How to choose the best password manager
There are plenty of password managers on the market, and it isn’t clear which ones are best. Any password manager is better than none, but we have some tips to help you make the most user-friendly, secure decision.
A password manager is an encrypted “vault” containing all your passwords. You can use a password manager to generate unique, complex passwords for each new website you sign up for. Then, if you want, the manager will work with your web browser to automatically enter those passwords into the sites’ login pages.
Why do I need a program to remember passwords for me?
Do you:
- reuse passwords online?
- use weak passwords that are short or easy to guess?
- have to reset the password nearly every time you log into something?
Realistically, if you don’t use a password manager, you answered “yes” to at least one of those questions.
That’s because today’s digital environment requires more logins than ever, and as computers get more powerful, it gets easier and easier to crack passwords. In turn, that means passwords need to be more complex, making them harder for us to remember.
Passwords are cracked by checking combinations of words from a list, including words with simple letter-to-number changes (such as 0 for o, or 3 for e). A strong password is free of words that could appear in such a list, and ideally includes punctuation and symbols too.
A password manager lets you set a different password for every site you use, each one long and featuring a variety of character types, none of which you have to remember.
Setting your password to access the vault
You still need to remember one “master” password, though, to give you access to all your others. Put some thought into your master password – it needs to be very strong, but also memorable because there’s little recourse if you forget it.
Tip: Base your master password on a phrase you can easily remember, like a line from a favourite song, but make it:
- harder to guess by swapping out words for synonyms or rhymes
- more complex by including punctuation, numbers and upper-case letters (as long as it remains memorable).
If you do forget your master password, some managers provide hints to help you remember. A few will let you reset it, but because it’s such a security risk, you’ll have to jump through a lot of hoops.
Can’t I just use my browser to store my passwords?
Web browsers such as Chrome and Edge have built-in password management features and will offer to save passwords for you. We don’t generally recommend using them because they’re not as secure as standalone apps. For a start, if you lend your device to someone, or it gets stolen, your accounts will be compromised.
Do I need to pay for a password manager?
Many companies offer a free version alongside their premium product, but limit the number of passwords you can store or devices you can use. We advise against using most of the free options, given that a key benefit of a password manager is that you don’t have to think about it.
However, there are exceptions.
- Bitwarden is an open-source password manager, with a fully featured free tier (as long as you don’t have more than two users)
- Norton Password Manager is a good no-frills option for a single user.
- iCloud Keychain is built into Apple devices and likely to be all you need if you’re entirely within the Apple ecosystem (including using Safari for web browsing).
For paid password managers, expect a cost of about $50 per year, although there are cheaper options if you don’t need all the bells and whistles. A few products, such as Enpass, can be bought permanently for a one-off cost.
What should I look for in a password manager?
Your password manager needs to:
- have extensions for the web browser(s) you use – installing an extension is the easiest way to use a password manager, as it will automatically capture any new usernames and passwords you set in your browser
- sync between phones and computers – so you can access your passwords on all your devices
- allow you to download all your passwords – so they can be imported into a different password manager if you decide to switch in future
- alert you to insecure passwords – such as passwords that have been involved in a data breach or are being used for multiple sites
- let you adjust length and complexity settings – since you don’t need to remember them, we recommend making your passwords at least 15 characters long and including as many character types as possible
- have an “inheritance” system – so you can nominate a loved one to access your passwords in the case of your death
- be able to handle personal and payment information – for example, filling in credit card details when you want to buy something online. It’s much better to use this feature than to let individual sites remember your details.
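The length and complexity settings described above are easy to get wrong when a generator is written by hand: a “symbols” option that is merely possible rather than guaranteed, or a generator seeded from a non-cryptographic random source. The following is an added example (not Consumer’s code, nor code from any product named on this page) showing how a generator honours those settings, with the article’s recommended 15-character minimum as the default. The character classes, the symbol set and the function names are assumptions chosen for the illustration.

```python
import math
import secrets
import string

# Character classes a password manager typically lets you toggle (assumed set).
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",
}
DEFAULT_CLASSES = ("lower", "upper", "digits", "symbols")


def generate_password(length=15, classes=DEFAULT_CLASSES):
    """Return a random password of `length` characters from the enabled classes.

    Every enabled class contributes at least one character, so a "symbols"
    setting can never be silently dropped by an unlucky random draw. All
    randomness comes from `secrets` (a CSPRNG), never from `random`.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of enabled classes")
    pools = [CHARACTER_CLASSES[c] for c in classes]
    # One guaranteed character per enabled class ...
    chars = [secrets.choice(pool) for pool in pools]
    # ... then fill the remainder from the union of all enabled classes.
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by secrets, so the guaranteed characters
    # do not always sit at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password, min_length=15, classes=DEFAULT_CLASSES):
    """True if the password is long enough and uses every enabled class."""
    if len(password) < min_length:
        return False
    return all(any(ch in CHARACTER_CLASSES[c] for ch in password) for c in classes)


def entropy_bits(length, classes=DEFAULT_CLASSES):
    """Approximate strength in bits: log2(alphabet size) per character.

    This ignores the one-per-class guarantee, so it is a slight overestimate,
    but it is good enough to compare settings against each other.
    """
    alphabet_size = sum(len(CHARACTER_CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), round(entropy_bits(15), 1), "bits")
    print("8 lower-case letters:", round(entropy_bits(8, ("lower",)), 1), "bits")
```

The entropy figure is the practical reason behind the “at least 15 characters, as many character types as possible” advice: 15 characters drawn from all four classes is roughly 96 bits, while an 8-character lower-case password is under 40.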
Which products does Consumer recommend?
Sadly, we no longer have the budget to test password managers, so we can’t give concrete suggestions. Back when we did test them, top products included 1Password, Enpass, RoboForm and Keeper. While they might not still be best, they’re good places to start your search.
What does all this jargon mean?
Here’s a breakdown of some of the technical terms you might come across in your search.
Two-factor authentication (2FA)
When a second kind of identity check, such as facial recognition or a code sent to a mobile app, is required during login. Some password managers use 2FA so that only devices you’ve approved can access the vault.
Sync
How passwords are shared between devices. The two common methods are online sync, where data is stored in a cloud-based vault, and local sync, where data is sent between devices on your home network.
Passkeys
In the future, passwords are expected to be replaced by a new kind of credential called passkeys. They are stored on your device, rather than on remote servers, making them much more secure. While they’re not widespread yet, many password managers support using them for compatible sites, such as Air New Zealand, PayPal and Uber.
Dictionary
A list of words and phrases used by password-breaking programs. They also include common variations on words, such as letter–number swaps. For example, a dictionary might contain “P1zz4” or “d0gz!”.
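The “insecure password” alerts mentioned earlier, and the point made about dictionaries both here and in the section on why passwords get cracked, come down to one check: does the password still contain a dictionary word once the simple letter-to-number swaps are undone? The following is an added example (not Consumer’s code, nor code from any password manager) of that check from the defender’s side. The substitution table and the tiny word list are constructed for the illustration; a real checker would use a large breach-derived list.

```python
import itertools

# Common letter-to-symbol swaps that cracking dictionaries already contain,
# so they add almost no strength (assumed table). Ambiguous symbols such as
# "1" map to several letters and every reading is tried.
LEET_MAP = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l", "+": "t",
}

# Constructed toy wordlist for the example only.
SAMPLE_WORDLIST = {"pizza", "dog", "password", "summer", "qwerty", "letmein"}


def unleet_variants(password, limit=256):
    """Return every plain-letter reading of `password`, undoing LEET_MAP swaps.

    The literal lower-cased password is always the first combination that
    itertools.product yields, so it is included even when `limit` truncates a
    password with many ambiguous characters.
    """
    options = [[ch] + list(LEET_MAP.get(ch, "")) for ch in password.lower()]
    combos = itertools.islice(itertools.product(*options), limit)
    return {"".join(combo) for combo in combos}


def find_dictionary_word(password, wordlist=SAMPLE_WORDLIST, min_len=3):
    """Return the longest wordlist entry hidden in `password`, or None.

    Case is ignored and substitutions are undone first, so "P1zz4" is caught
    by the entry "pizza" and "d0gz!" by the entry "dog".
    """
    best = None
    for variant in unleet_variants(password):
        for word in wordlist:
            if len(word) >= min_len and word in variant:
                if best is None or len(word) > len(best):
                    best = word
    return best


def is_weak(password, wordlist=SAMPLE_WORDLIST, min_length=15):
    """Flag a password that is short or built on a dictionary word."""
    return len(password) < min_length or find_dictionary_word(password, wordlist) is not None


if __name__ == "__main__":
    for candidate in ["P1zz4", "d0gz!", "pa$$w0rd123", "Xq7#mL2v"]:
        print(candidate, "->", find_dictionary_word(candidate), "weak:", is_weak(candidate))
```

Checking the password rather than expanding the wordlist keeps the work bounded by the password’s own length, which is why the variant count is capped; a manager that runs this kind of check locally never needs to send the password anywhere.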