Passwords used to be your friend. By typing in a handful of characters, you were granted instant access to your email, bank account, or social network. Today, every new service, app, or device that requires one is a security flaw, and an opportunity for some online miscreant to take control of your life. The solution is to go post-password. That means getting and using a password manager, a class of program that can automatically store entire passwords, as well as other sensitive data.
Some managers let you create more complex log-ins (the service remembers them, so you don’t have to reuse or simplify them), and others can actually turn passwords or credit card numbers into encrypted, one-time data strings. And the sooner you start using one of these managers, the sooner the hackers and predatory resellers will run out of easy prey, and their entire shadow economy will hopefully collapse. If nothing else, a good manager means no more putting up with people like us, nagging you about improving your security habits. Here are the best of the many options currently on the market, picked because of features that go beyond basic password management.
Best for Multiple Devices
The free version of LastPass is a great password manager for computer browsers — you sign in to the service using a master password (which should be incredibly weird and long, and never reused elsewhere). It will store most usernames and passwords you enter, and reenter them when you return to a site or service. That data isn’t stored on the company’s servers, or even on your own computer, as a handy, easily pilfered list; instead, it is encrypted with AES-256 keys. That’s enough security to make even the NSA think twice about decryption, much less a random hacker.
But all of that is standard operating procedure for this class of application. What’s made LastPass one of the biggest names in password security is the way the service syncs across multiple devices, including machines provided by employers (assuming the IT department is on board, and they should be). So while LastPass is free to use with browsers, it’s most useful in its Premium form, so you can auto-fill passwords across all of your gadgets, including PCs, Macs, and both Android and iOS devices. Also, and this is important, LastPass was hacked earlier this year. While some information was exposed, such as user email addresses, none of its customers’ master passwords were compromised. It’s only a matter of time before high-quality security companies are hit. That LastPass weathered its attack is a genuine selling point. [$12/year; lastpass.com]
Best for Phones
If you’re mainly concerned with password security on your phone — where thumbs can easily mistype complicated passwords, and lists of stored passwords aren’t always easily accessed — 1Password’s clean, intuitive interface sets it apart from other mobile managers. User interface is important, because any amount of frustration can tempt you to stop using these applications, and become vulnerable all over again. The latest version for iOS also includes the Diceware Password Generator, which creates a random string of words as a suggestion for your master password. This solves one of the dilemmas surrounding master passwords — you’re supposed to change them regularly, and keep them unique, but you’re more likely to forget or mistype a garbled string of letters and numbers than a bunch of actual words. Plus, that code that you think is impossible to suss out — like the birthdays of your children, only reversed — could be unlocked by someone with sufficient time and motivation. By presenting you with a random sequence of real words, such as “cleft-lacy-knob,” 1Password gives you a password that’s random enough to defeat automated password-cracking software. However, it’s not so random that you’re always forgetting it. [Free; agilebits.com]
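The word-picking idea behind a Diceware-style generator, as an added Python example (this is not 1Password's code): it draws words with a cryptographically secure random source and computes how much entropy a given number of words provides. The 16-word list and the function names are constructed for illustration; a real Diceware list has 7,776 words.

```python
import math
import secrets

# Constructed 16-word sample list so the block runs offline. A real Diceware
# list has 6**5 = 7776 entries, one for every possible roll of five dice.
SAMPLE_WORDS = [
    "cleft", "lacy", "knob", "amber", "drift", "moss", "quilt", "raven",
    "salt", "tulip", "vivid", "woven", "yarn", "zest", "brisk", "plume",
]
DICEWARE_LIST_SIZE = 6 ** 5


def generate_passphrase(words, count, sep="-"):
    """Pick `count` words uniformly at random using the OS CSPRNG."""
    if count < 1:
        raise ValueError("count must be at least 1")
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates, so picks are not uniform")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Entropy of `count` independent uniform picks from `list_size` words."""
    return count * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, 3)
    bits = entropy_bits(len(SAMPLE_WORDS), 3)
    print(f"{phrase} ({bits:.1f} bits from the 16-word sample list)")
    for n in (3, 4, 5, 6):
        full = entropy_bits(DICEWARE_LIST_SIZE, n)
        print(f"{n} words from a 7776-word list: {full:.1f} bits")
```

Each word drawn from a 7,776-word list contributes about 12.9 bits, so a passphrase's strength comes from the number of words and the randomness of the draw, not from how unusual the words look.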
Best for Early Warning
The only problem with Dashlane is price — at $40 per year for use across multiple devices, it’s hard to justify using this password manager over something like LastPass. And its free version doesn’t compete with more-streamlined services. Unless, that is, your interest in security borders on the obsessive, and you want to know when your data might be exposed due to attacks on the sites and services you interact with each day. Whenever news of a hack or breach makes the rounds of the security industry, and you’ve saved a password or similar data related to that target, Dashlane can send you an alert. Dashlane can’t confirm that your information was or wasn’t exposed (even if that were feasible, it would require Dashlane to collect and reference that data on its servers, which would itself be a huge security flaw), but any such incident is a good time to change the related password. Because companies are under no legal obligation to share this sort of problem with their customers, Dashlane is closing a pretty shameful communication gap, and helping you head off any real damage before it’s done. [Free; dashlane.com]
Best for Locking Up Data
Along with storing and strengthening log-in info, many password managers also act as a digital lockbox, providing a secure spot for sensitive data that doesn’t have to be constantly accessible. The Social Security numbers of loved ones, for example, or account numbers, or even notes and images you’d rather keep private, can be encrypted and password-protected. oneSafe takes this feature a step further, by letting you assign separate passwords to whole categories of information (such as financial accounts), or to specific data (such as private photos). oneSafe’s various apps offer more tools for organizing and searching protected data than the competition. You also have the option to double-encrypt information, requiring, for example, both a passphrase and a PIN. oneSafe is currently available for Android devices, iPads, iPhones, and Macs, with Windows apps still in beta. [From $5; onesafe-apps.com]
Best for Safe Purchasing
Our final pick isn’t technically a password manager, but it’s a similar tool that focuses on securing online transactions. Retailers are routinely targeted by hackers because of the valuable sales-related data they retain, such as credit card or bank account numbers. Instead of letting your information sit on someone else’s servers, Privacy applies a bit of spycraft to your transactions. When you pay for something through the service, it creates a single-use, disposable string of data that stands in for your uniquely identifiable financial data. Once the transaction goes through, that info effectively self-destructs. OK, not really, but it’s useless to hackers, because it can’t be reused elsewhere, and can only be traced back to Privacy. In fact, Privacy lets you use false names and addresses to further confound hackers trying to tie data to a real person, or even to confuse legal but nonetheless disreputable attempts by corporations to track your purchasing habits. This sort of feature might become obsolete in the future, as more people use features such as Apple Pay (which also anonymizes your transactions), and as retailers and financial organizations overhaul their point-of-sale systems. But in the arms race between those who want to keep their data private and those who want to exploit it, Privacy is as powerful a tool as its name implies. [Free; privacy.com]