Skip to content   Skip to footer navigation 

How to find the best password manager

Trying to remember a long list of passwords is a recipe for insanity. We explain the ins and outs of password managers.

logging into banking website on tablet

Passwords are an annoying but increasingly necessary part of your digital life. Security experts say you should create unique and complex passwords for every single account and login, but mentally keeping track of an ever-growing list of letters, numbers and symbols is difficult.

But a password manager can do all that and more, taking a lot of the pain out of being secure while online.

These programs help manage and safeguard not just your collection of website login passwords, but also pin numbers, credit cards and other private details. This sensitive information is protected from prying eyes in a digital vault with layers of encryption, and a master password that only you know.

CHOICE tester in a lab coat

Australia's source of unbiased reviews

  • No fake reviews
  • No advertising
  • No sponsorships

What are password managers?

Put simply, password managers are a secure database of access keys such as passwords. They're affordable, easy to use, and are the most effective means of keeping your login details safe, short of memorising every single password across all your accounts. And if you're not the sort of person that can memorise a phone book, you need one.

Most password managers, however, have many more features. They can:

  • automatically log you into websites, services, accounts and so on
  • assess the strength and quality of your passwords (weak, strong etc.)
  • set up two-factor authentication (which adds a second step to the login process, such as an additional, one-time password that's sent to your smartphone via text message)
  • provide security reports such as repeated password notifications and information on unsafe websites
  • notify you when someone has successfully used, or attempted to use, your login details
  • generate new passwords
  • sync with your smartphone

The latter feature is particularly handy, as your password manager can create complex passwords full of letters, numbers and symbols that would take thousands of years to crack – and you don't need to memorise them. They're a far cry from the collection of birthdays you've probably been using. 

Some also let you add multiple users to a single account, so you can share pertinent passwords with your partner, kids, relatives and close friends.

Some also have a digital inheritance feature that means all your private and valuble information is not lost in the event of your death or incapacitation.

Why you should get a password manager

It's important to have a different password for every account. If you use one or two and they are compromised, hackers can break into any website or service that you log into. Password managers keep track of your different details so you don't have to, and they do it securely.

Even if someone steals your computer or accesses your desktop remotely, they can't get into your digital vault without your master password. This makes managers much more secure than a simple document hidden on your PC. The only equivalent is a handwritten list, locked in a safe and let's face it, that's just impractical.

Passwords in your pocket

Most password managers also include apps, so you can securely access your login details on the go. You don't need to worry if your phone goes walkabout either, as good apps provide the same level of protection as their software equivalents.

Note that desktop and mobile versions of the software are not always identical for features and ease of use, so try out the software on both platforms before deciding which one you want to use.

lastpass-premium_1

LastPass is a popular password manager.

Are password managers safe?

Once you enter your information, password managers use a multi-step system to protect your details.

Master password

When you create an account, you need to come up with a master password that unlocks your protected details. This is the only key to your vault, so you have to keep it secret and safe. The password manager will not store this information for security reasons.

But what happens if you forget your master password? Well, it's called a master password for a reason, and unless your memory returns, you're not getting into the vault. Very few have a password recovery feature, for the simple reason that it could be compromised.

Some password managers protect your digital inheritance by allowing a trusted person access in the event of your death or incapacitation

However, some password managers have a feature that can allow a third party, such as a close relative or friend, to access your vault after a certain time. This is handy in the case of accident or death and allows your precious information to be passed on to a trusted person.

You can also use this to access the account of a relative that's deceased, or no longer able to support themselves (for example, due to dementia or a stroke). This level of access requires proof of relationship, such as a birth certificate, or approval from the second party.

Using a password manager with a digital inheritance feature  such as this means the work you spend each day on keeping track of your websites, accounts and passwords can pay off big time for whomever has to sort our your affairs after you're gone or not able to take care of them yourself.

Encryption

Even if a hacker managers to get into your vault, the data contained within is encrypted. This means that the software converts it to a scrambled series of random letters, numbers and symbols that are completely meaningless and which only the software can unscramble.

