The Best Password Managers and Security Tips: How to Fix Your Login Problems

Handling passwords is about as pleasant as cleaning gutters or filing taxes. But it is just as important.

I hate telling people to eat their vegetables – even virtual vegetables. But if you don’t have strong, unique passwords for every online account, it’s time to dig deep. Don’t wait for someone to steal your identity or delete your bank account.

You’ve probably heard of password managers. They may sound complicated, but setting up your password fortress doesn’t have to be painful. These services remember all your passwords and can generate new ones securely. When you go to a login page in a web browser, and even in many apps, the manager will automatically fill in what you need to access your account. Some even comb the web to warn you if your information shows up in a security breach.

A major change in one of the most popular managers, LastPass, is why I have passwords on my mind again. On March 16, LastPass Free users will need to upgrade to the service’s premium plan (typically $36 per year, but currently offered for $27 per year) if they want to continue to sync passwords across their devices. While I’m a fan of LastPass, the free plan is no longer a good choice.

The best password managers work on as many platforms as possible. That’s why we generally recommend independent services over the password protections built into browsers and operating systems. I tested the most popular ones, in a quest for high security, wide options and ease of use. This is what I found:

1Password is an easy-to-use manager with multiple levels of security built-in. The iOS app can be unlocked with Face ID and can autofill your login information in apps.



• Easiest to use: 1Password ($35.88 per year for individuals, $59.88 for families of up to five) has an easy-to-use design and multiple layers of security at a great price. 1Password does not have a free tier. Security is something we think is worth paying for. “Free software almost always involves compromise,” said a 1Password spokesperson. “We can focus our efforts on developing new ways to protect your data rather than collecting or exploiting it.”

As with other password managers, you can organize passwords into different collections: one for personal accounts, one for work, and one for shared family logins. The travel mode is unique to the service – it’s for people who need to hide sensitive information when traveling to countries where they fear their phones will be searched.

Dashlane is a password manager that offers additional features such as a virtual private network for safe browsing.

Dashlane ($59.99 per year for individuals, $89.99 for families of up to five) is also easy to use and is a good choice if you’re interested in additional features like a built-in VPN (aka virtual private network) for accessing the internet more securely, and a dark web monitoring service that keeps an eye out for hackers who may have your credentials.

In the end, I chose 1Password because of the price. (I also thought Dashlane’s Mac Safari browser extension, now in beta, was buggy. A Dashlane spokeswoman said the team is working on a fix.)

With LastPass, you can designate a trusted contact to access your account in case you are dead or incapacitated. You can deny access to your designated person if you are able to do so.



• Best service with emergency access: It’s a tie between Dashlane and LastPass Premium ($36 per year for individuals, $48 for families of up to six). With both, you can give a trusted contact access to your vault if you are dead or incapacitated. These kinds of functions are important because our lives are so wrapped up in our digital accounts, as my colleague Joanna recently discussed. If something happens to you, your designated person can request access to your vault. You can set a specific delay period between three hours and 30 days, during which you can deny that access if you are able to.

LastPass Premium isn’t as sleek as Dashlane, but it’s a very capable password manager, too, with dark web monitoring, plus a gigabyte of encrypted file storage (and a good Safari browser extension). If you’re on Safari and don’t need the VPN, go with LastPass.

1Password considers this type of emergency access a security risk. In a forum post, a company employee explained that in order to get into a password vault, a domestic abuser could hold a victim against his or her will. He suggests storing a printout of your secret key code and your master password in a safe or with your lawyer.

Bitwarden’s free tier allows users to access passwords from their phones, laptops and other devices.



• Best free option: Bitwarden has a completely free plan for individuals and two-person organizations that syncs an unlimited number of passwords across devices. The service has the fundamentals: end-to-end encryption, a secure password generator, two-factor authentication, and apps for every desktop platform, browser and mobile operating system, plus web access.

A premium membership ($10 per year for individuals, $40 for families of up to six) is required for bells and whistles, such as a report of exposed passwords and enhanced login security.


“We are a for-profit company, but we find it completely harmonious and compatible to offer a basic manager for free,” said Michael Crandell, CEO of Bitwarden. Many users starting with the free plan eventually decide to upgrade, he added.

After choosing a password manager, you can manually add all your old passwords. If you save passwords in your computer’s Chrome browser, you can export them and then import them into your new password manager. (Apple doesn’t have a comparable option for exporting passwords.) If you switch from one password manager to another, exporting passwords is usually also an option.

Password managers will improve your digital life. But whether you get one or not, there are four simple password protection rules you should know.

Rule #1 – Don’t rely on passwords alone.

Use two-factor authentication, also known as 2FA, whenever possible. This requires an additional code or validation that is sent to another device.

Overall, enabling 2FA is better than not having it at all. But if you have a choice, use an authenticator app (I like Authy) instead of a plain text message. It works when you don’t have cellular reception and it’s not susceptible to SIM hijacking, where a hacker targeting someone with a valuable account hijacks that person’s phone number through the wireless carrier. You can call your carrier and add a passcode to your wireless account for extra security.

Rule #2 – Create long passwords.

The term “password” should be retired. The new hotness is the passphrase. “Password length is more important than complexity because a longer password is more difficult to decrypt,” said Jameeka Green Aaron, Chief Information Security Officer at customer authentication company Auth0.

For example, the “Raccoon Doorknob Spacecraft” passphrase would take ages to crack, according to Bitwarden’s free password strength testing tool. Meanwhile, according to the checker, an attacker could take as little as three years to crack a 12-character string containing uppercase and lowercase letters, symbols and numbers. Most password managers allow you to set the length of automatically generated passwords.

Rule #3 – Make it unique.

Do not reuse passwords. It’s the most common way that accounts are hacked, Ms. Aaron said. If hackers discover that your password is being used in one place, they will try it in other places. This is where password managers come into play. Use them to create strong, unique passwords and store them for all of your accounts.
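For readers comfortable running a script, here is one way to check a password file exported from Chrome for reuse and short passwords before importing it into a manager. This is an added example, not part of the original article; the 12-character threshold, the sample rows and the file name in the final comment are assumptions.

```python
import csv
import hashlib
import io
from collections import defaultdict

MIN_LENGTH = 12  # assumed threshold for "short", not a figure from the article

# Constructed sample in the column layout Chrome uses for its password export.
SAMPLE_EXPORT = """name,url,username,password
Example Bank,https://bank.example/login,pat,Raccoon Doorknob Spacecraft
Example Mail,https://mail.example/,pat@mail.example,sunshine1
Example Shop,https://shop.example/account,pat,sunshine1
Example Forum,https://forum.example/,pat99,Tr0ub4dor&3x!Q
"""


def audit_export(csv_file, min_length=MIN_LENGTH):
    """Return (reused, short) findings without ever returning a password.

    reused: list of sorted site-name lists that share one password
    short:  sorted list of site names whose password is under min_length
    """
    by_digest = defaultdict(set)
    short = set()
    for row in csv.DictReader(csv_file):
        password = row.get("password") or ""
        site = row.get("name") or row.get("url") or "(unnamed entry)"
        if not password:
            continue  # skip entries saved without a password
        # Group by digest so the plaintext is not kept as a dictionary key.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].add(site)
        if len(password) < min_length:
            short.add(site)
    reused = sorted(sorted(sites) for sites in by_digest.values() if len(sites) > 1)
    return reused, sorted(short)


def format_report(reused, short, min_length=MIN_LENGTH):
    lines = [f"Reused on: {', '.join(group)}" for group in reused]
    lines += [f"Shorter than {min_length} characters: {site}" for site in short]
    return "\n".join(lines) or "No reuse or short passwords found."


if __name__ == "__main__":
    # For a real file (hypothetical name): open("exported-passwords.csv", newline="", encoding="utf-8")
    print(format_report(*audit_export(io.StringIO(SAMPLE_EXPORT))))
```

The exported file holds every password in plain text, so delete it as soon as the check or the import is done.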

Rule #4 – Have a backup plan for your backup plan.

The key to your password manager is a master password, along with a device to verify your login. A good password manager does not know your master password and cannot help you recover your account.

So to be a good password parent, you have to think about the worst-case scenario: what if you lose the device that your two-factor authentication codes are sent to? What should you do if you have forgotten your master password?

Authy syncs authenticator codes across devices (your phone and your iPad, for example), which helps if you lose one. Setting up a physical security key, such as a YubiKey, as an additional authenticator is another protective measure. When it comes to remembering your master password, the best solution is low-tech: write it on a piece of paper and keep it with the rest of your most important documents. It is safer in the physical world than in the digital.


Write to Nicole Nguyen at [email protected]

Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.
