Best Password Managers of 2023
CR evaluated 8 popular free and paid services for digital security, privacy, and ease of use. We can recommend four of them.
Password managers have a straightforward job: Come up with crazy-long, complicated passwords for all of your online accounts, and then safely keep track of them.
The mission sounds simple, but deciding which password manager to use is not. That’s because if there’s a single company you need to trust, it’s the one where you store the log-in credentials for your entire online life. As a 2022 data breach at LastPass demonstrates, password managers deserve a high level of scrutiny.
Consumer Reports tests these services for both security and data privacy, as well as ease of use. Security testing evaluates how resistant the password managers are to hacking attempts, while privacy testing gets at the personal data the company collects, for its own marketing and other purposes, and whether you can control that data. You can see more details on how we test password managers below.
If you’re new to password managers, here’s the idea: A service will store your log-in credentials in an encrypted vault which you can access through an app, web page, or browser extension. To open the vault and log into Facebook or your bank or whatever, you’ll typically click on the browser extension, then enter a primary password that you devise yourself. It needs to be extremely strong, and you need to memorize it (or possibly write it somewhere safe). You should also use multifactor authentication wherever it’s available.
When we last tested password managers, 1Password beat the competition hands-down. This time around, 1Password’s score has dropped, though it’s still in a tie for the top spot in our ratings. One reason for the drop is that CR has added some additional tests where 1Password faltered. And the service does have some flaws. For instance, the company doesn’t clearly state that it won’t share users’ personal data with other companies. However, 1Password remains a recommended service with strong scores for privacy and security, middle-of-the-road pricing, and features similar to what you’ll find on other recommended password managers. We didn’t see evidence of advertising-related software in 1Password. The company offers a 14-day free trial to let you get a feel for the interface.
Like other recommended password managers, Dashlane has important features, such as the ability to warn when one of your passwords has appeared in a data breach or when a password you’ve created on your own is weak and should be replaced. Dashlane does very well in CR’s evaluation of privacy policies and practices. For instance, it gets points for stating clearly that it collects minimal personal data, just what it needs to maintain your account. On the other hand, the app we looked at included software that could be used for tracking consumer behavior, from a marketing data company called Braze. And Dashlane’s data security score trails slightly behind the security scores of our other recommended password managers.
Like all the password managers tested, Dashlane is easy to set up and use. The company also has a free version, which we did not test.
Like other CR-recommended password managers, Keeper Unlimited has important features, such as warning you when one of your passwords has appeared in a data breach or when a password you’ve created on your own is weak and should be replaced. You can access it through iOS and Android apps, and extensions that work with popular web browsers. We didn’t see evidence of tracking software from advertising-related companies in Keeper. We also recommend the free version of Keeper, described below. The main difference is that Keeper Unlimited lets you access the service on multiple devices and platforms.
Like Keeper Unlimited and other recommended password managers, the free version of Keeper has important features, such as warning you when one of your passwords has appeared in a data breach or when a password you’ve created on your own is weak and should be replaced. We didn’t see evidence of tracking software from advertising-related companies in Keeper. The biggest difference from the paid service is that Keeper Free is designed for just one user using a single mobile device. That limits its usefulness for many people. In contrast, Keeper Unlimited lets you use unlimited devices, with a mobile app, desktop app, and browser extensions.
How Consumer Reports Tests Password Managers
Just like other players in the tech industry, password manager companies can collect personal data to use for their own marketing purposes, though, to be clear, that doesn’t include your passwords or other information that you store in your encrypted vault. Password managers score better in CR testing if they take privacy-protective steps like collecting only the data needed to make the password manager function, and if they make it easy for users to control what personal data is collected and to delete it if they choose. We also look to see if the password managers contain software used for ad tracking.
One conclusion from the test: All the password managers could improve by giving people easy-to-use controls to turn off any data collection for marketing purposes, and to get a copy of all the data the company might be holding on them, including information they acquire from data brokers.
Security is obviously critical with password managers. Because you’re putting all your password eggs in one basket, that basket had better be secure.
CR examines password managers to ensure that they use strong encryption by default and that the encryption is employed correctly. (It’s not always.) We test for resistance to known exploits—all software has the potential for vulnerabilities, but companies should fix any that arise as soon as they are discovered. We give companies credit for putting internal and external security audits in place and for including automatic software updates.
CR observed several areas where the security of password managers could be improved by implementing industry best practices. None of these shortcomings are likely to result in a typical user getting hacked, but if any product should be meticulous about security, it’s a password manager.
These are just some of the factors we look at. Our test protocol for password managers is based on the Digital Standard, a CR-led initiative for defining best practices for digital privacy and security.
The overall score for each password manager is based on approximately 100 individual tests. The testing of each service takes about two days.