Your master password acts as the decryption key, which is why you can view everything in your vault. Once you log out, the content is encrypted again.

Most password managers use AES-256 bit encryption, which is the security tool of choice for government agencies worldwide.

Encryption_explained

A basic illustration of encryption at work.

Automatic log-ins

Plugins that create a link between your vault and the website, program or app allow you to automatically log in. These plugins are created by the password manager software developer. However, they're entirely optional.

Storage

Your passwords will be stored in one of two places, locally or in the cloud.

Cloud storage pros

  • Instant backup.
  • Little chance of losing data in your vault (especially if your hard drive fails).
  • Easy to sync info across devices.

Cloud storage cons

  • Arguably less secure.
  • Target for hackers.
  • Risk of losing data if the company servers fail or shut down.
  • Risk of losing data if the company shuts down.
  • Potentially unable to access vault if internet is unavailable.

Local storage pros

  • Potentially safer than storing data offsite (particularly if you keep the computer offline).
  • Accessible without internet connection.
  • Lower risk of data loss (no dependence on company servers).
  • Less tempting for hackers (one user versus tens of thousands).

Local storage cons

  • No instant backup offsite.
  • Chance of data loss if hard drive fails.
  • Difficult to sync data across devices.

How much do password managers cost?

Most are sold as a subscription service. They cost between $US15 and $US50 per year. Some have family packages that charge less per user if you sign up in groups. Others can be bought outright. They typically start at $US60.

You can also find free alternatives that perform quite well. They are available under open source licensing (free and legal). Most paid and free programs are built on the same open source encryption tools. Odds are, the tools in paid programs are identical, or very similar to, the ones in free alternatives.

So why pay?

  • A subscription generally provides access to the cloud.
  • Outright payment for a lifetime license limits you to local storage, though there are some exceptions.
  • Both subscription and lifetime licenses provide access to ongoing support as long as the company is active.
  • Freebies are typically built and maintained by small teams of enthusiasts or online communities (not a bad thing if they're experienced with security and programming, but you may not get consistent product support if something goes awry, or access to cloud storage because servers cost money).

Pretty much all password managers include a free trial period however, so you don't need to risk laying down cash on a program that may not match your needs.

Are your existing passwords secure?

An understated benefit with this sort of software is the ability to quickly and easily generate new passwords for your accounts as needed. It's good practice to change your passwords periodically, but few of us are actually that vigilant. However, a password manager can easily create new, highly secure passwords and save them in your vault with the click or two of a button.

Some password managers include a security adviser feature that will look at your existing passwords and notify you if you've used the same password across multiple sites, so you can change them to unique passwords. The password manager may even advise if a site you have listed in your vault has been compromised since you created your password, and advise a change.

Roboform_tutorial_9

RoboForm is an example of password management software that includes a password generator.

People tend to underestimate how easy it is for hackers to crack passwords. For example, someone in the know could crack the following passwords almost instantly:

  • abcd
  • 1234
  • password
  • drowssap
  • starwars
  • qwerty
  • family
  • coffee
  • sandwich

Be honest, how many of these passwords do you use? How many do you use with four or five symbols, and which ones are inspired by popular culture or whatever's sitting on your desk? Thought so.

Random generators in password managers make for an easy fix to this problem. For example, you can throw a mix of symbols and numbers in there, and things get a little trickier for prying eyes. Here's some examples and how long they would take a computer to crack using 'brute force' methods:

  • +!password!+ =  about 18 years to crack
  • <+family?/{ = about 29 years to crack
  • ?+qw3r7y:{? = about 200 years to crack

Once you start using randomly generated passwords, you'll get results like this:

  • 4dhrE_gaB9pJ$ = about three million years to crack
  • sArRUZ88Yv\tN_jf9 = approximately four quadrillion years to crack

So, unless you're some sort of encryption genius, a walking random number/letter/symbol generator, or human supercomputer with the ability to permanently retain complicated chunks of data and information, it's time to get a password manager.

Stock images: Getty, unless otherwise stated.