Lately it seems like there’s a new security breach every other day, exposing the PII of millions: full legal names, usernames, email addresses, physical addresses, and yes, passwords. Very often the goal of hacking some obscure forum is not to gain access to your account on that forum. Instead, it’s to harvest the login credentials you likely reuse on other websites, so that the attackers can then get into every account that shares your email/username and password.
There are entire services like Have I Been Pwned dedicated to this. They check whether your password has leaked by looking it up in databases of stolen credentials, the same databases hackers often use in dictionary attacks. There are even services that automatically alert you when your password has leaked, and many password managers come with this functionality built in.
Obviously, the first thing you should do when this happens is change your password. But if you’re using the same password on other websites, you now have to change all those other passwords too. And that’s where password managers come in. Their core functionality is to store your login credentials for each service. That way, you don’t have to remember every single password. With this freedom, you no longer have to create passwords that are easy to remember. You can create strong, impossible-to-guess passwords without needing to remember them. As such, most password managers also allow you to generate strong passwords.
Password managers also protect you from phishing attacks with their autofill service. If you click on a link to log into a website and your credentials don’t appear, you’re not on the real website. That’s because password managers only offer your credentials when you visit the URL they were saved for.
You can take this a step further by using different email accounts for each service. This way, login credentials become disposable and leaks have minimal impact. Some password managers integrate with email forwarding services. This allows you to create masked emails on the fly for new accounts. If you have your own domain, you can manually create an address for each service. This protects your real email address from getting leaked as a login credential. If a throwaway email gets leaked, change it. Email forwarding services also allow you to stop receiving emails from leaked addresses. This helps avoid spam as well.
Many password managers also include 2FA functionality for added convenience. Some security experts recommend using separate services for your passwords and 2FA, the logic being that if one gets compromised, you don’t lose everything. But most people are likely not willing to manage two different apps for security, so until they get used to it, the convenience of having both in one is worth the minor security sacrifice. Security always comes at the expense of convenience; where you draw the line is up to you and how much convenience you’re willing to sacrifice. You can check my recommendations for dedicated authenticator apps to help you decide.
Speaking of convenience, passkeys are hailed as the future that will replace passwords. They get saved on your device (or in your password manager) and you don’t have to remember anything at all. A service can log you in as soon as it detects a passkey, asking only that you authenticate using biometrics. Passkey adoption is on the rise as they are more secure (and convenient) than passwords. The downside to passkeys is that they are tied to the device, meaning you need a new passkey for every device, which adds an extra layer of difficulty if you lose access to your device. For now, it’s still recommended to keep password authentication as a backup.
Cloud
ProtonPass
ProtonPass is Proton’s recent foray into the password management space. It’s actually rather impressive. It lags behind Bitwarden in features, but it’s leagues ahead when it comes to UI/UX. Looks don’t seem important to security purists. But for the average person, UX is what determines if they’ll use a product.
ProtonPass is a Swiss open-source password manager that supports all devices and browsers. Like Bitwarden, it also includes 2FA and email masking as paywalled features. If you plan to use a separate authenticator app, you’ll likely find the free tier satisfactory.
Unlike Bitwarden, ProtonPass can’t be self-hosted, although you can self-host its email forwarding service, SimpleLogin, which Bitwarden also supports.
IronVest
IronVest is not open-source!
IronVest is a browser extension that has evolved over the years. I first started using it when it was MaskMe. All it did was create masked email addresses on the fly and forward emails to your main address. It had dedicated inboxes for each masked email address. MaskMe also offered masked phone and masked cards, but I never tried those paid features. MaskMe then turned into Blur and added tracker blocking. This is also when they developed mobile apps.
Today, it’s called IronVest and their overly-corporate website is deliberately confusing. Underneath all the jargon, it largely mirrors other password managers in features. Masked emails are no longer free, but also no longer unique in the market. What sets it apart is the masked phone and cards, but their marketing focuses more on security. They claim they’re more secure than other password managers thanks to blockchain technology. Since they aren’t open-source, it’s anyone’s guess whether this is actually true.
If I hadn’t personally used their product for many years and loved it, I wouldn’t even include it here. Based on their website, their current marketing material doesn’t inspire confidence. That said, it’s obviously aimed at businesses and not me.
Self-hosted
Nextcloud
Nextcloud users are likely already aware of the simply-named Passwords. It’s a fully-featured password manager you can install from Nextcloud’s official app store. It supports E2EE, QR codes, and password sharing with other Nextcloud users. You can organize using tags, folders and favorites. Each password can also have a note, as is standard, but here it’s taken to another level with a rich text editor.
The developer only offers official browser extensions (for all major browsers); the mobile apps are community-built, which is possible because the project is open-source. Android users can use this or this. iOS users can use this.
Note that certain features like passkeys and 2FA are client-side features. Their support depends on the app you’re using, not the server backend. This is important to keep in mind when it comes to community apps.
Bitwarden
Bitwarden is the default recommendation for an open-source self-hosted password manager. It is very feature-complete, covering not only logins but also identities and card info. This is because saving and managing passwords is only half the job of a password manager. The other half is autofill: inputting your info for you in browsers and apps.
Bitwarden not only supports every platform and browser, it’s also free to use. They paywall a few features, like 2FA, but full functionality only costs $10 a year. A year is plenty of time to decide if it’s worth self-hosting, which unlocks all functionality for free. Family plans are also available, for up to 6 members.
The biggest factor working against Bitwarden is UI/UX. Security software often neglects design, especially with the limited resources of FOSS. On the flip side, since it’s FOSS, there are many alternative front-ends for it. For Android, I recommend KeyGuard. It integrates added functionality like automatically checking if your passwords have leaked. It prompts you to update insecure, leaked, or duplicate ones. It also informs you of websites you use that support passkeys and 2FA. Passkeys are more secure and also more convenient than passwords. They can’t be stolen or forgotten, and they allow you to log in without entering your password every time.
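The leak check mentioned in the introduction (Have I Been Pwned) and the automatic one Keyguard performs both work along these lines. This is an added example, not code from either project: the Pwned Passwords range API really does take the first five hex characters of an uppercase SHA-1 and answer with "SUFFIX:COUNT" lines, but the breach corpus, counts and vault below are constructed so the whole thing runs offline.

```python
import hashlib
from typing import Callable, Dict, List

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for the remote breach corpus: made-up passwords with
# made-up breach counts. A real client never sees this table; it only receives
# the suffixes that share the 5-character prefix it asked about.
FAKE_CORPUS: Dict[str, int] = {"password": 9_000_000, "letmein": 120_000, "hunter2": 42}

def fake_range_lookup(prefix: str) -> str:
    """Offline emulation of GET /range/{prefix}: 'SUFFIX:COUNT' lines for every
    corpus hash starting with the prefix (CRLF-separated, like the real API)."""
    lines: List[str] = []
    for pw, count in FAKE_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """k-anonymity check: only the first 5 hex chars of the SHA-1 leave the
    client; the full hash is compared locally against the returned suffixes.
    Returns the breach count, or 0 when the password is not in the corpus."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def audit_vault(vault: Dict[str, str], range_lookup: Callable[[str], str]) -> Dict[str, List[str]]:
    """Flag vault entries (site -> password) that are leaked or reused across
    sites, the two findings the text says a good client should surface."""
    by_password: Dict[str, List[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    findings: Dict[str, List[str]] = {"leaked": [], "reused": []}
    for pw, sites in by_password.items():
        if len(sites) > 1:
            findings["reused"].extend(sites)
        if pwned_count(pw, range_lookup) > 0:
            findings["leaked"].extend(sites)
    return findings

if __name__ == "__main__":
    # Constructed sample vault for the demo run.
    demo = {"forum": "password", "bank": "password", "mail": "T7#kq9!zLw2$vNp"}
    print(audit_vault(demo, fake_range_lookup))
```

Against the real service you would replace `fake_range_lookup` with an HTTPS GET of the prefix; the comparison logic and the privacy property stay the same.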
Offline
Passy
Passy is a smaller, lesser-known FOSS project. But don’t let that fool you, as it is pretty feature-complete. It separates itself by focusing on being offline and local, but also capable of online sync. Automated sync is possible to a server of your choice, but you can also sync manually by scanning a QR code. An interesting approach.
When it comes to features, Passy pretty much matches all other password managers. In fact, it even allows for more customization in some areas. For example, you can choose your 2FA algorithm when setting it up for a set of credentials. Another notable inclusion is the ability to set both a username and an email address. This may seem obvious or even silly, but some competitors lack it. Passy supports credentials, identities, and payment cards, as is standard. Custom fields are also nice.
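What "choosing the 2FA algorithm" means in practice, and what the built-in 2FA mentioned earlier is computing: a TOTP code is an HMAC over the current 30-second time step, and the hash used for that HMAC (SHA-1 by default, SHA-256 or SHA-512 optionally) must match what the service expects or every code will be rejected. This is an added example, not Passy's code; the seeds are the RFC 6238 reference secrets and the `verify` window size is my own choice.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict

# Reference secrets from RFC 6238 Appendix B (one per hash; the spec uses a
# secret as long as the digest). Real otpauth:// URIs carry a base32 secret
# instead, but the arithmetic below is identical.
RFC6238_SEEDS: Dict[str, bytes] = {
    "sha1": b"12345678901234567890",
    "sha256": b"12345678901234567890123456789012",
    "sha512": b"1234567890123456789012345678901234567890123456789012345678901234",
}

def hotp(secret: bytes, counter: int, algorithm: str = "sha1", digits: int = 6) -> str:
    """RFC 4226 HOTP with the HMAC hash as a parameter (RFC 6238 allows
    HMAC-SHA-256 and HMAC-SHA-512 alongside the default HMAC-SHA-1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, timestamp: int, algorithm: str = "sha1",
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, timestamp // period, algorithm, digits)

def codes_for_every_algorithm(secret: bytes, timestamp: int, digits: int = 6) -> Dict[str, str]:
    """Same secret and moment under each hash: the codes differ, which is why a
    mismatched algorithm setting yields codes the service never accepts."""
    return {alg: totp(secret, timestamp, alg, digits) for alg in RFC6238_SEEDS}

def verify(secret: bytes, code: str, timestamp: int, algorithm: str = "sha1",
           digits: int = 6, period: int = 30, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift (my choice
    of window; RFC 6238 leaves the size to the implementer)."""
    step = timestamp // period
    return any(hmac.compare_digest(hotp(secret, step + d, algorithm, digits), code)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    print({alg: totp(seed, 59, alg, 8) for alg, seed in RFC6238_SEEDS.items()})
    print(codes_for_every_algorithm(RFC6238_SEEDS["sha1"], int(time.time())))
```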
Passy works on all devices, including specialty features like biometric authentication and autofill. A browser extension is also available for all browsers.
Pass
Pass is the hacker’s password manager. The core tool has no GUI of any kind (though third-party clients offer one) and is managed and used entirely through the CLI. This might seem daunting if you’re a Windows user, but if you live inside the terminal, it makes sense. It’s very straightforward in its approach: it saves your passwords locally in GPG-encrypted files. This makes it very easy to share or migrate them to other devices, and only your GPG key can decrypt them.
It allows you to add, edit, and retrieve passwords using simple commands. Cross-platform sync is possible over Git or something like SyncThing. This offers a secure and decentralized way to manage your passwords. Being open-source, the community has, over the years, created clients for every device. Most of these clients also support 2FA.