ExpressKeys – formerly known as ExpressVPN Keys – is the simple and secure password manager from one of the best VPNs, ExpressVPN.

Like many of the best password managers, ExpressKeys enables you to generate and store secure, complex passwords, alongside logins, notes, and credit card information.

Previously, ExpressKeys was part of the ExpressVPN app, but it now has its own standalone app, making up part of ExpressVPN's new privacy suite. ExpressKeys access comes bundled with ExpressVPN Advanced and Pro, with plans starting from $3.59 per month.

Historically, you could continue using ExpressKeys even after your ExpressVPN subscription had expired, freely adding and generating passwords, at no extra cost. But ExpressVPN has recently changed this. While legacy ExpressVPN users can still access their stored information, nothing new can be added – rendering ExpressKeys somewhat useless unless you reactivate your subscription.

If you're one of these legacy users, you might want to export your passwords and switch to another passwords manager – here's how.

Setting up

You can export your ExpressKeys passwords using both its mobile app and desktop browser extension. ExpressKeys offers a smoother, more intuitive experience on mobile devices, and that's where I typically access my login details.

However, I found the export/import process was easier to achieve via desktop, and I'll explain why further down.

ExpressKeys allows you to store passwords, logins, secure notes, credit cards, and authenticators – all these details can be exported.

Before doing anything, make sure you're logged into your ExpressKeys app. You may be asked to enter your vault password – you'll also need this later, so make sure you have it to hand. If you don't, you'll need to contact ExpressVPN support.

Ensure you have all the details you want to export, and ideally, have an alternative password manager ready to import them into.

Although you can do both, I'd recommend exporting via desktop, especially if you're going to be importing your data into another password manager. The exporting process is actually more secure on mobile. But when importing, you're often prompted to do this via a web page, making desktop far easier.

Exporting via mobile

Opening your ExpressKeys app on mobile brings up your dashboard. Here you'll see an overview of all your stored information.

First, select the Account icon in the top right of the screen – it looks like a person. This will bring up your account information. Scroll down to Password Manager Settings and click Export your Data.

You'll be asked to enter your vault password, so make sure you have that handy. If you've lost it, you'll have to contact ExpressVPN support before proceeding.

After entering your vault password, you'll see a message telling you your data will be exported as an encrypted ZIP file.

You'll then be prompted to create a password for this file, and you'll need to enter it to access your data.

It's important to enter a secure password as, once unlocked, all your exported data will be visible. Once you've created and entered your password, you'll have the option to choose the export destination – I exported my data to Files on iPhone.

Once exported, you can navigate to your chosen destination, enter your password, and view your exported data.

From here, you can either leave the data as it is, or import it to another password manager. I'll talk you through how to import your data into another password manager later on.

Exporting via desktop

Although ExpressKeys is a mobile-first app, it has a browser extension too. If you don't already have this installed, head to the Chrome Store and install it. You'll have to enter your login details to access your vault.

Exporting via desktop is a similar process to mobile. Once logged in, you'll be greeted by a dashboard which lists all your login details.

To start exporting, click the Options tab in the top right, then click Settings. In Settings, scroll down to Data, and click Export data as CSV.

You'll be asked to enter your primary password – this should be the same as your vault password on mobile. Once entered, you'll be able to export your data by clicking Export Password Data.

Unlike mobile, you're not prompted to enter a password to protect this data, and it doesn't appear to be encrypted as standard. You should therefore be extra vigilant over where you're exporting the file and who might be able to access it – we wouldn't recommend exporting passwords on a shared or work computer.

After clicking export, and choosing your destination, you should receive a message saying your password data was exported successfully.

Like mobile, the file will contain all your details in full, meaning they can be read by anyone. So take extra care when opening it.

Importing to another password manager

If you've gone to the trouble of exporting your data from ExpressKeys, you'll likely want to import it to another password manager.

There are plenty of good options out there, but for this example we're looking at two password managers linked to two of the best VPNs – Proton Pass and NordPass, from the teams behind Proton VPN and NordVPN respectively.

I opened the mobile apps of both password managers, navigated to settings, and selected the option to import my data. However, I found that both prompted me to use a web page to import my data, and I couldn't easily import via mobile.

This was a slight pain and is the main reason I'd recommend exporting via desktop.

NordPass is included in NordVPN Plus plans and above, with prices starting at $3.59 per month. It's also available as a standalone plan. Proton Pass comes as part of the Proton Unlimited plan, which costs $9.99 per month and also includes Proton VPN. It's available as a standalone plan, and you can access a limited version for free.

With NordPass, once logged in, you'll see a range of options to add password data. Alongside creating details from scratch, you can import from a browser, password manager, or spreadsheet.

To import your CSV file, click Import from spreadsheet. You can then select the file and click import.

However, when importing my data, NordPass only imported my email and password, not my secure note or credit card information. The app supports both secure notes and credit cards, so I'm not sure why these didn't transfer over as well. In contrast, Proton Pass allowed me to import all three pieces of data.

After importing, my data was stored in both apps and ready to access.

Despite a few quirks, exporting your password data from ExpressKeys, and importing it to another password manager, is a relatively easy process. Exporting via mobile is more secure, but exporting via desktop makes importing more straightforward.

No matter which app you choose, we recommend signing up to an alternative password manager if you're a legacy ExpressKeys user – or resubscribing to ExpressVPN. Having secure complex passwords is crucial for protecting your accounts and data, and using a password manager allows you to generate and store your information with ease.

We test and review VPN services in the context of legal recreational uses. For example:1. Accessing a service from another country (subject to the terms and conditions of that service).2. Protecting your online security and strengthening your online privacy when abroad.We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

Keeping track of dozens of passwords is a hassle, which is why more and more people are relying on one of the best password managers to do the heavy lifting instead. However, your digital vault is only as secure as your ability to spot a scam. That’s the hard lesson LastPass users are facing after the popular password manager was hit with a convincing phishing scam after a recent holiday weekend in the U.S.

As reported by BleepingComputer, LastPass has issued a warning about a new phishing campaign in which cybercriminals are impersonating the company to encourage users to create a local backup of their vaults and all of the passwords stored inside them.

What’s so dangerous about backing up your passwords? Well, clicking on a button within the email takes unsuspecting users to a phishing site designed to steal their logins and potentially even the master passwords to their vaults.

Here’s everything you need to know about this new phishing scam, along with some tips and tricks to help keep your accounts and passwords safe, even if you don’t use a password manager.

From backup to account takeover

This new phishing campaign starts with a malicious email in your inbox that looks and reads like it comes from LastPass itself. However, that couldn’t be further from the truth as the hackers behind this campaign have gone to great lengths to impersonate the popular password manager.

In a blog post, LastPass explains that the campaign began on January 19 and that the phishing emails came from senders with addresses like “support@lastpass[.]server8” and “support@sr22vegas[.]com”. Besides these less-than-legitimate-looking email addresses, the following subject lines accompanied these malicious messages:

• LastPass Infrastructure Update: Secure Your Vault Now
• Your Data, Your Protection: Create a Backup Before Maintenance
• Don't Miss Out: Backup Your Vault Before Maintenance
• Important: LastPass Maintenance & Your Vault Security
• Protect Your Passwords: Backup Your Vault (24-Hour Window)

The scam emails themselves create a sense of urgency by explaining that, due to scheduled maintenance, a backup is recommended. If you’ve used a password manager before, you know how important it is to have your passwords backed up just in case you’re unable to access them, which helps make this campaign appear more legitimate. However, as the company explains in its blog post: “Please be advised that LastPass is NOT asking customers to back up their vaults in the next 24 hours.”

Still, a late-night email sent after a long holiday weekend is enough to convince some people to take action, and that’s just what the hackers who launched this attack are hoping. Towards the bottom of these emails, there’s a button that reads “Create Backup Now.”

Instead of actually creating a local backup of a LastPass user’s passwords, clicking it takes them to a hacker-created phishing site where their password manager credentials are waiting to be harvested. Fortunately, the phishing site — mail-lastpass[.]com — is now offline according to BleepingComputer.

How to keep your passwords and accounts safe

Although the very reason one decides to use a password manager in the first place is to keep their logins safe, you still need to be careful when using passwords. This is the reason many companies are now offering users the option to log in using a passkey instead.

Unlike with passwords, passkeys can’t be guessed or cracked, and they’re tied back to a device you already own, like your phone. That way, a hacker would need both the public and private keys for your password and your phone to gain access to your account. However, while the private key is stored securely on your device, the service you’re using your passkey with holds the public key. The two will never be together except when you log in using a trusted device, which makes them almost impossible to crack.

If you’re worried about putting all of your passwords in one basket with a password manager, I’d recommend using multiple services or even not using a password manager to store your most critical passwords, like the ones for your banking or financial accounts. Another important thing to remember is to keep your master password safe when using one. Don’t write it down on a Post-it note or save it in a document on your computer. Instead, this is the one password you’ll still need to have memorized to unlock access to the rest of your credentials.

In the campaign detailed above, keeping a level head and not letting your emotions get the best of you is the easiest way to stay safe. When you see an urgent warning in your inbox, it’s easy to let your guard down. However, instead of doing that, you should stop, take a moment and ask yourself if this seems real.

Does this particular company often communicate with you this way? From there, you need to inspect email addresses, URLs and everything else with a close eye. One good trick is to hover over links first before clicking on them and to be really careful, copy the link and then paste it into a document or somewhere else so that you can thoroughly inspect it before heading to that site.

Although the best antivirus software can help protect you against malware and other viruses, in this case, the best identity theft protection is a better investment. With one of these services, you can get your identity back if it’s stolen as well as recover any funds lost to fraud as a result of a hacker gaining access to your credentials and the online accounts they’re associated with.

As one of the biggest players in the password manager business, LastPass has been targeted before and this likely won’t be the last time. As such, it’s up to you to practice good cyber hygiene and always think before you click.

More from Tom's Guide

• Fake Chrome extension ‘breaks’ your computer before it hits you with malware — how to stay safe
• Even if you hate Liquid Glass, you shouldn't skip updating to iOS 26 for the sake of your iPhone
• Kaiser Permanente reaches $46 million settlement over data breach — how to file your claim

How do you keep track of your passwords? Unless you answered with: a password manager, then you may have a less than secure method for signing into your accounts. Hackers love lazy, reused, breached and just plain bad passwords because it makes their job – breaking into and taking over your accounts – so much easier.

It's no secret that the problem with passwords is: people. People are the ones creating this issue by using terrible passwords which is why so many companies are switching over to better systems (like passkeys).

Since the first way to fix any issue is to identify the problem, let's own up to it. If people are the problem, they can also be the solution.

How bad passwords create risk

This year one of the biggest news stories was the heist at the Lourve, which revealed a security system that was riddled with issues – including that it had 'Lourve' as its password. We'd like to say that's the worst we've ever heard but in a world where the most common passwords of 2024 were “123456” “111111” “ADMIN” and “qwerty”, that's actually far from surprising.

According to research from SpyCloud, more than 140 million people had their passwords exposed in 2024. That same report points out that more than 70% of people also reuse passwords, which means that those stolen passwords allow bad actors to access multiple accounts putting a lot more personal data at risk.

Solution: Password managers

We recommend using one of the best password managers, over and over again, because of how many benefits there are to doing so – and that's in addition to the convenience of not having to keep track of the 168 passwords you probably have. That's right, according to research from NordPass, 168 is the average number of passwords for most people.

The other good reasons for using a password manager is that doing so cuts down on the kind of lazy, bad password habits that make passwords so easy to crack. Namely, password reuse and short, easy to remember passwords.

A password manager creates strong and unique passwords with long strings of multiple upper and lower case characters as well as numbers and symbols that are unique to each account. It remembers them so there's seamless synced across all your devices, and because a password manager won't recognize a mimic or look-a-like site it can also protect against phishing.

Solution: Multi-factor authentication

If you don't use two-factor authentication, here’s a brief run-down: Two-factor, or multi-factor, authentication is a secondary method that involves verifying access into your accounts in a way that makes it more difficult for hackers to emulate.

This can be via a static passcode, an SMS message, a phone call or even a USB-based security key. Most online sites or apps are set up so that you can easily enable this extra layer of security. The only drawback is that it will require a few extra minutes to get done initially — and it means an extra step when logging in. However, there's a significant security benefit.

Two-factor authentication, 2FA, is extremely effective. In 2022, Google said that rolling out 2FA had shown a 50% decrease in account takeovers. And according to CISA (Cybersecurity and Infrastructure Agency) and research from Microsoft, multi-factor authentication shuts down 99% of automated hacking attempts.

Setting up 2FA isn't complicated: When you log in, using your username and password as usual, you enter in a code you receive on your smartphone via email or text message. Sometimes though, you’ll need to open an app to receive the code. When you return to log in, you enter in the code and then can access to your account.

This makes it very difficult for anyone else to get into your account, since they won’t be able to get both the password and code. A hacker getting access to your password – be it cracked, stolen or purchased – isn't so unusual, but when you receive the prompt that lets you know someone is requesting access to your account, you have time to switch your password, lock your account or run a scan with the best antivirus software.

Solution: Passkeys

Since their introduction just a few years ago, passkeys are now being widely adopted as the preferred — and more secure — method of accessing an account. Both Microsoft Authenticator and Dropbox Passwords announced they would close this year with Microsoft in particular switching users to a passkey login.

Passkeys are a passwordless login used in place of traditional passwords. This is preferred as a more secure options since each passkey is a unique digital key that can’t be reused. Passkeys are kept in an encrypted format on your device, instead of on a company's servers, making them safe in the event of a data breach too.

You don't have to remember a password, and you can use your own smartphone or laptop. Passkeys are built on the WebAuthentication or WebAuthn standard, which uses public-key cryptography to better secure your accounts. Passkeys also can’t be stolen in phishing attacks.

Cybercriminals and hackers often use phishing or social engineering as a way to gain access to someone’s username and password in order to steal their accounts. With passkeys, though, you have a private and public key and while the public key stays on a company’s servers, the private key remains on your device and can’t be easily stolen.

If you opt to set up a passkey, you will be asked to confirm your account log in, then an authenticator to use a secondary form of verification to access your password, like your face or fingerprints. That's the private key stored on your device. When it comes time to login, the site's server sends a request to the authenticator which asks for your "private key" like your face ID or fingerprint. When it matches, you're able to access your account, the process usually happens quite quickly after the initial setup.

Taking back control

By putting the advice above into good use, you can finally say goodbye to the security concerns and anxiety that comes from using insecure passwords. This will take some time and effort on your part, but trust me, it's worth it.

More from Tom's Guide

• I’m a security editor and this is how I create strong passwords that are also easy to remember
• The best password managers in 2025
• What are passkeys? Everything you need to know about the death of passwords

On December 3, 2025, Russia blocked popular US gaming platform Roblox, accusing it of supplying extremist materials and promoting LGBTQ propaganda. The communications watchdog Roskomnadzor believes the platform spreads inappropriate content that could stunt the moral and spiritual development of children.

This is a common claim any time an online platform is blocked in Russia. Still, Russian Roblox fans aren’t ready to accept their fate just yet, sending many to seek the best VPNs that can unblock the platform.

Extremist materials

Russia frequently uses claims of "extremist propaganda" as a reason for outright bans, throttling, and temporary blocks on gaming and social media platforms. The country heavily throttled and blocked chat platforms like WhatsApp and Telegram earlier this year, and then rolled out Max. Max is Russia’s state-integrated solution to mainstream video and chat services.

A government push to use Max has officials making it a prerequisite for civil servants and students, even going as far as to threaten job loss or expulsion if the app isn’t installed.

Russia isn’t the first country to block the game, though – Iraq and Turkey have also placed a ban on Roblox, citing concerns that predators could use the game to lure and abuse children.

Children at risk

Protecting children online is important, but some argue that moderating children's activity within the Roblox universe may be more sensible than an outright ban. It is salient to note that Roblox is not solely a child's game.

The online platform hosts millions of user-generated games and social experiences for adults, such as virtual coffee shops and other meeting places. It even has its own game creation software (Roblox Studio), which allows users to create and publish games using virtual currency (Robux).

For the most part, it claims to do its due diligence in trying to keep children from accessing adult-themed content. The game implements safety measures based on user age that restrict access to certain tools and games.

The platform's website further details what is and isn’t accessible within a certain age range under Safety by Age. In the Safety section of Roblox’s website, there’s also information about other topics such as parental controls, transparency practices, and safety tools and policies.

It is also notable that Roblox does come under the remit of Australia's upcoming Online Safety Amendment – legislation that is intended to protect under-16s from inappropriate content on social media.

A spike in Roblox VPN searches

It is unsurprising that fans of the online gaming platform are looking to VPNs for help navigating around the block. In the last few hours, we have seen a considerable traffic increase to the Tom's Guide Roblox VPN page, with almost all traffic coming from Yandex users in Russia. As of yet, it is unclear whether using a VPN will allow access to Roblox in Russia.

Notably, the Russian government is considering an outright ban on VPN apps in app stores. This has not yet been implemented, but VPNs may well be under threat in the country.

At Tom's Guide, we stress to our readers to only use reputable, verified VPNs. Many free VPNs in both the Apple App Store and the Google Play Store are unsafe to use. Instead, we recommend VPNs that we have tested and reviewed, and have verified as safe. Examples include NordVPN, Surfshark, and ExpressVPN.

We test and review VPN services in the context of legal recreational uses. For example:1. Accessing a service from another country (subject to the terms and conditions of that service).2. Protecting your online security and strengthening your online privacy when abroad.We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

On Wednesday, December 10, 2025, Australia will enforce its blockbuster social media ban – officially titled "Online Safety Amendment (Social Media Minimum Age) Act 2024."

This legislation aims to stop children under the age of 16 from accessing a wide range of social media applications, including Facebook, Instagram, TikTok, YouTube, and Reddit. The ban is the first of its kind to come into effect, although countries such as Denmark, Norway, and France are also considering similar measures.

The bill was passed in November 2024, and states that tech companies that do not take "reasonable steps" to enforce the bill will face fines of up to AU$49.5m (US$32m). Controversially, however, each individual platform will decide how it verifies a user's age, rather than using a centralized system.

The Online Safety Amendment addresses the widely held belief that children's lives are negatively impacted by social media, and that it can impact socialization, self-image, and physical activity, and also make children vulnerable to predators.

However, privacy and internet freedom advocates claim that its implementation may do more harm than good, and that these platforms may become even more harmful for those children that manage to circumvent the ban with tech like VPNs.

What platforms are affected?

Almost all major social media platforms come under the remit of the bill, although gaming platforms and apps are currently unaffected.

This is currently the full list of apps affected:

• Facebook
• Instagram
• TikTok
• Snapchat
• X
• YouTube
• Reddit
• Twitch
• Kick
• Threads

Notable platforms that are unaffected include Discord, WhatsApp, Messenger, and YouTube Kids. Some social media platforms like LinkedIn and BlueSky have been omitted due to being either low risk, low usage in Australia, or being of less perceived interest to children.

However, as reported in the Guardian, this is a "dynamic list," and if the exodus from one app sees a considerable uptake of another, there is scope for that app to be banned as well.

How will the ban be enforced?

It's unclear exactly how the ban will be enforced, although independent government regulator eSafety states that the methods used need to "meet the regulatory requirements and respect privacy laws and digital rights."

The details are made even more woolly due to the fact that each platform is free to decide exactly how it verifies the age of its users. However, most apps have already sent notifications to most users suspected of being under 16. For these users, methods used to verify age will likely include facial scans, government IDs, and bank account information.

Interestingly, Meta is kicking things off early, and on December 4, users it estimates to be under 16 will be blocked. Appeals can be made, in the form of an age-verification check performed by dedicated age-verification software Yoti. However, as reported by ABC Australia, facial recognition checks are less effective at determining the age of people under 16, and are also less effective for people from an Indigenous or south-east Asian background.

Snap, owner of Snapchat, will use "behavioural signals based on account activity" to estimate ages of users, and will use ConnectID and K-ID to perform any check necessary. Both ConnectID and K-ID are private companies.

Other platforms have been less clear about the methods they intend to use, and we may have to wait until December 10 to get a clearer picture.

What does this mean for people over 16?

eSafety's guidelines state that it "does not expect a platform to make every account holder go through an age check process if it has other accurate data indicating the user is 16 or older.

"For example, if someone has had an account since Facebook started in Australia in 2006, Meta could reasonably assume they are older than 16 so no further check is needed."

However, if your account has been flagged but you're over 16, you will need to verify your age. As mentioned above, each platform will have a different method of doing this. Expect facial scans to be a common option, alongside uploading official identification documents like driving licences or passports.

What are the downsides?

Despite the fact that the Online Safety Amendment's intention is good – the protection of children online is paramount – privacy advocates have raised very similar concerns to those associated with the UK's Online Safety Act.

Primarily, this revolves around the mandatory sharing of personal details and documentation, alongside linking a real identity with your account, but also includes concerns over the potential rise of phishing scams.

If you're a user of all the affected apps, it's quite possible that you will be required to send your personal details to five or six different third-party companies to verify your age. If even one of these stores your information after verification and is hacked or compromised in the future, your personal data is at risk.

What's more, YouTube has claimed that these measures will make its platform less safe for teens. It stated that parents will "lose their ability to supervise their teen or tween's account," and that the "rushed regulation that misunderstands our platform and the way young Australians use it."

A rise in risky VPNs

VPNs are often seen as a quick and easy way to circumvent internet restrictions, and it's likely that VPN use will spike when the social media ban comes into force. However, eSafety states in its guidelines that social media platforms are "expected to try to stop under-16s from using VPNs to pretend to be outside Australia."

It's important to note that many fake VPNs exist, and a considerable amount of free VPNs on app stores have very poor privacy credentials. Most will do more harm than good. This is why we rigorously test VPNs, focusing on privacy, logging policies, and general performance. In a landscape where there are so many risky options, being informed is essential.

We rate NordVPN as the best VPN, closely followed by Surfshark and ExpressVPN. All three are safe to use, have been fully audited to prove they do not log your personal data, and have servers in dozens of countries around the world.

We test and review VPN services in the context of legal recreational uses. For example:1. Accessing a service from another country (subject to the terms and conditions of that service).2. Protecting your online security and strengthening your online privacy when abroad.We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

It's been almost a month since the brazen robbery at the Louvre where $101 million worth of jewelry was stolen in broad daylight. And while four suspects have since been arrested, the focus has now fallen on the weakness of the museum's security systems which had apparently gone unaddressed for long periods of time.

Multiple publications including Cybernews and Tom's Hardware cite the French publication Libération as a source, via machine translation, regarding the details of a 2017 security audit from the ANSSI (French National Agency for the Security of Information Systems). The audit stated that the threat of an attack with "potentially dramatic consequences could no longer be ignored."

Additionally, a museum curator was quoted as saying “What I can testify to is that the Louvre’s management was fully aware of the … not of the weakness, but of the need to have a fresh look at the security system of the entire museum.”

The longstanding weaknesses of the system include using an outdated version of operating systems on the museums computers, not having enough video surveillance coverage of the massive museum itself, and perhaps most often noted by news stories, having "LOUVRE" as the password to the video surveillance system.

The last example is perhaps least surprising given how bad most passwords are – which is exactly why many companies are moving away from them altogether.

According to CompariTech which released a report on Thursday, "123456" is the worst password of the year (for at least the second year in a row). More than 7.61 million accounts leaked on a data breach forum this year had “123456” as their password.

This year's list of most uses/worst passwords are all, well, terrible. In addition to "123456" the top ten include "admin," "password," and "1234." Passwords are already on their way out, as many companies from Google to Microsoft move to the more secure passkey technology, and this report proves that the adoption of a more secure method is essential as users will simply default to the easiest or laziest option instead of taking time to properly secure their accounts.

Here are three ways you can make your home more secure than the now infamous Louvre, starting with your password.

1. Don't use your name as your password

In 2014 the password to the museum’s video surveillance systems’s was the name of the museum itself – LOUVRE – the same audit showed that another system built by defense and cybersecurity company Thales, used THALES to access credentials. It's unclear whether or not these were default passwords that were left in place, or if they were purposefully chosen as the secure passwords for the organization.

However, either way, I think that in the year of our internet 2025 we should all be able to do better than our own names, our spouse's names, kids names or pets names as passwords. I can literally come up with three better passwords right now off the top of my head: PurpleMonkeyDishwasher. ArianaGrandestarsinWicked. Fridayisthelastdayintheweek.

All of those are phrases, contain more than twelve characters and aren't easily associated with anything that could be brute force guessed about my life. That makes them much harder to crack.

CTO at Dashlane, Frederic Rivain, was quoted by Cybernews suggesting that companies make better passwords by using one of the best password managers, by enabling multi-factor authentication or by switching to passkeys. And I recommend that advice for private individuals as well.

2. Update your operating system

Whether you manually update your computer's operating system regularly, or automate it, making sure that you're running the most up-to-date patches and updates against all the most recent malware, spyware, infostealers and ransomware.

According to reports, the Louvre's automated network was using computers equipped with Windows 2000. Support for Windows 2000 ended in 2010 which means that the museum's computers were not receiving any updates, patches or protections against any current malware. They systems were vulnerable to all manner of viruses or threats; according to the Libération, the museum was still running the outdating operating systems as late as 2021.

3. invest in well placed cameras

The Louvre is epically huge, at over 652,000 square feet, and according to a 2024 report 61% of it had no CCTV coverage. Covering that area is a daunting task, however, since it's unlikely that you have to deal with 37 hectares, it'll be a lot easier to get decent coverage with smart home security cameras if you start with the right areas.

First, cover your front entrance, then make sure that the most frequently used entrances have coverage. Sometimes that might be a back door, garage door or side door.

Next, make sure a camera is watching your garage and/or driveway – garages are common break in points both because they often contain expensive goodies like bicycles or tools and because they're harder to watch and hear as they’re often separate or removed from a home.

Last, put a camera up watching the backyard, deck or patio so you have a wide field of view over back entrances, as well as fences, gates, sheds, children playing or even wildlife passing through.

Make sure you’re avoiding low mounts on fences, which could get stolen, anything that faces a neighbors property and cameras pointed at a window (which will only reflect back).

How to make better passwords

If you must use a password, and insist upon not using one of the best password managers or a passkey, here are some tips to make sure you can create your own unique, strong passwords.

Make your password a phrase, and use at least twelve characters. The longer the password, the longer it will take to crack; CompariTech showed that nearly 66% of stolen passwords had less than twelve characters. Use a combination of upper and lowercase letters, numbers and characters.

Change your passwords frequently, especially for high profile accounts like banking, email or social media. If you're concerned about a password that may have been involved in a leak or breach, you can check it in the Cybernews Password Leak Check. Also, if you'd like to see how secure a password is, you can check it out beforehand in the Nordpass How Secure is My Password site.

More from Tom's Guide

• The best password managers in 2025
• I ditched my passwords for passkeys on these 3 popular services — and it took me less than 10 minutes
• The 3 best places to put a home security camera — and the 3 worst

Over 100 password managers and software solutions are being impersonated by a new malware campaign targeting macOS users to steal their personal information. As reported by Bleeping Computer, the popular password manager LastPass has already started warning users about this malicious software that is being spread through fake GitHub repositories.

Besides impersonating LastPass, this campaign is also pretending to be other password managers and software solutions including 1Password, Dropbox, Gemini, Audacity, Adobe After Effects, and SentinelOne, among more than 100 others. It's using these fake repositories to spread the Atomic macOS Stealer, also known as AMOS, which is an info-stealing malware often used in ClickFix style attacks. AMOS is a malware-as-a-service offering that can be bought by hackers and other cybercriminals for roughly $1,000/month on the dark web and typically targets the data stored on vulnerable computers.

The developers of this malware also recently added a backdoor component which gives them persistent and stealthy access to compromised systems. A large number of these deceptive GitHub repositories have been created from multiple accounts in order to optimize them to rank high in search results and to evade detection. LastPass has reported the fake repositories to GitHub but since it's easy to recreate new ones through automation from new accounts, even if they're taken down, new fraudulent ones could pop up just as quickly.

As ClickFix style attacks, the repositories feature a ‘download;' button that directs users to a secondary website where they are instructed to paste a command into the terminal to perform an installation of what seems to be legitimate software but is in actuality malware. The “ClickFix’ method takes advantage of a target not fully understanding what the commands are doing on their system; in this case the command is performing a curl request to a base64-encoded URL which then downloads an AMOS payload to the /tmp directory.

How to stay safe from ClickFix malware attacks

In order to stay safe from ClickFix style attacks, the most important thing you need to know is not to run commands on your system, especially when you don't understand them. Additionally, when looking for software online, its recommended to only trust official app stores like the Mac App Store or vendor websites while avoiding offshoots. If there isn’t a macOS version of a particular piece of software available on a company's official site, be extra wary when you find a third-party site or in this case, a GitHub page, suggesting there is one.

If you do come across a macOS port of a program you're interested in, you should ensure that it comes from a reputable source that has been vetted by the community first. Still, you are installing it at your own risk, so when in doubt, it's best to wait for an official port.

It also never hurts to have strong protections when online – one of the best antivirus software solutions can keep your Windows PCs protected while the best Mac antivirus software is specifically designed for your Apple computer. These paid solutions also provide you with plenty of extra useful features like web browsers that warn you about suspicious websites and downloads, ransomware rollback, a VPN, and more.

For those who are really worried about getting hacked or having their bank accounts drained by cybercriminals, you can't go wrong with the best identity theft protection services for even more protection. However, you'll need to sign up before a cyberattack or major security incident to take full advantage of the identity theft insurance and other protections these services offer.

ClickFix style attacks have been quite successful recently and until the general public learns to recognize and avoid them, hackers are going to keep using them in their malware campaigns. That's why it's up to you to practice good cyber hygiene and most importantly, to always be careful where you click and what you download.

More from Tom's Guide

• FBI warns hackers are impersonating crime reporting sites to steal your personal data — here’s how to tell
• Google will let you use passkeys automatically in Chrome - here's how you can switch
• Hackers are now using deepfakes in phishing scams to fool banking apps and steal your money - how to stay safe

Like many other services lately, Google is working on testing automated switching from passwords to passkeys in Chrome. Windows Report first spotted the flag hidden in the Canary build of Chrome which can automatically convert saved passwords into passkeys when a user is logged into a site or service.

The process doesn’t require any prompts or interaction from the user but will run automatically in the background once enabled. When you access a website and log in using a saved username and password, a passkey will automatically be created as long as the site in question supports it. This is supposed to happen invisibly, making the switchover easy for the user. Currently, the system in Chrome prompts users to adopt passkeys instead of passwords and requires confirmation after the prompt.

