In this day and age, with so much available online and with so many different accounts to sign into, a decent password manager has become an essential tool for just about everyone. If we follow the common password rules…
- Do not use the same password across multiple accounts
- Always choose a long and strong password
- Avoid using dictionary words
- Avoid common sequences such as numbers or letters in sequential order
… it becomes even more apparent why we should all be using a password manager.
Browser Password Managers vs Dedicated Software
There are many misconceptions regarding browser password managers and, while I agree that they are generally not as secure as dedicated password manager software, they are nonetheless more secure than a lot of experts give them credit for. For example, I read an article written by a well-known tech writer warning people not to use Edge’s password manager. His reasoning was based on a third-party software called Edge Password Manager which, when run, would reveal all passwords saved in Edge in plain text. He reasoned that, if a third party gained physical access to a computer where the owner is already logged in, he/she could then run the Edge Password Manager software and reveal all the owner’s passwords. Well, I’m sorry, but that is total BS. If a third party with malicious intent gains physical access to a computer where the owner is logged in, the game is already over, regardless.
The fact is that Edge stores saved passwords encrypted in the Credential Manager. There is a “show” link associated with each encrypted password but, in order to reveal the true password, you need to input the user account password. So, provided the user account is password-protected, the level of security is actually pretty decent.
I also read where another so-called expert claimed that the passwords saved in Firefox could easily be revealed by third-party password extractors, such as reCall. That is also utter BS. Firefox provides an option to protect saved passwords with a master password, and they are impossible to extract with the master password in place, not even by the very good reCall. Full disclosure: I have to admit here that I have been using Firefox’s password manager, protected by a very strong master password, for many years without any issues. The only password I do not allow Firefox to save is my PayPal password. Then again, I would not trust any password manager with any of my financial credentials, including dedicated password manager software.
There are a lot of articles out there warning people against using browser-based password managers. However, I don’t necessarily subscribe to that school of thought. As far as I am concerned, a browser-based password manager is far preferable to no password manager at all. That said, there is no doubt that dedicated password managers are not only more secure than browser password managers but also include a lot more features. I’ve been toying with changing over to a dedicated password manager for some time now, only being put off by terminal laziness. However, I have decided it’s probably time to bite the bullet, and my research to date has led me to a seriously worthy candidate.
Bitwarden – Best Free Password Manager
Bitwarden is a free and open-source password manager that is quickly gaining in popularity. I openly admit I hadn’t heard of Bitwarden until commencing my research but there are so many positive reviews that I was pretty much forced into checking it out further.
There is no doubt that Bitwarden ticks all the right boxes: syncing passwords across all devices, support for all platforms, 2FA (two-factor authentication), and an unlimited number of entries (accounts). Bitwarden provides clients for all common mobile and desktop platforms, supports add-ons for all major browsers, and syncs across all devices via the cloud. Now, I know some users are wary of cloud-based password managers, but all data is fully encrypted before leaving the device and only the user can access it; not even the Bitwarden team can read it. Data is protected with end-to-end AES-256. PBKDF2 is used to derive the encryption key from your master password, which is then salted and hashed using HMAC SHA256. These are all very secure and well-respected cryptographic standards. Read more about Bitwarden’s Security.
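To make the key-derivation description concrete, here is an added sketch (not Bitwarden's code and not part of the original article) of deriving a 256-bit key from a master password with PBKDF2-HMAC-SHA256 on the client and handing the server only a separate login hash. Using the account name as the salt, the iteration count and all function names are assumptions for the illustration.

```python
import hashlib
import hmac

ITERATIONS = 100_000   # assumed work factor for this demo, not a vendor setting
KEY_LEN = 32           # 32 bytes = 256 bits, the key size AES-256 requires


def derive_master_key(master_password: str, salt: str,
                      iterations: int = ITERATIONS) -> bytes:
    """Client side: stretch the master password into a 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, dklen=KEY_LEN)


def derive_login_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side: one-way value sent to the server instead of the key."""
    return hashlib.pbkdf2_hmac("sha256", master_key,
                               master_password.encode("utf-8"), 1, dklen=KEY_LEN)


def server_accepts(stored_hash: bytes, presented_hash: bytes) -> bool:
    """Server side: constant-time comparison of login hashes only."""
    return hmac.compare_digest(stored_hash, presented_hash)


def demo() -> dict:
    # Constructed sample credentials (assumed salt: the account name).
    password, account = "correct horse battery staple", "alice@example.test"
    key = derive_master_key(password, account)    # never leaves the device
    stored = derive_login_hash(key, password)     # what the server keeps

    retry = derive_login_hash(derive_master_key(password, account), password)
    typo = "correct horse battery stapl"
    typo_hash = derive_login_hash(derive_master_key(typo, account), typo)
    return {
        "key_bits": len(key) * 8,
        "server_value_differs_from_key": stored != key,
        "right_password_logs_in": server_accepts(stored, retry),
        "typo_rejected": not server_accepts(stored, typo_hash),
        "salt_separates_accounts":
            derive_master_key(password, "bob@example.test") != key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The server-side value is derived one-way from the key, so a copy of the server's database yields neither the master password nor the vault key without guessing passwords and paying the PBKDF2 cost for each guess.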
As is the case with most password managers, Bitwarden will create, save, and remember long and strong passwords, logging you into already saved accounts and creating new entries for new accounts. If you have multiple accounts on a single domain, Bitwarden offers more fields, other than just the username and password, to help identify each entry precisely. Different types of credentials (such as Logins, Secure Notes, Credit Cards and Identities) also offer different fields for more specific information, and you can organize your items into folders to group particular types of entries together. Another interesting feature in Bitwarden is a button in the password field which checks if the password you input has been exposed, comparing the username and password with a database of known password breaches.
Because of Bitwarden’s cloud-based nature and the ability to sync across multiple devices, you do need to create an account, but it is all totally free. For a payment of $10US per annum, you can upgrade to the Premium edition which includes a few additional benefits. However, the free version is full-featured without limitations.
As I said earlier, Bitwarden ticks all the right boxes and, in terms of features, it’s right up there with similar commercial offerings that cost quite a bit of money. Nothing among the free versions from alternative password managers comes close to Bitwarden’s feature set. Definitely worth serious consideration.
LastPass Free – A Very Good #2
LastPass has been around for ages, it seems, so I’m pretty sure many would already be familiar with the free edition’s very good feature set. It’s the closest to Bitwarden of all the free alternatives. LastPass’s free version supports syncing across all devices, unlimited passwords, a built-in password generator, multi-factor authentication, secure note storage, one-to-one sharing (not one-to-many sharing), and a security challenge. The security challenge feature reviews your existing passwords, provides you with an overall score and warns you about passwords that are insecure.
As is the case with Bitwarden, and all password managers that sync across multiple devices, LastPass utilizes strong encryption techniques, securing data with AES-256-bit encryption and salted hashes. Your data is encrypted and decrypted on your device, so the data stored with LastPass is readable only on your own device(s). Definitely a contender.
Dashlane & StickyPassword
Two very good premium password managers but neither supports syncing across multiple devices in the free versions. Furthermore, Dashlane Free is limited to 50 accounts and 5 accounts for password sharing. And StickyPassword Free does not support secure password sharing at all. Still, these are two very reputable password managers and the free editions might well include enough features to satisfy some users.
Bottom Line
Bitwarden is all the rage at the moment and, after reading multiple reviews, I’m not at all surprised. It is a free and open-source password manager that comes very near to, if not on par with, its subscription-based rivals. I seriously doubt you could do better for free.
—
I tried to check out Bitwarden, but it doesn’t seem to have support for the Pale Moon (or any XUL) browser.
I’ve been using Last Pass for years without any problems.
I’ve seen articles with every one of the above listed as #1 at one time or another. I recently read 1Password was the new king.
Correct. Bitwarden’s browser integration is WebExtension, no XUL support.
As far as I am aware, 1Password is not free. It has a free trial but no free version.
Not free per se, but it’s constantly on the giveaway sites as a 1 comp/1 year ‘trial’. I’m not rolling those dice though – you never know if it will end before the need to re-up.
We all know that even the bestest and the mostest fully encrypted security software is 110% secure until the moment it is discovered that it no longer is. If such historical revelations are any indication; this assessment has not yet been proven inaccurate. Therefore, I think I will await the release of quantum encryption (and, more importantly, decryption) before I decide to even attempt to try a replacement for my crusty-old KeePass with over 500 credentialing information I trust this FREEware for/with.
“Then again, I would not trust any password manager with any of my financial credentials, including dedicated password manager software.” What exactly is the solution to this valid conundrum?
A conundrum indeed. I use PayPal exclusively. If an online vendor does not support PayPal, they do not get my business. My PayPal password is not saved anywhere, only in my brain. Not ideal, but far preferable to continually inputting credit card details for each and every transaction with each and every vendor.
I use a secondary bank account that generally has less than $1.00 in it. When I want to purchase something, I’ll transfer money to that account to make the purchase. Hackers have about 15 seconds to grab any info, and even if they do, the account will be back under $1.00 by the time they try anything. So far, so good (12 years).
Note: Make sure your bank does NOT process debits before they process credits for any given time period (like weekends, holidays, or other days they are closed).
Good system. Debit cards can also be used in much the same manner.
I’d probably still be using KeePass if I didn’t need ‘synching’ – which wasn’t available in KeePass when I switched to LastPass.
Operating systems (especially Windows) and browsers are like Swiss cheese with all the ghost data they produce, which most encryption programs do not clean. You’ll need to run a decent ‘free space’ cleaner after encryption, or use ‘system’ encryption (as opposed to file/folder/drive encryption), unless all you want to do is keep family members from accessing the data; just about anything will work for that.
I could go on and on, but it’s Jim’s article
That’s not a problem sirpaul, you go right ahead and post as much information as you see fit. These comments sections often contain a lot of additional useful information so, provided it’s accurate information, feel free to go for it.
The elephant in every password manager is changing to the new password manager and porting the data over to the new manager. I keep thinking I need to ditch my Norton Password manager but with over 800 passwords in it, moving to a new password manager could be a real nightmare or at a minimum take several nights to set up. Is there an easy way to move the data from one password manager to another?
Hey Vince,
Agree 100%. However, most password managers do include a feature to import data from a different password manager.
Bitwarden even has a list of password managers from which it can import data: https://bitwarden.com/help/article/import-data/. Unfortunately, Norton Password Manager is not included in the list. That doesn’t necessarily mean it will not work though.
LastPass also includes instructions on its site on how to import data from other password managers: https://support.logmeininc.com/lastpass. Click “Get Started” and then click “How do I import passwords from other sources into LastPass?”.
Hope that helps.
Like any software having user generated input, I have too much time invested in my KeePass. None of your suggestions appear to have the ability to import my database. I have played around with a number of alternate software products but either found them “restrictive” for the free version or the different features they contained were not enough to get me to change. I actually like the way my current KeePass synchronizes between devices. Just copy the master file to each device.
Hey Tom,
All of the above mentioned include the ability to import a database, either in .csv or .json formats. That said, you are obviously happy with KeePass so by all means stick with that.