Dealing with passwords is as enjoyable as cleaning gutters or filing taxes. But it is so important.
I hate to tell people to eat their vegetables – even virtual ones. Still, if you don’t have strong, unique passwords for all your online accounts, it’s time to dig in. Don’t wait until someone steals your identity or clears out your bank account.
You have probably heard of password managers. They may seem complicated, but setting up your password stronghold doesn’t have to be painful. These services remember all your passwords and can generate new, secure ones. When you visit a login page in a web browser, and even in many apps, the manager will automatically fill in what you need to access your account. Some even scour the web to alert you if any of your information appears in a security breach.
A significant change at one of the most popular managers, LastPass, is why passwords are on my mind again. On March 16, LastPass Free users will need to upgrade to the service’s premium plan – typically $36 a year, but currently offered to them for $27 a year – if they want to continue syncing passwords across their devices. Although I am a fan of LastPass, its free plan is no longer a good choice.
The best password managers work on as many platforms as possible – that’s why we generally recommend independent services instead of the password managers built into browsers and operating systems. I tested the most popular ones, looking for high security, a wide range of options and ease of use. Here’s what I found:
1Password is a user-friendly manager with several layers of security built in. Its iOS app can be unlocked using Face ID and can automatically fill in your app login information.
• Easier to use: 1Password ($35.88 per year for individuals, $59.88 for families of up to five) has a user-friendly design and several layers of security built in at a good price. 1Password does not have a free tier – security is something we believe is worth paying for. “Free software almost always involves concessions,” said a 1Password spokesman. “We can focus our efforts on developing new ways to defend your data, instead of collecting or exploiting it.”
As with other password managers, you can organize passwords into different collections: one for personal accounts, one for work, one for shared family logins. Travel Mode is exclusive to the service – it is for people who need to hide confidential information when traveling to countries where they fear that their phone may be searched.
Dashlane is a password manager that offers additional features, such as a virtual private network for secure browsing on the Internet.
Dashlane ($59.99 per year for individuals, $89.99 for families of up to five) is also easy to use and is a good choice if you are interested in additional features, such as a built-in VPN (also known as a virtual private network) for more secure Internet access and a dark-web monitoring service that keeps an eye out for hackers who may have your credentials.
At the end of the day I opted for 1Password, because of the price. (I also thought that the Dashlane browser extension for Mac Safari, now in beta, had bugs. A spokeswoman for Dashlane said the team is working on a fix.)
LastPass allows you to designate a trusted contact to access your account if you die or are disabled. You can deny your designee access if you are able to.
• Best service with emergency access: It’s a tie between Dashlane and LastPass Premium ($36 per year for individuals, $48 for families of up to six). Both allow you to grant a trusted contact access to your vault if you die or are disabled. Features like this are important because our lives are closely linked to our digital accounts, as my colleague Joanna said recently. If something happens to you, your representative can request access to your vault. You can set a delay period of between three hours and 30 days, during which you can deny that access if you are able to.
LastPass Premium is not as elegant as Dashlane, but it is a very capable password manager, also with dark-web monitoring, in addition to a gigabyte of encrypted file storage (and a good Safari browser extension). If you use Safari and don’t need a VPN, use LastPass.
1Password sees this type of emergency access as a security threat. In a forum post, a company official explained that a domestic attacker could hold the victim against their will to get into a password vault. The official suggests that you store a hard copy of your secret code and master password in a safe or with your lawyer.
Bitwarden’s free tier allows users to access passwords from their phones, laptops and other devices.
• Best free option: Bitwarden has a full-featured free plan for individuals and two-person businesses that syncs an unlimited number of passwords across devices. The service covers the basics: end-to-end encryption, a secure password generator, two-factor login and apps for all desktop, browser and mobile operating system platforms, as well as web access.
A premium subscription ($10 per year for individuals, $40 for families of up to six) is required for bells and whistles, such as an exposed-password report and enhanced login protection.
“We are a for-profit company, but we found it totally harmonious and compatible to offer a basic manager for free,” said Michael Crandell, Bitwarden’s CEO. Many users who start with the free plan end up deciding to upgrade, he added.
After choosing a password manager, you can manually add all your old passwords. If you store passwords in your computer’s Chrome browser, you can export them and then import them into your new password manager. (Apple does not have a similar password export option.) If you are switching from one password manager to another, exporting passwords is often also an option.
Password managers will improve your digital life. But, regardless of whether you get one or not, there are four simple password protection rules that you need to know.
Rule #1 – Don’t just rely on passwords.
Use two-factor authentication, also known as 2FA, whenever possible. This requires an additional code or validation sent to another device.
In general, turning on 2FA is better than not having it. But if you have a choice, use an authenticator app (I like Authy) instead of a simple text message. It works when you have no cell phone reception and is not susceptible to SIM hijacking – when a hacker, targeting someone with a valuable account, gets that person’s phone number transferred away from the wireless operator. You can call your operator and add a password to your wireless account for added security.
Rule #2 – Create long passwords.
The term “password” should be retired. The new hotness is the passphrase. “Password length is a more important factor than complexity, because a longer password is more difficult to decrypt,” said Jameeka Green Aaron, director of information security at client authentication company Auth0.
For example, the passphrase “Raccoon Doorknob Spacecraft” would take centuries to crack, according to Bitwarden’s free password strength testing tool. Meanwhile, according to the same tool, a 12-character string with uppercase and lowercase letters, symbols and numbers could take an attacker only three years to break. Most password managers allow you to set the length of the automatically generated passwords.
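Crack-time figures like the ones quoted above come from an estimator's guessing model. For secrets that a generator picks uniformly at random, the search space can be computed directly, which is a useful cross-check when choosing generator settings. The following is an added example, not from the article or from any tool it names; the 16-word list is constructed for illustration, and the 7,776-word list size used in the comparison is an assumption (a common diceware-style size).

```python
import math
import secrets
import string

# Constructed 16-word demo list. A real generator draws from thousands of
# words; never use a list this small for actual passphrases.
DEMO_WORDS = ["raccoon", "doorknob", "spacecraft", "lantern", "pebble",
              "walnut", "harbor", "violin", "cactus", "marble", "tundra",
              "ribbon", "falcon", "copper", "meadow", "anchor"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94


def random_passphrase(words, n_words, sep=" "):
    """Pick each word independently with a CSPRNG (not random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_password(length, alphabet=ALPHABET):
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_bits(list_size, n_words):
    """Entropy of n_words drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def password_bits(alphabet_size, length):
    """Entropy of `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def words_needed(list_size, target_bits):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    target = password_bits(len(ALPHABET), 12)
    print("12 random characters: %.1f bits" % target)
    print("3 random words of 7776: %.1f bits" % passphrase_bits(7776, 3))
    print("words of 7776 to match:", words_needed(7776, target))
    print("demo passphrase:", random_passphrase(DEMO_WORDS, 3))
```

The numbers hold only for randomly generated secrets and assume the attacker knows the word list; a phrase a person makes up has less entropy than the formula gives.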
Rule #3 – Make it unique.
Whatever you do, don’t reuse passwords. It’s the most common way to hack accounts, said Aaron. If hackers discover your password in one place, they will try it elsewhere. This is where password managers come in. Use them to create strong and unique passwords and store them for all your accounts.
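If you export your saved passwords to move them into a manager, the same file can tell you where Rules #2 and #3 are being broken before you import it. This is an added example, not from the article; the column names (`name`, `url`, `username`, `password`) are an assumption about the export layout, the 12-character threshold is an arbitrary policy choice, and the sample rows are constructed.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; adjust the header names to match your file.
SAMPLE_EXPORT = """name,url,username,password
bank,https://bank.example/login,pat,Sample-Pw-1
shop,https://shop.example/signin,pat@example.com,Sample-Pw-1
mail,https://mail.example/,pat,raccoon doorknob spacecraft
forum,https://forum.example/,pat,abc1234
"""

MIN_LENGTH = 12  # assumed threshold for "short"; set your own policy


def audit(csv_text, min_length=MIN_LENGTH):
    """Return (reused, short): groups of sites that share a password, and
    sites whose password is shorter than min_length. The passwords
    themselves never appear in the result."""
    by_digest = defaultdict(set)
    short = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = row.get("password") or ""
        if not password:
            continue
        site = row.get("name") or row.get("url") or "(unnamed)"
        # Group on a digest so the report never keys on plaintext.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].add(site)
        if len(password) < min_length:
            short.add(site)
    reused = sorted(sorted(s) for s in by_digest.values() if len(s) > 1)
    return reused, sorted(short)


if __name__ == "__main__":
    reused, short = audit(SAMPLE_EXPORT)
    for group in reused:
        print("same password on:", ", ".join(group))
    print("shorter than", MIN_LENGTH, "characters:", ", ".join(short))
```

An exported CSV holds every password in plaintext, so delete it as soon as the import and the audit are done.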
Rule #4 – Have a backup plan for your backup plan.
The key to your password manager is a master password, along with a device to authenticate your login. A good password manager does not know what your master password is – and cannot help you recover your account.
So, to be a good password parent, you need to think about the worst case scenario: what if you lose the device your two-factor authentication codes are sent to? What if you forget your master password?
Authy syncs authenticator codes across multiple devices (say, your phone and your iPad), which helps if you lose one. Setting up a physical security key, such as a YubiKey, as an additional authenticator is another safeguard. As for remembering your master password, the best solution is low-tech: write it down on a piece of paper and keep it with the rest of your most important documents. It is safer in the physical world than in the digital world.
—For more WSJ Technology reviews, analysis, advice and headlines, sign up for our weekly newsletter.
Write to Nicole Nguyen at [email protected]
Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.