Passkeys are much safer than passwords because passwords can be easily guessed via either phishing or brute force attacks, are stored on third-party servers and are often reused or created in an insecure fashion in the first place. However, if you're not quite ready to switch to passkeys and plan to continue using passwords, make sure that you're using one of the best password managers to keep them as secure as possible.

How to turn on passkeys in Chrome

In order to turn on this new automatic passkey upgrade feature in Chrome, you first need to be running the experimental version of Google's browser, Chrome Canary. To do so, head to the Chrome Canary site and then download and install it on your computer.

It's worth noting that Canary is Google's most experimental and unstable version of Chrome, so you might run into some hiccups and other minor issues. However, it could be worth it if you want to test out the search giant's bleeding-edge features first.

With that out of the way, you then need to go to Chrome's Experiments page in your browser. This is done by typing "chrome://flags" into your address bar if you want to see all of the experimental features available in Chrome Canary. However, if you want to get right to the chase and start having Chrome convert your passwords to passkeys automatically, you can just enter "chrome://flags/#web-authentication-passkey-upgrade" instead.

Once you find this new experimental feature (either by searching for it or going directly to it with the URL above), you'll need to toggle it on. From there, restart Chrome Canary and then head to Google Password Manager to enable automatic passkey upgrades. And that's it, sites that support passkeys that you log into using Google Password Manager to autofill your credentials will now automatically convert your passwords to passkeys with Chrome's help.

If you don't want to go through the trouble of setting up Chrome Canary, then you'll just need to wait for this experimental feature to come to a stable version of Chrome. As big passkey enthusiasts ourselves, we'll be looking out for this change and will update this story once this useful new feature becomes more widely available.

More from Tom's Guide

• New hacker tool can inject AI-generated deepfakes right into your iPhone — everything you need to know
• Nearly 200,000 people hit in New York Blood Center data breach — names, IDs, SSNs and more exposed
• Google just fixed a major Chrome zero-day flaw — update your browser right now

I don't really spend much time mulling over the contents of our best password manager page, and the various options that are recommended. However it does not surprise me in the slightest that Google's password manager is not on that list.

It's not that it's particularly bad at its job, but it is an absolute pain to deal with most of the time. Thankfully it seems that the launch of the Pixel 10, and various Android 16 upgrades that coincide with it, may have fixed one of the most glaring issues.

Unfortunately I don't think it goes far enough, and Google should steal some of Apple Passwords' ideas instead.

The problem with Google password manager

The big issue with Google's password manager over the years is that it was buried in a maze of menus across various Google platforms. Especially on Android where you had to delve into various Google account settings to see what's there and to access the information on offer.

Admittedly, I can kind of understand what Google was going for with this system. The goal seems to be that Google wanted a password system that worked autonomously, using autofill to enter passwords for you whenever they're needed.

This later changed when Google let you add a password shortcut to your Android home screen. Though, this too required you to dive further into the settings to find that particular option. By this point I had more or less given up on the idea of Google Passwords by that point anyway. It may have been free, but it always felt like such a chore to actually use that I ended up paying for a competitor.

While I'm only paying somewhere around $1.50 a month for my current password manager (NordPass), the fact I'm paying for a premium password manager when a free one was available is, admittedly, pretty dumb. But that's the state of what Google's password manager was at the time.

Now, though, Google seems to have fixed this issue by turning the password manager into its own app (of sorts).

The fix so far

As spotted by 9to5Google, Google Password Manager now exists as its own thing on the Play Store, letting you download it to a bunch of Android phones — if not all of them. You literally just need to head over there on your phone and tap install, and Google Password Manager will exist in app form on your phone.

Of course, the only difference between this "app" and the old shortcut option is the process of acquiring them. They go to exactly the same place, and offer the same access to your Google-stored passwords. It's just that one comes from Google Play and the other one involves some serious menu navigation.

The added benefit of it being a Play app also means that Google could enforce a rule that requires Android phone makers to include the password manager out of the box. Much like it does with apps like Google Docs and Maps. That should make password managers a little more accessible on Android, since there's no actual effort required to get them. So long as users actually set up and save complex passwords instead of using the same password for every single account they own.

Of course the fact the Google Password Manager hasn't changed, despite now being an official Play Store app, is problematic in itself. Because we've already seen that other free password managers can offer a whole lot more than simply securing your login details.

Google needs to follow Apple's lead

I have been extremely impressed by the Apple Password Manager, which launched last year alongside iOS 18. Not because it solved the outstanding issue of accessing the iCloud Password Keychain more easily, or that it was freely available to all Apple device users. It was the fact that Apple turned it into more than just an ordinary password manager.

It's not just a place to store login details or passkeys. It's also home to ever-changing authenticator codes and Wi-Fi passwords, while also altering you if any of your details have been detected in data breaches. It is your single go-to place for all things security.

Google offers these things too. The latter is part of the existing Password Manager, and the Authenticator app has been a staple part of my phone for well over a decade. But the fact that Apple has merged all these things so they're available in a single location, and locked it behind biometric security by default, means it's a heck of a lot more convenient — and has that extra feeling of security.

Is putting everything together in a single spot a good idea? I have no idea, to be honest. There's also the fact Apple Passwords lacks the ability to store secure notes, documents and contacts — something all good password managers offer. But the fact that everything can be accessed in a single spot is very helpful, and it makes it all the more likely people will take advantage of that. Especially since it's free, and works across all your devices.

Matching what Apple does with Apple Passwords should be next on Google's list of priorities. Then it can focus on surpassing that, and gunning for the dedicated password managers. Because the sooner I can downgrade my Nord subscription to just the VPN, the happier I will be.

More from Tom's Guide

• Your Samsung Galaxy phone comes with a hidden Easy Mode — here's how to activate it
• I’ve now held the Pixel 10 Pro Fold and Galaxy Z Fold 7 — and there’s a clear winner
• Android finally steals the ability to undo texts from iMessage — and it's rolling out now

More from Tom's Guide

• Popular Chrome VPN extension caught secretly spying on users — uninstall it right now
• Over 2 billion Gmail users at risk following database hack — how to stay safe
• FBI issues warning to all smartphone users — this dangerous new scam could be at your door

A petition calling for the UK government to repeal the Online Safety Act has topped 450,000 signatures.

It's unlikely it will have a significant impact on the government's stance, but it shows the level of backlash ministers are facing over the law.

The goal of the legislation is an honorable one – to protect children and vulnerable internet users from consuming "explicit content" by introducing age verification checks.

But these checks require sharing sensitive personal data with third-party companies, and people are understandably cautious about doing this.

The best VPNs have seen a huge spike in demand in the UK as people search for ways to bypass age verification checks and, as well as the petition, heated debate has been taking place.

The government has said it won't repeal the Online Safety Act, but there are still a number of ways you can protect your privacy online – here are some examples.

Why do people want to protect their privacy?

Whether it's scams, hackers, malware, or data harvesting, there are countless ways our privacy and security can be exploited online.

Specifically addressing age verification checks, privacy advocates believe you shouldn't have to hand over information such as credit card details, photo ID, or selfies to sites like AgeGO or Yoti.

VPN provider IPVanish described privacy as a "fundamental right," and "not something to be traded for access."

There are serious security concerns, and many cybersecurity experts cited these as their reason for opposing age verification checks.

Centralized databases full of highly sensitive data will be created. They'd be a gold mine and prime target for hackers and should they be breached, the consequences would be catastrophic.

Obscura VPN founder Carl Dong called the law a "ticking time-bomb." He said "the question isn't if a site gets breached, but when."

This threat isn't exclusive to the Online Safety Act. Our data is valuable to big tech companies, governments, data brokers, and hackers.

Data breaches are regularly seen and the likes of Google, Meta, and Amazon profit off tracking us and our data.

But how do we start to reclaim control of this data and protect ourselves online?

The role of VPNs

Although not a silver bullet, VPNs are one of the most popular tools people use to protect their data.

When you connect to the internet through a VPN, your traffic travels through an encrypted tunnel and is protected from hackers and third-parties. Your IP address is also changed, with it being possible to appear as though you're visiting a site from another country.

Many VPNs have dedicated ad and tracker blockers, with malware protection features also common – although their effectiveness varies between VPN providers.

Scams are one of the main ways hackers can steal your data. Fake, malicious links, alongside scam texts, emails, or calls are popular methods of attack. They trick you into thinking links or sites are legitimate, but in fact they're specifically set up to steal your data.

If you fall victim to a scam, most VPNs won't be able to help you. But threat protection features are effective at warning you a link may be suspicious.

The best rule of thumb to follow is never click on anything unless you're 100% sure it's genuine.

NordVPN's Threat Protection Pro has been rated as the best VPN malware protection and is a certified anti-phishing tool. Surfshark also has an award-winning antivirus software.

Leading VPN providers offer additional security features such as Double VPN (sometimes called multihop).

Connecting to one of these dedicated servers sees your VPN traffic routed through two secure servers rather than one, doubling your layers of encryption. You may find this added protection comes at the sacrifice of speed because of the extra distance your data has to travel.

We wouldn't recommend Double VPN for everyday browsing. But if your data is particularly sensitive or you're living under internet restrictions, it's a much needed feature.

NordVPN, Surfshark, Proton VPN, and Mullvad VPN are just some of the providers to offer this option.

Although not everyone needs a VPN, there will be one to suit you. The most secure VPNs are ideal for those valuing privacy and security. If you're on a budget, consider the best cheap VPNs or even the best free VPNs.

We also have guides on the fastest VPNs and the best streaming VPNs, if all you want to do is unblock Netflix.

Review your passwords

You don't need to be a cybersecurity expert or even subscribe to a VPN to begin protecting your data online.

Weak passwords are a major cause of data breaches, for both individuals and businesses. Last year, 123456 was the world's most popular password, and many can be cracked in seconds.

People often re-use passwords. If one is included in a breach, it's highly likely hackers will get into multiple accounts belonging to you.

Complex and lengthy passwords are the solution, and the best password managers make things easy by generating and storing secure passwords for you.

Password managers can be downloaded individually but NordVPN, ExpressVPN, and Proton VPN include them in some of their VPN plans.

Follow good internet practices

How we behave online goes a long way in protecting our data.

Be mindful of what you're signing up to and accepting. Always reject cookies where possible, and always try to verify the validity of the sites you visit, messages you receive, and links you click.

We know they're long and boring, but it's important to read privacy policies to understand what data is being collected, how it's stored, and if it's shared or sold.

This is seen to be an issue with age-check services, as not all of them make this clear. If people don't trust third-parties, they won't hand their data over.

Despite the sheer amount of data collection taking place, individuals can begin to take steps to stop it. So, while the Online Safety Act is unlikely to be repealed, people can turn their attention to practical ways of protecting their data.

We test and review VPN services in the context of legal recreational uses. For example:1. Accessing a service from another country (subject to the terms and conditions of that service).2. Protecting your online security and strengthening your online privacy when abroad.We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

After just five years, it’s time to say goodbye to one of the best password managers as Dropbox Passwords is officially calling it quits.

Users of the password manager should start planning on transferring their passwords, usernames and sensitive data to other services as the company has announced the service will begin shuttering services starting on August 28, 2025 when users will no longer be able to add new passwords.

Both the mobile app and the browser extension will become read-only at this point, and the autofill function will also be deactivated on this date.

Beginning on September 11 the mobile app will stop working, though users will still have access to their information through the browser extension, and on October 28, the password manager service will be fully discontinued when both the mobile app and browser extension will have logins deleted.

The dark web monitoring tool will also be discontinued on this date. According to reporting from Android Authority, Dropbox will be permanently and securely purging all customer data from its servers.

Dropbox has stated that the decision to close the service was made so the company can focus on “enhancing other features in our core product,” and according to PCMag, they recommend migrating user data over to 1Password – even including a tool to assist users with the process.

Dropbox Password customers can also create a CSV file of all their passwords to import into any other password manager of their choice by clicking Preferences > Account > Export then selecting > Export to confirm that you want all of your data downloaded as a CSV file. The mobile app offers a similar process, simply use the settings icon, then select Export twice to confirm the download.

When you’ve found a new password manager, there should be an import option that allows for CSV files.

More from Tom's Guide

• Microsoft Authenticator is going to delete your passwords on Friday — what to do right now
• The top 3 cybersecurity risks posed by the Online Safety Act and age verification
• The best password managers in 2025

Microsoft Authenticator users who have not yet made plans to switch to a new method are running out of time: The app will stop storing, managing, saving and auto-filling passwords this Friday, August 1.

Microsoft has been sending out messages for weeks indicating its plan to move to a passkey method; as of June, users were no longer able to add passwords, and as of July, the autofill function was shuttered. Starting in August, users will be unable to access their saved passwords unless they have ported them over to Microsoft Edge.

However, as CNET reports, the passkey method is widely accepted as the next step toward a much more secure option — passwords can be easily guessed via either phishing or brute force, are stored on servers and are often reused or created in an insecure fashion in the first place.

Alternatively, passkeys like a fingerprint or facial recognition, are only available on a personal device and don’t need to be remembered. Users don’t have to use a password manager to keep track of dozens of unique, strong passwords for each account.

The Microsoft Authenticator app has been providing secure sign-ins for mobile accounts that require multi-factor authentication, such as push notifications, password-less logins, time-based one-time passwords or biometric-based confirmation. It let users sign into Microsoft accounts using a PIN, facial recognition (such as Windows Hello) or other biometric data like fingerprints.

Microsoft's support page explains that saved passwords (not generated password history) are securely synced to your Microsoft account, so users can continue to access them and use the autofill functionality with Edge.

What to do to switch to a passkey

More from Tom's Guide

• Microsoft Authenticator will shut off the password autofill feature in July — here’s how to save them
• Millions hit in quishing attacks as malicious QR codes surge — how to stay safe
• The best password managers in 2025

I have a confession to make: I used to reuse passwords.

It’s the number one security sin, but this was over a decade ago and I didn't know about the best password managers yet. This was a huge mistake. And with news that researchers just uncovered a database of 16 billion records, including passwords and other sensitive data, this could be a problem for you, too.

Details are scarce — we don't know where the data came from or who is behind it — but the most important thing is try and look past the feelings of anxiety, and take practical steps to improve your security, and I should know; I've been hacked before.

In 2013, Adobe was hacked and the attackers got a list of 153 million usernames and passwords. These passwords weren’t encrypted which allowed people to read them — they were stored in plaintext — so once the list was out, attackers had all they needed to target unfortunate Adobe users like me.

It was a stressful time and given that your email account houses some of your most sensitive information, once they had access to that account, they could reset your passwords to lock you out of other websites and services too. But I kicked them out and learned pretty quickly how to protect myself from then on.

More than a decade later, there are still attackers trying to get into my account, but there’s an important difference — they can’t now. So, now feels like the perfect moment to share how I learnt from my mistakes and how you can easily improve your security to stop the same thing happening to you.

How to protect your accounts: in short

1. Don't reuse passwords
2. Enable Two-Factor Authentication
3. Delete unused accounts
4. Sign up to Have I Been Pwned
5. Start fresh

1. Don’t reuse passwords

Okay, you’ve probably already guessed this one from earlier in the story, but one of the major issues I had when the Adobe hack happened was I was using the same password on multiple sites. So it was pretty easy for the attackers to use credential stuffing and break into my other accounts too.

Like others, the reason I did this is because there are a lot of passwords to remember! I obviously didn’t want to get locked out of an account, and password reset forms aren’t always that reliable, so I decided that the best course of action was a simple, easy to remember password I could use on all sites.

I thought it was secure as it has numbers, capital letters and symbols. It wasn’t quite as risky as using “password” or “passw0rd,” but it wasn’t far off.

The best way to avoid this issue is to use a password manager like 1Password or Proton Pass (my preferred option). These store all your credentials in one place securely and can generate long, complex passwords for you to use, but never need to remember.

Most have apps for your browser, computer and smartphone too, so you always have access to your passwords.

• Data breaches used to be big news because they rarely happened. But with this new leak, which could be new or repackaged from older hacks, and with more automated or AI-based tools at the hacker's disposal, it's getting even quicker and easier for them to try these details on all of your accounts.

2. Enable Two-Factor Authentication

One of the reasons attackers can get into some accounts so easily is that once they have your username and password, they can just sign in as if they’re you. But what if you had a unique token to show that you are really you, and without it, someone can’t access your account?

That’s the idea behind two-factor authentication (2FA). If you haven’t used this on your personal accounts, you may have done at work. It comes in various forms, but the most common are six-digit codes generated by an app or sent to your phone by SMS.

Requiring one of these codes along with your login details shows that not only do you know the username and password, but you have a known physical item with you that helps to verify it’s really you trying to log in.

This is one of the most effective ways to cut attackers off from your accounts, even if your passwords gets leaked. After I set this up for my Microsoft account (using the free Authy app on my smartphone), hackers kept trying to get into my account, but they never can. It’s an easy way to shore up your defences.

I only know this, though, because Microsoft has a really useful Account Activity page which shows when and where sign in attempts come from and whether they were successful.

If you want even more security for your online accounts, you may also want to consider using a physical security key instead.

3. Delete unused accounts

There’s not really a lot to say on this one: if you don’t use an account anymore, delete it. It’s good to have a cleanup from time to time, and getting rid of old or dormant accounts means less clutter and fewer opportunities for your data to go awry.

Not every site gives you an easy “Delete account” button, but if you head to the company’s privacy policy (usually linked in the footer at the bottom of a website), you can find a privacy contact and send an email to request they delete your data.

Plus, in the years since I was hacked, authorities around the world have strengthened privacy regulations, so in many places, there’s now a legal obligation for the business to comply with your request. This is why you can do things like delete your Google account so easily these days.

4. Get notifications from Have I Been Pwned

Yes, Have I Been Pwned is a strange name for a security website (pwn is hacker slag for gaining unauthorized access), but it is easy one of the best free security resources for protecting your accounts. Troy Hunt, the man behind the site, collates data from hacks and can send you alerts when your account is involved.

This is how I would later find out my details were leaked in the MyFitnessPal, NetGalley, LinkedIn and Last.fm breaches, alongside many, many more — usually random sites I had no memory of even signing up to (and had probably stored my details for at least a decade without my realizing).

It’s easy to use and gives you a very early heads up when you need to change passwords on a hacked account. Hacked data can be messy and difficult to verify, so if you want to check if a specific password has been compromised, there’s a searchable Pwned Passwords database too.

As things stand right now, Have I Been Pwned hasn't loaded this database into its system (the researchers said the data was only exposed briefly, so it's not publicly accessible, and HIBP does thorough verification checks before adding any breach).

• You can perform a manual check of your email address on Have I Been Pwned, but I recommend using the Notify Me service to get an email notification as soon as a hack includes your details.

5. Consider a clean start

By the time hackers were knocking at my virtual door, I’d used my Hotmail email account for almost 15 years. It had built up a long history, and now it was a target, I decided it was time for a fresh start. That’s when I switched from Outlook to Gmail, and more recently, to Proton Mail (which we rate as the best email service for security).

It was a lot of work — I won’t lie to you about that. Going through every account that I had, changing the email address, creating a new password, and setting up 2FA was a big time suck. But it was worth it. My current address has only been involved in one leak (thanks, Twitter), and so there’s less of my data floating around.

Plus, starting from scratch meant that I could make more deliberate security choices. I became more mindful which services I chose to sign up to, where I put my details and how I protected the account. I rarely use my actual phone number unless I have to, and I make sure I opt out of marketing lists.

These aren’t fool-proof techniques that’ll keep your account secure forever; your data is at the mercy of whichever company controls the account. But it does mean I’ve had fewer security issues, I don’t need to worry that someone will get into my account (as they can’t) and I barely get any spam emails now too.

• While it's always a good idea to get rid of unused email subscriptions, risks that way lie too. Some email unsubscribe links direct you to a malicious page to either steal data or download malware. Instead, click the "Unsubscribe from newsletter" buttons that your email provider puts at the top of the email.

More from Tom's Guide

• New AT&T data leak links previously exposed info to Social Security numbers, birth dates
• Meta called out for tracking Android users across the web without their consent — what you need to know
• Microsoft Authenticator will shut off the password autofill feature in July — here’s how to save them

Microsoft users who have been taking advantage of the Authenticator app and its password autofill feature have this month to save their passwords and find a new solution for managing them.

As reported by Bleeping Computer, the app has begun issuing a full-screen banner notification to alert users that the password autofill feature will be deprecated next month. The warning also recommends that users transfer their saved passwords to Microsoft Edge to continue using the autofill feature.

What does the Microsoft Authenticator app do?

The Microsoft Authenticator app has been providing secure sign-ins for mobile accounts that require multi-factor authentication, such as push notifications, password-less logins, time-based one-time passwords or biometric-based confirmation.

However, it is now being shuttered and users are being encouraged to either switch their passwords over to Microsoft’s browser or export their saved passwords before the end of the month.

Microsoft is making the switch a bit easier by including a button at the bottom of the notification window that says “Turn on Edge,” which can be clicked (in iOS) to bring users to the AutoFill & Passwords setting menu, where Edge can be enabled as a password autofill provider.

The notification also links to a Microsoft support page that provides additional information and a timeline of how the deprecation will proceed.

Starting this month, June 2025, users will no longer be able to save any new passwords in Authenticator. During the next month, July 2025, users will no longer be able to use autofill with Authenticator. Then, from August 2025 onward, saved passwords will no longer be accessible in Authenticator.

The linked Microsoft support page explains that saved passwords (not generated password history) are securely synced to your Microsoft account, so users can continue to access them and use the autofill functionality with Edge. To use generated passwords, users can save them from the Generator history by accessing them from the password tab in their saved passwords.

Suppose you don’t wish to use Microsoft Edge. In that case, you can go into the Microsoft Authenticator settings and export the passwords into a CSV file, so they can be imported into a different program.

More from Tom's Guide

• It’s time to stop believing these lies about antivirus software
• More than 184 million passwords exposed in massive data breach — Apple, Google, Microsoft and more
• This new Defendnot trojan can get Windows to disable its own antivirus software

Apple Passwords is the standalone password management app for Apple Account users, an upgrade from the existing iCloud Keychain password feature. Passwords looks and feels more like other premium password managers on the market, though its primary use case is saving and filling usernames and passwords for website accounts across your Apple devices. This makes it a solid choice for users in the Apple ecosystem, especially those who are either new to password management or who want an app that’s integrated into the operating system.

Passwords is free and built in for those running newer versions of Apple’s OSes (iOS 18, iPadOS 18, macOS Sequoia, and visionOS 2 and up) and syncs as long as you are logged into your Apple Account. Both of these facts further lower the barrier to entry for getting started with password management using Apple Passwords.

While it doesn’t cost anything, downloads automatically upon upgrade, and is easy to learn, Apple Passwords can’t fully compete with most third-party password managers, which offer much greater functionality and multi-platform compatibility. Here’s how it stacks up against the best password managers you can get today.

Apple Passwords: Costs and what's covered

Apple Passwords is a free app for anyone running the operating systems that support it: iOS 18, iPadOS 18, macOS Sequoia, and visionOS 2 (and up). Windows users can access their passwords in Google Chrome or Microsoft Edge via iCloud for Windows. There are no features that require a paid subscription or premium upgrade.

Passwords does basic password management: saving, storing, and filling logins, passkeys, one-time verification codes, and Wi-Fi networks. The app also includes security monitoring, which lets you know if your credentials have been detected in a data breach, and password health reports for weak or easily guessed credentials. At the time of writing, Passwords lacks some features commonly offered by other password managers, such as the ability to save and fill credit cards and identities or store text or files. That said, because Passwords is connected to an Apple Account, there are a few standouts wrapped in, like account recovery options and the ability to add a legacy contact who can access your data (including your passwords) after your death.

I tested Passwords using a 2020 MacBook Air running macOS 15.0.1 Sequoia and an iPhone 15 Pro running iOS 18.0.1 as well as in both Chrome and Safari.

Apple Passwords: Setup

The Passwords app is automatically downloaded when you upgrade to the versions of Apple’s software that support it and will sync across your devices if you’re logged into your Apple Account and have Passwords turned on in your iCloud settings—to do this, go to Settings > [Your name] > iCloud > Passwords and make sure Sync this [device] is toggled on.

When you open the app for the first time on your desktop, you’ll see a series of prompts that guide you through importing passwords, installing a browser extension, and allowing notifications. (If you need to return to the setup process at any point, go to Help > Welcome to Passwords.)

If you have logins already saved in iCloud Keychain, those will auto-populate in the Passwords app. Alternatively, you can import en masse or add individual logins. At the time of writing, Apple Passwords allows imports only via CSV, so if you’re currently using another password manager, you’ll need to download your data in that format in order to add it to Passwords. No other file types or direct imports are currently supported.

Setup on mobile looks very similar. Simply launch the Passwords app and go through the prompts for enabling autofill and notifications. Both apps are unlocked via your enabled biometrics (Face ID or Touch ID) by default but can also be accessed on desktop using your system password. Changes to my vault synced quickly across my devices.

PC users who have iCloud for Windows can also access and manage their passwords in the iCloud Passwords app and browser extensions for Chrome or Edge. To set this up, open iCloud for Windows, click the arrow next to Passwords and Keychain, and turn on Passwords & Keychain. Follow the onscreen prompts to install the appropriate browser extension.

Apple Passwords: Desktop

The Passwords app on desktop has a simple interface with three vertical panes. The far left has icons for website logins (“all”), passkeys, verification codes, Wi-Fi networks, security recommendations, and deleted items. Click on a category to open up the full list of saved items in the middle pane, and click on an individual item to open its details in the right pane.

You can add new usernames/passwords using the plus sign in the “All” tab or new MFA codes using the plus sign in the “Codes” tab. The only information you can include in an item is the username, password, and text notes. Passwords does not have different record types like credit cards, identities, or other types of forms.

In the Wi-Fi tab, you can view all of the networks you have accessed and saved. There are options to share network credentials via Messages, Notes, or other apps and to forget networks. Note that sharing logins is only possible via AirDrop or if you set up a group and add trusted contacts. That said, password sharing is unlimited.

To add a group, tap the plus sign next to Shared Groups on the left pane. You’ll assign a name to the group and add members from your contacts. To receive an invite, contacts must have a device running at least macOS 14, iOS 17, or iPadOS 17.

The security pane shows items that have passwords detected in data breaches as those that are weak or can be easily guessed. There’s an option to change the password, which links you directly to the website to update your credentials—this is a feature offered by a few other password managers (such as 1Password) but not all.

It’s also worth noting that, deleted items remain available for 30 days before being permanently deleted.

Passwords autofill integrates seamlessly with Safari—saved credentials will pop up to select when you tap a form field.

To use form filling with Chrome, you have to add and log into the iCloud Passwords extension, which autofills via iCloud Keychain. You can also add a mini version of Passwords to your Mac menu via Passwords Settings > Show Passwords in Menu Bar.

Apple Passwords: Mobile

The mobile version of Passwords looks and functions just like the macOS app, which makes navigation simple. The main page has the six category icons as well as the option to create groups for securely sharing data with trusted contacts. There’s a search bar at the top and a plus sign in the bottom right corner for adding new passwords. You can also set up new verification codes by tapping the icon followed by the plus sign.

To autofill saved logins from Passwords on apps and mobile browsers, make sure it is enabled in your device settings (Settings > General > Autofill & Passwords) if you didn’t do so the first time you opened the app. Apple allows you to have autofill turned on for both Passwords and another third-party password manager at the same time, and you can select which vault you’d like to access when filling credentials. Generating and saving new passwords and auto-filling existing ones worked well in testing on my iPhone, as did passkey usage.

Passwords on iOS has the same security alerts, MFA support, and sharing options found on the desktop app. One other handy point of consistency is the ability to update compromised passwords directly from the Passwords app.

Apple Passwords: Security

Apple Passwords and Keychain are encrypted end-to-end, meaning your data is only accessible on your device when you are logged into your Apple Account, using AES-256-GCM. Your Apple Account is protected behind two-factor authentication, which requires a verification code each time you sign in on a new device or on the web. (Go to Settings > [Your name] > Sign-In & Security on your device to ensure 2FA is enabled for your account.) If you lose access to your Apple Account, you’ll need to go through one of several recovery options in order to regain it.

Biometric unlock for your Passwords vault is available via Face ID, Touch ID, and Optic ID if enabled on your device.

Apple Passwords: Passkeys

Apple Passwords supports creating and saving passkeys, which are stored in iCloud Keychain and sync across any device where you are signed in with your Apple Account. When you use a passkey, you can opt to log in with biometrics, a QR code from a camera-enabled device, or an external security key like YubiKey. Authentication worked smoothly in Safari, Chrome, and apps on both my devices.

Apple Passwords: Verdict

Apple’s Passwords app is a solid upgrade to iCloud Keychain password management. Its user interface is similar to other premium password managers—allowing you to better view, organize, and update your data—and the convenience of a free, built-in app is hard to beat.

That said, Passwords is relatively simple in terms of functionality: while it lets users create, save, and autofill logins with ease, it doesn’t have any particularly unique features. It also has limited crossover with Windows and no integration with Android or Linux, so it’s really for users who exist primarily in the Apple ecosystem (on newer OS versions) and those who want basic password management that runs primarily in the background. If you already use a fully featured, third-party password manager, Passwords probably won’t completely replace it.

Just when you thought all of the fallout from the LastPass hack back in 2022 was over, hackers have now used stolen data from that incident to launch a series of attacks on users of the popular password manager.

In case you’re in need of a refresher, back in 2022, LastPass fell victim to multiple hacks in which its source code, API tokens, MFA seeds and keys were stolen from customers. With all of this valuable data in hand, hackers then launched a series of attacks in which they went after users’ crypto. Up until this point, LastPass was considered one of the best password managers and came highly recommended.

Then in October of 2023, $4.7 million in cryptocurrency was stolen and then in February of this year, an additional $6.4 million in digital currencies was drained from the accounts of LastPass users.

Now though, as reported by The Block, hackers with LastPass data have stolen yet another $5.36 million from over 40 different crypto wallet addresses of its users. This was discovered by the blockchain expert ZachXBT who claimed in a Telegram post that these new attacks are just the latest fallout from the one that took place two years ago.

In his post, ZachXBT explains that after this $5.36 million in crypto was stolen, the hackers then swapped these funds for Ethereum and proceeded to transfer them to various instant exchanges while converting them into Bitcoin.

