Password managers

Keep better track of your passwords.

Coming up with a strong password usually means one you can’t remember. That’s where a password manager comes in.


What is a password manager?

Essentially a password manager is a vault for all your passwords.

To stay safe online, you should have unique passwords for all the different sites you sign into.

To make them difficult to crack, these passwords should contain upper and lower case characters, punctuation and numbers. However, remembering all these different and complicated passwords isn’t easy. Here’s where a password manager can save the day. Not only do they store all your passwords in a “vault”, but they can also generate new complex passwords.

Some password managers work with your browser to automatically enter your passwords into login pages. While browsers also have this ability, they aren’t as secure as a password manager, which encrypts and stores your passwords.

Strong passwords

What is a strong password? Probably not what you think.

“Pretty much anything that can be remembered can be cracked,” says security expert Bruce Schneier. In 2013, a tech publication gave three experts a 16,000-entry encrypted password file. It asked them to break as many as possible: working singly they got between 62 and 90 percent of them – all within a few hours.

The newest systems for cracking passwords rely on dictionaries. This means they have words and phrases and can check combinations quickly. The dictionaries also include words with simple letter-to-number changes (such as 0 instead of o and 3 instead of e).

Bruce Schneier says: “So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like ‘This little piggy went to market’ might become ‘tlpWENT2m’. That nine-character password won't be in anyone's dictionary.”

Also don’t be afraid of adding in punctuation like > ? ^ ( \, which will add further complexity to your password. A super strong password is something like: “[98a.)%46g7_|2s”. Good luck with remembering that.

Fortunately, many sites requiring good security – such as webmail sites – offer two-factor authentication. What this means is after you log in with your password the website sends a text to your phone with a code to enter into the site. So for someone to break in they need to crack your password and have your phone.

You might think this is extreme, but in late 2013 a program called oclHashcat-plus could make eight million guesses per second and could crack in minutes passwords like “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1,” (a phrase from an HP Lovecraft horror story). It helped that this phrase was in a dictionary of known words.

The problem with strong passwords is they’re hard to remember. Using the sentence technique helps, but you still have to remember which phrase you used for which site (repeating passwords across different sites is a dangerous idea). Instead you may want to use a password manager.

About our test

A password manager stores all your passwords in a “vault”.

As this is a simple task, we didn’t focus on how well password managers did this. Instead, we tested how easy they are to use, as accessing your passwords can be the tricky part.

With so many operating systems and browser combinations available, we tested password managers on several platforms and browsers. We tested the password managers on computers running Windows 10 with both Chrome and Internet Explorer 11 browsers. We also tested them on a tablet and phone running Android, and an iPad running iOS.

We assessed how easy they were to install and the help information provided, the ease of storing and managing passwords in the app and how easy it is to access and change security settings.

We looked at how easy it was to use the stored passwords on 4 websites — Gmail, an online magazine subscription site, a news website and Netflix.

Two-factor authentication

Also known as 2FA or two-step verification, this security method adds extra security by requiring you to enter a second type of identity verification when logging in.

The most common types of two-factor authentication are:

  • a passcode stored on a physical object, such as a memory card or USB drive
  • a secret number or code, such as a PIN or favourite phrase. This could also be a code sent to you by another means, such as text message.
  • a physical characteristic, such as fingerprint, eye or voice pattern.

Some password managers use a specific type of two-factor authentication, which “locks” your vault to a specific device or devices, such as your tablet or home PC. This means only approved devices can access the vault.

Expert tips

Passwords aren’t just a matter of choosing a good one. Here are 4 tips from Bruce Schneier about password use.

  • Never reuse a password that’s important to you. Even if you choose a secure password, the site you’re now using it on could leak it because of its own incompetence. You don’t want someone who gets your password illicitly for one application or site to be able to use it for another.
  • Don’t bother updating your password every few months. Every 6 months to a year should be enough for most websites. However, if you suspect your password has been compromised, then change it immediately.
  • Beware the “secret question.” You don’t want a back-up system for when you forget your password to be easier to break than your password. It’s smarter to use a password manager or to write down your passwords and secure that piece of paper.
  • If a site offers 2-factor authentication, seriously consider using it. It’s almost certainly a security improvement.

The jargon

Here’s a breakdown of some of the jargon involved with password managers.

Virtual keyboard

An onscreen keyboard for desktop computers. It lets you enter your password by clicking with your mouse, which bypasses any keylogging malware that could record your keystrokes.

Online and local sync

There are two common synchronisation methods: online, where your data is synced with a cloud-based vault, and local, where your data is synced between your devices on a home network.

Operating system

This runs everything on your computer. The main operating systems are Microsoft Windows (Windows), Apple OS X (Mac), and Linux. Mobile devices such as smartphones also have operating systems; the main ones are Apple’s iOS and Google’s Android.

In-app browser

This means the password manager has its own browser that opens inside the app instead of launching another browser. An in-app browser can be more secure than the one installed on your computer or device, but it won’t be as convenient as your device’s browser, which will have your bookmarks and browsing history.

Dictionary

In this context it means a list of common words and phrases that password-breaking programs use to try and break a password. This includes words with common letter-number swaps such as replacing I with 1 or A with 4. For example, Pizza becomes P1zz4.
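The check below is an added example, not part of the original article: it shows how a sign-up form or password audit can reject passwords that are only a dictionary word with the letter-number swaps described here and under "Strong passwords". The wordlist is a small constructed sample, and stripping trailing digits and punctuation goes slightly beyond the swaps the article names.

```python
import string

# Letter-to-number swaps named in the article: 0 for o, 3 for e, 1 for I, 4 for A.
SWAPS = str.maketrans({"0": "o", "3": "e", "1": "i", "4": "a"})

# Constructed sample wordlist (assumption). A real check would load a large
# list of common words, phrases and previously leaked passwords.
WORDLIST = {"pizza", "password", "market", "welcome", "dragon"}


def variants(password):
    """Lowercased password plus forms with trailing punctuation/digits removed."""
    base = password.lower()
    no_punct = base.rstrip(string.punctuation)
    no_suffix = base.rstrip(string.punctuation + string.digits)
    # Keep order, drop duplicates and empty strings.
    return [v for v in dict.fromkeys([base, no_punct, no_suffix]) if v]


def dictionary_match(password, wordlist=WORDLIST):
    """Return the dictionary word the password reduces to, or None."""
    for form in variants(password):
        word = form.translate(SWAPS)  # undo the letter-number swaps
        if word in wordlist:
            return word
    return None


def audit(passwords):
    """Map each candidate password to its dictionary match (None = no match)."""
    return {pw: dictionary_match(pw) for pw in passwords}


if __name__ == "__main__":
    # Constructed sample inputs; the last is the sentence-based example from the article.
    samples = ["P1zz4", "Passw0rd!", "m4rk3t", "Pizza2013", "tlpWENT2m"]
    for pw, hit in audit(samples).items():
        print(f"{pw!r}: {'reject, matches ' + hit if hit else 'no dictionary match'}")
```

A result of "no dictionary match" only means this small list missed the password; it is not a measure of strength.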

Browser

The program your computer uses to browse the internet. Internet Explorer, Edge, Chrome, Safari, Firefox and Opera are the most common browsers. We recommend you regularly download any browser software updates, so security holes are fixed.

Secret question

Some sites offer “secret questions” for logging in or for recovering your password. These are usually along the lines of “What was your first pet’s name?” or “What is your mother’s maiden name?” While they sound secure, they are often things that people can guess. If given a selection, pick the question with the least obvious answer.
