Learn to Boost Your Password Game - from Nichole Nguyen of the Wall Street Journal

There are four simple rules of password protection:

Rule #1: Don’t rely on passwords alone.

Use two-factor authentication, known as 2FA, wherever possible. This requires an additional code or validation sent to another device. If you have the choice, use an app authenticator (I like Authy) over a text message. It works when you don’t have cellular reception, and isn’t susceptible to SIM hijacking—where a hacker cons a person’s phone number from the wireless carrier. You can call your carrier and add a passcode to your wireless account for added security.

Rule #2—Make long passwords.

“Password length is a more important factor than complexity, because a longer password is harder to decrypt,” said Jameeka Green Aaron, chief information security officer at customer-authentication company Auth0.

The new hotness is the pass-phrase. For example, the pass-phrase “Raccoon Doorknob Spacecraft” would take centuries to crack, according to Bitwarden’s free password-strength testing tool. A 12-character string, with uppercase and lowercase letters, symbols and numbers, could take an attacker three years to crack.

Rule #3—Make it unique.

Whatever you do, don’t reuse passwords. It’s the most common way accounts get hacked, Ms. Aaron said. If hackers discover your password used in one place, they try it in other places. Use password managers to create strong unique passwords and store them for all your accounts.

Rule #4—Have backup plans.

The key to your password manager is a master password, along with a device to authenticate your login. A good password manager doesn’t know what your master password is—and can’t help you recover your account.

Logins Shouldn’t Be a Pain

If you don’t have strong passwords for every online account, it’s time to dig in. Don’t wait until someone’s stolen your identity.

You’ve probably heard of password managers. These services remember all of your passwords and can generate secure new ones. When you go to a login page on a web browser and even in many apps, the manager will fill in what you need to access your account. Some even comb the web to alert you if your information shows up in a breach.

A significant change to one of the most popular managers, LastPass, is why I have passwords on the brain again. On March 16, LastPass Free users will need to upgrade to the service’s premium plan—typically $36 a year but offered to them for $27 a year—if they want to continue syncing passwords across devices. While I’m a fan of LastPass, its free plan is no longer a good choice.

The best password managers work on as many platforms as possible. I tested the most popular ones, in a quest for high security, broad options and ease of use. Here’s what I found:

Easiest to use

1Password ($35.88 a year for individuals, $59.88 for families of up to five) has a user-friendly design and multiple layers of security baked in for a good price. It doesn’t have a free tier. “Free software almost always involves compromises,” a 1Password spokesman said.

As with other password managers, you can organize passwords into different collections: one for personal accounts, one for work, one for shared family logins. Travel Mode is unique to the service—it’s for people who need to hide sensitive information when traveling to countries where they fear their phone might be searched.

Dashlane ($59.99 a year for individuals, $89.99 for families of up to five) is also easy to use, and is a good choice if you’re interested in features such as a built-in VPN (virtual private network) for accessing the internet more securely, and a dark-web monitoring service that keeps an eye out for hackers who might have your credentials.

I opted for 1Password, because of the price. (I also thought Dashlane’s Mac Safari browser extension, now in beta, was buggy. A Dashlane spokeswoman said the team is working on a fix.)

Best service with emergency access

It’s a tie between Dashlane and LastPass Premium ($36 a year for individuals, $48 for families of up to six). Both let you grant a trusted contact access to your vault if you’re dead or incapacitated. Features like this are important because our lives are so tied up in our digital accounts. If something happens to you, your designee can request access to your vault. You can set a specified delay period between three hours and 30 days, during which you can deny access if you’re able.

LastPass Premium is a very capable password manager, also with dark-web monitoring, plus a gigabyte of encrypted file storage (and a good Safari browser extension). If you use Safari, and don’t need the VPN, go with LastPass.

1Password views this kind of emergency access as a security threat. In a forum post, a company employee explained that a domestic abuser, to get into a password vault, could hold a victim against his or her will. He suggests storing a printout of your secret key code and your master password in a safe-deposit box or with your attorney.

Best free option

Bitwarden has a full-featured free plan for individuals and two-person businesses that syncs an unlimited number of passwords across devices. The service has many key basics: end-to-end encryption, secure password generator, two-factor login and apps for every desktop platform, browser and mobile operating system, plus access via the web.

A premium membership ($10 a year for individuals, $40 for families of up to six) is required for bells and whistles, such as an exposed-passwords report and enhanced login protection.

“We are a for-profit company, but we find it completely harmonious and compatible to offer a basic manager for free,” said Michael Crandell, Bitwarden’s CEO. Many users who start with the free plan decide to upgrade, he added.

Once you’ve picked a password manager, you can add in all of your old passwords. If you store passwords in your computer’s Chrome browser, you can export them and then import them into your new password manager. (Apple doesn’t have a similar password export option.) If you are switching from one password manager to another, exporting passwords is usually an option, too.