The Mac Security Blog

4 Best Password Managers in 2024: How to choose the right one for you

Companies and websites are hacked all the time, and data they hold about users can be leaked. These leaks often contain usernames and passwords, and can also include other sensitive data, such as credit card numbers or personal information. You don’t always hear about these hacks; only breaches of the biggest companies make headlines. Wikipedia has a partial list of notable data breaches, listing the largest hacks. Just in the past year, major organizations such as T-Mobile, the Red Cross, and IKEA were compromised. Was your data stored on their servers?

A password manager is software that allows you to create and store strong and very complex passwords so you won’t have to memorize them. All you need to do is memorize one really strong password to get access to all the others. There are quite a few password managers on the market today, so which one is right for you?

We discuss four trusted password managers in this article; each is cross-platform, available for Mac, Windows, and iPhone (and the first three are available for Android). While not a complete comparison of all major password managers out there, this article will teach you what to look for in a good password manager, and will provide a few options.

Why Password Managers are necessary

You might wonder why it isn’t good enough to simply memorize one seemingly strong (but memorable) password and use it for every site.

One reason is credential stuffing attacks. If one company’s password database is breached, your password may get exposed. This may be the result of a site storing passwords in a less-secure (or completely insecure) manner, or a determined attacker cracking your password. Either way, once your password is out there, attackers will try “credential stuffing” attacks: checking to see if anyone with the same username or e-mail address has reused that same password on other sites.

Imagine a scenario where a forum gets hacked, your password is leaked, and then an attacker uses that database of leaked usernames and passwords to break into your bank account or your e-mail account. If they can access your e-mail, all the rest of your accounts are one reset-password request away from being compromised, too. So even using a couple of different seemingly strong but memorable passwords isn’t a great idea.

How sites are supposed to store passwords

If proper procedures are followed, sites should store your account details (including your password and credit card info) both “hashed” and “salted” using a strong cryptographic algorithm. Here’s what those terms mean:

Hashing is technically a one-way function, meaning that if the only thing a site’s administrator (or an attacker) knows is the hash, they cannot somehow reverse it and extract the original password. However, if the original password is weak — or if an attacker has enough processing power and time — the password may eventually be guessed, which would result in the same hash. If the hashes match, then the attacker has successfully guessed the password.

This is one reason why you often see stolen data from a hack surface weeks or months later. Cracking password hashes takes time, but a large percentage of passwords can be cracked very quickly as they are commonly used. If your password is Password1, it will be cracked in under a second, but if your password is something similar to ZK}8xR%YtrvVAk4nuad#Y9g}X (don’t use this exact password), it can take so much time it’s not worth the effort for those attempting to crack it (unless they’re specifically targeting you).
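To make the hashing, salting, and guessing described above concrete, here is an added example (not part of the original article). It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the hashing algorithm, and the iteration count, function names, and sample wordlist are constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for the site's password hashing
# algorithm; the iteration count is kept low so the example runs quickly.
ITERATIONS = 10_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest) for storage, using a fresh random salt per account."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Re-hash a login attempt with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def exposed_by_wordlist(salt, stored_digest, wordlist):
    """Audit check: return the wordlist entry matching the record, or None.

    The hash is never reversed; each candidate is hashed and compared,
    which is the guessing process the article describes.
    """
    for guess in wordlist:
        if verify_password(guess, salt, stored_digest):
            return guess
    return None


# Constructed sample data: a tiny list of commonly used passwords, three accounts.
COMMON_PASSWORDS = ["123456", "qwerty", "letmein", "Password1"]
weak_record = hash_password("Password1")
reused_record = hash_password("Password1")  # a different user, same password
strong_record = hash_password("ZK}8xR%YtrvVAk4nuad#Y9g}X")  # the article's example

if __name__ == "__main__":
    # Salting: identical passwords do not produce identical stored hashes.
    print("same password, same hash?", weak_record[1] == reused_record[1])
    print("weak account matched:", exposed_by_wordlist(*weak_record, COMMON_PASSWORDS))
    print("strong account matched:", exposed_by_wordlist(*strong_record, COMMON_PASSWORDS))
```

Because each account has its own salt, every guess has to be re-hashed per account, and a slow algorithm makes each of those guesses more expensive.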

What could happen if a site’s password database gets breached

It’s safe to assume that once a company has been hacked and your account details are stolen, your password will be exposed at some point. Before that happens, you want to make sure there is enough time to react and change your password. In the event of a data breach, the company must first discover the hack, investigate it, and report it. This can take weeks or months, during which time you have no idea that hackers have been trying to crack your password. In some cases, sites may never discover — or never disclose — the fact that they were compromised.

Ideally, your password is strong enough that by the time you learn of a hack, the chances of it being cracked are slim. This brings me back to the previously mentioned, much more secure password example: ZK}8xR%YtrvVAk4nuad#Y9g}X. A password similar to that one will likely be among the last that is cracked, but as a user, it would be very difficult to remember it. (Again, don’t use that exact password, just in case attackers add it to a password dictionary.) If you have a hard time remembering one password like that, imagine trying to use unique, strong passwords on dozens of websites. There’s no way you can remember them all, and this is exactly where a password manager comes in.

What to look for in a Password Manager

4 Password Managers that meet the above criteria

Below are four password managers that meet all of the above criteria.

1Password

Cost: Pricing starts at $2.99/month for an individual, and $4.99/month for a family of 5 users. This includes access to 1Password for all available platforms, on as many devices as you use.

Platforms: Mac, Windows, Linux, iOS, iPadOS, watchOS, Android, and browser plugins for Chrome, Safari, Firefox, and Brave. You can also access your 1Password database through a web browser.

1Password is one of the most popular password managers. It has a great reputation, offers strong encryption, and syncs through 1Password’s servers. Your passwords and password generator are quickly accessible from your Mac’s menu bar or browser plug-in, and 1Password’s Watchtower feature warns you if your credentials have shown up in data breaches. More pricing details and a full list of features are available on their website.

Bitwarden

Cost: Free for personal use; a $10/year premium plan offers advanced features.

Platforms: macOS, Windows, Linux, iOS, iPadOS, Android, and browser plug-ins for Chrome, Firefox, Edge, Safari, Opera, Vivaldi, Brave, and Tor Browser. Bitwarden also offers a command-line interface for a variety of platforms, and you can access your Bitwarden database from the company’s website.

Bitwarden is an open source password manager that has a plan for individuals that claims to be “free forever.” Like other password managers, it handles passwords and other types of data, along with two-factor authentication codes, and offers a “username data breach report” as part of its free plan. The $10/year plan offers a full range of features, and family and enterprise plans are also available. A full list of its security features is available on their website.

Dashlane

Cost: Dashlane has a free plan, which provides basic password manager features for a single device, and plans at $2.75, $3.33, and $4.99 per month (billed annually). The Premium plan ($3.33/month) includes access to a VPN, and the $4.99 plan is a “friends and family” plan that covers up to 10 users. There is also a range of business plans.

Platforms: There is no Dashlane desktop app; it works with a web app, a Safari extension, and iOS and Android apps.

Dashlane is another popular password manager. It’s available as a web app or browser extension for all major browsers on Mac, Windows, and Linux, and apps are available for iOS and Android; the iOS app also includes an app for the Apple Watch. The company got rid of its desktop app early in 2022, and now focuses almost entirely on its web app, which is an approach that other password managers don’t use. It can be more practical to have a web app, because it allows you to access your passwords on any device.

Passwords are encrypted and stored on the Dashlane server, and you can protect access with two-factor authentication. This is important with Dashlane because of the web access; other password managers with desktop apps store their passwords locally, so someone would need access both to your device and to your master password to access your passwords. Dashlane emergency access allows you to nominate someone who can unlock your account if you have lost or forgotten your master password. Dashlane’s Dark Web monitoring (available with the premium plan) checks to see if your personal information has been compromised. More pricing details and a full list of features are available on their website.

Apple Passwords (iCloud Keychain)

Cost: Free; included with all Apple ID accounts

Platforms: macOS, iOS, iPadOS, Windows, Safari (doesn’t support non-Safari desktop browsers, Android, ChromeOS, or Linux)

If you mainly use Apple products, another option that might work for you is Apple Passwords (formerly known as iCloud Keychain). With syncing across all your Apple devices, the latest version of Apple Passwords includes support for credit cards and two-factor authentication codes, bringing its feature set up to par with (at least the free features of) many other password managers. You can use it natively on macOS, iOS, and iPadOS. You can even get iCloud Passwords on Windows PCs using iCloud for Windows. However, there is no web access, so you won’t be able to directly access your passwords on other devices such as Chromebooks or Android phones or tablets.

Check out our comprehensive review of how iCloud Keychain works for macOS and iOS.

Mac and iOS Keychain Tutorial: How Apple’s iCloud Keychain Works

Other Password Manager options

There are many other password managers out there; a couple additional options that have been around for more than a decade include Keeper and RoboForm. (If you happen to use ExpressVPN, there’s also the relatively new ExpressVPN Keys; it’s a password manager that comes bundled with your VPN subscription.) Whichever option you choose, make sure it works for you and meets all your needs. If you’ve never used a password manager before, there will be a small adjustment period. It may also take some time to consolidate all your passwords, but it’s worth it!

Password managers to avoid (a partial list)

In a previous version of this article (originally published more than a decade ago, way back in 2012), we mentioned several other password managers that were available at the time. A lot of time has passed since then, and the industry has learned a lot from recent events like the LastPass hack of 2022. In addition to LastPass, any password managers that are no longer being updated, or no longer available to download, should be presumed less safe (or unsafe) to use. They may use less-secure encryption methods, and at the very least, older apps may have compatibility problems with the latest operating systems.

If you use any of the password managers listed below, we recommend that you:

  1. Switch to another password manager that you trust, like the ones we’ve covered above: 1Password, Bitwarden, Dashlane, Apple Passwords, Keeper, RoboForm, or ExpressVPN Keys.
  2. Change all your passwords. Your old password manager may not have been storing your passwords securely, so changing all of your passwords is important. Just make sure you do this step after switching to a trusted password manager first; you shouldn’t put any new passwords into an old app.

Here is a partial list of some now-defunct (or no longer safe to use) password managers:

LastPass password manager suffers massive data breach

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.