The New Oil

2023 was a record-breaking year for cybersecurity in a bad way. Ransomware payments hit a record high of $1.1 billion, which is likely to encourage cybercriminals to keep trying, and in the first two-thirds of 2023 alone, there were a record 2,116 data breaches (that we knew of) for a total of 234 million victims. Keeping your data safe is more important than ever. Thankfully, doing so is – in some ways – also becoming easier than ever. Using good passwords is just one part of a healthy cybersecurity posture, but many experts consider it the first and one of the most impactful parts. Of course, we all know that actually using good passwords as recommended is laughably impossible, so much so there’s a plethora of memes about it. Thankfully, password managers exist and are here to help. However, like any mainstream tech product, the marketplace is now flooded with password managers of varying quality. So this week, I want to breakdown my top recommendations for best password managers in 2024 and which ones are right for you.

A couple notes before I dive in. First, these entires are listed in alphabetical order, not order of recommendation. These are “the best password managers” plural, not singular. “Best” is a matter of your threat model and what you want out of your password manager. Please keep that in mind as you read. Second, it should go without saying, users still need to be responsible in using a strong, unique master passphrase and enabling two-factor authentication on their password vaults to ensure maximum safety. A developer can only do so much to protect you, there’s still some steps that you have to take. Finally, there is one affiliate link here – for Proton Pass. A non-affiliate link is clearly marked and provided right next to it, but in the interest of transparency, know that that’s there. If you decide after reading that Proton Pass is the right choice for you, we’d appreciate you using the affiliate link to help support us, but it is of course totally optional.

Avoid LastPass

Before we can talk about the best password managers, we unfortunately have to issue a warning. As I said, the marketplace is flooded with password managers. Most of them are probably fine enough choices – anything is better than just reusing the same (or some variation of the same) terrible password on every site – but there is at least one offering that stands head-and-shoulders above the rest as “so bad it’s arguably worse than not using one at all.” I’m talking of course, of LastPass. LastPass has been riddled with so many issues it’s hard to figure out where to start. The “enshittification” probably began around 2021 when LastPass announced that free users would be limited to one platform: mobile or desktop, but not both. Later that year, it was reported that user master passwords had possibly been compromised (which of course, LastPass denied). And then came 2022. The 2022 compromise was so catastrophically bad I’m not sure I can overstate it, from disclosure to response to impact. Even the most ardent affiliate-link-farming LastPass defender finally had to stop recommending them. I won’t go into detail for the sake of keeping this entry short, but you can get most of it here. The moral is that no matter who you go with – whether one of these entries or someone else – you should not go with LastPass. With that out of the way, let’s continue.

Photo courtesy of Bitwarden

Bitwarden

Best for users who want easy multi-device sync

Bitwarden is probably my top recommendation for 90% of users. Bitwarden is a cloud-based password manager that’s open source with a long history of being user-friendly and a generous free plan (and even their paid plan is a mere $10/year). You can use it on all operating systems and/or with a web extension, and Bitwarden currently supports passkeys. For those who simply want convenience, Bitwarden offers a seamless experience and a modern UI. They have been audited and regularly engage with security researchers who disclose vulnerabilities or other concerns. They have also been on the forefront of protecting their users with such moves like automatically upgrading master password iterations and KDFs. For the vast majority of “normie” users, Bitwarden provides a reasonably secure, user-friendly option that “just works” with a long, proven track record of trustworthiness.