Unfortunately with cryptocurrency, there’s really nothing at all victims can do to restore these stolen funds. This is why it’s recommended that you use a hardware wallet to store your crypto instead of a digital one or worse, keeping your crypto on an exchange where you don’t control the private keys.

In a statement to Tom's Guide, LastPass' CTO and CSO Christofer Hoff provided further insight on these crypto thefts, saying:

“A year has passed since initial claims surfaced alleging a link between certain cryptocurrency thefts and the 2022 LastPass security incidents. In that time, LastPass has investigated these claims and to date is not aware of any conclusive evidence that directly connects these crypto thefts to LastPass. Because we take any claims regarding the security of LastPass and our customers seriously, we continue to invite any security researchers who believe they may have evidence to contact the LastPass Threat Intelligence team at securitydisclosure@lastpass.com.”

How to stay safe after a major security incident

Once you find out a service you use has been hacked, you need to take action immediately if you want to avoid getting caught up in the fallout yourself. This means changing your passwords and potentially placing a credit freeze or fraud alert on your financial accounts if they could be at risk.

In the case of a password manager like LastPass though, you want to change your master password which lets you access all of the other passwords and data you have stored with the service. Your master password is protected by strong end-to-end encryption and other safeguards, but you can never be too careful.

ZachXBT also pointed out in his post that the reason so many crypto accounts were attacked using stolen LastPass data is due to the fact that some users might have relied on the service to store their seed phrases or keys. If you’re unfamiliar with crypto, these are what are used to regain access to your account — and your money — when you forget your password.

Seed phrases and keys can be tricky though since storing them online in something like one of the best cloud storage services might seem like a good idea as doing so is convenient. In reality though, this is a terrible idea and one of the best places to store your seed phrase is offline in a safe or even in a safety deposit box. That way, if your other accounts get hacked, it won’t be accessible. Another thing to keep in mind is that under no circumstance whatsoever should you ever share your seed phrase with anyone, especially online.

So let’s say you switched to Dashlane, NordPass or another password manager after 2022’s LastPass breach. Even then, if you have compromised passwords and especially if you reuse them, your accounts could still be at risk. This is why you want to break the password reuse cycle and instead, use a strong and unique password for each of your online accounts. If you have trouble coming up with passwords on your own, a password generator can help make secure ones for you and most password managers include this feature though, there are also free password generators available online.

The cybercriminals behind 2022’s LastPass hack have milked that attack for all its worth but the fact that we’re still seeing that stolen data used in new attacks today might mean that they’re not quite done yet. Only time will tell but by practicing good cyber hygiene and online habits, you should be able to stay safe. If worse comes to worst though, it might also be worth investing in one of the best identity theft protection services as they can help you recover stolen funds (and your identity) more quickly after a crisis.

More from Tom's Guide

• Over 900,000 Americans just had their personal and health info exposed in medical data breach
• What are passkeys? Everything you need to know about the death of passwords
• I’m a security expert — here’s my top 3 tips for protecting your accounts on World Password Day

How secure is your password? For many, the answer will be not very. Research from NordPass, developed by the team behind one of the best VPNs, NordVPN, has revealed the top 200 most common passwords for the last year, across 44 countries. This is the sixth edition of the research, with this year's instalment being the first to reveal both personal and corporate password data.

Globally, "123456" is the most common, with over 3 million uses. Add "789" onto the end of that and you get the second most common password, used by 1.6 million people. Almost half of the world's most common passwords this year are made of the easiest keyboard combinations of numbers and letters, with "qwerty", and its many variations, occupying top 20 spots.

Countries in common?

The US stands alone as "secret" tops the list here, a password not found amongst American's top choices last year. The word "password" can now be considered one of the most common and enduring passwords – year after year it ranks near the top of every country's list. In the US, it is the third most-used password, and it's number one in the UK and Australia.

The study found that 78% of the world's most common passwords can be cracked in less than a second. Compared to last year (70%), the situation is getting worse. Experts have repeatedly urged internet users to make their passwords stronger but many have seemingly misunderstood the assignment.

The popularity of "qwerty" has been challenged by the similarly weak "qwerty123", now the most common password in Canada, Lithuania, the Netherlands, Finland, and Norway. In the US, this password made a huge jump this year, breaking into the top five.

Is this just a personal problem?

This year's edition of the research also examined corporate password usage. You may, or may not, be surprised to know that 40% of the most common passwords used among individuals and business representatives are the same.

There are some interesting differences however. Default passwords such as "newmember" or "admin" are more commonly used for business accounts. Passwords presumably created for new users, and meant for changing, such as "newpass" or "temppass", often get leaked because people are not big fans of changing their passwords.

"No matter if I wear a suit and tie at work or I'm scrolling through social media in my pyjamas, I am still the same person. This means that regardless of the setting I am in, my password choices are influenced by the same criteria – usually convenience, personal experiences, or cultural surroundings", says Karolis Arbaciauskas, head of business product at NordPass.

"Businesses ignoring these considerations and leaving password management in their employees' hands risk both their company's and client's security online."

Password overload

According to previous research by NordPass, a single internet user has an average of 168 passwords for personal use and 87 passwords for work use. Managing this load is simply too complicated for most and experts say it's only natural for people to create weak passwords and reuse them.

However, weak passwords created by company employees serve hackers because with brute-force, dictionary, or similar large-scale attacks, they can gain easy access to the company's IT systems. Another common scenario sees hackers break into the company using leaked personal credentials of an employee just because they used the same passwords for both personal and work accounts.

Improving your passwords

If you are worried about the strength of your password, there's no need to panic. You can very quickly improve your personal security in a few steps.

The first, and easiest step, is simply to create longer, more complex passwords. Passwords should be as long as possible, at least 20 characters long, and be a random combination of letters, numbers, and special characters. A longer password can do wonders and is a simple change. Alternatively, you can use a passphrase, which is a long string of random words.

A second easy step is never reusing passwords. Each of your accounts should have a unique password because if one account gets stolen, hackers can use the same credentials for other accounts.

These are quick and easy steps you take to instantly boost your account security. If you want to go further and have some money to spare, there are a number of password solutions available. One of these is using a password manager. Password managers allow you to easily and securely store all your passwords in one place. Autofill features mean you never have to remember passwords and many of the best password managers will generate, and remember, secure, complex passwords for you.

You can also set up 2-factor authentication (2FA), which adds an additional layer of security to your account. If your password is compromised, 2FA prevents hackers accessing your account. 2FA alerts often come to your phone and you have to approve the login before your account can be accessed.

NordVPN's plus plan includes its password manager NordPass, as well as Threat Protection Pro, Nord's cybersecurity monitoring tool, which scans for data leaks and protects against malware and phishing threats. One of the best beginner VPNs, ExpressVPN, includes its ExpressVPN Keys in its plan. The team behind one of the most secure VPNs, Proton VPN, also offers a password manager. Proton Pass is focused on privacy, and is included in the Proton Unlimited plan.

Switching to passkeys is another option. Passkeys are considered the most promising alternative to replace passwords for good. Most modern online service providers, including Google, Microsoft, and Apple, offer passkey support.

Businesses can adopt password policies in their organisations, setting up 2FA and rules for employees to protect their information. Human error is still a huge cause of cybercrime, so following these steps, and changing your password behaviour can go a long way in protecting yourself online.

Proton Pass, the password management tool from the developers behind digital security services Proton VPN and Proton Mail, is a solid platform that does all of the basics with some unique premium features. In addition to everything you expect from your password manager, Proton Pass offers dark web monitoring, hide-my-email aliases, offline access, and passkey support for mobile apps and browser extensions.

Proton Pass’s paid plans cost more than similar password managers like 1Password, NordPass, and Keeper unless you buy an annual subscription—at the time of writing, this discounts the price below most competitors to just under $24 for an individual and $48 for a family of up to six. Proton Pass also offers an excellent free tier that syncs unlimited credentials across unlimited devices with access to password health reports and up to 10 email aliases.

Navigating Proton can be somewhat confusing at first, and not all features are available across all platforms at this time. However, the company releases updates frequently, so it is catching up with other more established password managers. My Proton Pass review will help you decide if this is the best password manager for you or if you’d be better off going with another service instead.

Proton Pass review: Costs and what's covered

Proton has two paid tiers and a free version of its password manager. Pass Plus is $59.98 per year for an individual user, and Pass Family, which launched in October 2024, costs $83.88 for up to six user accounts. Proton does offer deals on its annual plans though.

Proton Pass is also included with a subscription to Proton Unlimited ($119.88 with an annual plan discount), which comprises the company’s full premium product suite: Proton Pass, Proton Mail, Proton Calendar, and Proton Drive. Proton Duo and Proton Family are essentially Proton Unlimited for up to two users and six users, respectively.

At full price, or when paid month-to-month, Proton Pass is more expensive than most other paid password managers, which charge around $35 per year for a single user. Dashlane is the most comparable in its cost—also $60 per year, though with no discount for annual billing—and feature set, but Dashlane’s premium bundle includes unlimited VPN service.

That said, Proton Pass’s free tier is solid, and Pass Plus and Pass Family are also a great value when paid annually. Proton also offers a 30-day refund policy.

Proton Free includes the essentials of password management: unlimited logins across unlimited devices, password auto filling, passkey support, and basic password health alerts. Free users also get 10 hide-my-email aliases for creating new online accounts. This tier does not come with credit card storage or secure item sharing, features that require a paid subscription to access.

If you upgrade to Pass Plus, you get more granular vault organization and sharing options, unlimited credit cards and hide-my-email aliases, integrated two-factor authentication, the ability to view changes to and previous versions of stored items, and dark web monitoring via Pass Monitor. Your subscription also includes Proton Sentinel, which provides security alerts such as suspicious login attempts.

Pass Family is six Pass Plus accounts bundled together. Each user has their own login and private vaults but can also join shared vaults, and up to two accounts can be designated as admins. With an annual subscription, Pass Family is a good deal with all of the premium features included. For comparison, though, the six-person family plan at Bitwarden is just $40.

Proton Pass supports Windows 10 and up, macOS 13 and up, and most major Linux distributions. Chrome OS is supported via the Android app. Browser extensions are available for Chrome, Firefox, Safari, Brave, and Edge, and there are mobile apps for iOS (16.0 or later) and Android (8.1 and up).

I tested Proton Pass using a 2020 MacBook Air running macOS 12.7.6 Monterey, an iPhone 15 Pro running iOS 17.6.1 and Google Chrome.

Proton Pass review: Setup

Setting up and navigating Proton Pass can be a bit confusing at first, as the password manager is just one of the apps available when you sign up for Proton. You’ll need to create a universal Proton account, which can be used to access any of the tools in the Proton suite, with your email (or a new encrypted Proton address) and a strong password and then enter the verification code and choose a display name. You can then select which Proton app you want to go to—in this case, Proton Pass.

Note that the main Proton dashboard, where most of your global account settings are stored, can be accessed via account.proton.me. It looks like it’s specific to Proton Pass, but you need to use the app switcher to actually go to your vault or any of the other Proton services. This global dashboard is where you can download Proton Pass desktop apps and extensions (though the macOS version wasn’t listed, so I had to go to the support page to find it).

The Proton Pass web app and vault, meanwhile, is located at pass.proton.me. From here, you can adjust Proton Pass-specific settings, such as adding a secondary password if you want another layer of protection for your vault. You’ll also be prompted to install and log into the appropriate browser extension if you haven’t already.

Proton Pass allows you to add individual logins, credit cards, identities, email aliases, and secure notes to your vault, as well as import from a number of other password managers and browsers or CSV upload. Imports are available on the web and desktop apps as well as browser extensions. The browser extension, mobile app, and web app synced almost immediately as I added logins to my desktop vault.

To use Proton Pass on mobile, you’ll log in using your Proton credentials and extra password, if you created one. You can also set up an extra password in the mobile app, though account settings are somewhat buried. Go to the Profile tab, tap the arrow next to your username, and tap the three vertical dots to select Manage account. There is also a separate app settings menu on the main Profile tab. To enable biometrics or a PIN code, tap Unlock with and select the option you want.

Proton Pass review: Desktop

Proton Pass is available on desktop via a web-based vault, a browser extension, and a standalone app. The interface looks nearly identical across all three so you can navigate easily from one to another. The desktop app is nice to have, but you can use nearly all of Proton Pass’s functionality in your browser with the extension and access to your web vault.

The desktop and web apps have a left-justified menu to switch between vaults, which you can use to organize stored items, and your trash folder—items remain here until permanently deleted. You can also sort vault items and pin those that are frequently used so they are always visible underneath the search bar at the top of the vault.

To view or edit an individual vault item, select it from the list to open it. Proton Pass shows each item’s history, including when it was created, updated, and autofilled. In addition to importing data (under Settings > Import) from other password managers, you can manually add items or generate passwords using the plus button in the top-right corner. You can also generate secure links to share credentials, which can be set to expire after a certain time period or number of views.

Further down the menu are your secure link list, Pass Monitor, vault lock, and various Proton Pass settings. Remember that global Proton settings can only be changed from your account dashboard, which will open in a new browser window.

Pass Monitor shows you weak and reused passwords—also visible in each item listing—and items that have inactive 2FA. Unlike some other password managers, Proton Pass does not link directly to websites to update credentials. If you have Pass Plus or Pass Family, you can also set up dark web monitoring for your email address to receive alerts if any associated personal information is found in a data breach.

The browser extension looks very similar to the desktop and web interface, with the main menu accessible by clicking the Proton icon in the upper-left corner. While most features are available within the extension, a few—like Pass Monitor—will redirect you to the web app.

Like most other password managers, enabling the browser extension allows auto-filling from your vault. Click the Proton icon in form fields to select and fill saved credentials, credit cards, and identities (or pause autofill for that domain). If you log in using a username and password that isn’t saved in your vault, you’ll see a pop-up menu prompting you to add it.

Proton Pass will generate and auto-suggest passwords for new accounts, and you can adjust the settings from the pop-up to meet specific website strength requirements. Proton offers hide-my-email aliases for both free and paid users, which can be set up from the browser extension when creating a new account. The browser extension also has full sharing functionality: tap the share button on an individual item to generate a secure link, and select Secure links from the home menu to view the full list.

Proton allows you to keep apps unlocked or enable auto-lock with access via PIN code, password, or biometrics (enabled under Settings > Security) on desktop. The web app can be opened via password or PIN code, while browser extensions accept only PIN codes when locked.

Finally, Proton Pass offers an offline mode for paid subscribers, which allows you to store and access your vault items locally. This can be enabled or disabled in your web or desktop app settings by entering your Proton password.

Proton Pass review: Mobile apps

The Proton Pass mobile app looks similar to the desktop versions but is navigated differently. The main tab shows all vault items by default—including pinned items—and can be sorted alphabetically or by recent or frequent use using the three vertical dots in the top-right corner.

The bottom toolbar has tabs for creating new vault items and accessing Pass Monitor and your profile, where you’ll find settings (including biometric unlock) and your securely shared links. As we noted in the setup process, settings are spread across multiple screens and menus, so it may take some exploration to find what you need.

To use autofill on apps and mobile browsers, select Proton Pass as your primary password manager in your phone’s settings. Autofill worked smoothly in testing, as did creating and saving a new login (with and without a hide-my-email alias) and generating a password directly from a browser window. There is passkey support and an integrated 2FA authenticator, and secure link sharing is also available on mobile.

Proton Pass review: Security

Proton Pass uses strong AES-256 encryption and is zero-knowledge, meaning your data are accessible only to you when you enter your password. The platform’s code is open source for anyone to review for security holes, and Proton was independently audited by a third-party security firm in 2023.

Proton has multi-factor authentication for your global account with time-based one-time passwords (TOTPs) via authenticator apps as well as U2F or FIDO2 hardware keys, such as YubiKey. You’ll also need to download and securely store recovery codes so you can access your account even if you lose your MFA device.

Proton also offers numerous options for both account and data recovery, which you can set up on your global dashboard. You can reset your password via email, phone number, a recovery phrase, or an encrypted backup keychain in your browser’s web storage. You can also set up a recovery phrase, file, or a trusted device to regain access to your email and other encrypted files in Proton. If you don’t enable account recovery, you may not be able to access your account if you lose your password.

Proton Pass supports biometric vault logins via Face ID and Touch ID on iOS and macOS as well as Windows Hello, but at the time of writing, biometric unlock is not available on Android devices.

Proton Pass review: Passkeys

Proton Pass supports passkey creation on Android 14 and later, iOS 17 and later, and browser extensions with the ability to store, share, and export across all platforms. If you create a new login for a site on which a passkey is available—or with an existing credential via a website or app’s settings—Proton Pass will prompt you to save it in your vault. Next time you log in using Proton Pass, you’ll see a pop-up with the option to fill your passkey instead of your password.

Unlike traditional usernames and passwords, passkeys rely on the authentication (usually via biometrics) of a public key with a private one stored in your password manager. They are more secure because the private keys are not kept anywhere that is accessible or at risk in a data breach. In testing, creating and filling passkeys worked well on both desktop browsers and mobile browsers and apps.

Proton Pass review: Verdict

Though newer on the password management scene, Proton Pass offers features like comprehensive security monitoring and passkey support that put it on par with already established tools like 1Password, Keeper, and NordPass — plus extras like hide-my-email aliases and integrated 2FA authentication. It may be especially worth considering if you already use other Proton apps (or plan to in the future): Similar to Nord, your global Proton account allows you to integrate VPN service and encrypted email and storage under one login.

Proton Pass is a great value if you purchase an annual subscription—under $24 at the time of this review—and you can try all of the basics before you buy on Proton’s free tier. The free plan is a solid Bitwarden competitor, with no limits on the number of passwords or devices like those imposed by Dashlane, LastPass, and even NordPass.

Note that Proton is still developing its password manager, so not all features have been rolled out across all platforms, and while the interface is simple and consistent, navigating it can feel clunky at times.

Google’s Password Manager just got a crucial update that could help it take on the new Apple Passwords app that launched with iOS 18 and the best password managers — the ability to sync passkeys across devices and platforms.

Previously Passkeys were restricted to Google’s Android Password Manager, meaning you could only access them on your phone. Desktops, Chromebooks and even the Chrome app on iPhones were completely cut off from those passkeys unless you went through a convoluted process of scanning a special QR code. 

Let's be honest, that's the exact opposite of convenient — which is one of the key benefits of using passkeys in the first place. Thankfully, this update changes this, and allows passkeys to sync across Google Password Manager on all devices. Windows, Mac, Linux and Android for the time being, with ChromeOS currently going through beta testing. 

iOS support is supposedly in the works too, though Google has only said that it will be “coming soon” with no clear timeline.

But cross-platform syncing isn’t all that’s changing. Google’s adding a new six-digit PIN to passkeys, which you’ll need to enter when you start using a passkey on a brand new device. So even if hackers have managed to gain access to your Google account, they won’t be able to use those passkeys to access other online accounts. So long as you don’t use obvious PINs like 123456 or leave it lying around for anyone to find.

Google’s really been pushing passkeys in recent months, even making them the default sign-in option to try and push users away from passwords. With good reason, too. Passkeys are more secure than simple or passwords you’ve reused over multiple accounts. 

The fact that passkeys are “passwordless” means they’re also more convenient, since you don’t have to remember different credentials, nor can they be stolen in phishing attacks. Though it relies on actually being able to access them across platforms, something Google Password Manager wasn’t very good at. Fortunately, though, that seems to have changed. 

More from Tom's Guide

• Dangerous new Android malware drains your bank accounts and completely wipes your device — how to stay safe
• New malware locks Google Chrome in kiosk mode until you enter your password — how to stay safe
• FBI issues warning over scammers impersonating banks to steal your debit cards

1Password has risen to the top of the premium password management ranks over the years with its solid user experience, full feature list, and competitive pricing. At just $35.88 annually for an individual plan, 1Password provides everything you need in a secure password manager, from core functions like autofill across unlimited devices to premium security monitoring and passkey support. 

1Password doesn’t offer a free tier like its competitors, but most of those no-cost plans come with fewer features and/or restrictions that make them difficult to use (the exceptions being Bitwarden and NordPass). Plus, 1Password has unique features like Travel Mode that lets you temporarily hide logins from prying eyes at international borders as well as the ability to restore recently deleted records. 

Finally, 1Password offers cross-platform support for its apps and extensions, making it a solid choice for Apple, Windows and Linux users alike. Our 1Password review will help you decide if this is the best password manager for you or if you’d be better off looking elsewhere.

1Password review: Costs and what's covered

1Password costs $35.88 per year for a single user and $59.88 per year for a family of up to five, and you can add additional users to the family for $1 per person per month. Unlike some of its competitors, 1Password has no free version, but it does offer a 14-day trial to new users. 

With a 1Password individual plan, you get unlimited password syncing across an unlimited number of devices, two-factor authentication, 1GB of document storage, 30-day storage of recently deleted passwords, premium support and security monitoring and alerts. The family plan includes sharing functions and account recovery for connected users who are locked out of their vaults. 

On desktop, 1Password supports macOS 10.15 Catalina or later, 64-bit versions of Windows 10 or Windows 11, Chrome OS and several Linux distributions including Ubuntu, Debian, Mint, Fedora, Red Hat Enterprise, openSUSE, Arch and CentOS. There's even a command-line interface for Windows, Mac, Linux and the Unix derivatives FreeBSD and OpenBSD.

Browser extensions are available for Chrome, Firefox and Edge on Windows, Mac and Linux, plus Brave on Windows and Mac and Safari on Mac. Opera, Vivaldi and other Chromium-based browsers can use the Chrome app. The iOS mobile app requires iOS 15.5 or later, while the Android app supports Android 9.0 and later. Finally, you can always access your vault on the web. 

I tested 1Password 8 on a 2020 MacBook Air running macOS 12.7.1 Monterey, an iPhone 15 Pro running iOS 17.1.1 and Google Chrome. 

1Password review: Setup

[1Password Create Account]

To get started with 1Password, you first need to create an account at 1Password.com. You'll have to verify your email address and create a strong master password for accessing your vault. 

During the setup process, 1Password will also generate your Emergency Kit. This is a PDF containing your vault address, email address, Secret Key (more on that below) and a place to write down your master password.

Your Emergency Kit ensures you (or someone you trust) always has the necessary information to access your 1Password account, so you should print it out and securely store at least one copy. If you need to access the Emergency Kit later, you can find it in your account profile or settings, depending on which device you're using.

Note that you can change your master password or regenerate your Secret Key—you’ll just want to be sure you update your Emergency Kit to reflect this new information. When I initially set up my account, my master password contained symbols not found on a mobile keyboard, making it impossible to type my password in to unlock the app. 

Next, download the desktop and mobile apps. You can use 1Password solely via the web vault and a browser extension, but the desktop app has biometric unlocking so you won't have to enter your master password every time you want to access your vault.

The app setup process is a little bit different depending on your device and operating system, but you'll find all app options and steps in your web vault by clicking your profile icon in the upper-right corner and clicking Get the Apps. Pairing devices is especially easy if you scan your setup (QR) code, which you'll find in your web vault or your Emergency Kit.

Once you've entered your master password on the desktop or mobile app, you can enable supported biometrics like Face ID, Touch ID, Windows Hello or face, fingerprint, or iris unlock (as well as auto-unlock using Apple Watch). On mobile, go to Settings > Security and select your biometric option. On Windows, settings are found under 1Password > Settings > Security and on macOS under 1Password > Settings > Security. You can also select how often you want the app to require your password to re-up biometric access.

Finally, grab the relevant 1Password browser extensions for quick access to your vault as well as autofill, saving and updating logins, password generation and more features in your browser.

Importing passwords works on either the web vault or the desktop app (found by tapping your name icon in the web vault or File > Import on desktop). 1Password supports imports from a handful of other password managers as well as CSV files. There are more specific import options on the web than on the desktop.

1Password review: Desktop

1Password's interface has some minor differences between the web vault and the desktop app, but the basic navigation is similar enough. There's a left-justified menu bar for toggling between different collapsible sections of your vault. On the web, this includes favorited items, record categories and tags, as well as your archive, which holds onto removed records until you permanently delete them. 

The desktop app has a category drop-down instead of listing them on the menu bar. 

When you click on a record, you can view, copy or open-and-fill the credentials. There's an edit button either in the top or bottom toolbar. To add a record, tap the plus button. 1Password has a long list of pre-built templates, including ones for passports, medical records, rewards programs and outdoor licenses such as for hunting and fishing.

The menu bar is also where you'll find Watchtower, 1Password's set of security-monitoring tools. This includes lists of your weak and reused passwords; unsecured websites (logins that are connected to http:// pages that don't use encryption); compromised or breached websites; and logins in your vault that have two-factor authentication or passkeys available that aren’t yet enabled.

You can set up 2FA for these accounts right from your 1Password vault when in the desktop app. Interestingly, I got different data about my reused and weak passwords between my web and desktop vaults.

1Password offers the option to create multiple vaults in your individual account so you can organize or share records around specific purposes or projects. For example, you could create a vault with estate-planning documents to share with a partner or spouse, or a vault specific to your social-media accounts. You always have the option to view all your vaults at once or to toggle between them.

1Password also has Psst!, a secure data-sharing service that lets you send someone who isn't a 1Password subscriber a temporary link to view data saved in your 1Password account.

So, for example, if you wanted to send your Netflix password to your brother-in-law, you could send him a link that expires after 1 day and displays the password. Links can expire after as little as one view, or last up to 30 days.

You can also create a vault specifically for trips abroad and enable a unique 1Password feature: Travel Mode. This tool hides the vaults you wouldn't want customs and border control agents to see while still allowing you to access vaults you deem safe.

The Travel Mode option can be toggled on in the web vault at 1Password.com under Profile > Manage my Private vault and toggled off once you return home.

The 1Password browser extensions have most of the features you could need: You can view your entire vault, search for records, generate and autofill passwords (just tap the plus icon) and add, view and edit items. For seamless functionality, including biometric unlock, 1Password extensions require you to run the most up-to-date version of your browser — an important security measure but one that requires frequent restarts on Chrome.

To use autofill, tap the 1Password icon in any form field and select the login you want to use. 1Password will also automatically suggest generated passwords when creating new accounts with a button to save the credential to your vault.

There's also 1Password Quick Access for Mac, Windows, and Linux, which is part of the desktop app and can be accessed via the icon in your main taskbar. This replaces the 1Password mini in previous versions and allows you to find, view, and autofill items without leaving your current app window. In order to enable the full functionality, you may need to adjust your systems’ accessibility features.

As part of a deal with webmail provider Fastmail, 1Password also offers "masked" email addresses that let you generate random Fastmail addresses when signing up for a new online service. The catch is that you have to pay for a Fastmail account, which starts at $3 per month or $36 per year (though you do get a 30-day free trial). 1Password also supports Privacy Cards, merchant-specific, single-use virtual payment cards for shopping online. You have to create and link your Privacy account, but there’s a free plan for up to 12 cards per month.

Finally, 1Password has a long list of keyboard shortcuts for its apps and extensions for faster access to features and functions.

1Password review: Mobile apps

1Password's mobile apps have been updated to include more features, including full Watchtower reports, to better reflect the desktop experience. Plus, they’re more intuitive to navigate than in previous iterations.

The main toolbar lets you toggle between your home screen — which you can customize to show tiles for your favorite or most recently or frequently used logins — as well as categories, search, and Watchtower. You can manually add records from any screen using the plus icon, and you can sort your item list by title as well as date modified, created or used.

Under Settings, now found by tapping your profile icon, you'll find options for security features like biometrics and passcodes, auto-lock timers and Watchtower functions.

You can toggle on autofill in Settings, but as with most other password-manager apps, you’ll also have to enable autofill in your phone settings. You can select 1Password as the default if you have multiple password managers plus your phone’s keychain.

Once enabled, 1Password will fill and save logins in browsers and apps from your keyboard. When login info is required, 1Password will either suggest a login (upon unlock) or launch for you to select one. It will also give you the option to create and fill a new username and password. On iOS, 1Password also has a Safari extension, though the autofill function seems smoother.

One feature I miss on the 1Password app is a password generator. This function pops up when you create or edit an existing record, but there’s no standalone tool as offered by competitor apps from Dashlane and NordPass.

1Password review: Security

Like most of its major competitors, 1Password uses AES-256 encryption to secure your data on your devices and on its servers. Only you can unlock your vault locally using your master password.

1Password adds an extra layer of security with your 34-character Secret Key, which is created and stored locally on your device and prevents hackers from accessing your data outside of your computer, tablet or phone. You do not need to remember or enter your Secret Key to get into your password vault, but you can (and should) save it in your Emergency Kit. 

1Password is also SOC 2 Type 2 certified by the Association of International Certified Professional Accountants (AICPA) to securely manage consumer data and ensure privacy. 

Two-factor authentication on 1Password is available using an authenticator app such as Authy, Microsoft Authenticator and Okta Verify or with a U2F hardware key like YubiKey or Google Titan. 

Finally, 1Password supports a handful of biometrics for unlocking your vault, including Face ID on iOS, Touch ID on iOS and macOS, Windows Hello, Linux biometrics and fingerprint, face and iris unlock on Android. You can also log into your macOS desktop app using an Apple Watch.

1Password review: Passkeys

1Password currently supports creating, saving, and signing in with passkeys through the 1Password desktop app on Mac and Windows as well as across mobile devices running iOS 17. You can view, manage and share saved passkeys on Android. Watchtower will also identify existing accounts that can be secured with a passkey and link you to create one through the desktop and mobile apps. 

Unlike passwords, which can be compromised fairly easily through data breaches, passkeys aren’t stored anywhere for malevolent actors to access. Instead, there is a credential stored on your device that nobody can access. This is called a private key.

When you need to log into a site or application, the site will use a public key to request that you authenticate this private key, typically using biometric authentication like FaceID. Once authenticated, you are able to log into the site or application just like if you had a password.

As of November 2023, the ability to unlock 1Password with a passkey — rather than managing your master password and Secret Key — is available only as a private beta for iOS users. 

1Password review: Bottom line 

1Password is a top-notch password manager that is secure, easy and intuitive to use, and priced competitively. It functions consistently across web, desktop and mobile with all the features you’d expect—including more advanced passkey support than its competitors—as well as standouts like comprehensive security monitoring with Watchtower and a Travel Mode. 

Unlike with Keeper, you don’t need to pay for add-ons to get these features, and 1Password users aren’t charged a premium for access to VPN services a la Dashlane. Your $35 per year gets you everything 1Password has to offer. 

1Password doesn’t offer any type of free plan, so if you’re looking for no-cost options, Bitwarden or NordPass may be worth considering. But we can highly recommend 1Password among paid premium options. 

