefully, by this point we have answered your question -- "Do I need a password manager?" Password managers have become a non-negotiable point in building a strong online security posture. Not only do they spare your memory, but they can also create mathematically strong and unique passwords. This combination, regardless of whether you choose to stay local or make the jump to a cloud provider, already removes your accounts from the low-hanging fruit of potential targets. When choosing between services it is important to take an honest look at what your threat model looks like. Are you of interest to advanced persistent threats like the intelligence service of an industrialized nation? Then you will have far different requirements than if you are the average Joe just looking to create a strong password for an Instagram account. Security is not one-size-fits-all and it is not a sprint. You will need to carefully decide where your weak spots may be, balance convenience and security, and realize that this single step will not be the last in your privacy journey.
If you want to take your security to the next level combining your password manager with a secure end-to-end encrypted email provider like Tuta is a great first step. Not only will your passwords be more secure from hackers, but your data is also secure when at rest and over the wire. One important factor to keep in mind when choosing an email service is also that most services offer the option to reset your password via email. Password resets via email are a severe threat to your online identity – if your email account gets hacked, almost all your accounts like PayPal, Amazon, Facebook and Twitter can be taken over easily by the attacker via simple password resets. That’s why choosing a secure email service – in combination with using one of the best password managers reviewed in this article – is the best way to achieve top security online.
And don't forget to start using a password manager today!
Stay secure. 🔒