Photo courtesy of KeePass

KeePass

Best for users who don’t want the cloud

KeePass has a lot to like, but it’s not for everyone. The biggest advantages of KeePass are also its biggest drawbacks. For example, KeePass is not cloud-based. There is no central server or provider handling the sync across all your devices. This is fantastic if you don’t trust the cloud, but it also means that you have to be extra mindful to keep good backups and – if you want to have your passwords readily available on multiple devices – you’ll have to put some thought into how to keep your vault synced without creating conflicting entries. I’m not saying it can’t be done or even that it’s hard, but – as I said – you’ll have to take a moment to think it through because it won’t just be automatically handled by the provider, you have to think about “if I update it on my phone, how do I ensure it also updates on my PC? What if I create a conflicting entry, how will I ensure I resolve it correctly?” There’s a lot of ways to solve this problem that I won’t get into here for the sake of brevity. Suffice to say that in my opinion, KeePass – while great – is probably aimed at an audience with a higher threat model and/or who’s willing to put in more work and time into a solution such as a local NAS at home or willing to put up with some mild inconveniences (like sending yourself a password once through your encrypted messenger’s “Note to Self” feature). That said, if that sounds like you, KeePass has a lot of appealing things to offer. For example, “KeePass” is really more of a protocol than a password manager. There’s a whole host of clients out there to try, so if you don’t like the look or features of one, you can simply try a different one. Just be sure to vet them carefully as some may be missing critical updates or proper vulnerability patches. Another advantage to KeePass is that it’s totally free. No premium plan, no self-hosting costs (in time or money). If you want the maximum number of features at the best price, you can’t beat KeePass. Please note that most KeePass clients have limited or no passkey support, so if you’re eager to adopt this new technology, KeePass may not be right for you.

Photo courtesy of Proton

Proton Pass (Non-Affiliate Link)

Best for users who want an ecosystem

Proton is the Apple or Google of the privacy world in the sense that they seem to be trying to make a one-stop-shop for mainstream users who want an all-in-one, user-friendly solution. Rather than using one service for cloud storage, another for email, another for VPN, and yet another for password management, Proton tries to roll all these things into one. Overall, I think Proton does a pretty good job here, but I’ll also be the first to admit there’s a lot of room for improvement on both the user-facing feature side and the back end. Still, for mainstream users who may be coming from an all-in-one solution like Apple or Google and want to replicate that experience, Proton is probably the best option out there. For the record, putting all your eggs in one basket does come with risks, but that’s a blog post for a different day and it’s up to users to threat model on that front. If nothing else, Proton can provide an easy starting point to get into privacy, and then from there users can decide if they feel the need to diversify or not. With that in mind, if you’re that kind of user – who wants to just log into something once and have everything easily and smoothly integrate – then Proton Pass might be for you as part of the larger Proton ecosystem. It is worth noting that Proton Pass is fairly new – it only came out last year – so there are still a lot of features to be added, but it’s already been audited and they’re adding new features all the time. Once again, if you’re the kind of person who’s looking to recreate that Apple/Google-style ecocystem, Proton is probably the best choice currently on the market and Proton Pass is worth a look. At this time, Proton Pass does not support passkeys however as of their latest announcement on February 29, passkey support is actively on the roadmap and should be coming soon.

Photo courtesy of 1Password

Honorable Mention: 1Password

1Password doesn’t qualify for typical listing because they don’t offer source-available clients. However, 1Password is wildly popular and – I believe – is still a solid choice if none of the above clients meet your needs. 1Password has been audited, and experts regularly praise their work in that regard. They also have a positive track record and are regular supporters of and embrace a variety of open source projects and initiatives. I’m also told (though I have no hands-on experience at this time) that 1Password integrates remarkably with the Apple ecosystem. Finally, 1Password supports passkeys. Be warned that 1Password does not have any free plans, but their paid plans start at $3/month and seem to include virtually everything a single user could need, with higher plans being aimed at families and organizations. Again, if none of the above clients meet your needs – or if you really want an integrated Apple experience – then 1Password would be my recommendation for you to check out.

As I said earlier, at this point pretty much any sort of system you have to ensure that you’re using strong, unique passwords is better than nothing, whether that’s another option not listed here or a notebook locked in your desk. If you’re looking into password managers for the very first time, these are the four I think really stand out in the space as exceptional, mostly for their commitment to protecting users and their login data. (You can see my criteria for password managers here.) If you already have a password manager and you haven’t considered these ones before, I strongly encourage you to try them out. You might find you like them more.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...