Practical privacy and simple cybersecurity.
TheNewOil.org

The Best Password Managers in 2023

Password managers are thankfully becoming a mainstream topic. In addition to seeing commercials for certain ones from time to time, it’s becoming more common for me to attempt to spread the word about good passwords only to be met with something like “oh, I already use Dashlane/1Password/etc.” While it’s good for consumers that there are more options available, that also means it can be difficult for people to know what’s best, since many companies are prone to exaggeration or poor practices (as we saw in the somehow still-ongoing LastPass data breach). So this week, I'd like to examine the three password managers recommended on the website and explain what I believe to be their use cases, strengths, and weaknesses to help readers decide on the best password manager for them.

What is a Password Manager?

A password manager is a critical piece of technology that I would argue is mandatory in today’s world, as it provides a secure place to store your login (and other) information. This serves several purposes. The first and most obvious is account security. Modern cybersecurity advice says that passwords should be at least 8 characters (or more, depending on whose advice you listen to); contain a mix of uppercase and lowercase letters, numbers, and special characters; and should not be reused anywhere. This makes the idea of remembering your passwords laughable – even those with the best memory would struggle after a few accounts, and less-used accounts would quickly be forgotten. A good password manager will help you adhere to best password practices and keep track of all your accounts with zero effort on your end. It is a commonly held piece of wisdom that if you know your passwords, they aren’t strong enough (with the exception of the passphrases used to log into your password manager and devices). Password managers can also serve numerous other purposes, such as helping to prevent phishing and keeping track of other critical information like two-factor authentication seeds, security answers, and more. With that in mind, here are the password managers I recommend in 2023 and who I think would benefit most from each.

Bitwarden: Feature Rich

Bitwarden is my go-to recommendation for the vast majority of users. With a modern, user-friendly interface and a generous free plan, Bitwarden is a cloud-based password manager offering no device limitations, unlimited entries (including different types of entries like notes, credit cards, and identities), folders, sharing with one other user (more with a paid plan), a limited file-sharing feature, a username and password generator, and a fully encrypted vault. Users can also export their vault as a backup or to transfer to another service, and you can even integrate with certain email aliasing services like SimpleLogin or Addy.io (both of which I recommend) if you know how to add an API key (and if you don't but you're confident in your ability to follow instructions, Bitwarden has great user-friendly documentation on how to do this). If you decide to upgrade to Bitwarden's premium plan – a mere $10/year for an individual – you can even secure your account with a hardware key such as a YubiKey, add two-factor authentication seeds to use Bitwarden as an authenticator app (see Note 1 below), use their “emergency access” feature (see Note 2 below), and more. Furthermore, Bitwarden now has an Apple Watch app, which can make using their authenticator even faster and more convenient. If you want the value of an easily synced cloud password manager but you don't trust Bitwarden's servers for whatever reason, you can even self-host it. Bitwarden gets audited about once a year and comes with a plethora of apps for all devices, including Android, iOS, Windows, Mac, Linux, and even a browser extension.

The main drawback to Bitwarden in my opinion is the paywalling of certain features. To be fair, Bitwarden has to pay the server costs somehow, and their premium plan is incredibly affordable for most people (not to mention the free offerings are so powerful that most users can get by with no problem without paying). And of course, depending on your threat model, the cloud features may also be something you're not looking for. It could leave you slightly hindered if the server is temporarily unavailable, or could present a risk if they ever get breached LastPass-style (though it's worth noting that Bitwarden is source-available; in other words, we know that Bitwarden is encrypting the things LastPass wasn't, numerous security researchers have helped find and fix vulnerabilities over the years, and Bitwarden is always looking for new ways to help protect users, such as adopting the latest recommended hashing algorithms). All in all, I have few real complaints with Bitwarden, but nothing is perfect and Bitwarden may not be right for everyone.

KeePass: For the Cloud Averse

If Bitwarden doesn't appeal to you, the other most common recommendation in the password manager sphere is KeePass. KeePass's main draw is that it's not cloud-based, but it has other potential draws. For example, because KeePass isn't cloud-based, there's no paywall. All features are fully available to anyone anywhere for free: features like using 2FA keys (see Note 1), hardware security tokens, support for a wide variety of devices, and more. There's also no need to worry about a server compromise or outage. KeePass is a file format in addition to a password manager – in other words, there are several different apps for all operating systems that should all be interoperable with the same vault or database. If you don't like the look of one or you want a certain functionality, there's almost certainly a fork that does whatever it is or works on whichever operating system you're looking for. Personally, I'm a huge fan of KeePassXC, which is available on Linux, Mac, and Windows and has a great security track record. KeePassDX is commonly recommended for Android and Strongbox for iOS, though again there are several options in every category, including apps for Windows Phones, Blackberry, and web extensions. Really, if you need it, it's probably already been forked.

That said, KeePass's strengths are also its weaknesses. Because KeePass is offline, it's up to you to find a way to sync your vault in a way that stays consistent. The easiest way would be to use a privacy-respecting cloud provider, but at that point I'm not sure I see the point in avoiding any of the other options on this list. You could also manually sync the vault regularly and set it to read-only on other devices so that it can only be updated from one device, to avoid any sort of conflicting vault entries. And needless to say, since KeePass is entirely offline, there are no features such as sharing or Emergency Access (see Note 2). There's also the issue of backups: if you don't keep good, regular backups, you run the risk of losing your vault entirely if it becomes corrupted or if your device suffers any sort of data loss. There's also the user interface: I've yet to use a KeePass client that actually looks modern. Most of them look pretty dated – like early 2000s at best – and contain only a single type of entry (unlike how other password managers may offer notes, credit cards, and more). Of course, as I noted earlier, it's fully functional, so you can put whatever you want into a regular entry; it just may require some creative organization. It's also worth noting that not every client has been audited, or if they have, the audits may not be recent. KeePass itself, for example, was last audited in 2016, and certainly a lot has changed since then.

Proton Pass: For the Ecosystem Lovers

Proton – the giant of the privacy community aiming to create an all-in-one ecosystem to compete with the likes of Google and iCloud – released their own password manager just a few months ago at the time of this writing. As a free user, Proton Pass offers an unlimited number of entries (username/password logins only), no device limitations, and 10 alias email addresses provided by SimpleLogin. At the time of this writing, the paid versions of Proton Pass offer credit cards and notes in addition to regular entries, two-factor authentication integration (see Note 1), and multiple vaults (which function more as folders, compared to other password managers). Proton Pass is source-available and has already been audited. And of course, this is backed by Proton's high reputation, track record, and the fact that they seem unlikely to go away any time soon (which, to be fair, can be said of all the entries in this blog post, but that's always worth considering in a new service especially). At this time there's also a surprising amount of feature parity between all the various apps, something Proton is notoriously bad at. Perhaps it's because there are so few features to keep track of for now.

Like most of Proton's initial releases, Proton Pass leaves a lot to be desired. At this time, Proton Pass is only available as a browser extension (not available on Safari) or mobile app. In the future they hope to add a web vault, desktop app, and Safari extension; the ability to share entries (and even aliases) with other users; different languages; the ability to sync with existing SimpleLogin aliases; and the ability to add favorite entries, in addition to a number of other general improvements. Proton in general is also – to my knowledge – missing an emergency access feature (see Note 2). Despite being open source, at this time Proton Pass is not available in F-Droid, and for some reason, as far as I can tell, Proton doesn't publish releases to GitHub, so you can't just download an APK. Hopefully, as Proton Pass continues to mature, it will become a better offering that may appeal to the people who prefer to use an all-in-one ecosystem that integrates nicely together rather than keeping track of several different services.

Conclusion

There are a lot of solid choices out there for password managers, and this blog post only includes my actual recommendations, not even honorable mentions (you can find those here). It largely depends on your threat model and preferences. If you prefer not to trust the cloud and you trust yourself to keep good backups, KeePass is the clear winner. If you want something modern and easy that “just works,” Bitwarden is the winner. If you prefer to only have a single ecosystem to manage – and you're willing to be patient while the new features roll out – then Proton Pass is the one for you. Regardless of which one you pick, I hope I’ve helped lay out the differences between them and made the choice a little bit easier for you. Remember to keep your vault secure. Password managers are game changers in making your digital life safer and more convenient, but they’re also a single point of failure if you don’t take securing them seriously. With that said, be sure to check out these password managers if you still haven’t adopted one yet.

Note 1: Using Your Password Manager as an Authenticator

Using your password manager as a two-factor authentication authenticator can be an incredibly convenient feature. However, note that by doing so you are creating a single point of failure. If your vault ever gets compromised, the attacker has defeated not only your first line of defense (username and password) but also your second line of defense (TOTP, in this case). If you choose to go this route, be sure to put the maximum amount of protection on your vault, including a strong, unique passphrase (five or more randomly generated words) and a hardware token, and be mindful of your device when the vault is unlocked. This advice also holds true if you decide to use the notes section to hold things like your backup codes or answers to security questions.
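To make the two pieces of advice above concrete (the "8+ characters, mixed classes" rule for account passwords and the "five or more randomly generated words" rule for the vault passphrase), here is an added example, not code from the article or from any of the password managers it reviews. It uses a small constructed word list; the entropy figures assume a real generator would draw from a large list such as a 7,776-word diceware list.

```python
import math
import secrets
import string

# Constructed sample word list for the demo. The size of the list is what
# drives passphrase strength, so a real generator uses thousands of words.
SAMPLE_WORDS = [
    "anchor", "basil", "comet", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
]
MIXED_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `pool_size` symbols."""
    return length * math.log2(pool_size)


def generate_passphrase(words, count: int = 5, sep: str = "-") -> str:
    """Diceware-style passphrase: `count` words chosen with the OS CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


def meets_mixed_rules(password: str, min_len: int = 8) -> bool:
    """Check the composition rules quoted in the article: length plus all four classes."""
    return (
        len(password) >= min_len
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def generate_password(length: int = 20) -> str:
    """Random password over the mixed alphabet that satisfies meets_mixed_rules().

    Rejection sampling costs a fraction of a bit of entropy at these lengths,
    which is acceptable; a password manager does the same kind of thing.
    """
    while True:
        candidate = "".join(secrets.choice(MIXED_ALPHABET) for _ in range(length))
        if meets_mixed_rules(candidate, length):
            return candidate


if __name__ == "__main__":
    # Five words from a 7,776-word list (~64.6 bits) beat an 8-character mixed
    # password over 94 symbols (~52.4 bits), and are far easier to memorise.
    print(f"5-word passphrase from 7776 words: {entropy_bits(7776, 5):.1f} bits")
    print(f"8-char mixed password over 94 symbols: {entropy_bits(94, 8):.1f} bits")
    print("demo passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("demo account password:", generate_password())
```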

Note 2: Emergency Access

Some cloud-based password managers offer Emergency Access among their premium features. The way this works is that you must select another user in advance – such as a spouse or other family member that you trust. That person – after agreeing to this and being authorized – can then request access to your vault. You will be notified and have a certain period of time – such as 7 days – to reject the request. If you do not reject the request within the time frame, your emergency contact gets access to your vault. The idea is that if you pass away suddenly or become otherwise incapacitated for an extended period of time, a loved one can access your vault to ensure the bills get paid, put your affairs in order, etc. I strongly recommend users take advantage of this feature – or leave their login info with a trusted loved one. I myself recently found myself in this very situation when my mother passed away unexpectedly, and we have not been able to guess her password since.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more.