We last reviewed password managers in 2016. New test results will be available mid-June 2020.
Lost track of your passwords? We may have the answer.
Coming up with a strong password usually means one you can’t remember. That’s where a password manager comes in.
To make them difficult to crack, these passwords should contain upper and lower case characters, punctuation and numbers. However, remembering all these different and complicated passwords isn’t easy. Here’s where a password manager can save the day. Not only do they store all your passwords in a “vault”, but they can also generate new complex passwords.
Some password managers work with your browser to automatically enter your passwords into login pages. While browsers also have this ability, they aren’t as secure as a password manager, which encrypts and stores your passwords.
“Pretty much anything that can be remembered can be cracked,” says security expert Bruce Schneier. In 2013, a tech publication gave three experts a 16,000-entry encrypted password file. It asked them to break as many as possible: working singly they got between 62 and 90 percent of them – all within a few hours.
The newest systems for cracking passwords rely on dictionaries. This means they have words and phrases and can check combinations quickly. The dictionaries also include words with simple letter-to-number changes (such as 0 instead of o and 3 instead of e).
Bruce Shreiner says: “So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like ‘This little piggy went to market’ might become ‘tlpWENT2m’. That nine-character password won't be in anyone's dictionary.”
Also don’t be afraid of adding in punctuation like > ? ^ ( \, which will add further complexity to your password. A super strong password is something like: “[98a.)%46g7_|2s”. Good luck with remembering that.
Fortunately, many sites requiring good security – such as webmail sites – offer two-factor authentication. What this means is after you log in with your password the website sends a text to your phone with a code to enter into the site. So for someone to break in they need to crack your password and have your phone.
You might think this is extreme, but in late 2013 a program called oclHashcat-plus could make eight million guesses per second and could crack in minutes passwords like “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1,” (a phrase from an HP Lovecraft horror story). It helped that this phrase was in a dictionary of known words.
The problem with strong passwords is they’re hard to remember. Using the sentence technique helps, but you still have to remember which phrase you used for which site (repeating passwords across different sites is a dangerous idea). Instead you may want to use a password manager.
As this is a simple task we don’t focus on how well password managers did this, instead we tested how easy they are to use, as accessing your passwords can be the tricky part.
With so many operating systems and browser combinations available, we tested password managers on several platforms and browsers. We tested the password managers on computers running Windows 10 with both Chrome and Internet Explorer 11 browsers. We also tested them on a tablet and phone running Android, and an iPad running iOS.
We assessed how easy they were to install and the help information provided, the ease of storing and managing passwords in the app and how easy it is to access and change security settings.
We looked at how easy it was to use the stored passwords on 4 websites — Gmail, an online magazine subscription site, a news website and Netflix.
The most common types of two-factor authentication are:
Some password managers use a specific type of two-factor authentication, which “locks” your vault to a specific device or devices, such as your tablet or home PC. This means only approved devices can access the vault.
The vault master password lets you into your vault to see all your other passwords. But what happens if you forget the master password?
Some password managers provide hints to help you remember your vault master password. A few offer a password reset option, but as this is the one password “to rule them all”, a reset option can be a security risk.
The vault master password should be a strong password, but also easy to remember, as forgetting it can mean you can lose access to all your passwords. Try to make it a phrase you can easily remember, such as a line from your favourite song, but make it more complex by including punctuation and upper and lower case characters.
Here’s a breakdown of some of the jargon involved with password managers.
An onscreen keyboard for desktop computers. It lets you enter your password by clicking with your mouse, this bypasses any keylogging malware that could record your keyboard strokes.
There are two common synchronisation methods: online, where your data is synced with a cloud-based vault, and local, where your data is synced between your devices on a home network.
This runs everything on your computer. The main operating systems are Microsoft Windows (Windows), Apple OS X (Mac), and Linux. Mobile devices such as smartphones also have operating systems; the main ones are Apple’s iOS and Google’s Android.
This means the password manager has its own browser that opens inside the app instead of launching another browser. An in-app browser can be more secure than the one installed on your computer or device, but it won’t be as convenient as your device’s browser, which will have your bookmarks and browsing history.
In this context it means a list of common words and phrases that password-breaking programs use to try and break a password. This includes words with common letter-number swaps such as replacing I with 1 or A with 4. For example, Pizza becomes P1zz4.
The program your computer uses to browse the internet. Internet Explorer, Edge, Chrome, Safari, Firefox and Opera are the most common browsers. We recommend you regularly download any browser software updates, so security holes are fixed.
Some sites offer “secret questions” for logging in or for recovering your password. These are usually along the lines of “What was your first pet’s name?” or “What is your mother’s maiden name?” While they sound secure, they are often things that people can guess. If given a selection, pick the question with the least obvious answer.