Every time you re-use the same password for a different internet account, you dramatically increase the likelihood of your online security becoming compromised.
According to US security company DigiCert, 73% of people use passwords multiple times and the average password is only six lower-case characters long — meaning an expert hacker could crack it in under 3 minutes.
Not only are the vast majority of passwords easy to crack, but the companies storing your login details often aren’t as safe as you might think they’d be.
A visualisation of the world’s biggest data breaches shows just how many big-name companies have been hacked — and it’s worth checking out, as it may reveal that one of those hacked companies had important passwords of yours, passwords that could now be roaming around the internet.
As you can see, it isn’t just social media companies that have been compromised; the trail of destruction goes all the way up to the US’s biggest bank and the government of Greece.
That said, if the idea of remembering unique passwords for everything hurts your head, you’re not alone. Thankfully, password managers can transfer the burden of generating and storing strong (i.e. gibberish!) passwords onto your computer.
Don’t be misled: switching to a password manager may not be a rapid process initially, but once you’re using the system it’s dead simple — and it will be a lot easier than attempting to recover money stolen from a hacked bank account.
What are password managers?
Password managers are systems that collect all the passwords you use in one place, allowing you to store secure, randomly-generated strings that can then be used to easily unlock your online accounts.
Many browsers have the ability to save passwords, but this only offers limited security — and in fact, most security experts warn against letting your browser remember passwords.
The other saving grace of password managers is that they can check the SSL certificates of sites, so you don’t enter your password into a fake ‘phishing’ web site that is imitating something legitimate like Facebook.
The best password managers encrypt your data using a master password. This means you only have to remember one password to access your entire password library.
As you’ve only got that one password, however, it’s critical to make it one that’s strong and therefore difficult to crack.
Preferably, it should be an eight-character (or longer) combination of numbers, upper-case letters, lower-case letters and symbols.
Other than that, an email address, mobile phone and a bit of patience are all it takes to be secure online.
Choosing a password manager
Most are compatible with Mac and Windows OSs and plug into the four major web browsers (Internet Explorer, Chrome, Safari and Firefox), but smartphone and tablet support varies considerably.
App or plugin?
Password managers generally come in two forms: direct browser plugins with online accounts, or standalone applications.
The plugins tend to have more cloud integration, while standalone apps have the added security option of not syncing online.
Some have no integration with this extra security measure, some have their own service and the best offer linking with independent two-factor authentication services.
Digital wallet/info storage
The option to auto fill forms such as name and address or credit card details from a secure place can make it much faster and safer to purchase things on the internet.
Just because a service is more expensive or charges a subscription fee doesn’t necessarily mean it’s any more secure or easy to use.
Some password managers can capture any password you’ve ever saved (in a web browser or otherwise) easily, while others have trouble importing them — even from other password managers.
Keep an eye on this feature if you’re already using an existing password manager.
You may want to let someone else have a specific password. Rather than letting it loose in an email, some password managers will let you share encrypted passwords with other account holders using the same platform.
Audits & hack alerts
A number of apps will be able to tell you how secure each of your passwords is and give you an overall security score.
The best apps also keep a log of companies that are hacked and will notify you if you have an account with them.
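An added example (not code from this article or from any of the products reviewed) of the kind of audit described above: it flags reused passwords, checks each one against the eight-character, four-character-class guideline given earlier, and cross-references stored sites against a breach list. The sample vault, the breach list and the percentage score are constructed assumptions.

```python
import string
from collections import defaultdict

# Constructed sample vault: (site, username, password). Not real credentials.
SAMPLE_VAULT = [
    ("bank.example", "alice", "qwerty"),
    ("mail.example", "alice", "qwerty"),
    ("shop.example", "alice", "T7#kv9!pQz2&"),
    ("forum.example", "alice", "Summer2015"),
]
# Constructed breach list; a real manager would rely on a maintained feed.
SAMPLE_BREACHED = {"forum.example", "photos.example"}

def weaknesses(password):
    """Return the ways a password misses the article's guideline."""
    issues = []
    if len(password) < 8:
        issues.append("shorter than 8 characters")
    classes = {
        "digit": string.digits,
        "upper-case letter": string.ascii_uppercase,
        "lower-case letter": string.ascii_lowercase,
        "symbol": string.punctuation,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in password):
            issues.append(f"no {name}")
    return issues

def audit(vault, breached_sites):
    """Flag weak, reused and breach-exposed entries (one entry per site)."""
    sites_by_password = defaultdict(list)
    for site, _user, password in vault:
        sites_by_password[password].append(site)
    report = {}
    for site, _user, password in vault:
        findings = weaknesses(password)
        shared = [s for s in sites_by_password[password] if s != site]
        if shared:
            findings.append("reused on " + ", ".join(sorted(shared)))
        if site in breached_sites:
            findings.append("site appears in breach list")
        report[site] = findings
    # Assumed scoring rule: percentage of entries with no findings.
    clean = sum(1 for f in report.values() if not f)
    score = round(100 * clean / len(report)) if report else 100
    return report, score

if __name__ == "__main__":
    print(audit(SAMPLE_VAULT, SAMPLE_BREACHED))
```

On the constructed vault only one of the four entries passes every check, which is why the same weak password on two sites drags the score down twice.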
1Password
There are advantages to 1Password’s stand-alone, application-based approach, and the service also offers browser plugins (and a unique widget), but overall, we found it a little less useful than some others here.
Why? Well, firstly it isn’t quite as versatile, focusing only on the most common Mac, Windows, iOS and Android operating systems.
Unfortunately, the 1Password app can only import passwords from a couple of sources, and it needs you to find the saved ‘password bank’ files for these, which is more difficult than it needs to be.
Recently, a Microsoft engineer discovered that websites you visit are indexed without encryption when using the 1Password Anywhere feature, and while this doesn’t compromise your passwords or account details, it does make it easy for a hacker to know what secure sites you visit and have passwords for — a little concerning, considering you’re trusting them with your passwords.
Verdict: A little more bland than some, but you can buy it outright.
Price: Desktop app single licence, $46.99; Android and iOS apps free
Rating: 3.5 stars out of 5
Dashlane
However, it’s also one of the most expensive, and the handful of benefits it offers over LastPass arguably don’t add up to the subscription price.
Dashlane can import from a wide variety of locations and has a simple, engaging tutorial to start you off. It’ll also walk you through all the more in-depth features of the service and gives a full security report of the compiled passwords.
Like LastPass, it keeps track of big hacks and automatically advises you when you should change your password.
Dashlane outstrips LastPass in two ways: it has even more versatility in two-factor authentication options and it can automate the process of changing passwords after hacks.
Dashlane isn’t as good as LastPass at recognising web boxes on more obscure sites, but it doesn’t have any major technical downsides. The only drawback is the price.
Verdict: The most comprehensive and user-friendly password manager available, if you have the dosh.
Price: Free without syncing, sharing, web access or backup; Premium subscription US$39.99 per year
Rating: 4 stars out of 5
KeePass
It doesn’t have any bells and whistles, but it uses the Advanced Encryption Standard (AES) — approved by the NSA for top secret information.
If you want access to your passwords remotely or on a mobile device, you’ll need to copy the encrypted file-vault manually using a cloud storage service like Dropbox or Google Drive.
KeePass can import passwords from a large list of other password managers and offers the ability to customise or change everything about it, right down to using either a master password, a file-based encryption key or both.
If you’re a stickler for customisability, have a background knowledge of software and don’t mind plugging in extra hours to get the exact system you want, then KeePass is for you. If not, any of the other password managers would be a better fit.
Verdict: A free open source password manager that is great if you put in a bit of work.
Rating: 4 stars out of 5
Keeper
As with some of the other less full-featured password managers here, Keeper only allows you to import existing passwords from files, making it hard to migrate from a cloud-based service, and there are no audits on password security or alerts if one of the sites you use has been hacked.
Annoyingly, the app automatically signs out every time you switch to an internet window, which strikes the wrong balance between security and usability.
The password generator is tucked away in the vault editing section, making it a pain to find and use.
At US$9.99 per year on one device (or US$29.99 for multiple devices) it costs more on average than the leading apps. Keeper isn’t a bad package, but it wouldn’t be first on our list.
Verdict: More concerned with pushing you into a paid subscription than offering a top-shelf product.
Price: Single-device subscription, US$9.99 per year; multi-device subscription, US$29.99
From: Keeper Security
Rating: 3 stars out of 5
LastPass
LastPass can import password lists from over 30 sources, and while using it on a single desktop is free, if you want cloud access or smartphone apps you’ll need to pay the yearly subscription.
LastPass offers some neat features, like security reports on the number of duplicate passwords you have and the total number of secure passwords stored in your vault. It’s also compatible with a number of two-factor authentication services.
It’s one of the only services that keeps track of major data breaches and will cross-reference the websites you have stored in your vault, informing you if an account has been compromised.
LastPass was recently acquired by online B2B software company LogMeIn, so we’re hoping the new owner keeps up the legacy of this gem.
Verdict: Sophisticated password management that won’t break the bank.
Price: Free; Premium, US$12 per year
Rating: 4.5 stars out of 5
mSecure
Importing is difficult and you can only sync your password file by logging into a Dropbox or iCloud account, which makes this harder than it should be.
The desktop apps for Windows and Mac are US$19.95, and for Android or iOS it’s US$9.99.
However, unlike most others there are no browser-extension options — though you can manually link account logins to URLs in the editor. It will only generate passwords from within editing pages and the lack of a widget or browser shortcuts makes the process a little cumbersome.
It will automatically copy a password to the clipboard when you click through to a site stored on file, but by comparison this isn’t all that helpful.
mSecure is usable, but it feels tired compared to others we reviewed. There’s nothing here that really gives it an edge.
Verdict: You can do better at this price.
Price: Windows and Mac apps US$19.99 per year; Android, iOS and Windows Phone apps all US$9.99
Rating: 3 stars out of 5
PasswordBox
This browser extension is super easy to use, and since it was acquired by Intel Security in late 2014, the premium service has been available for free. However, that acquisition also means PasswordBox has a finite lifespan, with support ending sometime in 2016.
PasswordBox has no stand-alone application, so it focuses instead on delivering as many features as it can directly in your browser. Your passwords are stored in the company’s encrypted cloud and can be easily synced to apps on iOS and Android.
A convenient password generator and form-filling features (with the promise of two-factor authentication and fingerprint security on the way) all add up to make PasswordBox a well-rounded option.
We wouldn’t be too deterred by the lack of future support, as most of the better password managers make importing passwords simple, so you can use PasswordBox for free before you swap over to another one.
Verdict: Amazing free software that’s soon to be extinct, but easy to swap out of when it all ends.
Price: Free (until mid 2016)
Rating: 4 stars out of 5
RoboForm
RoboForm is another application-based password manager that has extensions for all the major web browsers. Smartphone apps for Android, iOS and Windows Phone are all available for free, and it has a personalised webpage that’ll let you quickly log into your most used sites.
Instead of retroactively capturing personal info when you fill in a webpage, RoboForm asks you to create a profile page in your safe that has all your details. It’s not a bad idea, but many other password managers, and even browsers themselves, can automatically grab this info.
The cloud-based version costs a reasonable US$20 per year, allowing you access from anywhere via a web-based interface and unlimited desktop licences for the application.
But seeing as you can only import passwords as CSV documents, it doesn’t offer third-party two-factor authentication, and you can’t see if services have been hacked (or auto-replace passwords that have).
Verdict: A decent but bog-standard password manager that’s straight off the production line.
Price: US$19.95 per year
Rating: 3.5 stars out of 5
Sticky Password
Not Sticky though — this password manager just flaunts the fact that it contributes to a foundation that saves manatees. This service can be configured to have online cloud syncing and has its own email authentication system.
Though most browser add-ons worked fine, we weren’t able to get the Internet Explorer add-on to work on Windows 8.1.
However, with no import options, password generator, widgets or browser extensions, the free version is frankly a bit frustrating — so unless you’re prepared to buy it without actually having a real trial, Sticky isn’t worth the effort.
The US$20 per annum sub fee is reasonable, but you can’t have more than one account login for any one site or easily replace a password that exists. Despite some of the ‘excellent’ ratings it gets, Sticky Password isn’t overly impressive.
Verdict: A decent application, but with better options out there it’s hard to stick with it.
Price: Premium subscription, US$19.99 per year; Android and iOS apps free
From: Sticky Password