LastPass has long been one of our favorite password managers thanks to its simple interface, premium features, and affordable pricing, and it’s still a solid choice at just $36 per year for individuals and $48 per year for families. 

However, other password managers have caught up with and even surpassed LastPass, which now lacks some functionality of similarly priced platforms, including passkey support—and no longer has as many unique features or an unrestricted free option comparable to Bitwarden. The LastPass interface also appears outdated alongside the likes of competitors Keeper and 1Password. Plus, LastPass has suffered a handful of security issues in recent years, which is not something you hope for in a tool meant to protect your passwords. 

Our LastPass review will help you decide if this is the best password manager for your needs or if you’d be better off choosing something else.

LastPass review: Costs and what's covered

LastPass has three plans: Free, Premium (individual) and Family. At $36 per year for an individual, the premium personal tier is in line with other similarly featured password managers, while the $48-per-year family plan (up to six users) is cheaper than those of many competitors. 

For many years, LastPass' free tier was a steal, with most of the basic features you'd want in a password manager, including unlimited syncing across all your devices. However, the company in early 2021 limited syncing to a single device type: Users on the free plan can access their vaults on mobile or on desktop, but not on both. 

Other premium, paid password managers with free tiers have similar limitations, such as the number of devices or number of passwords (or both), so LastPass does still have a leg up. But with Bitwarden offering unlimited free syncing, LastPass may no longer be the top free choice. 

That said, LastPass Free users still get to have an unlimited number of passwords, one-to-one sharing, secure notes, limited multi-factor authentication, security tools like password hygiene and dark-web monitoring and the LastPass Authenticator app.

An upgrade to LastPass Premium ($36 annually) unlocks unlimited device syncing, one-to-many sharing, advanced MFA, 1GB of file storage, emergency access, 1-to-1 support and a host of security-monitoring features. LastPass does offer a 30-day free trial so you can test out the premium features. 

The LastPass Family plan ($48 annually) has all the same features as Premium with unlimited shared folders for up to six users. 

To run the LastPass browser extensions, you must have Windows 8.1 and later or one of the most recent two versions of macOS, Linux or Chrome OS. There are browser extensions for Chrome, Firefox, Safari, Edge and Opera, desktop apps for Windows and macOS, and mobile apps for iOS (14.0 or later) and Android (9 or later). 

I reviewed LastPass on a 2020 MacBook Air running macOS 12.7.1 Monterey, an iPhone 15 Pro running iOS 17.1.1 and Google Chrome. 

LastPass review: Setup

To set up LastPass, start by creating an account on LastPass.com with your email address and a strong (and memorable) master password. 

You can also enter a password hint, although this step may be unnecessary and perhaps risky since there's also an account recovery option.

Next, you'll be prompted to install the browser extension, though you can access your web vault without doing so. There are basic extensions for major browsers, as well as universal installers for Windows and Linux, which will add full-featured "binary component" extensions to all of your browsers at once. Mac users can grab this via the "full version" Chrome extension.

These "binary" extensions, which will share your login state across browsers and automatically log you in, among other things, may be helpful if you use multiple browsers on your machine though.

Once you're logged into your web vault, you can add individual items or import them from other password managers by uploading an exported file or basic CSV. The import tool can be found under Advanced Options at the bottom of the menu bar.

LastPass has a wide range of built-in item types for passwords and payments as well as health-insurance plans, Wi-Fi credentials and instant-messenger accounts, plus completely customizable templates.

On mobile, download the LastPass app and log in with your email address and master password. On iOS, you'll be asked to enable Face ID right away (or Face Unlock on a Google Pixel) for easier access to your app, or you can turn on biometrics later (Settings > Security) if they're supported on your device.

There are also desktop apps available for both Mac and Windows. You can get the former from LastPass' download page, while the latter is available in the Microsoft store. Both are basically app versions of the web vault.

If you’re on the free plan, LastPass allows you to switch between desktop and mobile three times before locking you into a device type.

I found LastPass' help articles less straightforward and more difficult to navigate than competitors' support sites. If you're new to password management, this may be frustrating.

LastPass review: Desktop

The main way to use LastPass on the desktop is as a web vault and browser-extension combination. The online vault has a left-justified collapsible menu bar with a Home button for viewing all items and shared records, as well as tabs for passwords, notes, addresses, payment cards and bank accounts. LastPass will display items as tiles or in a list, which can be sorted alphabetically or by recent use. 

As noted above, though, you can create a range of different item types as well as customized templates. To create a new record, tap the plus sign in the lower-right corner. If you hover over the icon, you'll also see an option to create a new folder.

Further down the main menu bar are options to view your security dashboard, emergency access, account settings and advanced options (import, export, account history, deleted items and one-time passwords).

The security dashboard shows you a password-health report as well as dark-web monitoring of email addresses found in your LastPass account. Once you activate web monitoring, LastPass sets you up to receive an email alert if any of your information is found in a data breach. This service is always scanning in the background and does not need to be requested manually.

The sharing and emergency-access screens show you whom you've granted access to your individual records as well as your entire vault. Emergency access can be activated immediately or up to 30 days after a trusted contact has requested it without a response from you.

The account settings are the clunkiest part of an otherwise straightforward (if somewhat outdated) interface. This is where you can update security preferences, enable multi-factor authentication and view connected mobile devices.

The browser extension has most of the functionality of the web vault. You can view, edit and launch all of your items, add new records, generate and fill passwords, enable auto-login and see recently used credentials.

To autofill in your browser, tap the LastPass icon in the form field and select the correct login. When you need to create a password, LastPass will pop up its password generator in the form field and then ask if you want to add the credential to LastPass.

LastPass review: Mobile apps

Like the web interface, the LastPass mobile app is simple (but less dated). The navigation at the bottom of the screen is for your main vault, your security tools and your account settings. Under the vault tab, you can view all items or tap to open specific record categories.

You can also search for individual items or tap Add in the upper-right corner to create a new record using any of the same item types available on desktop. Plus, you can add attachments like photos, files and even audio recordings to a record.

In the security section, you'll find the password generator, emergency access settings, your password-strength report and the option to switch vaults (if you have multiple identities set up).

Note that while there is an option to tap and view your security dashboard, the mobile app does not actually create that report and instead tells you to go to your web vault to view it.

Finally, the settings tab is where you'll adjust security and login options, such as enabling biometrics, auto logout and account recovery. There is a "Remember Master Password" setting, which when toggled on would autofill and log you into your vault, though even LastPass notes that this is not recommended.

To enable autofill, go to your phone settings and select LastPass as your password manager. LastPass popped up automatically when I tapped the Passwords option above my keyboard in my browser so I could select the correct credentials.

You can also launch sites directly from individual records or by tapping on an item in your main vault, and LastPass will ask if you want to autofill with stored credentials. However, LastPass had a difficult time detecting and filling credit-card fields in multiple mobile browsers.

LastPass review: Security

LastPass operates using AES-256 encryption, which protects your data locally on your device and on the company's servers (and in between). LastPass does not have access to your master password or your vault content. 

LastPass is also SOC 2 Type 2 compliant according to the Association of International Certified Professional Accountants (AICPA), which means it can be trusted to securely handle consumer data, and the company undergoes regular security audits. 

All LastPass plans include two-factor authentication options for vault access. Free users can enable MFA with apps like LastPass Authenticator, Google Authenticator, Microsoft Authenticator, Duo and more. Premium subscribers can also use hardware keys like YubiKey as well as fingerprint and smart-card readers.

Finally, LastPass offers account recovery if your master password is lost. The best option is to use a one-time password on a device you've previously used with LastPass. These are generated automatically and stored locally on any device on which you've logged into the extension or web vault and are used as part of the email verification to recover your account.

Alternatively, you can recover your account via SMS or using a password hint previously set up, but neither of these processes are very secure. On mobile, you can toggle the option to use biometrics for account recovery, though anyone with a biometric profile on your device will be able to access your vault.

Note that LastPass suffered a major hack in 2022. While the company reported that no user passwords or data were compromised, the breach was one in a string of security issues for the platform.

LastPass review: Passkeys

As of November 2023, LastPass does not support creating, storing and editing passkeys in user vaults — making it the last of the major password managers to launch this feature. However, the company states that this functionality is coming soon. 

LastPass review: Bottom line 

LastPass is still worthy of consideration with its affordable price point (especially its $48-per-year family plan) and feature set consistent with other premium password managers.

However, unlike its competitors, LastPass has not evolved much visually or functionally since our last review: it has nixed some of its standout features over the years, and it now falls behind most of its competitors, including similarly priced 1Password and Keeper, on passkey support. Thanks to device restrictions, its free tier cannot keep up with the no-cost plan offered by Bitwarden and even the free plan available from NordPass is slightly less limited. 

Dashlane is perhaps the most premium of the password managers on the market, and its price point — $59.88 per year — reflects both its comprehensive features, including full passkey support, and its user experience. If you have a need for extras like a VPN service, Dashlane’s fee may be worth considering. 

However, competitors like 1Password and Keeper offer similar features for much less (around $35 per year), so it may be hard to justify the high cost of a Dashlane Premium subscription. Plus, the platform’s standout automatic password changer has been dropped since our last review. Finally, Dashlane’s heavy restrictions on its free plan have rendered it all but useless, and the company no longer offers a standard free trial, so you have to subscribe to try it out. 

Our Dashlane review will help you decide if this is the best password manager for you or if you’d be better off with something else instead.

Dashlane review: Costs and what's covered

Dashlane has two paid tiers: Premium at $59.88 per year for a single user and Friends & Family, which costs $89.88 per year for up to 10 users. While Dashlane no longer sells its mid-range Essentials tier at a price point similar to competitors (around $35), subscribers already on this plan can continue to renew it. 

There's also a free Dashlane plan, but its functionality is extremely limited — you can store just 25 passwords on a single device (reduced from 50 in November 2023). While you do get some security-monitoring capabilities and passkey functionality, free users no longer receive live customer support, and the fact that Bitwarden is fully featured makes Dashlane's no-cost offering far less appealing. 

Plus, Dashlane no longer offers a 30-day free trial for all users, so the only way to access Premium features at no cost is to refer a friend, which gets you each a six-month subscription.   

With Dashlane Premium, you get unlimited password storage and sharing, unlimited device syncing, secure notes with 1GB of secure storage, dark-web monitoring and a VPN provided by Hotspot Shield — which is where the premium price tag comes from. (To be fair, $25 per year for one of the best VPN services is a steal, since a standalone subscription is $96 annually.) The Family plan is basically Premium with up to 10 accounts.    

For most users, Dashlane no longer has a desktop app — instead, it operates primarily via a web app and browser extensions on Windows, Mac, Linux and Chrome OS as long as both the extension and browser are up to date (within the last two major versions). Extensions are available for Chrome, Firefox and Edge as well as other Chromium-based browsers like Opera and Brave. 

Note that Mac users on Safari will need both the macOS app and Safari extension, which is a component of the desktop app (all other browsers on macOS use the web app). The Safari extension requires macOS 13.0 or later. On mobile, Dashlane supports iOS 16 or later, watchOS 6.2 or later and Android 8.0 or later.

For Dashlane testing, I used a 2020 MacBook Air running macOS 12.7.1 Monterey, an iPhone 15 Pro running iOS 17.1.1 and Google Chrome. 

Dashlane review: Setup

To set up a Dashlane account, you'll need to install the browser extension. Click the Create an Account button, which will open a new window and prompt you to enter your email address followed by a master password. Make sure you make the master password memorable or write it down someplace safe. You can also set up account recovery — highly recommended — via biometrics on mobile or generate a recovery key in the web app’s security settings upon login. 

Once your account has been created, you'll enter your vault, which includes a guided “Get Started” onboarding process for adding bulk or individual passwords and connecting mobile apps. Scan the QR code to open the appropriate app store on your device, or navigate directly there and download Dashlane's mobile app. 

Dashlane supports CSV uploads but does not have separate steps for importing from other password-management tools. Note that all of this happens inside the Dashlane browser extension, through which you can access the fully featured web interface by selecting Open the web app.

To enable biometric unlock, open the My account menu in the web app, go to Settings > Security settings, and toggle Local unlock on. You’ll need to enter your master password and follow the prompts to add your selected unlock method. This is the same menu where you’ll find 2FA and account recovery setup. 

The first time you log in on a mobile device, you'll also have to enter a verification code sent to your email address to authorize your device before you can enter your master password. You can go ahead and enable biometrics upon login or do so later in Settings > Security. The app has a similar guided onboarding process for adding passwords and enabling autofill, which you have to complete before your full vault loads in the Home section. 

If you create your account on mobile, you’ll be asked if you want to connect to Dashlane on your computer. 

Dashlane review: Desktop

Dashlane on desktop is just Dashlane via web vault and browser extension, as there is no standalone app. The vault has a collapsible, left-justified menu bar for toggling between item categories and security tools as well as a search bar. Tap Logins to view vault records, and click on individual records to open, view and edit the details. Dashlane will notify you within a record if your password is weak or compromised and direct you to change your credentials by sending you to the external website (Dashlane will prompt you to save your updated password).

There are also granular autofill settings for individual records, such as auto-login, and you can share the record or launch the website from this view. Alternatively, you can click the three horizontal dots next to the item to quickly launch the website, copy your credentials or add it to a collection.

To add a new item, click the Add new button at the top of the vault window. You can share an item from this view as well, or within the Sharing Center. Other sections in the main navigation bar include notes, payment methods, personal info (addresses and emails, for example) and IDs (which currently include ID cards, Social Security numbers, driver's licenses, passports and tax numbers).

Note that you must add a record within the correct category — the Add item button in Passwords does not have the template for a passport, for example.

Further down are the security tools, including Password Health for weak, reused and compromised passwords and Dark Web Monitoring, which scans the dark web for up to five email addresses that may have been leaked in data breaches. You have to verify added email addresses to activate monitoring. If any leaks are detected, Dashlane will guide you to click through to change your account credentials. Dashlane previously ran a beta of an automatic password changer, but this standout feature was dropped.

The browser extension pop-up from your browser toolbar has most of the basic functions you'll use regularly. You can view your entire vault, search for individual items, open and edit records and generate new passwords. Most other functions will redirect you to the web app. The extension’s autofill tab allows you to pause or turn off autofill on the website you’re currently on as well as globally.

To autofill credentials, click the Dashlane icon in the form field and select the item you want to fill in. If the icon is green, Dashlane has something to fill in. If it's grayed out, you'll have to enter the item manually. When creating a new account, Dashlane will automatically suggest a generated password and ask if you want to save the account to your vault.

In testing, the extension and web app worked together seamlessly—however, they did crash when I attempted to bulk delete logins from my vault. While this is not a process you’re likely to do regularly, it is frustrating to have to reload. Note that unlike some competitors, Dashlane does not temporarily store recently deleted logins, so if you remove them, they’re gone permanently.

Dashlane does have a limited emergency access feature that requires you to export your data as a protected file and share the password with a trusted contact. Note that you’ll need to re-download your vault each time you update a record.

Dashlane review: Mobile apps

The mobile app is clean and easy to navigate and has all of Dashlane's functionality, including full-featured dark web monitoring. 

The main navigation bar has a Home button that pulls up all items in your vault or selects specific categories with an option to search or add a record. Under Tools, you’ll find your security tools (Password Health and dark web monitoring), shared records, and 2FA authenticator as well as your VPN service. There’s also a tab for your password generator.

The final section is your Settings, where you can customize some basic security preferences like biometrics and connect additional devices using a QR code.

To enable autofill, set Dashlane as your default password manager in your phone settings. Dashlane will auto-suggest credentials or open within your browser to suggest login options. This worked smoothly in my apps as well. You can also create and save new credentials into Dashlane directly from the login interface.

Dashlane review: Security

Dashlane uses AES-256 encryption to secure your data, and your information is unlocked on your local device only when you enter your master password and any enabled two-factor authentication methods. That means that Dashlane employees never have access to your vaults, and hackers cannot see your data even if they manage to access Dashlane's servers. 

Two-factor authentication is available for all Dashlane accounts, free or paid, though free users should be careful to enable or disable 2FA with the single device they're using for Dashlane, as doing so on a secondary device will re-encrypt your account and you'll lose your data. Free users should also securely save 2FA codes, as they will no longer be able to receive recovery codes from live customer support.  

2FA works by default with a master password and verification code sent to your contact email, but it can also be set up via web or mobile and the Dashlane Authenticator app for iOS or Android (or apps like Authy, Google Authenticator and FreeOTP). Dashlane does not support U2F hardware like YubiKey for 2FA, though you can use a security key in place of your master password to unlock the web app. 

Dashlane supports Windows Hello and Touch ID on macOS. Fingerprint unlock is available on most Android devices, and there's support for Touch ID and Face ID on iOS. You can also enable PIN unlocking on your mobile devices. 

Dashlane review: Passkeys

Dashlane currently supports saving, storing, and editing passkeys across its web and mobile apps for websites that have this functionality. On the web and iOS 17, you must be logged into Dashlane before creating a passkey. Android 14 users must have Dashlane selected as an identity provider under Settings > Password and Identity. (As of November 2023, you can create passkeys for apps but not websites on Android devices.) 

Passkeys are stored alongside regular logins in your vault but can be distinguished by the accompanying passkey icon. 

Dashlane is currently working on passkey login functionality for its own apps. 

Dashlane review: Bottom line 

Dashlane offers an exceptional user experience and full-featured password management, but it comes at an ultra-premium price. The primary added value with its $60 fee appears to be VPN services from Hotspot Shield—if you don’t need this, you’ll get similar offerings from 1Password, Keeper and LastPass at just over half the price. 

Bitwarden is a top contender for password management because it offers a lot of value at a low price. The platform is highly secure and open source, and it has the best free tier of any password manager on the market. 

Users can get unlimited syncing of unlimited passwords and basic functions like autofill and secure note-storage and sharing at no cost, while premium features like security monitoring and emergency access costs just $10 a year — much less than the $35 annual fee for competitors with similar functionality. Plus, all other free plans out there limit the number or type of device for vault syncing, and Dashlane allows you to store just 25 passwords total. 

Bitwarden isn’t as seamless as some other password managers when it comes to autofilling logins and forms, but it offers all the essential features, including some passkey support, for less than the likes of 1Password, Keeper, and NordPass. Our Bitwarden review will help you decide if this is the best password manager for you or if you’d be better off paying a bit more for something more intuitive.

Bitwarden review: Costs and what's covered

Bitwarden offers three pricing tiers for consumer accounts: Free, Premium ($10 per year) and Family ($40 per year).

The free tier comes with most of the basic features you'd want in a password manager, making it a good option if you're just looking for safe storage. The Premium plan is a bargain when compared to similar tiers offered by other password managers, which often run about $35 per year. 

Users on Bitwarden's Free plan get unlimited password and secure-note storage across as many devices as they want. There's also a password generator and an innovative feature called Bitwarden Send for sharing sensitive text-based information.

Bitwarden will auto-fill usernames and passwords through its browser extensions on the desktop and with the Bitwarden mobile apps on iOS and Android. Form filling for identities and payment info is included with this tier, but only via browser extensions on desktop.  

If you upgrade to a Premium account, $10 per year gets you all of the above features, plus file sharing via Bitwarden Send, the Bitwarden Authenticator app for verifying your identity on accounts that use 2FA or time-based one-time passwords (TOTPs) and an emergency access feature that lets you grant vault access to another user in case of, well, an emergency. 

This premium tier also comes with 1 GB of secure storage, priority support, advanced 2FA options such as YubiKey and "health reports" — basically, security audits (manually generated) that show you if your passwords are weak, recycled or have been exposed in a data breach. 

If you know how to set up a server, then Bitwarden also offers self-hosting (versus cloud hosting) options with all plans for anyone who wants complete control over their data using their own server.

The Bitwarden server can be anything from a leased cloud instance to a Raspberry Pi sitting on a shelf in your living room. Bitwarden has server specifications and instructions here, and there's a good third-party walkthrough here.

Finally, Bitwarden's $40-per-year Family plan is basically Premium for up to six users with unlimited sharing between accounts. 

As we've noted, Bitwarden Free is a solid option for basic password management — maybe the best one out there. LastPass, one of our other top freemium picks, now limits syncing on its free plan to only computers or to only mobile devices, a significant gap that Bitwarden fills. 

LastPass does include some of Bitwarden's Premium features, such as the ability to use an in-house authenticator app, in its free tier, but at $36 per year, its premium option costs nearly four times what you'll pay for a similar Bitwarden plan.

The premium and family plans offered by other password managers will also set you back a lot more than $10 (or $40 for families) annually, which may be attractive only if you really need bonus features like a built-in VPN. 

The Bitwarden desktop application supports Windows 10 and 11; macOS 10.14 and later; and most major distributions of Linux. The Windows and Mac versions can be downloaded directly from the Bitwarden website or via the Windows and Mac app stores.

There's also a "portable" Windows version you can install on a USB flash drive. If you want to get really elite, there's a command-line version that works on Windows, Mac and Linux alike.

There are Bitwarden desktop browser extensions for Chrome, Safari, Firefox, Opera, Brave, Microsoft Edge, Vivaldi and the Firefox-based Tor browser as well as a beta for DuckDuckGo for macOS 11.4 or later. Mobile apps are available for both iOS (11.0 or later) and Android (5.0 and up). You can also access your vault via any web browser at vault.bitwarden.com. 

I reviewed Bitwarden on a 2020 MacBook Air running macOS 12.7.1 Monterey, an iPhone 15 Pro running iOS 17.1.1 and Google Chrome. 

Bitwarden review: Setup

[Bitwarden Account Create]

To get started, you'll need to create an account on Bitwarden's website using your email address and name. You'll also choose your master password and an optional password hint. There is no account recovery for individual or family users if you forget your master password, so the hint may be helpful. Either way, make your master key something both secure and memorable. 

Bitwarden doesn't do much hand-holding through the setup process, although its help pages are actually pretty useful. Once you have your account set up, you'll be logged into your web vault to start importing and organizing your passwords.

To import data from LastPass, 1Password, Firefox, Chrome or another one of many supported file formats, select Tools > Import Data in the web app (File > Import Data on desktop) and fill out the dropdown fields. If Bitwarden doesn't officially support the service you currently use, you can create and upload a CSV file. Note that data uploads are not possible on mobile.

Next, download the relevant desktop and mobile apps as well as browser extensions. It took almost no time for me to install these and get logged in, and my items synced automatically. Extension features like autofill and password generation functioned immediately, with no additional setup needed.

Bitwarden review: Desktop

Bitwarden would be easy to use with only the browser extension and web app, as the desktop app doesn't add any functionality and is only slightly sleeker.

In fact, some features, such as emergency access (under Account settings) and vault health reports (under Reports), are available only in your web vault.

The browser extension looks a lot like a mobile app, with tabs for your main vault, Bitwarden Send, a password generator and your settings.

There are a few ways to use the automatic form filling feature. There’s no Bitwarden icon that populates in the form field — if the website you're on has a saved login, the Bitwarden extension icon in your browser toolbar will have a number on it. Tap the icon to open the extension and select the password you want to auto-fill. You can also set up autofill on page load, which will fill the username and password fields but not automatically log you in.

To auto-fill credit cards or identities (addresses, for example) when checking out or filling out forms, toggle the Bitwarden extension icon and choose Tab. All available cards and identities should be visible to select. Alternatively, you can right-click (CTRL + click on Mac) on the form field and select from a list of autofill options on the drop-down.

Bitwarden also has a few standard keyboard shortcuts to auto-fill the last-used login, though this was not enabled by default on my Chrome profile (you can set up shortcuts in your extension settings). I found it easiest to open the extension right away and select from there.

Bitwarden's password generator is a little bit clunky compared to those of other password managers — instead of auto generating in the form field, you have to manually go into the Bitwarden extension to create and copy/paste a password. When you create a new login on a website, Bitwarden should ask if you want to save it to your vault.

Sharing texts and files with Bitwarden Send is quick and easy using the browser extension. You can also view and edit the item or copy login information directly from the extension.

If you opt to download the desktop app as well, you'll find a left-justified menu bar where you can select your specific login types to view all the usernames and passwords in that category.

You can also organize or view by folder — use the plus sign to create a new folder — or view your favorites or trash. Search the selected category using the search bar at the top and add a new record using the plus icon at the bottom.

If you toggle Send at the bottom instead, you can create file or text links to content on your computer, which you can then copy or share to send. You can select a date on which access to your send will expire, or on which your send will be permanently deleted, as well as a maximum access count.

File sharing is available only with a Premium account, though you can send text links on the Free tier. Send recipients do not need to use Bitwarden to open the sent links or files.

Unlike the browser extension (and the mobile app, as described below), the Bitwarden desktop app does not have a separate tab for the password generator. Instead, you'll find it under View in the main application toolbar.

Bitwarden review: Mobile apps

Like the desktop app and browser extension, the Bitwarden mobile app is basic. The interface and functionality are almost exactly the same, so the experience will be similar no matter which device you're on. 

The default screen is your vault home, organized by item types and folders. There's a plus sign in the upper right corner to create items and a search icon to search your entire vault. If you tap on Login or another item type or folder, you'll see the full list of items in that category. 

Tap on the three horizontal dots to view, edit or copy the account information. You can also launch the website or app directly from Bitwarden.

Password auto-fill is easy to enable in your phone settings — but unless you want to type in your master password each time you need to connect to Bitwarden, go to Settings > Unlock with Face ID or Unlock with PIN Code in the app. Once enabled, this feature works smoothly. However, you cannot auto-fill cards or identities on mobile.

The Bitwarden app has a built-in password generator, which allows you to set the parameters for the password and copy it to paste directly into the app or website.

You can also use Bitwarden Send in the app just as on the desktop: Create links to text or content on your device, which you can copy or share using any share options on your phone. Toggle the Send icon on the bottom toolbar and select the plus sign in the upper right corner.

Bitwarden review: Security

Like most password managers, Bitwarden uses AES-256 encryption to protect the data stored in your password vault. Your information is only unencrypted, and only locally on your device, once you've logged into your vault with your master key. 

Bitwarden is also SOC 2 Type 2 and SOC 3 compliant, meaning the organization has met standards set by the Association of International Certified Professional Accountants (AICPA) for handling consumer data. Bitwarden undergoes a security audit every two years, but it's also open-source, so the code is available for anyone to review for flaws.

All Bitwarden users get several 2FA options for accessing their vaults. Free-tier members can set up a two-factor authentication login process using email verification or an authenticator app like Authy or Google Authenticator.

The Premium tier also supports Duo Security, YubiKey and FIDO U2F-compliant USB security keys. As mentioned earlier, Premium subscribers can also use Bitwarden's own authenticator app instead of a third-party one.

Once you've logged in with your master password and any enabled two-step method, you can unlock your vault using a PIN or a biometric method. Bitwarden supports fingerprint and face unlock on Android, both Touch ID and Face ID on iOS, biometrics on Windows 10 via Windows Hello and Touch ID on macOS.

Bitwarden review: Passkeys

Passkeys, or private keys, are stored locally on your device, meaning no one can access them. A site or application that supports passkeys will use a public key to request that you authenticate this private key, typically using biometrics, to log you in. Unlike passwords, passkeys are not susceptible to hacks or data breaches, making them more secure. 

Bitwarden currently supports passkey storage for all subscribers, though passkeys can only be saved and used via the browser extension. Passkeys are not editable, and they are viewable but not usable on mobile and other Bitwarden clients. Bitwarden expects to add passkey support for logging into its own applications in the future. 

Bitwarden review: Bottom line

We highly recommend Bitwarden for highly secure password management, especially its free tier, which is the only no-cost plan to still offer unlimited syncing across device types alongside the basic features you’d need in a password manager. 

Bitwarden’s $10-per-year premium plan is the most budget-friendly of the bunch — comparable plans start around $35 annually — and comes with extras like security audits, advanced 2FA and additional storage. Bitwarden is not the most intuitive to use, especially its autofill function, but it does the basics and does them really well. 

NordPass is a solid password management option with all of the tools you’d expect, though it also has a simple, intuitive design. NordPass has caught up to competitors in some ways: it launched a web vault and standalone browser extension as well as biometric login support across platforms, and it removed device limits for its premium tier. NordPass also offers passkey support across its desktop and mobile apps, web vault, and a handful of browser extensions. 

At $45 per year, NordPass does cost more than similar password managers like 1Password, Keeper and LastPass (all around $35 annually), though the price has actually dropped since our last review, and frequent promotions can cut the fee significantly. NordPass does have a free tier which includes most of its features, the primary limitation being that you can only be logged in on one device at a time.

While NordPass’s setup process is a bit roundabout, the user experience is consistent across platforms. Our NordPass review will help you decide if this is the best password manager for you or if you’d be better off with another one instead.

NordPass review: Costs and what's covered

NordPass has two paid tiers and a free plan. NordPass Premium costs $44.85 per year, while NordPass Family (for up to six Premium users) comes to $89.85 per year. As noted above, this is a tad pricier than most premium password managers, which charge about $35 per year. However, NordPass offers frequent sales as well as a discount on two-year plans. 

The exception is Dashlane, which charges $60 for a premium account. But Dashlane Premium bundles in dark-web monitoring and unlimited VPN service, whereas NordPass doesn't seem to offer any discount for NordVPN.

NordPass Free comes with the most basic functions of a password manager, including unlimited password storage; autofill for passwords, forms, identities and payments; passkey support; secure notes; and multifactor authentication. The biggest limitation with the free tier is that you can stay logged in only on one device at a time. 

So while you can use NordPass Free on a phone, tablet and computer — and your vaults will sync automatically — logging into your account on one device will log you out on all the others. While this may be slightly inconvenient, it's still more flexible than free plans that limit you to one or two devices in total, or to a certain number of passwords. 

With an upgrade to NordPass Premium, you get sharing capabilities and basic security monitoring for old, weak or reused passwords as well as for those exposed in data breaches. NordPass previously limited premium users to six devices at a time but now allows unlimited simultaneous logins. 

NordPass Premium also includes 3 GB of secure online storage, passkey sharing, and Emergency Access capabilities. NordPass even has a 30-day free trial of the Premium tier that you can claim in the app, and there is a 30-day refund policy.

The Family plan simply bundles six Premium accounts. It's a decent value at $89.85 annually for households with older children or college students or even a group of friends, since the vaults are not linked together. But again, LastPass for Families costs just over half as much.

