Choosing the Best Password Manager

There are multiple websites offering advice on choosing the best password manager. Unfortunately, few distinguish between the best password manager for personal use and the best password manager for business use. Furthermore, although you may be a security-conscious individual, the assumption is often made that all visitors to password manager comparison sites are tech-savvy. This is not always the case.

Most people are familiar with the best practice of using unique, complex passwords for online accounts. Most people are also aware of keeping passwords secure and not sharing them with people they don't know. Yet more than 80% of data breaches from online accounts are due to people using the same password for multiple accounts, using weak passwords that can be cracked by password-hacking software, or inadvertently sharing passwords with people they don't know.

Although people are mostly security-conscious, this still happens. Why? The straightforward answer is that password best practices are inconvenient. It's difficult to remember complex passwords; and if – like most people – you have more than fifty online accounts that require login credentials (the number varies according to which research you read), you not only have to remember more than fifty complex passwords, but you also have to remember which accounts the passwords apply to.

With regard to sharing passwords with people you don't know, thousands of individuals and businesses are victims of credential phishing every day – emails disguised to appear as if they come from a credible source that redirect users to a fake website. When the user attempts to log into the fake website, the login credentials are captured by the phisher, who then uses this information to log into the genuine website, access confidential information, extract data, and commit fraud.

What Password Managers Do

Password managers vary in their functionality and capabilities, but at a basic level they save users' login credentials for each account. When a user visits a website requiring a username and password, if the credentials have already been saved by the password manager, the username and password are automatically filled in on the login form. This saves the inconvenience of having to remember complex passwords for each site and encourages the use of unique passwords for each site.

The fact that usernames and passwords for online accounts are saved by URL should mitigate the risk from credential phishing attacks. This is because if a user visits a website for which they believe login credentials have been saved by the password manager, and the login credentials don't appear because the user has been directed to a fake website, it should ring alarm bells. The lack of login credentials automatically appearing should prompt the user to navigate away from the fake website.

Unfortunately, the theory doesn't always work in practice because credential phishing emails are designed to exploit users' fear, greed, curiosity, or helpfulness, and usually contain an element of urgency intended to prompt an immediate interaction. While the lack of auto-filled login credentials may be noticed, the user's emotional response to the email can override concerns that they may be visiting a fake website and they enter their login credentials after looking them up manually.
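The URL matching described above can be sketched as follows. This is an added example, not code from any password manager: it assumes exact-origin matching over HTTPS (real products differ in their matching rules), and the vault entries and host names are constructed placeholders.

```javascript
// Constructed vault: each saved login is keyed by the origin it was saved on.
const vault = [
  { origin: "https://accounts.example.com", username: "maria", password: "constructed-secret-1" },
  { origin: "https://bank.example.com", username: "maria", password: "constructed-secret-2" },
];

// Reduce a page URL to its origin (scheme + host + port), or null if it
// cannot be parsed or is not HTTPS. The URL parser lower-cases the host,
// drops the default port, and separates any "user@" prefix from the real host.
function pageOrigin(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null; // never fill over plain HTTP
  return url.origin;
}

// Look up a saved login by exact origin. A host that merely contains or
// resembles a saved one does not match.
function credentialsFor(pageUrl, entries = vault) {
  const origin = pageOrigin(pageUrl);
  if (origin === null) return null;
  return entries.find((entry) => entry.origin === origin) ?? null;
}

// What the user sees: either the login is filled, or nothing appears,
// which is the warning sign described in the text.
function autofillDecision(pageUrl) {
  const match = credentialsFor(pageUrl);
  return match
    ? { fill: true, username: match.username }
    : { fill: false, reason: "no saved login for this origin" };
}

// Constructed sample pages: the genuine site, then four that must not fill.
const samples = [
  "https://accounts.example.com/login?next=/inbox",
  "https://accounts.example.com.login.test/login",
  "https://accounts.example.com@phish.test/login",
  "https://accounts.examp1e.com/login",
  "http://accounts.example.com/login",
];
for (const page of samples) {
  console.log(page, "->", JSON.stringify(autofillDecision(page)));
}
```

The check protects only while the user relies on autofill; looking the password up and typing it by hand bypasses it, which is the failure mode the paragraph above describes.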

Many People Already Use Password Managers

Many people already use password managers – some without realizing it. In 2021, 22.4% of respondents to a YouGov password manager trust survey said they used a password manager to better secure online accounts, yet a similar survey conducted by cybersecurity company Thycotic found that 33% of respondents saved passwords in Internet browsers (i.e., Edge, Chrome, etc.), and Internet browsers have the basic password management capabilities described above.

The possible reason for the discrepancy is that many people save credentials in Edge, Chrome, etc. without realizing they are password managers. For example, with the Chrome password manager, you can sync passwords saved on a PC with a mobile device (or vice versa), and add, change, or delete passwords across all devices simultaneously. The Chrome password manager can also generate complex passwords for online accounts and alert you when passwords are compromised.

The main difference between browser password managers and the commercial password managers you read about on password manager comparison sites is that browser password managers are browser-specific. If you use the Edge browser on a PC and the Chrome browser on a smartphone, the password managers will not sync across devices. There can also be security issues if your smartphone is stolen and you are still signed into the browser password manager, as the thief will have access to all your login credentials.

More about Commercial Password Managers

Commercial password managers are just as simple to use as browser password managers but have additional functionality and capabilities. For example, you can deploy a commercial password manager as a desktop app, a web browser extension, and/or a mobile app. You can also access synchronized login credentials via the password manager's website. This means you can access saved passwords from any location, any device, and any operating system.

Commercial password managers are also more secure than browser password managers as you have to log into them at the start of each session and, if you don't use the password manager for a period of time, it automatically logs you out. Consequently, if you were to lose your smartphone or leave your PC unattended, thieves and passers-by would not be able to access any of the log-in credentials stored in the password manager.

At this level of functionality, commercial password managers are usually free. Thereafter, you have to subscribe to a monthly plan to get access to additional features such as encrypted file sharing, advanced two-factor authentication, and priority technical support. Some commercial password managers have extremely advanced features that put them into the category of Privileged Access Management solutions. So, how do you choose the best password manager for your needs?

Choosing the Best Password Manager for Personal Use

If you are looking for a password manager for personal use, it is likely because you have already experienced the limitations of browser password managers and want something with a little more functionality and security. In this respect, most (but not all) commercial password managers offer free plans that will fulfil your needs. If you are looking for a password manager that meets the needs of families, plans supporting up to six users cost between $40 and $60 per year.

Choosing the Best Password Manager for Business Use

The best password manager for business use depends on the size of the business, the nature of the business, and the level of functionality required. Plans that charge per user per month can be expensive if 90% of the workforce doesn't require enterprise functionality, while businesses in regulated industries may be required to implement a password manager with monitoring, audit trail, and SIEM integration capabilities. You can find out more on these pages:

Password Regulatory Compliance

SOX Password Requirements

CCPA Password Requirements

PCI DSS Password Requirements

HIPAA Password Requirements

GDPR Password Policy

NIST Password Recommendations

Further Help with Choosing the Best Password Manager

If you require further help with choosing the best password manager for your needs, we have compiled a series of our own password manager comparisons. Those most suitable for personal users include:

Best Chrome Password Managers

Best Firefox Password Managers

Bitwarden vs KeePass Password Management Solutions

Commercial password managers for business often look very similar on the surface, but scratch beneath the surface and you will likely find pros and cons for each. Our password manager comparisons for business users include:

Best Small Business Password Managers

1Password vs LastPass vs Bitwarden

Password Management Security Review

Author: Maria Perez