Password managers are the vegetables of the internet. We know they’re good for us, but most of us are happier snacking on the password equivalent of junk food. For nearly a decade, that’s been “123456” and “password”—the two most commonly used passwords on the web. The problem is, most of us don’t know what makes a good password and aren’t able to remember hundreds of them anyway.
The safest (if craziest) way to store your passwords is to memorize them all. (Make sure they are long, strong, and secure!) Just kidding. That might work for Memory Grand Master Ed Cooke, but most of us are not capable of such fantastic feats. We need to offload that work to password managers, which offer secure vaults that can stand in for our memory.
A password manager offers convenience and, more importantly, helps you create better passwords, which makes your online existence less vulnerable to password-based attacks. Read our guide to VPN providers for more ideas on how you can upgrade your security, as well as our guide to backing up your data to make sure you don’t lose anything if the unexpected happens.
Updated March 2023: We’ve reorganized this guide, added some notes about why self-syncing options might be a better bet, and noted yet another LastPass security breach.
Special offer for Gear readers: Get a1-year subscription toWIREDfor $5 ($25 off). This includes unlimited access to WIRED.com and our print magazine (if you'd like). Subscriptions help fund the work we do every day.
Most web browsers offer at least a rudimentary password manager. (This is where your passwords are stored when Google Chrome or Mozilla Firefox ask if you’d like to save a password.) This is better than reusing the same password everywhere, but browser-based password managers are limited. In recent years, Google has improved the password manager built into Chrome, and it's better than the rest, but it's still not as full-featured or widely supported as a dedicated password manager like those below.
The reason security experts recommend using a dedicated password manager comes down to focus. Web browsers have other priorities that haven’t left much time for improving their password manager. For instance, most of them won’t generate strong passwords for you, leaving you right back at “123456.” Dedicated password managers have a singular goal and have been adding helpful features for years. Ideally, this leads to better security.
WIRED readers have also asked about Apple’s MacOS password manager, which syncs through iCloud and has some nice integrations with Apple’s Safari web browser. There’s nothing wrong with Apple’s system. In fact, I have used Keychain Access on Macs in the past, and it works great. It doesn’t have some of the nice extras you get with dedicated services, but it handles securing your passwords and syncing them between Apple devices. The main problem is that if you have any non-Apple devices, you won’t be able to sync your passwords to them, since Apple doesn’t make apps for other platforms. All-in on Apple? Then this is a viable, free, built-in option worth considering.
A concerted effort to get rid of passwords began roughly two days after the password was invented. Passwords are a pain—you’ll get no argument here—but we don’t see them going away in the foreseeable future. The latest effort to eliminate the password comes from the FIDO Alliance, an industry group aimed at standardizing authentication methods online.
It’s still early days, but Apple has implemented the FIDO protocols in what the company calls passkeys. Passkeys are generated cryptographic keys managed by your device. You don’t need to do anything. Apple will store them in iCloud’s Keychain so they’re synced across devices, and they work in Apple’s Safari web browser. Passkeys have been available since iOS 16 and MacOS Ventura, but there are some limitations. Websites and services need to support the FIDO Alliance’s protocols, which, at the moment, most don’t. We expect that to change rapidly though. Google has already rolled out Passkey support in Android and Chrome. Passkeys will eventually also function with systems by Microsoft, Meta, and Amazon.