NordPass supports Windows 10 and up for both 32-bit and 64-bit systems, macOS 11 and up and any Linux distribution that supports snap 64 bit. There is no desktop app for Chrome OS, but you can always access the Web Vault. Browser extensions are available for Chrome, Firefox, Safari, Brave, Opera and Edge, and there are mobile apps for iOS (15.0 or later) and Android (9.0 and up). 

I reviewed NordPass using a 2020 MacBook Air running macOS 12.7.1 Monterey, an iPhone 15 Pro running iOS 17.1.1 and Google Chrome. 

NordPass review: Setup

To get started with NordPass, you have to download the desktop application (or the mobile app), after which you'll be prompted with a pop-up to create an account. This will take you back to the website to create a Nord account, which is a centralized login for all of Nord's services (VPN and secure document storage, for example).

It's a bit clunky and unfortunately requires you to have two separate passwords. Once you have a Nord account, you can go back to the NordPass app and log in.

From there, you'll create a master password for NordPass. Make sure to save this somewhere secure. You should also go ahead and generate a recovery code (Settings > Reset Recovery Code), which you'll need to access your vault if you forget your master password.

NordPass does not have a detailed onboarding process, but you can tap the Get Started tab in the left-hand menu to view basic setup options, such as adding or importing passwords and enabling a browser extension.

To add an item to your vault, you can import from a handful of other browsers and password managers or upload a CSV. You can also add individual logins, passkeys, payment methods or identities.

On mobile, you'll again need to log into your main Nord account to be redirected to entering your NordPass master password in the app. You can opt to use an emailed verification code instead of your Nord account credentials. Once you're logged in, though, you can go to Profile > Settings and enable biometrics (if not already prompted to do so) if you want to skip entering your master password each time you access the app.

Both the browser extension and mobile app synced automatically from my desktop vault. Remember that with a free NordPass account, logging in on mobile will log you out of the desktop app and vice versa.

NordPass review: Desktop

On the desktop, NordPass is available as a standalone app, a browser extension and a web-based vault. The interface is consistent across the desktop, browser extension and mobile environments, making it easy to find what you’re looking for no matter where you access your vault. 

In August 2023, NordPass released a fully featured browser extension that works without the desktop app — many functions will open in a tab that mirrors the Web Vault. If you install the desktop-paired extension, it will redirect you to the desktop app for those functions, such as manually adding logins, sharing items, changing your settings, and viewing your password health and data-breach reports. Note that only one extension can be enabled at a time. 

The Web Vault, as NordPass calls it, lacks the ability to autofill and autosave passwords and other items, so you'll want to have the desktop app or the full-feature browser extension installed on at least one of your machines.

The desktop app has a left-justified menu where you can select and view specific login types as well as notes and shared items. You can organize your data into folders or view your trash, which saves items until you permanently delete them. 

You can edit, copy or organize an item from the main vault list (tap the three dots next to the item name) or by clicking on and opening the individual item. You can add an item manually from any screen in your vault using the button at the top-right corner. Open your settings, including biometric unlock, multi-factor authentication, and autofill/autosave, using the gear icon at the top of the menu.

At the bottom of the menu are your Tools, including your password generator and security reports, the latter of which is a Premium-only feature. Password Health shows you old, weak and compromised passwords and links you out to the websites needed to change them, while the Data Breach Scanner tells you if anything in your vault, including credit cards, has been leaked online. You can also see password strength within each item's listing.

NordPass has a premium feature called Emergency Access for trusted contacts, which lets you designate certain other NordPass users, such as friends or family members, viewing access to your NordPass account if you fail to respond to an access request for seven days. (Other password managers let you adjust the waiting period.)

The browser extension defaults to a screen showing all of your logins, though you can open the hamburger menu to select a specific category or folder.

To autofill your login or payment info, you must have the browser extension enabled. The NordPass icon will appear in the form field on any website for which you have a saved credential (or if it detects a payment or identity field). Simply tap the icon and select the correct login. There are no keyboard shortcuts for the extension.

When creating a new account, NordPass will automatically open the password generator and an autosave pop-up menu for adding your credentials to your vault, a process that worked smoothly (albeit eagerly, with the pop-up appearing a few times even after closing out). You can tap the Show Options dropdown to change the password strength requirements. NordPass will also prompt you to update an existing password upon login if Password Health detects your password is weak or has been reused.

To share an item, toggle the three dots next to the login and select Share. You can enter the email address of the recipient and select permission levels. View and manage this in the Shared Items tab on the main menu.

Finally, one handy feature of the extension and desktop app, especially if you share your machine, is autolock. Go to Settings > Security to select how long you want the app to remain open before requiring your master password (as little as five minutes to as long as one month).

NordPass review: Mobile apps

On mobile, NordPass looks similar to the browser extension, though it has full functionality for adding credentials, sharing items and accessing settings and security-monitoring tools. 

You'll find all the same menu options under the Browse tab and your main vault screen on the Home screen. Tools houses your security-monitoring options, and Profile directs you to your settings (including biometrics and MFA setup).

To use autofill on mobile, you'll have to enable NordPass as your primary password manager in your phone settings. If you have a saved login for a website or app, a NordPass menu will pop up and allow you to select the correct credential.

When creating a new account on a website, you'll have to go back to the NordPass app to generate a password, copy it and paste it in the app or on the website. You'll also have to manually create a login in the app, as it will not autosave from a mobile browser. That said, I did appreciate how easy it was to access NordPass’s password generator on mobile.

NordPass review: Security

NordPass uses XChaCha20 encryption, which secures your password vault with 256-bit keys. Like most password managers, NordPass is zero-knowledge, so only you can see your data on your local device when you enter your master password. Your vault is never accessible to NordPass employees or hackers via the company's servers. The platform underwent its first security audit in early 2020. 

Multi-factor authentication is available for both free and paid NordPass accounts with one-time password generators, including Google Authenticator, Microsoft Authenticator, Authy and Duo. You can also set up MFA to work with any U2F hardware key, such as YubiKey. 

Supported biometric login options on NordPass include FaceID and Touch ID on iOS and macOS devices, Windows Hello and biometric unlock on Android.

NordPass does offer account recovery with a code you can generate in your settings, but you must do this prior to losing your master password, or you'll be locked out of your vault (since you need your password to create the code initially). NordPass support can reset your account, but all of your saved items will be deleted in the process. 

NordPass review: Passkeys

NordPass supports passkey creation, storage, and synching on all desktop and mobile applications, Firefox and Chrome browser extensions, and the web vault. When you sign up for a new account for which a passkey is an option, you’ll be prompted to create one and save it in your vault. If you have an existing login for a site that supports passkeys, you can change your password to a passkey in your account settings. Unlike 1Password, NordPass does not identify existing accounts in your vault for which passkeys are available. 

Passkeys provide higher security than passwords because they aren’t stored in a way that can be accessed or compromised in a data breach. If you have a passkey enabled with your login, the site will use a public key to request that you authenticate this private key, typically using biometrics. 

All NordPass users, including those on free plans, have passkey support. NordPass is expecting to introduce passkey sign-in for its services at some point in the future. 

NordPass review: Bottom line 

NordPass offers a solid user experience (other than the initial setup process) and is closer in terms of features and price with the likes of 1Password, Keeper and LastPass than in our previous review. However, it still costs slightly more with no significant leg up in form or function, and it doesn’t include extras like its NordVPN service, as Dashlane does. 

The NordPass free tier is more flexible and full-featured than those offered by Dashlane, Keeper and LastPass, which have stricter device sync limits. But users looking for a low- or no-cost password manager may want to consider Bitwarden, which offers unlimited syncing for free users and charges just $10 per year for its premium plan. 

Keeper's password manager comes with strong security features and a simple, consistent user experience no matter which platform or device you're using, making it a solid choice among better-known competitors such as 1Password, LastPass and the higher-priced Dashlane.  

While Keeper's free tier won't be useful for most people because it's limited to just one mobile device, its premium individual plan (Keeper Unlimited) is competitively priced at $35 per year. Keeper also lets you buy individual add-on features such as online storage and dark-web monitoring.  

One long-standing downside to Keeper had been a lack of built-in templates for various document types — it offered only basic identity forms. However, 20 new templates were rolled out just before this review was published, bringing Keeper in line with others of the best password managers.  

Read on for the rest of our Keeper review.

Keeper: Costs and what's covered

Keeper offers two pricing tiers for personal premium plans, and two for families. Keeper Unlimited costs $34.99 per year for an individual, while the basic Keeper Family plan costs $74.99 per year. (For the moment, Tom's Guide readers can get 40% off either plan.)

For the Plus Bundle — which adds dark-web monitoring to the basic features — you'll pay a total of $58.47 annually for an individual and $103.48 for a family.  

Keeper does have a very basic free version, which limits you to password, identity and payment-method storage, as well as a password generator and two-factor authentication (2FA), on a single mobile device. 

However, since Bitwarden and Myki offer completely free unlimited syncing, and other competitors have more flexible no-cost tiers, this free Keeper plan has little value.   

If you pay $34.99 for a year of Keeper Unlimited, however, you get unlimited password, identity and payment method storage across an unlimited number of devices. 

This tier also comes with secure storage for up to five files, file-sharing capabilities, emergency access and phone support. Keeper offers a 30-day free trial for its premium tier so you can test out its features before committing.  

The Keeper Family plan ($74.99 per year) is similar to Keeper Unlimited but allows up to five separate password vaults and 10GB of secure file storage.  

Keeper also has a combined plan, called the Plus Bundle, which simply adds its BreachWatch dark-web monitoring service plus more storage to the unlimited and family tiers for a total of $58.47 and $103.48 per year, respectively. 

You can also purchase BreachWatch ($19.99 per year), expanded storage (starting at $9.99 per year) and priority support ($99 per year) as separate add-ons to your selected plan.  

Keeper supports Windows 7, 8 and 10; the most recent two versions of macOS; and some common distributions of Linux, including Fedora, Red Hat, CentOS, Debian, Ubuntu and Mint. 

There are browser extensions (known as KeeperFill) for Chrome, Safari, Firefox, Opera, Internet Explorer, and Microsoft Edge. Mobile apps are available for both iOS (11.4 or later) and Android (6.0 and up). You can also access your vault through the Keeper website.  

For this review, I tested Keeper on a 2020 MacBook Air running macOS 10.15.7 Catalina and an iPhone XR. I used Google Chrome for browser testing. 

Keeper: Setup 

To get started with Keeper, you'll need to create an account with your email address and a strong master password. Keeper will also prompt you to set up a security question for account recovery — we'll go into more detail on this below.  

Note that if you skip the security-question step, you'll continue to see prompts for it when you open your vault on any device. You can always reset the question in your account settings. 

Once you're logged in, Keeper has step-by-step onboarding pop-ups to guide you through the setup process, including for creating or importing logins, installing the browser extensions and enabling two-factor authentication. You can skip any of these steps and come back to them later. 

To populate your vault, you can either create individual records or go to Settings > Import to choose from a long list of supported browsers and password managers, or to upload a CSV file. Each option has in-app instructions for exporting from the original platform. 

You'll also want to install the browser extension, called KeeperFill, which allows you to autofill logins and payment methods online and quickly create and save new logins. 

Next, download the desktop and mobile apps for your platform(s). You can use Keeper without the desktop app, which looks and functions very similarly to the web vault. 

However, the desktop version allows biometric logins and comes with KeeperFill for Apps (on macOS and Windows), which pops out a desktop version of the extension that you can keep open and move around your screen for easier (and constant) access to your vault. 

Keeper requires an extra layer of verification, such as an emailed code or a push notification, when you log into the mobile app for the first time on a new device before you're allowed to attempt a master password. 

Once you approve the device, you can log into your vault, which syncs automatically from the web or desktop. You can then enable biometrics, such as Face ID, in your app settings for faster access. 

If you're newer to password management, you'll likely appreciate Keeper's onboarding process and online-support articles, which are detailed and easy to follow. 

Keeper: Desktop

You can use Keeper as a web-vault and browser-extension combo, or you can add the desktop app. The interface and functionality are very similar between the web vault and desktop app: There's a collapsible left-justified menu bar where you can toggle between your main vault, identities and payments, security monitoring tools and deleted items. The vault will display your items in a list or as a visually appealing grid with website logos.  

Manually creating a new record is simple. The default record type has fields for a title, username, password and web address. The dice icon next to the password field autofills using Keeper's password generator. You can also add custom fields, files and two-factor authentication codes to individual records.  

At the time that we were testing Keeper for this review, the password manager had no templates or record types for identity documents, such as passports and driver's licenses, and the only way to create them was to use custom fields. 

But in January 2022, Keeper added more than a dozen new templates for payment cards, bank accounts, passports and other common record types. Each template can be further customized with additional fields.

Back in your main vault, hover your mouse cursor over a record to launch the website in your browser. Click the record to view the details or tap the three dots in the upper-right corner to edit, share, favorite, duplicate or delete the record or view its history.

Sharing an item is easy. Simply enter the email address of another Keeper user and select the permission level. You can see anyone you've shared a record with here too. 

Tap the drop-down arrow next to your email address in the upper-right corner to pull up your account information (including emergency access settings) or your vault settings, which is where you'll find import/export, customization tools and security options.

Emergency Access gives up to five people you designate, who must have Keeper accounts, access to your vault after a specified period of inactivity on your part, ranging from immediately to up to 3 months. 

Vault settings, meanwhile, allow you to enable biometric access such as Touch ID and Windows Hello (desktop app only), as well as two-factor authentication and a self-destruct function that deletes locally stored files after five failed password attempts. 

The Security Audit tool shows you your weak and reused passwords and gives you color-coded strength scores. You can launch websites directly from individual records to change passwords. 

BreachWatch scans for credentials that may have been compromised in data breaches. Again, you can open the record and launch the website from within this report.

Another reason to consider the desktop app is access to offline mode, which makes an encrypted copy of your vault available on your local device, secured behind your master password or biometrics. This feature is also available on mobile and is helpful for app autofilling if you're without Wi-Fi. You can toggle this on and off on the bottom toolbar in the app. 

The KeeperFill browser extension does all the key things like auto-filling, credential-saving and password generation. The auto-submit option is a nice feature: Keeper will autofill and then actually submit matched credentials to log you in.

You can search your vault for specific items, though you can't view a complete list in the extension (tapping Vault will redirect you to the web vault). It's easy to select from multiple accounts that exist on a single website and to create a new record with a generated password. Keeper will detect updated credentials and ask if you want to save them in your existing records. 

To access the extension, you can tap the Keeper icon in the form field. This sometimes didn't appear for me, so other options include a keyboard shortcut (command+shift+k on macOS or alt+k on Windows) or a right-click on the credential field. The former opens the main extension, the latter a pop-up menu where you can select an action. 

Keeper: Mobile apps 

The Keeper mobile app is fully functional and more streamlined than previous versions. The bottom toolbar lets you navigate between your main vault list, BreachWatch, app settings and your account information. 

The plus button lets you quickly create new records, folders and payment methods or upload a file. You cannot mass-import passwords on the mobile app — Keeper will redirect you to the web.  

Toggle open the More menu in the upper-left corner to view navigation options similar to what's available on the desktop app and web vault. This is where you'll find the Security Audit and your identity/payments list, as well as your favorites, shared items, files, trash and two-factor codes. 

When you create a record on mobile, you have the added option to scan in a photo or document, which Keeper will translate to plain text and attach to the Notes section. 

To enable Keeper's autofill function, available on both iOS and Android, go to your phone settings and select Keeper as your default. Tapping the Password (iOS) or Sign into Keeper (Android) button above your keyboard when entering credentials will open KeeperFill, and you can select, search or create a new record and tap Fill. 

Keeper may also detect and offer an existing login from your keyboard options. In my testing, this only worked in apps, not in the mobile browser. Also note that Keeper didn't always detect email-address fields as stored credentials, which meant I had to know or look up which email address I'd used in order to move on to the password screen. 

One helpful customization: You can launch a website from individual records in Keeper and set the default mobile browser you prefer each website to open in. 

Keeper: Security

Like many password managers, Keeper uses AES-256 encryption to secure data on its servers as well as your devices. Your information is unencrypted locally on your device only when you enter your master password, so neither Keeper employees nor hackers can access it.  

Keeper is also SOC 2 Type 2 compliant, which means it's trusted by the Association of International Certified Professional Accountants (AICPA) to manage consumer data. The platform is also subject to regular security audits.  

Both free and paid Keeper users can set up two-factor authentication to access their password vaults. Keeper supports time-based one-time passwords (TOTP) sent via SMS (not recommended if you can help it) as well as apps like Microsoft Authenticator and Google Authenticator and hardware security keys like YubiKey and Google Titan. An Apple Watch or Android Wear device can also be used for 2FA via the KeeperDNA app.  

After you enter your master password and any enabled 2FA method, you can unlock your Keeper vault using biometrics: Face ID on iOS, Touch ID on iOS and macOS, fingerprint and face unlock on Android and Windows Hello. 

Keeper does offer an account recovery option if you lose your master password. It's enabled by default on new accounts, and it requires you to set up a security question when you create your account.

You get to create the security question instead of being limited to pre-filled options, but keep in mind that using a question that someone else knows the answer to is a security risk. If you answer the question correctly, you'll get a verification code sent to your email address, which will then prompt you to reset your master password. 

Keeper password manager review: Bottom line

If you're willing to pay for a password manager, Keeper deserves serious consideration. The design is simple, consistent and easy to navigate across all major platforms and devices, and Keeper matches most of the features of similarly priced competitors.  

We're also fans of Keeper's security measures and its mix-and-match add-on options like extra storage and dark-web monitoring. Now that more identity-form templates have been rolled out, Keeper is one of the top premium password managers on the market.   

If you're looking for a free option, though, Keeper isn't it. Its one-device limit (mobile only) is surpassed by more flexible no-cost plans from LastPass and NordPass as well as by Bitwarden's free tier. 

Even though you may have downloaded them from an official app store, fake apps can lead to all sorts of problems, from fraudulent charges to malware being downloaded onto your smartphone. But what if the fake app in question is impersonating one of the best password managers?

In a blog post on its site, LastPass is warning users that a fake app is impersonating the popular password manager on the Apple App Store. The app in question tries to copy LastPass’ official app down to a T by using the company’s branding and mimicking its user interface.

However, if you look close enough, you’ll notice that the fake app is called “LassPass” and not “LastPass”. Unfortunately though, due to the way in which our brains are wired to read, unsuspecting LastPass users may have accidentally downloaded this fake app. The reason being is that its name plays on typoglycemia, or the phenomenon where when a word has the correct first and last letter but the letters in between them are wrong, we still read it correctly.

Fortunately, this fake “LassPass” app has now been removed from the App Store but if you did download it and try to log into your account, you could be in trouble. Here’s everything you need to know along with some steps on how to avoid falling for fake apps in the first place.

The worst kind of fake app

Other fake apps can’t do nearly the amount of damage that one impersonating a password manager can. This is because a password manager is used to store all of your credentials across a wide variety of sites and online services.

At the moment though, we don’t know whether or not this fake “LassPass” app — developed by Parvati Patel with a privacy policy hosted at blunee[.]com — was able to steal the login credentials or master passwords of LastPass users. If it was though, this could have serious implications for any LastPass user that accidentally downloaded it.

With your master password in hand, the creators of the app could access your LastPass password vault and from there, gain access to all of the credentials you’ve stored within it. From here, they could lock you out of your social media accounts and worse, drain your bank accounts.

If you did happen to download this fake LastPass app, then you’re going to need to change all of your passwords ASAP. If you still have access to the password manager, you’re in luck as it includes the ability to automatically change many of your passwords. If you don’t though, you’re going to have to do this manually which can be a tedious and time-consuming process. Still though, it beats losing access to all of your online accounts.

How to spot fake apps on the App Store

Despite Apple and Google’s best efforts, fake apps impersonating popular brands do manage to slip through the cracks from time to time. This is why, even if you’re looking for new apps on an official app store, you still need to be able to spot a fake.

In this case, a simple examination of the app’s name would have done the trick since LastPass was spelled incorrectly. However, sometimes hackers, cybercriminals and scammers use foreign alphabets to make their fake apps — and websites — appear more legitimate. When this happens, you want to scroll all the way down on an app’s listing page and look for developer info on the Google Play Store or the seller info on the App Store.

The actual LastPass app is developed and distributed by LogMeIn, Inc while the fake one had Parvati Patel listed as its creator. This is a major red flag and a sign that you should avoid an app entirely. Normally, apps have the name of the company that developed them listed on the app store which is why the name of an individual developer stands out like a sore thumb.

If you’re worried about fake apps on any official app store, you can always go to a company’s official website and then head to their app store listing from there. Just be careful on Google Search though as scammers like to impersonate big brands by buying ads on the search engine. For this reason, you should always scroll down past the sponsored results until you find the real ones. Most businesses have a direct link to their apps on their sites and if you’re concerned you might not be able to spot a fake, this is the best course of action to take when installing new apps.

Another thing you want to look out for are ratings. While the actual LastPass app has over 52 thousand ratings, the fake LassPass app only had one, five-star rating. At the same time, you also want to check any user reviews as people are quick to point out when they’ve been scammed by a fake or malicious app.

The fake LastPass app has now been removed from the App Store, but Tom’s Guide has reached out to Apple to learn more about how this happened in the first place. We’ll update this story if and when we hear back from the iPhone maker.

More from Tom's Guide

• This iOS 17.3 feature keeps vital data locked when your iPhone is stolen 
• This is the one reason iPhone still beats Android on security
• Own an Apple device? 7 crucial security measures you need to take right now

We’re big fans of password managers, which store all your passwords in one place and help you to stay safe online. We’ve tested dozens, but none can match 1Password for its security, ease of use, and pricing.

Not that the folks at 1Password are resting on their laurels, though. Indeed, they’ve just added a shiny new game-changing feature. Passkey support – currently in public beta – is rolling out now across the major browsers: Chrome, Edge, Brave, Firefox, and Safari.

Signing in just got a whole lot faster

New to passkeys? These unique digital ‘keys’ are fast replacing traditional passwords. Each passkey is unique, can’t be reused, and consists of two parts. The private half is stored in an encrypted format on your device, protecting you from phishing attacks and data breaches.

And since you need both halves of a passkey for authentication, nobody can access your online accounts without physical access to your devices – and a way to unlock them (which is all but impossible when you mix in today’s biometric technology).

Using a passkey is a piece of cake. There’s nothing to memorize and nothing to type out. Simply navigate to a website that supports passkeys, head to the sign-in page or button, and let 1Password work its magic (here’s a handy list of passkey-friendly sites).

It’s also worth mentioning that Watchtower, 1Password's security-monitoring tool that flags reused passwords and breached websites, will let you know when a website you’ve saved adds passkey support.

Passkeys: the future of authentication

One of the most frustrating things about some other password managers? They lack support across platforms, resulting in your passkeys being locked into their ecosystem. 1Password has no such limitations and doesn’t lock you into their ecosystem, making it so you can use your passkeys on whatever device/major browser you already use.

Worried that you could end up juggling hundreds of passkeys? Don’t – 1Password remembers where you’ve chosen to use passkeys and serves up the correct credentials each and every time, whatever the website or login method. Neat.

You can even share your passkeys with a family member or trusted co-worker; simply add the passkey to a shared vault or provide access to an individual passkey.

Get the passwordless experience you deserve

Right, ready to kiss passwords goodbye? Simply sign up for 1Password (if you’ve not already), open a compatible website, and create or update your account with a passkey, rather than a password.

That’s it – you’re done! In our humble opinion, staying ten steps ahead of today’s hackers and cybercriminals has never been easier.

Want to keep up to date the latest passkey developments news? Don’t forget to sign up to 1Password's (excellent) passwordless newsletter.

With its Password Manager, Bitdefender extends its already-extensive array of security products by licensing SaferPass’s Personal Password Manager and integrating it into the company’s Central online portal. Easy to install and use, Bitdefender Password Manager is compatible with all major platforms except Linux. It is backed by some serious encryption to protect your privacy and Bitdefender Password Manager can safely put your passwords in all the right places while allowing quick importing of your login credentials from a variety of popular formats. The best part is that if you forget your master password, Bitdefender can recover your entire account.

On the downside, Bitdefender Password Manager shows the potential foibles of a first-generation product by lacking some items we like to see in a password manager, like the ability to work with Passkey password-free authentication. There’s also no free version, although Password Manager has a 30-day trial. 

At $30 a year ($20 for the first year), it is among the least expensive password managers around and is included in Bitdefender’s top two security suites, making it an even better buy. Can this newcomer beat our favorites like the class-leading 1Password and DashLane? Our Bitdefender Password Manager review will help you decide if this is the best password manager for you.

Bitdefender Password Manager: Costs and what’s covered

With other password managers selling in the $40 per year range, Bitdefender’s Password Manager is a bargain at $20 for the first year (or $3 a month). It costs $30 a year after that. There’s no family plan, but the app bolsters Bitdefender’s class-leading top two security suites, Ultimate Security ($180 for 10 users) and Premium Security ($160 for 10 users). You essentially get the password manager for next to nothing. 

On the downside, unlike BitWarden and Dashlane, there’s no free version of Password Manager. New customers can get a 30 day trial while current Bitdefender users get 90 days of free use. 

The service provides unlimited use of Bitdefender Password Manager, including synchronization across as many devices as you like. It works with Windows, Mac, Android and iOS as well as popular browsers, like Edge (version 72 or newer), Chrome (Version 80 or newer), Firefox (Version 65 or newer) and Safari (Version 12 or newer). However, the password manager lacks compatibility with obscure ones like Brave and Vivaldi. It should work with most Chromebooks, but it’s not officially compatible. The weak link in the password chain is that Bitdefender Password Manager doesn’t work with Linux.

Under the surface, the Password Manager uses a layered security approach with several heavy-duty encryption algorithms to hide the actual data. They range from HTTPS and AES-256 to BCRYPT and WSS. All of the activities can be set up to require two-factor authentication and biometric log-in. 

To get a good idea of its potential, I used the Bitdefender Password Manager on several systems, including a Windows 10 ThinkPad T470, a Samsung Note 20 phone and an iPad Pro; I connected with the Chrome, Edge and Firefox browsers.

In addition to my usual online haunts, I used the service with a variety of sites, including Twitter, Facebook, the Washington Post and MSI’s portal 

Unlike some other password managers, Bitdefender’s Password Manager does not come with cloud storage, such as 1Password’s 1GB of encrypted space for keeping photos, videos and all kinds of files safe and secure. By contrast, Bitdefender Password Manager’s Secure Notes is meant for small amounts of sensitive data that might need hiding. 

Bitdefender Password Manager: Web Interface

Bitdefender’s web interface is similar to its mobile apps, making it easy to use across PC, Mac, Android, iPhone and iPad. Bitdefender has done an excellent job of integrating the SaferPass service into the company’s Central portal scheme that includes malware protection, identity monitoring, VPN, parental controls and now password management. The Central Dashboard has a shortcut to the Password Manager’s details with links for adding browser extensions.  

To add my credentials for Facebook access with my ThinkPad T470, I opened the Chrome extension and clicked Add account.

After I included some basic information, the password manager was ready to go. I continued with my other favorites by importing passwords in a .CSV file. At that point, all of my log-in details were also available on my phone and tablet for quick, secure logins.

By going to the Password Manager’s extension’s interface, I could see and edit my login accounts, generate a super-secure password, see the open sessions and view the Security Report. It correctly auto-filled online forms accurately and can securely store credit card data. On the other hand, the interface lacks templates for securely stashing things like a driver’s license and passport, features that other password managers provide.

Like 1Password, Bitdefender Password Manager warns of password breaches, weak passwords and duplicates as well as scan for leaked passwords. It all shows up in the Security Report.

Unlike 1Password, there’s no Travel Mode. This means that you can’t stash specific passwords and files for when you hit the road. The Password Manager served me well over two weeks of intensive daily use, although it failed me once when Bitdefender’s server infrastructure was unavailable, and so were my passwords.

Chalk it up to growing pains for the new service and everything was back online in a few minutes. The product’s offline version can provide passwords in the event of an internet outage.

Bitdefender Password Manager: Mobile apps

Bitdefender Password Manager offers apps for Android, iOS, iPadOS but not Chromebooks as the company doesn’t officially support this platform. However, it worked on my HP X2 Chromebook tablet.

Bitdefender Password Manager mirrors SaferPass’s interface with icons along the top for Accounts (the password credentials), Generate Password (for on-the-spot use), SecureMe (for starting secure sessions and remotely logging out) and the Security Report. 

The three-line hamburger icon in the upper left leads to the app’s inner workings. In addition to entering an Identity and adding Secure Notes, there’s a place for storing credit card data. The Settings section is for importing and exporting password data as well as for changing auto-fill options for online forms.

There’s also a link to Bitdefender’s Support pages as well as a search bar. A box at the bottom is for getting in touch with Bitdefender’s 24/7 support staff.

Bitdefender Password Manager: Setup

Since most of Bitdefender Password Manager’s work is done online, it is a snap to install. The first step is to create a Bitdefender Central account with an email address and password. Happily, it would not accept a simple (and weak) password. I signed up for a year’s worth of service and got an email confirmation. 

Using my ThinkPad T470, I activated the app, logged-in and the Password Manager category of Bitdefender’s Central Dashboard showed that everything was active.

I loaded the browser extensions, entered my master password and agreed to the terms and license.

The app showed me my recovery key with an option to print it. It’s a good way to have a backup of the service’s log-in info but is second best compared to 1Password’s more inclusive Emergency Kit and use of QR codes.

Setting the password manager up on my Note 20 phone was even easier. I logged in to the Mobile Security app and tapped to install the Password Manager’s browser extensions on my phone. I entered the master password to unlock the vault, followed by creating a PIN and adding my fingerprint to make things even easier.

Nearly done, I now imported my database of passwords. Happily, right after I set up Password Manager, a help area on the right on the Central main screen explained how to import passwords. I used the .CSV format but the program accepts a wide variety of file types, including .XML, .TXT and .FSK formats as well as direct imports from two dozen popular password managers, including 1Password, Bitwarden, Dashlane and Watchguard.

Start to finish, it took me 5 minutes to get it all together and start using Password Manager on a variety of platforms and browsers.

Bitdefender Password Manager: Passkeys

For its first iteration, Bitdefender’s Password Manager does not support FIDO’s open authentication Passkey standard. Its public key, private-key Passkey system has the power to replace passwords for logging into websites, programs and even smart devices. 

To Bitdefender’s thinking, the lack of widespread use didn’t justify including it now. That said, the company’s engineers are working on adding it to the feature mix in an update. Bitdefender is not alone here with many password managers promising Passkey support in the near future.

