Password Managers
A password manager is a software program which encrypts and stores various passwords for a user. The user has a master password which unlocks the “keyring” and enables the decryption and use of any stored password. When a user visits a website which requests a password, the password manager will auto-fill the password for them.
Password managers allow and encourage users to choose strong passwords with long sequences of random characters. Some password managers include a strong password generator as well. Additionally, typing uppercase letters and symbols on mobile devices can be tedious. Having software that auto-fills these characters is helpful.
The one drawback to using a password manager is that it is a single point of failure: if it is compromised, it yields many passwords at once. The master password becomes a valuable target. The password storage could be compromised or decrypted, or the password manager software itself could have a vulnerability. However, most of these vulnerabilities would require direct access to the computer, making it a small risk when weighed against the security advantages.
Wikipedia has a list of password managers. Options commonly named in current security guidance — including EFF’s Surveillance Self-Defense — include 1Password, Bitwarden, KeePassXC, and Dashlane.
LastPass was widely recommended in the past but is generally avoided by security practitioners today. In 2022 an attacker exfiltrated encrypted customer vault backups along with unencrypted metadata such as names, email addresses, billing addresses, and saved website URLs, giving attackers offline access for brute-forcing master passwords; see the 2022 LastPass data breach and LastPass’s own post-incident notice for details. Note also that KeePassXC is a popular, actively maintained, cross-platform KeePass-compatible option (it reads and writes the KeePass 2.x .kdbx database format) and is the variant most commonly recommended today.