Bitdefender Password Manager: Security

As is the case with other Bitdefender apps, the Password Manager requires a secure HTTPS connection over the Internet to connect; this entails the use of 128-bit AES encryption. All its records are stored locally and online using the more secure AES-256 algorithm, while other portions use SH512 and PCR cryptographic techniques to secure data.

There’re more layers of security to protect your privacy, starting with the mobile apps blocking screenshots. Bitdefender also promises to never send your master password over the internet and Password Manager can be secured with two-factor authentication. On the other hand, Password Manager is not SOC 2 certified by the AICPA for having adequate privacy provisions.

In addition to using a PIN or the master password, my face and fingerprints were enough to open Bitdefender’s Password Manager. It works with everything from Apple’s Face ID and Touch ID to Microsoft’s Windows Hello biometric authentication schemes.

We all forget things and Bitdefender’s Password Manager can keep you from losing access to your login credentials due to a memory lapse or lost master password. In addition to the expected recovery key for gaining access to a locked out account, the company can revive your passwords without the recovery key by talking to their technical support staff. You will need to prove that you actually are you, though.

The Password Manager goes the extra mile for security by alerting you of weak or compromised passwords in the app; company engineers are working on email notifications as well.

Bitdefender Password Manager: Bottom line

Rather than build a password manager from scratch, Bitdefender chose to work with SaferPass. It may not be perfect, but Bitdefender’s Password Manager is an excellent start with a service that covers the log-in bases well. It not only mixes with other parts of the company’s security suites but is a fast starter with the ability to import log-in details from other password managers or via generic database files. As easy as it is to use, Password Manager protects your privacy with several layers of heavy-duty security, 2FA authentication and has two ways to recover your account if you forget or lose the master password.  

Good for home and away logins, Password Manager works with the major platforms and browsers, although it ignores Linux systems. It lacks a free – though limited – version to use, something that Dashlane provides; there is a one-month Password Manager trial. At $20 a year ($30 after the first year), it is a bargain on its own but is nearly free as part of Bitdefender’s Premium Security and Ultimate Security suites for $160 and $180 to cover 10 users at home with complete protection. 

Overall, Bitdefender Password Manager is a good way to protect your online persona day-in and day-out. While it has its shortcomings, Bitdefender Password Manager is an effective way to secure a stress-free online life and a good value. 

 Passwords are our first line of defence when it comes to our devices, accounts and important documents. If something isn’t password protected, anyone can get their hands on what’s inside.

Just having a simple password isn’t enough, however. If it’s easily guessable, or can be quickly cracked by malicious hackers, then that’s almost as bad as having no password at all.

With more of us than ever working from home, the amount of sensitive devices and documents we have in our houses is increasing. Even if you don’t work from home, you likely have several laptops, tablets and smartphones, alongside personal email, social media and online banking accounts, and that means using strong passwords to protect them all has never been more important.

Ideally, every account and every device you use should have a different password - as if one password gets cracked, at least that means only one device or account is at risk. Each password should also be impossible to guess and extremely difficult to crack.

This means you may be faced with the daunting prospect of tens, if not hundreds, of complex, difficult to remember passwords.

The good news is that password manager tools can help you generate complex passwords and keep them all safe and secure so you can access them on any device, without having to memorise them. Even better news is that you don’t have to spend huge amounts of money on them - for example, Bitdefender Premium Security comes with the powerful Bitdefender Password Manager

Here’s how Bitdefender Password Manager can help keep you completely secure when working from home.

 1. Simplify your online accounts 

Bitdefender Password Manager can collect all of your passwords in one secure location. It works across multiple devices and platforms, including Windows, macOS, Android and iOS, and all major web browsers are supported as well.

You can easily browse through your accounts, and Bitdefender Password Manager can automatically fill in your username and password when logging into websites.

2. Shop safely and securely

Not only can Bitdefender Password Manager auto fill your username and passwords, but it can also do the same for your payment details. 

They’ll be stored and encrypted securely, and you can quickly enter them in whenever you find an online bargain.

3. Check the strength of your current passwords 

Bitdefender Password Manager has a built-in password strength check tool that can analyse how strong your passwords are. The stronger a password is, the harder it is to guess or crack.

If any of your passwords need to be made more complex, Bitdefender Password Manager will tell you straight away, so you can plug up any potential security holes quickly and easily.

4. Generate complex passwords with ease

If you need to come up with a complex password for either existing accounts, or new ones, then Bitdefender Password Manager can help generate secure, complex and unique passwords with a single click.

This means you no longer need to use the same password for multiple accounts, and every password Bitdefender Password Manager generates is completely secure. They are all instantly saved as well, so Bitdefender Password Manager will do all the hard work for you.

5. Easy account recovery

Entrusting all of your passwords, login details and payment methods to a single service can seem risky - especially if you’re using the service to store important work information as well, but with Bitdefender Password Manager, you can be completely confident that your information is safe and secure.

It saves all of your data using the strongest data security protocols such as AES-256-CCM, SHA512, BCRYPT, HTTPS, and WSS, and it’s all encrypted and decrypted locally, so no other third party can get access to it - and only you will get access via a Master Password.

If you forget the Master Password, don’t panic about losing access to all of your passwords, as you can recover your account using a Master Key.

Find out more about how to keep yourself protected with Bitdefender's cybersecurity blog.

Bitwarden and LastPass are two of the best password managers available today. They are also comparable when it comes to their features and the platforms/browsers they support.

However, the recent LastPass hack may be the reason you’re looking for an alternative in the first place. If so, Bitwarden is an open source password manager that even allows you to host your own server instead of using the company’s cloud servers. This can help prevent your passwords from ending up in the hands of hackers but it also gives you a bit more flexibility and customization.

So which password manager should you get and should you use a password manager in the first place? This Bitwarden vs. LastPass face-off is here to help you decide between these two top password managers.

Bitwarden vs. LastPass: Specs

Bitwarden vs. LastPass: Price

Bitwarden and LastPass both offer a free tier for users who want to test out their password managers. However, Bitwarden’s free plan has fewer limitations than what’s on offer from LastPass. With Bitwarden’s free plan, there are limits on 2FA (email and authentication app only) and file sharing with the ability to share vault items with only one other user. With LastPass’s free plan, file sharing is the same but you’re also limited to one device category, so you’ll have to decide whether you want to use its password manager on desktop or mobile, as you can’t use it with both.

When it comes to the paid plans offered by both services, Bitwarden is significantly cheaper for both individuals and families. Its paid plan for a single user costs just $10 per year while its family plan costs $40 per year and can be used by up to six users. Meanwhile, LastPass’ single user plan costs $36 per year while its family plan costs $48 per year for up to six users as well.

Winner: Bitwarden

Bitwarden vs. LastPass: Platform compatibility

Both Bitwarden and LastPass support a wide variety of platforms including Windows, Mac, iOS, Android and Linux. However, LastPass can also be used with Chrome OS by installing the Android app or the Google Chrome browser extension while Bitwarden can only be used with the extension.

As for browser extensions or add-ons, Bitwarden takes the lead here with support for more browsers. While LastPass offers extensions for Chrome, Edge, Firefox, Safari and Opera, Bitwarden supports these browsers as well as Edge, Vivaldi and even Tor.

Winner: Bitwarden

Bitwarden vs. LastPass: Software

While both of these popular password managers offer full functionality through their websites and browser extensions, you can also download their desktop and mobile apps.  

Bitwarden’s desktop app has a menu on the left where you can access all of your passwords or add certain ones to your favorites. They are also organized by types below your favorites and these include Login, Card, Identity and Secure Note. The Send button at the bottom allows you to create file or text links to credentials stored on your computer which you can then copy or share to send to others. You also have the option to select a date on which access to anything you’ve sent will expire. It’s worth noting that you need to select View in the app’s toolbar to access Bitwarden’s password generator.

Unlike Bitwarden that also has a desktop app for Linux, LastPass only has them for Windows and Mac but they can’t be used with its free version. They closely resemble the company’s web vault with your Passwords, Notes, Addresses and other stored information available from the menu on the left. You can view stored passwords as a list or in blocks and they can be sorted several different ways. With the LastPass Windows app, you can store up to 5,000 items but the company notes in a support page that you may see a performance decrease after adding 2,500 or more items.

Both password managers also offer full-featured mobile apps for iOS and Android. Bitwarden and LastPass’ mobile apps allow you to access your stored credentials, auto-fill passwords and create new, strong passwords using their built-in password generators. 

Winner: Tie

Bitwarden vs. LastPass: Form filling

Besides storing your passwords, the best password managers also make it easy to access them when logging in to different sites and services. Bitwarden and LastPass both have an auto-fill feature that can copy passwords stored in your vault and enter them when you need to log in.

With either password manager, you can auto-fill passwords using their browser extensions on desktop or their mobile apps on your smartphone. On Android, Bitwarden and LastPass have a standard auto-fill as well as an inline auto-fill option. The difference being that standard autofill uses a pop-up window while inline autofill lets you choose a password from the space above your keyboard when trying to log in.

Both password managers make it easy to auto-fill your passwords on websites from your browser and when using mobile apps on your smartphone.

Winner: Tie

Bitwarden vs. LastPass: Security

Bitwarden and LastPass both store your passwords using AES-256 encryption inside your vault and they can only be unencrypted once you enter your master password. However, once you’ve logged in and set up a two-step method like your fingerprint, you don’t need to type out your master password each time you want to access one of your stored passwords.

Although both companies undergo regular security audits, Bitwarden’s code is open source while LastPass’ isn’t. This means that anyone can review Bitwarden’s code for security flaws which will then be patched by the company. Another interesting thing about Bitwarden being open source is that you can download its code and host it on your own server instead of in the cloud.

With LastPass, all of your credentials are stored on the company’s cloud servers. Back in December of last year, the company revealed that attackers used information stolen from a previous data breach that took place in August to steal customer data, including backups of their encrypted vaults. We’re still learning more about the LastPass hack but the security implications of the incident are reason enough to choose a different password manager.

Winner: Bitwarden

Bitwarden vs. LastPass: Two-factor authentication 

Two-factor authentication (2FA) is available with both Bitwarden and LastPass. While the free version of Bitwarden allows you to use 2FA through authenticator apps like Authy or Google Authenticator as well as email, the paid version supports SMS, phone calls and security keys. However, LastPass has its own authenticator app but you can also use both Google and Microsoft’s authenticator apps. It also supports biometric (face and fingerprint) authentication, voice recognition, SMS and one-time passwords for 2FA.

Winner: LastPass

Bitwarden vs. LastPass: Customer support

As using a password manager for the first time can be difficult, Bitwarden and LastPass both have plenty of self-help resources available online in their FAQs and you can also reach out to either company’s community forum for answers to common problems from other users.

While Bitwarden only offers email as a way to directly contact someone at the company for support, LastPass offers 24/7 phone support to its paid customers as well as 24/7 email support to its business customers. 

Winner: LastPass

Bitwarden vs. LastPass: Bottom line

Bitwarden and LastPass both provide a convenient way to store, generate and auto-fill passwords on desktop and mobile. They also support all of the main platforms and have extensions available for all of the main browsers.

When it comes to their free offerings, both password managers have some limitations, like fewer 2FA options and only being able to share vault items with one other user. However, LastPass’ free plan is worse than Bitwarden’s since you can only use the service with either your mobile devices or on desktop — not with both. 

Bitwarden is surprisingly cheap for individuals at just $10 per year and its annual family plan costs just a few dollars more than LastPass’ individual plan. Still though, LastPass throws in a few nice extras like dark web monitoring and 24/7 phone support, so it might be a better choice if you’re less tech savvy.

LastPass’ recent security issues are hard to ignore as one of the main reasons to get a password manager in the first place is to keep your credentials out of the hands of hackers. Fortunately, 1Password is on a par with LastPass in terms of features and pricing, but Bitwarden’s open source nature and the fact that you can host your own server help set it apart from the competition.

Hackers are once again abusing Google Ads to take unsuspecting users to phishing sites but this time, they have their sights set on Bitwarden and other password managers.

With one of the best password managers, you can securely store all of your login credentials in one place and even generate new, strong and complex passwords using their built-in password generators. However, with all of that sensitive data in one place, this makes password managers the perfect target for cybercriminals.

Besides KeePass which stores your passwords locally, most password managers are cloud-based so that you can access your passwords through their websites or mobile apps. Bitwarden and other password managers store your passwords in a password vault where they are encrypted and you need to use your master password to unencrypt them.

Now though, it appears that hackers are using fake ads on Google Search to lead Bitwarden users to convincing-looking phishing sites with the aim of stealing their password vaults.

Why you shouldn’t click on the first results in Google Search

According to a new report from BleepingComputer, Bitwarden users began seeing an ad with the title “Bitward - Password Manager” in Google’s search results when looking for “bitwarden password manager” earlier this week.

They then took to both Reddit and the Bitwarden forums in an attempt to warn others. While some could easily spot that the ad led to a phishing site due to the fact that the domain was “appbitwarden.com” instead of just “bitwarden.com”, many users did end up clicking on it. Doing so redirected them to the site “bitwardenlogin.com”.

This phishing site was carefully designed to look like an exact replica of Bitwarden’s actual Web Vault login page. In its testing, BleepingComputer found that the site did accept user credentials but once they were submitted, it would redirect them to Bitwarden’s official login page. To make matters worse, the phishing site also tried to steal MFA-backed session cookies or authentication tokens to gain full access to a Bitwarden user’s password vault.

Bitwarden isn’t the only password manager being targeted by fake ads though, as MalwareHunterTeam recently discovered that criminals had turned to fake Google ads to target 1Password users.

Ads are an important part of the online ecosystem and without them, we wouldn’t have Google Search, Gmail, Google Docs or any other of the search giant’s online productivity tools. However, you should think twice before clicking on any ads in a search engine as they could lead to phishing sites. Since anyone can buy an ad online, hackers can as well. While Google has strict security checks on its ads, bad ads do manage to slip through the cracks from time to time.

For this reason, you should always scroll past the first results on Google Search as they are usually ads. Bitwarden and other companies’ actual sites appear further down in the search results. Clicking on the first result you see may seem natural but you could be putting yourself at risk by doing so.

How to protect the credentials stored in your password manager

If you use a password manager, you need to make sure you’re taking additional steps to protect the passwords stored in your vault. The first of which is to enable multi-factor authentication (MFA) so a hacker would need your password and something else to access your account.

One-time, SMS codes may be a popular form of authentication but they’re actually not that secure since an attacker could use sim swapping to hijack your codes. Authentication apps like Google Authenticator are a better method and they aren’t that difficult to use. Meanwhile, physical security keys are the best method for protecting your accounts, but they can be a hassle.

At the same time, you want to be sure you’re using the best antivirus software to protect your PC, the best Mac antivirus software to protect your Mac and the best Android antivirus apps to protect your Android smartphone. For those that are very security conscious and more at risk than others, you may also want to invest in the best identity theft protection as these services can help you recover from fraud as well as get back your identity if it’s stolen online.

Password managers are great, but you may not need one now that Google, Apple, Microsoft and other tech giants are pushing passkeys as an alternative to passwords. However, even then, you need to be careful where you click even if you’re on a legitimate search engine.

Now might be a pretty good time to learn how to delete your LastPass account. In case you hadn't heard, LastPass suffered a pretty serious data breach earlier this year. Now it's been announced that the breach was a lot more serious than any of us realized — with users' vaults being exposed to attackers.

While the security around vaults and the passwords they contained is pretty sturdy, users have been advised to change all their passwords as a precaution. Some of you may be seriously considering ditching LastPass altogether, and signing up for another one of the best password managers. 

There are a few things you should know before you delete your LastPass account. The first is that you’ll have to export your vault, and ensure all your passwords and notes don't get deleted forever. The other is that you’ll need to do it all in a web browser, since the mobile app is severely lacking in this area.

Here's how you can export your vault and how to delete your LastPass account for good.

How to delete your LastPass Account: export your vault

If you haven’t exported your vault, or migrated your info to another password manager already, here’s what you need to do:

1. Head to LastPass.com and hit log in in the top right corner.

2. Close all pop-ups that may show up, and click Advanced options in the left menu.

3. Choose Export.

4. Check your email inbox and junk folder for a verification message.

5. Click Continue export

6. Log in again when prompted, and repeat steps 2 and 3

7. Log in for a third time when prompted. LastPass will now produce a webpage with the contents of your vault in plain text

8. Save the contents of your list somehow. This can be as simple as a copy-paste into a Word document, or saving the entire page as a PDF

9. Verify you’ve saved everything, and make a backup somewhere safe and secure.

How to delete your LastPass account

Now you have the contents of your vault saved, it's time to delete your account. Here’s how you delete your LastPass account for good:

1. Head to https://lastpass.com/delete_account.php in your web browser.

2. Click the red Delete button on the right hand side.

3. A pop-up will ask if you can remember your Master Password. Select Yes or No, depending on whether you remember your LastPass master password. We'll cover both outcomes below. Don't worry, you can delete your account either way.

4. Clicking Yes throws up the menu below, warning you this is permanent that that you should export your vault first. Enter your password and click Delete.

5. If you click No, that you don’t know your Master Password, you’ll get the below screen. Make sure your email is correct and click Send Email

8. After seeing this pop-up, head back to your email inbox. Check your junk mail if it’s not there.

9. Click the link that says "permanently delete my LastPass account now".

10. The following page will appear. Click Delete to finish the process

While the process to delete your LastPass account isn't as simple as we'd have liked, it's still a fairly quick process. Once you're finished, and have your vault safely stowed away, be sure to check out our list of the best password managers to find a suitable replacement. Just remember that you should still use a password manager for a variety of reasons, least of all having the extra security of using unique passwords for each account you own.

If you're getting sick of passwords, find some comfort in the fact that almost everyone else is too. That's why the big tech companies are starting to introduce passkey software, which may hopefully eliminate the need to store and use passwords once and for all. The good news is that you can already start using these features on Apple devices and Chrome. We have guides on how to set up passkeys on iPhone, iPad and Mac and how to use passkeys on Google Chrome, if you're interested.

After informing customers that its password manager had suffered a security breach back in August, LastPass has now revealed that the attackers behind the incident also managed to steal users’ vault data.

In his initial security incident notice, LastPass CEO Karim Touba said that “we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.” However, we’re now learning that the cloud storage service used by the company to store archived backups of production data was also breached by the attackers responsible.

From here, the attacker used stolen source code and technical information from LastPass’ development environment to target one of its employees. After obtaining the employee’s credentials and keys, the attacker then used them to access and decrypt storage volumes stored within the company’s cloud storage.

Touba also explained in his latest security incident notice that the attacker “was able to copy a backup of customer vault data from the encrypted storage container.” Although this vault data is “stored in a proprietary binary format,” it also contains unencrypted data like website URLs as well as “fully-encrypted sensitive fields” like website usernames and passwords, secure notes and form-filled data.

Stolen vault data is safe for now

Fortunately, the encrypted fields in this stolen data are secured with 256-bit AES encryption and “can only be decrypted with a unique encryption key derived from each user’s master password” according to Touba.

It’s also worth noting that LastPass doesn’t know its customers’ master passwords, nor is this information stored or maintained by the company.

While it appears that the passwords and other sensitive data stored by LastPass customers in their vaults is safe for now, Touba did warn that the attacker may try to brute force their master passwords in an attempt to decrypt their stolen vault data. However, due to the hashing and encryption methods used by the company, this “would be extremely difficult to attempt” – especially for customers who follow its best password practices.

At the same time, the attacker may try to target LastPass customers through phishing attacks, credential stuffing or other brute force attacks against the online accounts stored in their vaults. Touba also points out in his security incident notice that the company will never call, email or text customers or ask them to click on a link to verify their personal information in an effort to keep them safe from potential social engineering or phishing attacks. LastPass will also never ask you to provide your master password.

Should you delete your LastPass account?

As reported by BleepingComputer, LastPass’ cloud storage breach is the second security incident disclosed by the company this year after it confirmed back in August that an attacker was able to breach its developer environment using a compromised employee account.

If this is a bit unsettling as a LastPass customer, you may be thinking about deleting your account. While LastPass has been one of the best password managers for years now, these recent security incidents show how valuable hacking a company like this can be for an attacker (this is how to delete your LastPass account if you're so inclined).

If you don’t plan on deleting your LastPass account, you should at least pick a new master password, especially if your original one wasn’t complex or unique enough. To do so, you can use a password generator to create an even stronger one.

Other password managers worth considering

For those who feel they can no longer trust LastPass, there are plenty of great alternatives out there including 1Password, Dashlane and Keeper.

1Password costs the same as LastPass per month, Dashlane has an excellent desktop interface and with Keeper, Tom’s Guide readers can get an annual subscription for just $21 thanks to this promotion.

If you’re looking to save some cash, Bitwarden has a totally unlimited free version. While we normally recommend you don’t store your passwords in your browser, Chrome Password Manager is a great free option to hold you over until you make your final decision. 

1Password is an excellent password manager that works on a multitude of devices. It’s easy to set up on an iPhone or iPad and for Android users, it’s easy to install on your Android phone or tablet too. There are versions for macOS Ventura, Windows 11 and Linux along with extensions for popular browsers. Basically, if it's a place where you’ll need a password then there’s probably a 1Password solution.

The problem is that these platforms are starting to abandon the password for the passkey. Luckily, 1Password is prepared, and just announced passkey support coming in 2023.

First reported by 9to5Mac, 1Password will be adding passkey support next year, allowing its users to sign in without a password. The company has even set up an interactive demo for existing users so they can see how the feature will work when it rolls out.

1Password does say that its version will have a couple of advantages over its competitors. Because it's available on so many platforms, 1Password claims its passkeys are the only ones that support multiple devices and allow for cross-platform sync. It will be interesting to see if this versatility gives it an advantage over the likes of Apple, Google and Microsoft.

Apple, Google and Microsoft all abandoning passwords for passkeys 

This was probably a move of necessity for 1Password, as this year began a major shift away from the password. This year, Apple, Google and Microsoft announced that they are teaming up to kill off passwords. Called the FIDO alliance, this organization is dedicated to abandoning insecure passwords for more secure passkeys. 

Unlike passwords, which can be compromised fairly easily through data breaches, passkeys aren’t stored anywhere for malevolent actors to access. Instead, there is a credential stored on your device that nobody can access. This is called a private key.

When you need to log into a site or application, the site will use a public key to request that you authenticate this private key, typically using biometric authentication like Apple’s FaceID. Once authenticated, you are able to log into the site or application just like if you had a password. The one caveat here is that the site or application needs to support passkeys. Otherwise, it won’t matter that your device supports them.

We’ve already seen a peek at what Apple plans to do with passkeys. They announced the feature this year and it is expected to come to macOS Ventura, iOS 16 and iPadOS 16. Similarly, Google has announced how to implement passkeys in Chrome and Android.

Now with 1Password joining the fray as part of the FIDO alliance, it seems it's now a matter of when, not if, passkeys take over passwords. What remains to be seen is if it remains one of our best password managers — or becomes our best passkey manager. 

Google has announced that passkey support will soon be available on both Android and Chrome as part of the search giant’s efforts to usher in a passwordless future.

Even if you use one of the best password managers to generate strong, complex passwords for each of your online accounts, you can still get hacked. This is because many online services use two-factor authentication (2FA) to further secure your accounts.

The problem with 2FA or even multi-factor authentication (MFA) is the fact that hackers can use SMS-based man-in-the-middle attacks to steal the one-time passcodes sent over text to login to your accounts. This can be done by bribing someone at your wireless carrier through a process known as SIM swapping.

By bringing passkeys to Android and Chrome, Google aims to further secure your online accounts in a similar way to how Apple did by adding passkey support to iOS 16 and macOS Ventura.

What are passkeys and how do they work?

For those unfamiliar, passkeys are unique digital keys that are a safer and more secure alternative to traditional passwords since they can’t be reused and are stored in an encrypted format on your devices.

Since they aren’t stored on a web server in the cloud, if a company falls victim to a data breach, your passkeys won’t be exposed. Unlike with security keys, you don’t have to bring an additional device with you as they are stored securely on your phone or computer.

Passkeys are based on public key cryptography in which a secret private key is stored on your devices while a public key is stored on a web server. As hackers can’t easily gain access to your private key, your devices and accounts are much more difficult to hack.

You can try Passkeys in Google Password Manager

According to a new blog post from Google, the Google Password Manager backs up and syncs passkeys on Android. If you happen to have two Android devices – say one of the best Android phones and one of the best Android tablets – the passkeys created on one device are also available on the other. 

Passkeys in Google Password Manager are also always end-to-end encrypted. When a passkey is backed up, its private key is backed up using an encryption key that can only be accessed from your devices. While this helps protect passkeys from hackers, it also prevents Google from accessing them. 

If you want to use passkeys in Google Password Manager, you will need to set up screen lock on your Android device first. This is done to prevent others who may have access to your smartphone from using one of your passkeys. 

When it’s time to sign in, you can use your saved passkeys along with your fingerprint, face or screen lock. Likewise, you can also use passkeys on your Android device to sign into a site on Chrome with your desktop or laptop. In this scenario, you need to use your phone to scan a QR code on your computer to securely sign in.

New phone, no problem

As passkeys are stored on your phone, what happens when you want to upgrade to a new device? Fortunately, when you set up a new Android device, your end-to-end encryption keys are securely transferred when you move the rest of your apps and data to it.

It’s worth noting that in some cases such as when an older device is lost or damaged, you may need to recover your end-to-end encryption keys from a secure online backup according to Google. To do this, you will need to provide the lock screen PIN, password or pattern from another device that has access to those keys. If you need to restore passkeys on a new device, you will need to be signed into your Google Account and an existing device’s screen lock.

Google has also made it more difficult for hackers to try and brute force your lock screen PIN or pattern. After 10 incorrect attempts to use screen lock on an existing device, it can no longer be used. However, you can still use screen locks from your other existing devices.

Moving to a passwordless future

Google moving away from passwords is nothing new. In fact, Google, Microsoft, Apple and other tech giants are members of the FIDO Alliance and the World Wide Web Consortium (W3C) which have been working to help drive adoption of secure authentication standards for years now.

However, with the introduction of passkeys on Android, Chrome, iOS and macOS and with Microsoft planning to bring them to Windows in the near future, the password as we know it may finally be dead.

Remembering your passwords can be a pain, especially if you follow security advice and use unique passwords for every account. However, there is a solution — by using one of the best password managers, not only do you no longer have to remember each of your passwords, but you can also generate strong and complex passwords using them.

It may seem simpler to just use easy-to-remember passwords or reuse passwords for multiple accounts, but this puts both you and your online accounts at risk from hackers and scammers. This is because if a hacker gains access to one of your passwords, they could then use it to log into every account that uses this password.

We've tested many different password managers, and the best one on the market is 1Password. It allows you to store an unlimited number of passwords and includes a number of extra features to keep you safe online.

However, this guide also contains recommendations for those looking for something specifically — for example, the best free password managers, or the best password manager with extra security and privacy features.

The best password managers you can buy today

The best password manager overall

1Password is competitively priced, easy to use, and comes with all the features you’ll need in a password manager. From core functions like autofilling passwords across an unlimited number of devices to premium security monitoring, 2FA, and passkey support, 1Password is a full-featured password manager with plans for both individuals and families.

With support for Windows, Mac, ChromeOS, and Linux on desktop as well as both iOS and Android, you’ll be able to use 1Password to store and sync your passwords on whatever device you’re using. Likewise, 1Password also offers browser extensions for Google Chrome, Safari, Firefox, Brave, and Microsoft Edge.

While 1Password doesn’t offer a free tier like some of its competitors, this isn’t a deal breaker, as most of these free plans come with significantly fewer features and loads of limitations. This password manager does have a few unique features too, like Travel Mode, which lets you temporarily hide logins, as well as the ability to restore recently deleted records.

1Password is a top-notch password manager with built-in security, and in testing, I found it easy and intuitive to use. I also liked how its passkey support is more advanced than its competitors and how you don’t have to pay for extras like a VPN that you may not necessarily need.

Overall, 1Password is a great choice if you want an excellent password manager that works across all platforms.

• Read our full 1Password review

The best free password manager

Bitwarden offers a whole lot of value for the price, regardless of whether you stick with its free plan or upgrade to one of the paid ones. At the same time, this password manager is highly secure, open source, and many premium features are available on its free tier.

Bitwarden has apps for Windows, Mac, and Linux on desktop as well as for iOS and Android on mobile. One other thing that sets this password manager apart from the competition, besides its low cost, is that it also offers browser extensions for Vivaldi, Tor, Brave, and DuckDuckGo in addition to more popular browsers like Chrome, Safari, Firefox, Edge, and Opera.

Even if you only sign up for the free version of Bitwarden, you still get unlimited syncing for as many passwords as you want, along with autofilling, secure note storage, and sharing. Of all the password managers I’ve tested, Bitwarden’s free plan has the fewest limitations.

However, upgrading to this password manager’s premium plans won’t set you back that much at all. Bitwarden’s premium plan costs just $10 per year, while its family plan is only $40 per year for up to six people. You also get access to secure cloud storage, priority support, advanced 2FA options, and health reports, which show if your passwords are weak or have been exposed in a data breach.

Bitwarden does offer quite a lot with either its free tier or its premium plans, but it isn’t the most intuitive password manager to use, especially with features like its autofill function. However, it does the basics really well and has the cheapest premium tier of any password manager I’ve tested.

• Read our full Bitwarden review

The best password manager for security

Keeper is another competitively priced password manager ($20.98 per year for Tom's Guide readers) with a strong emphasis on security and a consistent user experience across platforms. It has a simple design, which makes it easy to use, and Keeper matches most of the features found in its top two competitors: 1Password and Dashlane.

Keeper works across Windows, Mac, and Linux on desktop as well as on iOS and Android on mobile. However, there are also browser extensions available for Google Chrome, Safari, Firefox, Opera, and Microsoft Edge.

Unlike 1Password, Keeper does have a free tier, but it likely won’t be useful for most people as it’s limited to just one mobile device. As for its paid plans, you can pick between either an individual or family plan, and the latter supports up to five people. Instead of making you pay more for features you might not need, Keeper lets you add dark-web monitoring and additional cloud storage space as part of its Plus Bundle. There are other add-ons too, like the one for priority support, which you can add to either the individual or family plan.

Keeper has expanded the number of built-in templates for storing other types of sensitive data, and 20 new ones were recently added to its password manager.

I was also a big fan of the service’s offline mode, which creates an encrypted copy of your vault and stores it locally for when you need to access your passwords but don’t have internet access.

Keeper falls slightly short of 1Password, but it’s definitely worth considering if you’re looking for a secure password manager that’s easy to use.

• Read our full Keeper review

The best password manager for iPhone

NordPass is a password manager with a simple, intuitive design from the company behind NordVPN — the best VPN on the market. It’s still a relatively new password manager compared to the competition, but it has added a number of new features like a web vault, a standalone browser extension, and biometric login support across all platforms in an effort to catch up.

NordPass is available for Windows, Mac, and Linux on desktop, and while there isn’t an official ChromeOS app, you can use its web vault on a Chromebook. It also works on both iOS and Android on mobile devices, and there are browser extensions for Chrome, Safari, Firefox, Edge, Brave, and Opera.

In addition to its individual and family plans with support for up to six people, there’s also a free tier. NordPass free allows you to store an unlimited number of passwords, and it also comes with autofill capabilities, passkey support, secure notes, and multifactor authentication.

However, I discovered during testing that the free tier only allows you to stay logged in on one device at a time, which is frustrating. NordPass’ paid plans are a bit more expensive than the competition, but frequent discounts can cut the cost of a subscription significantly. In fact, Tom's Guide readers can save an extra 55% and get an extra 6 months free when they sign up for NordPass' two-year plan here.

In addition to more robust password management, upgrading to one of NordPass’ premium plans also gets you security monitoring for your passwords, secure online storage, passkey sharing, and Emergency Access capabilities. NordPass has come closer to competing with 1Password and Keeper with its recent updates, and its free tier is one of the best after Bitwarden.

If you want a password manager with a consistent user experience and all the premium features you could need, NordPass is certainly worth considering.

• Read our full NordPass review

The best password manager on a budget

Like NordPass, Bitdefender Password Manager is another relatively new offering, but it’s also backed by a security company. As such, it’s integrated into Bitdefender Antivirus and the company’s other products with seriously strong encryption to protect your credentials and your privacy.

Bitdefender Password Manager has apps for Windows and Mac on desktop and for iOS and Android on mobile. There are also browser extensions for Chrome, Safari, Edge, and Firefox. One thing that sets it apart from other password managers is that if you forget your master password, Bitdefender can recover your entire account for you.

While Bitdefender doesn’t offer a free tier of its password manager, it does give you a discounted rate during your first year of service. Bitdefender Password Manager costs $20 for the first year for its individual plan and goes up to $30 upon renewal. There’s also a shared plan for up to four people that costs $40 for the first year and then $60 after that.

Bitdefender Password Manager is a reasonably priced password manager from one of the biggest names in online security. Several layers of heavy-duty security protect your privacy while 2FA keeps your account and your passwords safe from hackers.

If you already use Bitdefender to secure your PC, then signing up for the company’s password manager makes sense, especially as it’s one of the cheapest premium password managers we’ve tested.

• Read our full Bitdefender Password Manager review

The best password manager for privacy

Proton Pass is a solid password manager with a simple interface that covers all of the basics with some unique premium features.

Like NordPass, it’s also offered by a company known for its VPN service, though Proton released its secure email service Proton Mail before launching Proton VPN. Proton Pass is another relatively new password manager and is constantly being updated with new features and functionality.

Proton Pass is available for Windows, Mac, Linux, and ChromeOS (via Android) on desktop as well as for Android and iOS on mobile. There are also browser extensions for all of the main web browsers, including Chrome, Safari, Firefox, Edge, and even Brave.

There are two paid tiers as well as a free version of Proton Pass. Pass Plus is for individuals, while Pass Family covers up to six users. While the paid options are relatively affordable when you commit to an annual subscription, the service’s free tier is quite good, and I found it to be almost on par with Bitwarden during testing.

Free users get access to unlimited logins across unlimited devices, password auto-filling, passkey support, and basic password health alerts. However, they also get 10 hide-my-email aliases for creating new online accounts, but the free tier doesn't come with credit card storage or secure item sharing.

In a similar way to NordPass, your Proton account works across all of the company’s other services, which include a VPN, encrypted email, and secure cloud storage. Its hide-my-email aliases are a standout extra feature, but you also get dark web monitoring to easily check if your credentials are being misused online.

If you already use one or more of Proton’s other services, Proton Pass is an easy choice, and if you’re on the fence, you can always sign up for the free tier first to try out this password manager before signing up for a paid subscription.

• Read our full Proton Pass review

How to choose the best password manager for you

Most of the best password managers have the same essential functions, but things differ when you get to their extra features.

Some of them, such as Dashlane, 1Password, and Keeper, alert you about the latest data breaches, sometimes for an extra price. Many password managers can also offer to save your personal details, credit card numbers, and other frequently used information so that they can quickly fill out online forms for you. (This is much safer than letting retail websites save your credit card information.)

LastPass once offered an excellent, unlimited free service tier, but that baton has since been passed to Bitwarden, which also has a $10 annual premium plan that covers most of the basics.

1Password’s Mac and iOS apps have generally been kept more up-to-date than the company’s Android and Windows applications. It may be the best choice if you exclusively use Apple devices, but the other password managers work just fine across all platforms.

We also tested and reviewed a number of other password managers that didn't quite make the cut for this guide, but are certainly worth considering if you want even more options. They include Zoho Vault, True Key, Myki, RoboForm, Blur, and KeePass.

The biggest decision, though, is whether you want your passwords to be stored locally on your own computers and mobile devices or in the cloud on someone else’s servers. There are pros and cons to each approach, though.

▲Back to the top

Cloud vs. local management

When it comes to picking the right password manager for you, it’s worth considering whether you want your saved passwords to be stored in the cloud or locally on your devices.

For instance, 1Password still gives you the option to store and sync your “vault” of passwords and other sensitive information locally. However, the company still prefers that you use its cloud servers instead.

By default, Bitwarden syncs passwords on its own servers, but it does provide very detailed instructions on how to shift this function to servers you control instead.

Syncing your passwords locally does provide a security advantage, as none of this data needs to reach the internet. For those who want to maintain total control over their passwords, this is the way to go.

The downside here is that it can be a hassle to synchronize these passwords on all of your devices. Some services will allow you to do so over a local network, such as a Wi-Fi network or on your own server. Alternatively, you could also put your password vault on a USB flash drive and physically move it from one computer to another.

Cloud-based password managers are far more convenient as these services keep encrypted copies of your vault on their own servers. This ensures that all of your devices will be synced, and transmissions between your devices and a company’s servers are encrypted.

Although small, the risk is that one of the cloud servers – even one that you control using Bitwarden – could be breached and your passwords could be leaked into the wild.

If a password manager is doing its job correctly, it’s storing all of your passwords in an encrypted format and only storing your master password as a “hash” that is the result of an irreversible mathematical process.

Whether it’s local or cloud-synced, a password manager puts all of your eggs in one basket, so to speak, unless you use more than one password manager. For most people, though, the demonstrable benefits of using a password manager far outweigh the disadvantages.

How we test the best password managers

To see how well the best password managers stack up, we put them through extensive testing while conducting our reviews. This involves trying out their desktop apps, mobile apps, and browser extensions on a variety of smartphones, tablets, computers, and web browsers. However, we also look at the support options available to see whether or not each service has useful setup guides for each platform.

In our latest round of testing, we used a 2020 MacBook Air running macOS 12.7.6 Monterey, an iPhone 15 Pro running iOS 17.6.1, and Google Chrome as our primary browser.

From here, we added our credentials from several popular sites to each password manager. We then tested out their autofill capabilities as we went about our normal web browsing. This way, we could see whether or not a particular password manager is easy to use in your day-to-day life.

For more on our testing procedures, check out our how we test page.

LastPass and 1Password are two of the best password managers available today. They are also comparable in price, features and compatibility, especially since 1Password released a full-fledged Linux version.

However, LastPass does have a leg up with its free tier. While it has most of the basic functionality you could want, it now limits syncing across device types (computers, smartphones and tablets) to its premium plan. Still though, 1Password’s user experience on Apple devices and its design improvements on other platforms put it in close proximity to the competition.

So which password manager should you get and should you use a password manager? This LastPass vs. 1Password face-off is here to help you decide between these two top password managers. 

LastPass vs. 1Password: Specs

LastPass vs. 1Password: Price

LastPass and 1Password cost essentially the same amount per year — about $36 — for individuals who are looking for all the premium features each password manager has to offer. 

A family plan will set you back a little more with 1Password, which charges $59.88 per year for up to five people (and $12 for each additional login after that). That's compared to $48 per year for up to six users with LastPass.

What's more, you can save on those monthly fees with our LastPass coupon codes.

Where LastPass has a real edge, though, is with its free tier. Unfortunately, that free tier isn't quite the deal it used to be, as customers on this plan are now limited to syncing data only among computers or only among mobile devices. 

But the value of LastPass's free tier is still high for users looking for password management basics at no cost. It includes unlimited password storage, one-to-one sharing, a password generator, automatic password saves, automatic form filling, secure note storage, multi-factor authentication and the LastPass Authenticator mobile app.  

1Password does not have a free option, but it does have a trial period of two weeks. LastPass' free tier lets you use the premium functions for a month.

Winner: LastPass

LastPass vs. 1Password: Platform compatibility

With the addition of 1Password's full support for Linux on desktop, the two password managers are roughly comparable in terms of compatibility with major platforms. 

To use the LastPass browser extensions, as LastPass recommends, you must be running Windows 8.1 and above, "the two most recent major macOS versions" (currently includes 10.15 Catalina and later), Chrome OS or one of the most common distributions of Linux.

Supported browsers include Google Chrome, Microsoft Edge, Mozilla Firefox, Apple Safari and Opera. You can also download a Windows or Linux "universal installer" mini-app that will put the extension on every browser you have installed.

There are two types of LastPass browser extensions. The first is the regular kind you can find in your browser's extensions library. (Brave and Vivaldi can use this Chrome extension and SeaMonkey the Firefox one.)

The second type of extension, available for Chrome, Firefox, Safari and Opera, has a "binary component" that can log you in (and out of) LastPass on other desktop browsers and supports Windows fingerprint login. 

To get the "binary" extensions on Windows and Linux, use the universal installer. On Mac, the desktop app gives you the Safari binary extension, but there's a separate installer for the Chrome one.

Chrome OS can use either the regular LastPass Chrome browser extension or the LastPass Android app. The "binary" Chrome browser extension is not supported in Chrome OS.

On mobile, LastPass is available for iOS 13 and up. Full support with automatic form-filling requires Android 8.0 Oreo or later, but the app will run on Android 5.0 Lollipop and later.

The LastPass desktop app works on supported versions of Windows and macOS, although LastPass would rather you stick to the browser extensions. The Windows desktop app is only available in the Microsoft Windows Store.

1Password's options are a little less complicated, but just as robust. Its desktop app works best on the most up-to-date operating systems. It currently requires 64-bit Windows 10 or Windows 11. On macOS, you will need 10.13 High Sierra or later.

In May 2021, the 1Password Linux desktop app officially moved out of beta; it supports most major Linux distributions. Chrome OS uses the 1Password Chrome extension.

There's also 1Password X, aka 1Password in the Browser, a browser extension that does not require the companion desktop app. It works on Brave, Edge, Google Chrome (including Chrome OS) and Mozilla Firefox as well as Safari on Mac. 

It's not as full-featured as the 1Password desktop apps, but it does have Dark Mode and biometric-login support for Windows Hello, Touch ID on Macs and comparable Linux biometric-login systems.

There are also 1Password command-line interfaces for Windows, Linux, macOS/Darwin, FreeBSD and OpenBSD. 

The "classic" 1Password browser extensions for Brave, Chrome, Edge and Firefox that require a 1Password desktop app are also still available. On mobile, 1Password requires iOS 12.2 or later and Android 5.0 Lollipop.

Winner: Draw

LastPass vs. 1Password: Software

While both password managers offer full functionality via their websites and browser extensions (especially with the updated 1Password X), users have the option to download desktop apps as well. 

1Password's desktop version is minimal, but in a good way — it's unlikely to overwhelm you with options. The current app has just four main sections in the left toolbar to help you manage your account: Vault, Watchtower, Categories and Tags.

The Mac version installs a dropdown menu directly into the Mac menu bar, a third way to access your 1Password vault along with the desktop app and the browser extensions. A more modern design, similar to the look of the new Linux desktop app, has now arrived on Windows and Mac.

On the LastPass side, the desktop app has six primary and five secondary sections, making it a bit more like the web experience. While the macOS version is fairly robust, the Windows desktop app is no longer being developed and has some significant limitations. 

In our experience, the pairing of the LastPass browser extension with the web app is almost all you'll ever need.

Importing passwords from other password managers, both stand-alone and browser-based, is a breeze in LastPass, which supports imports from nearly 30 different platforms. Meanwhile, 1Password imports passwords directly from only a few other password managers, including LastPass and Dashlane.

If LastPass or 1Password doesn't support direct imports from a particular platform, then you have to export your password list from the other platform to a comma-separated-values (CSV) file (i.e., a spreadsheet's data table), which 1Password or LastPass can then take in.

Winner: Draw

LastPass vs. 1Password: Form filling

Both LastPass and 1Password offer robust form-filling — including logins, addresses and credit card information — on both desktop and mobile. 

LastPass' form-filling function on mobile devices works via a Safari browser extension for iOS 8 and above and as a built-in app feature for Android 8.0 Oreo or later. 

1Password users can turn on autofill for mobile browsers and apps in their iOS or Android settings. Full support for autofill requires the latest version of iOS and Android 8.0 or later. 

Winner: Draw

LastPass vs. 1Password: Cool features

LastPass previously had a handful of unique features that are no longer available, but one handy function that still exists is the ability to recover your account if you lose your master password. (With 1Password and many other password managers, you're out of luck.) 

There are several ways to do this, but the most secure is to generate a one-time recovery password on a device on which you already have LastPass installed. 

1Password's cool feature is Travel Mode, which is especially useful and potentially a lifesaver for frequent travelers who often face border controls. Travel Mode lets you denote Vaults as "Safe for travel" or "Remove for travel."

Once you toggle Travel Mode on, your "Remove for travel" vaults are deleted from your device until you turn Travel Mode off. This prevents anyone with access to your device — such as a border guard — from discovering your sensitive data when the device is powered on. 

Travel Mode requires the full 1Password desktop client app for Windows, Mac or Linux. The 1Password X/1Password in the Browser stand-alone extensions haven't gained it yet.

1Password also offers "masked" email addresses through a partnership with webmail provider Fastmail. You can sign up with a website using a "masked" address that will then redirect to your real address, but all the website will have is the masked one. The catch is that you have to subscribe to Fastmail as well as to 1Password.

1Password has a secure sharing service called Psst! as well. You can select any item you've already saved in 1Password — a password, credit-card number, passport information, etc. — and create a secure link where that information will be temporarily displayed. 

You can share that link with anyone you like, or with specific people, but none of them have to be 1Password subscribers. The link expires after a time of your choosing, ranging from after the first view to as long as 30 days.

LastPass also has a secure sharing service for items saved in its Vault, but the recipients need to be LastPass users as well.

Winner: 1Password

LastPass vs. 1Password: Security

Most password managers, including LastPass and 1Password, use powerful 256-bit AES encryption, and both password managers' vaults are unlocked on your device only after you've entered your master password. 1Password adds an extra layer of security with a 34-character Secret Key that works alongside your master password. 

LastPass paying users get to use the Security Dashboard, which analyzes all your stored passwords for weakness and whether any have been compromised in data breaches. There's a very similar feature in 1Password called Watchtower.

Both LastPass and 1Password have built-in password generators, offer 1GB of secure online storage and let you securely share passwords with others.

Both platforms are Service Organization Controls (SOC 2) compliant, meaning they have carefully documented security policies and undergo regular audits. (Here are our tips on how to protect your online passwords.)

However, LastPass recently suffered a data breach during which time, hackers stole customers' backups which is why many users of the service have begun to look at 1Password and other password managers as an alternative to the service. 1Password on the other hand, has never experienced a data breach.

Winner: 1Password

LastPass vs. 1Password: Two-factor authentication 

Both LastPass and 1Password support two-factor authentication via authenticator apps (which use time-based one-time passwords, or TOTPs) and physical security keys. Neither sends 2FA codes via text message; trust us, that's a good thing.

LastPass' free plan works with authenticator apps like LastPass Authenticator, Google Authenticator, Microsoft Authenticator, Duo Security or Transakt. Those with a LastPass premium subscription can also use hardware authenticators such as Yubico's YubiKey, a fingerprint sensor or a smart-card reader. 

The platform also offers a multifactor authentication feature called Grid, a chart you can print out to generate security codes manually. 

1Password's options are a bit more limited, perhaps because this layer of security wasn't originally built in. Currently, its 2FA function is compatible with Authy and Microsoft Authenticator as well as physical U2F security keys like YubiKey and Google's Titan key. 

Winner: LastPass

LastPass vs. 1Password: Bottom line

LastPass still has a slight price advantage over 1Password with its free tier, though that option's limitations when compared to Bitwarden's unlimited free tier makes LastPass' value proposition a bit less attractive. 

LastPass has a leg up when it comes to importing passwords from other platforms, although few customers will use that function more than once. Meanwhile, 1Password still offers the most convenience for Mac users.

Because LastPass and 1Password now cost the same for all premium features, it's hard to ding 1Password's pricing. LastPass does have the edge when it comes to 2FA options, as well as the ability to recover your account if you lost your password. But it's hard to beat 1Password's unique Travel Mode, which could make 1Password essential for frequent international travelers.

Plus, with LastPass having lost a lot of its unique functionality and 1Password having caught up on design and compatibility, the two platforms are now much more similar than they are different. LastPass still has a slight edge, especially for Windows users, but 1Password is closing the gap quickly.

Following LastPass' recent security issues though, 1Password appears to be the better choice for now.

Storing your passwords using one of the best password managers can make them more difficult to steal, but what happens when hackers go after a password management company instead? 

As reported by BleepingComputer, LastPass has disclosed that it was targeted by a cyberattack two weeks ago after rumors of the attack began circulating online. The news outlet found out about the breach after speaking with insiders last week who said the company was “scrambling to contain the attack”.

If you’re a LastPass customer, you may be wondering if your passwords and other sensitive data are still safe. Fortunately, customer passwords weren’t exposed as the hackers responsible only managed to steal the company’s source code along with proprietary technical information.

LastPass confirms it was hacked

In a new security advisory released on Thursday, LastPass CEO Karim Toubba explained that the company “detected some unusual activity within portions of the LastPass development environment” two weeks ago.

The company immediately began an investigation and so far, no evidence has been found that any customer data or encrypted password vaults were accessed by the attacker behind the breach.

The attacker was able to gain access to LastPass’ development environment by using a single compromised developer account. Once inside the company’s systems, they “took portions of source code and some proprietary LastPass technical information”, according to Toubba.

Although all of LastPass’ products and services are operating normally, the company has deployed containment and mitigation measures. It’s also working with a cybersecurity and forensics firm to conduct an expanded investigation into the incident.

Why your passwords are still safe

In addition to being one of the best password managers, LastPass is also one of the largest and the company says its services are used by more than 33 million people and 100,000 businesses worldwide.

Although your passwords are certainly safer when stored inside a password manager, there is always the chance that if a company like LastPass or 1Password is hacked, cybercriminals could gain access to your stored passwords.

The reason your passwords are still safe after this breach is due to the fact that LastPass stores all customer passwords inside encrypted vaults that can only be decrypted by using your master password. In an FAQ at the bottom of its security advisory, LastPass explains that no master passwords were compromised as a result of the incident. 

At the same time, the company doesn’t store nor does it have knowledge about your master password. This is because LastPass uses Zero Knowledge architecture which ensures it can never know or gain access to its customers’ master passwords. Likewise, none of the data stored inside customers’ encrypted vaults was compromised during the breach.

Normally, after a data breach, companies recommend that users change their passwords but in this case, LastPass says that users don’t need to take any action at this time. The company also plans to keep users updated on the findings of its investigation once they become available. 

Working from home, or remote work, means you need a home office space that helps you put your best foot forward at school, job, small business or side gig. The options for working at home continue to improve, with sharper webcams, clearer microphones and Wi-Fi mesh routers that eliminate any dead zones. 

We’ve tested dozens of great products to help people work better from home over the past year, and the Tom’s Guide Awards is here to celebrate the best of the best devices and services to make you as productive (and comfortable) as possible.

And check out all the winners of the Tom's Guide Awards 2022.

Best monitor

Best monitor: Apple Studio Display

If you’re a Mac user, the Apple Studio Display is a killer home office monitor. Like the Pro Display XDR, the Studio Display offers useful features for creative professionals, including a range of reference modes and P3 wide color gamut support. But it also has unique features that any Mac user can enjoy, like a killer (for a monitor) six-speaker sound system and a 12MP ultrawide camera that supports Apple's Center Stage feature, courtesy of an onboard A13 Bionic chip. If your home office is Mac-centric, this is one of the most compelling monitors for your setup. 

Best Wi-Fi router

Best Wi-Fi router: Asus RT-AX86U

The right Wi-Fi router can make all the difference in a full house especially when gaming and the Asus RT-AX86U is a powerhouse that delivers great speeds and loads of customization. Besides Wi-Fi 6 support, we were really impressed with the built-in security software and lifetime updates as this means you can rest easy knowing your router is running the latest software. The design of the Asus RT-AX86U also caught our attention as the device is raised up vertically as opposed to lying flat. Three antennas help it broadcast a strong wireless signal that can pass through walls and ceilings while vents at the top and bottom of the router help keep it cool. The 1 Gbps and 2.5Gbps Ethernet ports provide excellent speeds from your modem, four gigabit downstream Ethernet ports let you connect all of your devices and a pair of USB 3 ports let you add multiple external hard drives to your home network. Asus also rounds out the package with two years of warranty protection and support.

Best mesh system

Best mesh system: Netgear Orbi WiFi 6E (RBKE963)

If you want to blanket your whole home with a strong Wi-Fi connection and you’re willing to spend a bit more to do so, the Netgear Orbi WiFi 6E (RBKE963) checks all the boxes when it comes to one of the best mesh routers. Available in either a two-pack or three-pack, this quand-band mesh system from Netgear ships with support for Wi-Fi 6E and can cover up to 12,000 square feet, making it an ideal choice for larger homes. We were equally impressed with the number of Ethernet ports available as the base unit as well as both satellites each have four to make it easy to connect wired devices. Of all the mesh routers we’ve tested, the RBKE963 had the best performance and the setup process was also a breeze using either the Orbi app or through a browser. The Netgear Orbi WiFi 6E (RBKE963) is a future-proof upgrade that you’ll be able to reliably use for years to come.

Best webcam

Best webcam: Anker PowerConf C200

Logitech has been the go-to brand for the best webcams for years, but thanks to the pandemic, it’s seen a lot of new competition. The best new webcam we’ve seen is the Anker PowerConf C200, which has a number of great features at a low price. It retails for around $60, yet has a 2K webcam, stereo mics, and an adjustable field of view — all things not easy to find at this price. It was sharp and clear in all lighting conditions and our callers could hear us well. Best of all, when we didn’t want to be seen or heard, the C200 has a built-in privacy shutter. If you want to outfit your home office with a great webcam at a great value, this is it.

Best wireless charger

Best wireless charger: Belkin Boost Charge Pro 3-in-1 Wireless Charging Pad with MagSafe

Among the growing range of 3-in-1 wireless chargers, Belkin's made the best wireless charger we've come across in the past 12 months. It's ideal for users who reduce the number of cables on their desk or nightstand, but without compromising on speed or design. Belkin offers space for your iPhone, wireless earbuds and Apple Watch (either flat or in Nightstand mode) on the silicone pad, but it's flat enough that you can fit it easily under a monitor, or pack it up to take it with you on your travels. You also get full iPhone MagSafe and Apple Watch wireless charging speeds too thanks to the included brick, which saves you having to find your own compatible charger like many rival charging pads make you do. It ensures you have everything you need to keep your devices topped up, your cables at a minimum and your desk looking stylish. 

Best ring light

Best ring light: Logitech Litra Glow

Streamer's fatigue isn't just about the exhaustion of sitting still for hours on end. The ring light you use can be an absolute terror on your eyes, but that's where this not-a-ring ring light comes in. Adjustable and customizable with many brightness and warmth settings (which you can save as presets), we love the Logitech Litra Glow because it just won't hurt your eyes. To test it out, we worked all day with it on, and just ... got used to it. Oh, and it comes with its own monitor mount, so you don't have to worry about using a stand or GorillaPod mount. Who would have guessed the definition of "a great ring light" wouldn't come in a ring shape like the other best ring lights?

Best antivirus software

Best antivirus software: Norton 360

Although Microsoft Defender has improved significantly in recent years, one of the perks about upgrading to any of the best antivirus software solutions like Norton 360 is all of the extra features on hand. Besides excellent malware protection, Norton’s offering also packs in parental control software, online storage, a password manager, webcam protection, an unlimited VPN and more. We found these extras to be quite useful and they help justify Norton 360’s more expensive price. You can also add identity theft protection by subscribing to Norton 360 with LifeLock Select instead. We were also impressed with Norton 360’s ability to protect a single computer or even an entire household’s devices. You’ll be hard pressed to find another paid antivirus product that provides a one stop-shop for your digital security and privacy in the way that Norton 360 does. 

Best password manager

Best password manager: 1Password

Instead of having to remember all of the strong, complex passwords for each of your online accounts, one of the best password managers like 1Password simplifies things as you only have to remember your master password. While Mac users have loved the service for a long time now, we’ve been very impressed by the progress the company has made when it comes to improving its Windows app as well as its more recent Linux app. 1Password’s stand-alone browser extensions are available for Chrome, Edge, Safari, Firefox and Brave and now also support biometric authentication for additional security. Travel Mode is another interesting 1Password feature as it allows you to hide sensitive data when visiting other countries. Likewise, the service’s Psst! data-sharing feature lets you send a temporary link to anyone to share your passwords even if they’re not a subscriber themselves. More importantly though, Watchtower checks for weak, compromised and duplicate passwords and you can even have 1Password automatically change your passwords for you.

Best standing desk

Best standing desk: Vari Electric

Standing desks are great for any office, home or otherwise, because it keeps you from sitting down all day, which has been shown to lead to numerous health problems. There are lots of great standing desks, but what made the Varidesk stand out *ahem* among the best standing desks was its great design; not only was it the best-looking standing desk we tested, but it was also far easier to assemble than every other model. If you’re working from home and don’t have someone to help — or you’re the type for whom IKEA furniture is like trying to build the pyramids — this could make a huge difference.

Best VPN

Best VPN: ExpressVPN

Based on our own extensive testing of the best VPN services out there, ExpressVPN has earned and retained the top spot for quite some time now. The company has over 3,000 servers in 160 locations spread across 94 countries around the world, making it perfect for bypassing region blocks. We also like the fact that ExpressVPN’s open-source Lightway protocol is able to deliver blazing fast speeds without compromising your security thanks to the inclusion of AES-256 encryption. Besides apps for desktop and mobile, there’s also support for smart TVs and game consoles as well as apps for routers. Being able to easily reach ExpresssVPN’s support team is another big plus for us with live chat available 24/7 and experts available to walk you through even the most complex configurations. Although it isn’t the cheapest VPN out there, Tom’s Guide readers can get an extra three months free when they sign up for an annual subscription.

Google just announced several updates to its Password Manager service in a blog post. Google has been working for some time to compete with the best password managers but has often lacked features that the other managers have offered. With this latest update, Google hopes to make their platform stand above the third-party options. 

Google Password Manager: New features 

The biggest update to come with this update is the ability to add passwords directly to the app. Previously, users had needed to add their password when prompted by Google to save their password after already logging into a webpage. Now, users can simply go into the password manager and manually add passwords for their most commonly used log-ins.

Additionally, Google announced that Android users can create a shortcut for their homescreen that allows them to launch Google Password Manager instantly. iOS users get something, too. Google will now allow iPhone users to generate passwords for their iOS apps when you set Chrome as your autofill provider.

Google Password Manager: Is it consistent across devices? 

Google says that with these new updates users will have “a simplified and unified management experience that's the same in Chrome and Android settings.” While this may change, at the time of this writing that is not quite the case.

The Chrome for Windows 10 and Android Google Password Managers are very similar, but with a notable exception. The Chrome on PC Password Manager will not let you add passwords manually from the Google Password Manager site. Instead, users need to go to chrome://settings/passwords, where they can then add as many passwords manually as their heart desires. 

Google Password Manager: How to add a password on Chrome for Windows 10 

• Go to chrome://settings/passwords
• Scroll down to Saved Passwords and select add
• Enter the URL, username and password for the password you wish to add
• Click save

And that’s it. The password will now show up in your saved passwords list across your devices.

Google Password Manager: How to add a password on Android

You have to jump through a couple of hoops to access Google Password Manager. But once you are actually in Google Password Manager on Android the process is very simple. There will be a "+" icon next to your saved passwords. Just hit that icon and enter in the log-in information you wish to save.

You can make accessing Google Password Manager even simpler on Android by setting up a shortcut on your phone’s homescreen. To add this shortcut, click the gear icon in the top right corner of Password Manager. This will open your settings for Password Manager, and you will see a section that allows you to add a shortcut. Just tap that, and you are done.

Until Google releases a standalone app for Password Manager, it will be tough to justify using it over a third-party application. I personally use Bitwarden, which has the best free tier of any password manager. However, it is nice to see Google focusing on this important aspect of digital security.

It's March 2022, there's war in Eastern Europe, the COVID-19 pandemic seems to be winding down — and the world's most commonly used passwords haven't changed in years. They're still the worst passwords you could possibly use.

These poorly-thought-out passwords include gems like "123456", "password" and "qwerty" (the first six letters on a standard English-language keyboard). Other winners are "111111", "123456789" and the mildly ingenious "1q2w3e" (a fun little finger dance on a keyboard — try it yourself).

This list isn't taken from a single source. All appear on a list of the 20 passwords most commonly found in dark-web lists compiled from data breaches, per Lookout via a recent CNBC article. They're also on NordPass's list of 2021's 200 most common passwords  and its 2020 list as well. You can also find them on CyberNews's top 10 list of 2022.

Going back further, the same passwords appear on a massive password list compiled by security researcher Ata Hakçıl in mid-2020, a somewhat smaller list put together in 2019 by the U.K.'s National Cyber Security Centre and HaveIBeenPwned.com and Keeper Security's list of 2016's 25 most common passwords. Most are on SplashData's lists of the 25 most common passwords from 2011 through 2019.

The most recent lists of lousy passwords

Only the rankings among these seem to change. Here's the Top 10 list that Lookout sent us a month ago (we're waiting for information about how it was compiled), plus the 11-20 entries that Lookout gave CNBC:

1. 123456
2. 123456789
3. qwerty
4. password
5. 12345
6. 12345678
7. 111111
8. 1234567
9. 123123
10. qwerty123
11. 1q2w3e
12. 1234567890
13. DEFAULT
14. 000000
15. abc123
16. 654321
17. 123321
18. qwertyuiop
19. Iloveyou
20. 666666

Here's NordPass' 2021 Top 10:

1. 123456
2. 123456789
3. 12345
4. qwerty
5. password
6. 12345678
7. 111111
8. 123123
9. 1234567890
10. 1234567

And CyberNews' early-2022 entry:

1. 123456
2. 123456789
3. qwerty
4. password
5. 12345
6. qwerty123
7. 1q2w3e
8. 12345678
9. 111111
10. 1234567890

Needless to say, this is sad. It shows that many people just can't be bothered to protect themselves online. If you're using any of these terrible passwords, or anything that even looks like them, stop doing so immediately. 

How to use passwords correctly

It takes just a little effort to come up with good, strong passwords. For example, if you take four random words of five letters or more and string them together in every possible way, you'll end up with 24 strong, hard-to-guess but easy-to-remember passwords. 

Let's review the three cardinal rules of passwords.

— Make every password long and strong. Each password should be at least 16 characters long. Ideally, they should include capital letters, digits and punctuation marks, but if they're 20 characters or more you can probably get away with all lower-case letters. 

— Never reuse a password, because that makes the damage from data breaches much worse. If one account of yours is compromised in a data breach, then every account with which you use the same password and username should also be considered compromised.

— Don't use personal information in your passwords. You may love your pet, but don't use its name in your password. Don't use your own name, your hometown, your birth year, or the names of any of your loved ones. "FluffyMcKenzie69" may be long and contain upper-case letters and digits, but it's still not a great password.

We strongly recommend doing two other things which are slightly inconvenient but will make your online accounts much safer.

— Set up two-factor authentication on every online account that allows it. This requires you to enter a one-time code or plug in a USB security key when you're logging in from a new device, but it also means that crooks who steal your passwords won't be able to log in.

— Use a password manager. These programs and online services remember your passwords for you, and also help you generate new ones. All you need to remember is the password for the password manager. Most of the best password managers have both free and paid service tiers, and a few are entirely free.

Editor's (sad) note: On March 1, 2022, the Myki company announced that it had been bought and that all Myki software will stop working on April 10, 2022. 

Obviously, we can no longer recommend Myki as a password manager. We hope that Myki's new owner, JumpCloud, continues to use Myki's intriguing approach to password management and considers making a consumer version.

Myki offers password management for free — completely free for personal use. It does all the basics, including unlimited syncing across devices, without making you choose between a no-cost and a premium tier. There's no family plan, though, so Myki only really works for individual users. 

Myki's approach to security is different from that of the other best password managers, as all of your data is stored locally on your devices rather than on the company's servers. 

Your password vault syncs between the desktop and mobile apps with only a temporary relay through the cloud. That means that while there is a browser extension, Myki has no web vault that you can access from anywhere. 

Some of Myki's features were a bit buggy in our testing, and it didn't provide the smoothest overall user experience. As free password managers go, Bitwarden's no-cost tier is a better choice for most people. 

But Myki is a solid option for the security-conscious user who doesn't want personal information stored online, and we're eager to see Myki develop further.

Read on for the rest of our Myki review.

Myki: Costs and what's covered

Myki is completely free for consumers. There's only one plan, with no premium or family upgrades. This is unique among commercial password managers — even those, like Bitwarden, that offer full-featured, no-cost accounts also have paid tiers. 

Myki does offer a few small customizations like custom tags that users can purchase separately ($2.99 each) or as a $9.99 package, but none add important functions. 

Myki's consumer plan comes with basic features like the storage and syncing of unlimited passwords, identities and payments across devices; autofill; secure sharing; and two-factor authentication. There's also a basic security dashboard, which lets you know if your logins are weak or compromised. 

There aren't any bells and whistles with Myki, but again, it's free. The greatest value may be in Myki's approach to security, which we'll get into more below. 

Myki supports Windows 8 and up and macOS 10.12 and up. Linux installers come in the .deb, .appimage, Snap and pacman formats, supporting Debian, Ubuntu, Linux Mint, Arch Linux and many other distributions. 

Browser extensions are available for Chrome, Firefox, Safari (packaged with the macOS app), Opera and Edge. Mobile apps support iOS 10.0 and higher and Android 5 and up. 

I tested Myki on a 2020 MacBook Air running macOS 10.15.7 Catalina, an iPhone XR and Google Chrome.

Myki: Setup

To set up Myki, you'll need to download the desktop app. There is no web vault because of Myki's offline security model. As with many password managers, you can also create your account in the mobile app, but you'll need the browser extension on your computer to import credentials from another service or browser.

You'll enter your phone number, which is used for verification, followed by a six-digit PIN code. Unlike every other password manager we know of, there's no master password with Myki.

Before you enter your vault, you'll be prompted to install the browser extension — you can skip this step initially, but the extension is the only way to batch-import passwords from other services — and then select an import option.

Myki supports imports from Chrome and a handful of other password managers as well as via CSV. If you don't want to import during setup, you can return to this option later in the extension under the Advanced Settings menu (four horizontal lines).

On mobile, download the app and click through the intro screens to enter your phone number. If you've already set up Myki on your computer, you'll be prompted to add this device to your existing account.

Tap that option, open your desktop app and select Paired Devices from the left-justified menu. Tap Add an App and enter the pairing code from your phone in the pop-up. (If you're pairing mobile to mobile, there's an option to scan a QR code instead.)

Finally, you'll create a second six-digit PIN for each mobile device. This could easily be the same as your desktop PIN, but Myki doesn't automatically make the code universal. Once you're logged in, you can enable biometrics, found in Settings > Authentication Settings on desktop and More > Authentication Settings on mobile.

My vaults synched quickly and automatically upon login.

Myki: Desktop

You need both the desktop app and the browser extension to maximize Myki's features, as there are certain functions that are allowed only in one or the other. As noted, there is no web-only vault because data is stored locally on your devices. 

The Myki desktop app is basic, with a left-justified menu bar where you can navigate between your vault items: passwords, payment cards, notes, two-factor authentication, ID cards (documents) and identities (names and addresses). This menu also has paired devices and settings. 

To add an item, simply tap the plus button at the top next to the search bar. Each item type has pre-populated forms, although you can add custom fields as a paid upgrade. 

Interestingly, while you can view and copy items in the Myki desktop app, you can't launch a website directly, so you'll likely spend more of your time in the browser extension. The extension also has a left-justified menu bar with options to view your vault, the password generator, your settings and additional features (importing, etc.).

The vault tab shows all your items by default, though you can sort by category using the drop-down menu or find individual items using the search bar at the top. You can edit individual items, copy information or launch sites from each listing.

There are also granular autofill settings that you can customize by item. When you launch a website from the extension, Myki will automatically pop up a list of possible credentials to select from, no hotkey or icon click needed.

Myki's password generator will create passwords of up to 200 characters. You have to copy and paste from the generator into the password form field when creating a new account, after which Myki will ask if you want to add the login to your vault.

Finally, the browser extension settings allow you to customize form filling, 2FA and backup scheduling. While importing is handled in the browser extension, exporting, backing up and restoring are possible only in the desktop app settings.

Myki: Mobile apps

Myki's mobile apps are arguably more full-featured than the desktop and browser-extension combination, as the mobile apps include the security dashboard and sharing functionality. 

The bottom navigation toolbar has options for recently viewed items, item categories, your connected device list and additional settings. There's also a centered plus button for adding items from any screen. 

Tap the Categories icon to select the vault section you want to view. There's also a search function on the main categories page. To add an item, tap the plus sign and select the category.

Under the More section, you'll find a long list of additional functions. The Security Dashboard shows your weak, reused, old and at-risk passwords, plus an overall security score. There's no call to action directly from this report, although you can click through each item to get to the website and change your password within the Myki app.

The Sharing Center shows you items you've shared and items shared with you, and you can tap the plus button to select an item to send to another Myki user.

This is also where you'll find the password generator, with which you can create and copy new passwords, as well as account and device settings, wearable settings for Apple Watch and in-app chat support. As with the browser extension, you'll be redirected to your desktop app to back up and restore items.

During testing, the password autofill feature didn't work in my mobile browser. You'll have to select Myki as your preferred password manager in your phone settings, and then it will automatically be presented as an option above your keyboard when autofilling.

However, my app was unable to match the correct login or find it in my vault when I searched — a major flaw that required me to go back into the Myki app to copy my credentials. The support team told me that a bug fix was in the works for this problem.

Myki: Security

Myki's security setup is unique among similar password management tools, as vaults are stored completely offline on your local devices rather than on company servers. This means that if central servers were compromised in any way, there's no data for hackers to steal.

Information is end-to-end encrypted using AES-256 when synching between your mobile devices and the browser extension on a desktop. If a device is offline, your encrypted data will be held briefly on Myki's server while waiting for a connection and wiped quickly if the target device isn't reached. 

As a relative newcomer, Myki doesn't have a history of compliance or security audits of its consumer password manager. A Myki representative told us they expect to have an audit completed soon.

There is no two-factor authentication for your Myki vault, but you can use the app as an authenticator for 2FA on other websites. Myki will autofill your username, password and 2FA code, if enabled.

With Myki's biometric authentication, you don't need to enter a master password or PIN to access your vault — though you can opt to use your six-digit PIN instead of biometrics. The platform supports Face ID, Touch ID on iOS and macOS, Windows Hello, Android fingerprint readers and Pixel 4 Face Unlock.

Myki also has a feature called Paranoid Mode, which requires you to approve every autofill request and then enter your PIN or biometrics, a helpful option if other people have access to your computer. While it does not lock the browser extension, it does require the same approval to view or copy passwords.

Myki password manager review: Bottom line

Myki combines the basics of password management and monitoring with a strong security approach, all for free. For users who don't trust a third party to safely store their data, Myki's offline model may be an attractive feature. Myki relies on a PIN code rather than a password, and it has a unique Paranoid Mode feature that universally requires approval for every vault access request. 

You also get an unlimited number of devices on your free account, which is a better deal than offered by the no-cost tiers from the likes of Keeper, LastPass and Dashlane. That said, Myki isn't the only free option available, and because there are some buggy features in Myki's apps, Bitwarden's free tier may be a better choice for many consumers.  

Updated with note about planned shutdown of Myki apps on April 10, 2022. This review was originally published in January 2022.

Sometimes you shouldn't use a password manager — if that password manager happens to be the one built into your desktop web browser.

That's because desktop web browsers, despite their best efforts, tend to do a lousy job of safeguarding your passwords, credit-card numbers and personal details, such as your name and address. 

Web browsers are fairly easy to break into, and lots of malware, browser extensions and even honest software can extract sensitive information from them.

Instead, you should save passwords in a stand-alone password manager, or even just write them down in a book. You should then purge at least all your passwords for sensitive accounts — anything to do with money, shopping, webmail or social media — from your web browsers. We'll show you how below.

Top password managers

Crossing a red line

For the past couple of years, for example, a particularly nasty piece of malware has been making the rounds. It's called RedLine and it steals passwords and other sensitive data from most browsers on Windows, including Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and Brave.

As security firm Proofpoint observed in its initial writeup of RedLine in March 2020, the malware "steals information from browsers such as login, autocomplete, passwords, and credit cards." 

"It also collects information about the user and their system such as the username, their location, hardware configuration, and installed security software," the report added. "A recent update to RedLine Stealer also added the ability to steal cryptocurrency cold wallets."

Most recently, RedLine has been spotted posing as a bogus Windows program that tracks the spread of the Omicron variant of the COVID-19 virus. Like earlier versions of RedLine, this strain is likely being distributed via email.

Password stealers are not uncommon

RedLine runs on Windows, but Mac browsers aren't immune to password stealers. Cross-platform malware called XLoader steals passwords from Macs and PCs alike. Hacks exist for Apple's Keychain password manager, which is used by Apple's Safari browser if you log into Keychain across multiple Macs. 

Because Chromium-based browsers such as Chrome, Edge, Brave and Opera share the same underpinnings, you can download and run free software to get information from them on macOS, Windows or Linux. Free software to extract passwords from Windows browsers has been around for at least a decade.

You don't even need to have malware or a malicious browser extension running to have your passwords stolen. If your desktop web browser automatically fills in form fields with saved passwords — and several do by default — then websites can read those auto-filled passwords without having to do anything devious to your machine.

How to deal with passwords saved in your web browser

So what should you do with all those passwords and other information you've been letting your browser remember and save? 

The most obvious step is to use a stand-alone password manager. You have to pay for some of the best password managers, but others are free to use. They're not totally immune to malware, but they're a lot safer to use than web browsers for saving your passwords. 

Like web browsers, most stand-alone password managers will offer to save passwords as you enter them. They also let you save credit-card numbers and address information as well as passwords. It's also easy to export passwords saved on your browser in a form that can be imported by a password manager.

You could also write down passwords and other sensitive information on a piece of paper or in a notebook and keep that locked up at home. There's no shame or harm in taking that route, and there's no risk of malware stealing the pages.

How to stop your web browser from saving your passwords

Following are further steps you need to take to purge your passwords from your web browser. 

In most cases, the Settings menu is found by clicking on the three dots or lines in the top right corner of the browser window. In Opera, you access Settings by clicking the Opera icon in the top left. As for Safari, it does things its own way.

Brave: Settings > Advanced > Autofill. Toggle off "Offer to save passwords."

Chrome: Settings > Autofill. Toggle off "Offer to save passwords."

Edge: Settings > Profiles > Passwords. Toggle off "Offer to save passwords."

Firefox: Settings > Privacy & Security. Scroll down to Logins and Passwords and uncheck "Ask to save logins and passwords for websites."

Firefox also gives you the option of designating websites for which the passwords will never be saved.

Opera: Settings > Advanced Settings > Autofill > Passwords. Toggle off "Offer to save passwords."

Safari doesn't have a specific setting to stop password saving, but it will stop asking if you take the steps below to stop auto-filling passwords.

How to make sure your web browser doesn't autofill your passwords

Brave: Settings > Advanced > Autofill. Toggle off "Auto Sign-in."

Chrome: Settings > Autofill. Toggle off "Auto Sign-in."

Edge: Settings > Profiles > Passwords. Edge won't let you turn off autofill, but it lets you choose whether to automatically fill in passwords or to first prompt you for the device password (your Windows account login) before autofilling. If you select the latter option, you can further choose whether to always ask for the device password or to ask only once per browsing session.

Firefox: Settings > Privacy & Security. Scroll down to Logins and Passwords and uncheck "Autofill logins and passwords."

Opera: Settings > Advanced Settings > Autofill > Passwords. Toggle off "Auto Sign-in."

Safari: Safari (in menu bar) > Preferences > select Autofill tab. Uncheck "User names and passwords" and "Credit cards." You can also go to Preferences > select Passwords tab and uncheck "AutoFill usernames and passwords," but that won't affect saved credit-card numbers.

How to export your browser passwords

Your browser can export a list of saved passwords as a comma-separated-values (CSV) file, which you can open with Excel or another spreadsheet program. Stand-alone password managers can also import CSV files.

Brave: Settings > Advanced > Autofill. Click the three stacked dots opposite "Saved Passwords," then select "Export passwords."

Chrome: Settings > Autofill. Click the three stacked dots opposite "Saved Passwords," then select "Export passwords."

Edge: Settings > Profiles > Passwords. Click the three horizontal dots opposite "Saved passwords," then select "Export passwords."

Firefox: Settings > Privacy & Security. Scroll down to Logins and Passwords and click "Saved Logins." You'll be taken to a new tab entitled "Firefox Lockwise" that will list all your saved passwords. In the upper right of the tab, click the three horizontal dots and select "Export Logins."

Opera: Settings > Advanced Settings > Autofill > Passwords. Click the three horizontal dots opposite "Saved passwords," then select "Export passwords."

Safari: File > Export > Passwords, then click "Export Passwords." You'll have to enter the password you use to log into the Mac to save the CSV file. (Note: This works only on macOS Catalina 10.15 and later.)

How to delete your browser's saved passwords

Finally, you'll want to delete the passwords saved in your web browser. 

Brave: Settings > Advanced > Autofill. Click the three stacked dots next to each password entry, then select "Remove."

Chrome: Settings > Autofill. Click the three stacked dots next to each password entry, then select "Remove."

Edge: Settings > Profiles > Passwords. Click the three stacked dots next to each password entry, then select "Remove."

Firefox: Settings > Privacy & Security. Scroll down to Logins and Passwords and click "Saved Logins." You'll be taken to a new tab entitled "Firefox Lockwise" that will list all your saved passwords. In the upper right of the tab, click the three horizontal dots and select "Remove All Logins." 

If you'd rather remove only some passwords in Firefox and keep others, you can select each entry individually in the left-hand navigation column on the Firefox Lockwise page, then click "Remove" in the upper-right part of the entry displayed in the main part of the page.

Opera: Settings > Advanced Settings > Autofill > Passwords. Click the three stacked dots next to each password entry, then select "Remove."

Safari: Safari (in menu bar) > Preferences > select Passwords tab. You'll have to enter your macOS password or use Touch ID to see the contents of the tab. Once you do, you can select each password entry individually, or shift-click to select multiple entries. Then click "Remove" at the bottom left of the window.

Which passwords to delete, and one more crucial step

It might be OK to let your browser remember passwords that don't really matter — for example, those that get you access to websites in which no financial transactions are involved. After all, some websites just want you to register your name and email address so they can send you spam later on. 

But if there's a credit-card number tied to the account, or anything that involves money, be it an online store or a bank account, then get that password out of your web browser. The same goes for passwords for social-media and webmail accounts.

Whatever you do, don't reuse your passwords. If you do, then you expose yourself to credential-stuffing attacks. That's when crooks take passwords exposed in data breaches, phishing attacks or browser hacks and try using them on other accounts that you may have signed up for. 

Put it this way: If one account gets hacked or otherwise compromised, then all the other accounts on which you've used the same password should be considered compromised as well.

RoboForm is one of the oldest password managers out there, and after 20 years remains a solid competitor in the market. 

RoboForm has raised its yearly subscription price since we last reviewed the service, to $24/year from $20/year, but other password managers have too, and RoboForm remains one of the cheaper paid options among the best password managers.

The standalone desktop app remains a poor experience on RoboForm, but the website interface, mobile apps and browser extensions have gone through a significant redesign that gives the service a much more modern feel. RoboForm still remains among the best at form-filling. 

Overall, RoboForm's paid plan is no-nonsense and effective and will manage your passwords and personal information without much flash or fuss. It doesn't offer much more than the Bitwarden free tier, and you can get newer features with the Keeper paid plan, but RoboForm is a dependable option that shouldn't disappoint you.

Roboform: Costs and what's covered

RoboForm offers a free tier and a paid subscription called RoboForm Everywhere. The latter is one of the cheaper paid offerings among password managers at $23.88 per year for a single user. You can bring down that cost by 10% with a three-year plan ($64.44) or by 16% with a five-year plan ($99.50).

A family of up to five users can be covered for $47.75 a year. Again, you can save 10% with a three-year plan ($128.85) or 16% with a five-year plan ($199.00). At the time of this writing, Tom's Guide readers got a 30% discount off the one-year individual and family plans.

RoboForm has a reasonably good free tier, with the ability to save unlimited passwords, generate strong passwords, autofill web forms, audit your passwords and be alerted of compromised ones, send passwords securely, receive emergency access to another RoboForm user's account, log in to desktop applications and manage bookmarks. 

The biggest advantage of paid accounts is the ability to sync your passwords and other items across all of your devices, which is crucial for most users.

Additional perks for paying users include cloud backup, a secured shared folder, two-factor authentication (2FA) support, the ability to grant emergency access to another RoboForm user, web access to your data and priority 24/7 support. In January 2022, it added a 2FA authenticator/code generator to its desktop apps, and that feature is coming soon to the RoboForm mobile apps.

RoboForm still offers a local-only storage option, a valuable option for users who don't wish to, or are not allowed to, store their data in the cloud. Enabling it simply requires turning off automatic sync. Just be aware that the mobile apps lack the ability to turn off automatic syncing.

Support for Windows goes all the way back to Vista. The Windows universal installer will add browser extensions to Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Microsoft Edge, Opera and Windows applications, and updated versions of the browser extensions were rolled out in March 2021.

Mac users must be running macOS 10.13 High Sierra or later, and the Mac installer includes browser extensions for Apple Safari, Google Chrome and Mozilla Firefox.

RoboForm offers similarly extensive support on mobile, going all the way back to iOS 13 and Android devices running Android 5 Lollipop. Linux users have standalone extensions available for Mozilla Firefox and Google Chrome. Chrome OS is supported via the Google Chrome browser extension. 

For this review, I used RoboForm on a 2017 MacBook Pro 15 running Windows 10 and macOS 10.14 Mojave, an iPhone 7 Plus, and a Google Pixel 3. Google Chrome was my primary browser across all platforms but testing on macOS and iOS was also done with Safari.

RoboForm: Setup

To get started, just navigate to the RoboForm downloads page. It will recognize the device that you are browsing from and recommend the correct version. The universal installer for macOS and Windows will also install the full-featured browser extensions for all supported browsers. 

Now you need to create your account, which requires just an email address and a master password. RoboForm requires that the master password be at least 8 characters long with a minimum of 4 non-numeric characters. As with most password managers, there is no way to recover this master password if you lose it.

If you were already using some other method of password management, either in your browser or with another stand-alone password manager, you should import your data.

RoboForm supports imports from 1Password, Dashlane, LastPass, NIS, Xmarks, KeePass, Keeper, Enpass, Password Boss, Zoho Vault, True Key and Sticky Password, as well as generic CSV files. It will also import from any browser that supports the RoboForm extension on that platform, including on Chrome OS and Linux.

Finally, you can install RoboForm on the rest of your devices and your data will immediately sync between them as soon as you enter your RoboForm master password. 

RoboForm on the desktop

RoboForm gives you four different ways to access your account on the desktop: the standalone app, the browser extension, the menu bar and the website. The functionality is largely the same among the four, which is an improvement; the last time I reviewed RoboForm, the website was a read-only experience.

The standalone desktop app has the worst user interface and user experience of the four. There is nothing to it visually, with just the eight sections of the app displayed in the left column. 

If you click on a section, you get two additional columns with the relevant data to the right. The Security Center is the lone exception, as it has a slightly more modern tabbed interface. 

The standalone app is both sparse and often confusing, as there are few explanations for even the relatively limited features of the app. The ability to unlock the RoboForm desktop app using Touch ID on a Mac is nice (and you can also do this by double-clicking the side button on your Apple Watch), but until RoboForm modernizes the interface, you will be best served by ignoring the standalone app whenever possible and interacting with the service through any of the other three options.

The website interface is quite well done, with a modern interface at the top level that is far easier to use than the desktop app. All the important sections of the app are accessible here. While things get a little less pretty when you drill down — pop-up menus for adding new items look dated — everything worked as expected.

One thing you cannot do in the web app, or in the standalone app for that matter, is generate a new password. That must be done via the menu bar or browser extension, where it is prominently featured. The password generator works very well and offers extensive options to tweak the characteristics of the password, so I just don't understand why RoboForm fails to make it available everywhere.

Likewise, generation of one-time-use 2FA codes must be done in the RoboForm browser extension. 

Identities is where you add personal information used to auto-fill form fields. It includes fields that show RoboForm's age, such as "AOL Name" and "Pager," but the form-filling itself works well.

The Contacts section in RoboForm seems out of place, and it's so rudimentary that I can't imagine anyone using it. The Safenotes makes more sense, as many people would want some encrypted text, but turning this section into safe storage for any kind of file would vastly increase its utility.

Emergency Access lets you designate a friend or family member, using their email address, as someone who will be given access to your account in the event that you cannot access the account. You choose how long the Emergency Access contact needs to wait before getting access, and you can deny their access should you regain yours during that waiting period.

While the use case for Emergency Access is if you are either incapacitated or dead, it is also a potential lifesaver should you forget your master password. Emergency Access was at one time obscured in the RoboForm interface, with the menu bar being the only way to access it, but has since been brought into the browser extensions and been added to the primary navigation bar. 

Security Center is the final section. It audits the security level of your passwords and singles out any reused passwords. In May 2021, it began importing lists of compromised passwords from Have I Been Pwned, a non-profit online tracker of passwords and email addresses exposed in data breaches.

Next to every compromised password, RoboForm provides a link to the website in question so that you can quickly log in and change the password. 

RoboForm calculates password strength using the open-source tool Zxcvbn, which detracts points for dictionary entries, common names and common passwords. This is different from the quotas for lowercase letters, uppercase letters, digits and symbols (LUDS) that most password-strength estimators rely on. RoboForm claims Zxcvbn offers a more accurate depiction of how hard it would be to crack a given password.

RoboForm mobile apps

RoboForm has massively overhauled its mobile apps since the last time I reviewed them, and the apps now have a clean, modern look. Virtually everything from the desktop interface has made its way to mobile, and form-filling is now supported on both iOS and Android, making for a much more complete experience.

The apps, which are nearly identical between iOS and Android, display the four main sections across the bottom of the screen with Start, ID, Browser and Tools.

By default, you launch into the pinned section of the Start screen. You can pin any item in your vault here by just long-pressing it and tapping "pin." The other three sections in Start are Logins, Safenotes and All.

Everything is displayed in a grid view, with logos for websites when available. You can switch to a list view that puts logos on the left and text to the right. Tapping on a login will log you into that site immediately. 

The next section is ID, which contains all the content you would find in Identities on the desktop. It displays full-width rectangular grids with distinct graphics for the data types. If you have multiple identities set up, you can switch between them by tapping the name at the top of this screen, and you can set up a new identity here as well.

RoboForm's mobile browser is perfectly adequate. It displays a little red dot over the Form Fill button in the bottom right if you have relevant stored information available for the page you are viewing. But there's no reason to use it unless you're using an older version of iOS or Android that doesn't support form-filling in all browsers.

The final section is Tools, which contains the Password Generator, Sharing Center, Security Center and Emergency Access. Everything is well laid out and the icons are nicely done. 

RoboForm: Security

Like most password managers, RoboForm uses AES-256 encryption to secure your data on its servers. Your data is never decrypted unless it's by your master password on your own devices.

RoboForm has expanded its support for two-factor authentication. While you still can't use dedicated hardware, like a YubiKey, RoboForm now supports TOTP-based mobile authenticator apps such as Authy, Google Authenticator and Microsoft Authenticator. It also now has an authenticator of its own built right into the desktop browser extensions.

You can opt to receive a one-time password via email or SMS, but those are considerably easier than authenticator apps for a hacker to attack.

RoboForm review: Bottom line

RoboForm may not be able to go toe-to-toe with the top password managers on features, but it is among the most affordable password-manager options and is certainly the strongest in the sub-$25 a year range. 

Particularly in light of the redesigned website and vastly improved mobile apps, I think RoboForm is a viable choice for budget-conscious buyers that aren't particularly swayed by the higher-end features offered by the likes of LastPass, Keeper or Dashlane.

Updated to add new placement of Emergency Access and password generator, greater importing capabilities, Apple Watch application unlocking, and Edge browser-extension features. This review was originally posted in July 2020.

Enpass was once famous for having no subscription model, choosing instead to sell permanent licenses for its software. But in November 2019, Enpass introduced its first subscription while retaining many of the free/one-time options that have appealed to customers who would rather keep password data local, or sync it how and where they choose.

Subscription or not, Enpass' pricing is still very low, with strong free desktop options, limited free mobile apps and an appealing one-time-fee option for all platforms.  

Enpass is certainly not one of the flashiest or most feature-packed password managers, but it handles the basics just fine, and at a great price. If you want more features and a sleeker interface, try LastPass or Dashlane instead.

• What are the best password managers?
• The best identity-theft protection services to keep your personal data private
• Best antivirus for Windows, free and paid

Enpass: Costs and what's covered

The Enpass desktop applications for Windows, Mac and Linux are very functional and entirely free. The mobile apps for Android and iOS offer freemium service, storing only up to 25 items for free. 

Unlocking the premium version of the mobile apps costs $15.99 for 6 months or $23.99 for a year. That's still far less that the cost of LastPass' individual premium subscription plan, but it's no longer the cheapest paid subscription we've encountered — Bitwarden's is just $10 per year.

You can opt for a permanent software license for all platforms for $79.99 instead of paying a yearly subscription fee. That should cover all your Android, iOS, Linux, Mac and Windows devices forever, for just $20 more than one year's subscription of Dashlane Premium.

The full service in the mobile apps allows unlimited passwords, account backup, a password generator, a password audit, autofill and online syncing through your choice of third-party cloud service.

Enpass supports Mac OS X 10.14.6 Mojave or later (including Apple Silicon devices), 64-bit Windows 10 version 1903 and later, and some Linux distributions (CentOS 8 and Ubuntu 18.04 or later officially supported, but other modern distros should work). Chrome OS support is through the browser extension. Supported browsers include Apple Safari, Google Chrome, Opera, Mozilla Firefox, Microsoft Edge and Vivaldi. (There's no Internet Explorer extension.)

The Enpass desktop application must be open and running for the Enpass browser extensions to work, however. This isn't true of most other password managers.

Enpass remains focused on customers who would rather keep data local, or sync it how and where they choose.

You can also install Enpass on a USB key and use it as a portable application across desktop machines. The Linux executable is different from the Mac and Windows one, but you can set up a single USB drive to be used across all three platforms.

Mobile support is equally comprehensive, including iOS 12.5 and up and Android 6.0 Marshmallow or later. (BlackBerry support was discontinued in November 2017, and Windows Phone has also been discontinued.)

For this review, we used Enpass on a laptop running Windows 10 and macOS 10.12 Sierra, an iPad Pro 12.9, a Samsung Galaxy S8+ and a Google Pixel. Google Chrome was our primary browser across all platforms, but we also tested using Safari on macOS and iOS.

Enpass: Setup

Installing Enpass from the company’s website was quick and easy. However, Mac users should be aware that if you want to use iCloud as your syncing service, you'll need the version of Enpass from the Mac App Store.

Because Enpass doesn't store your content on its servers, you won't need to create an account with the company. The initial setup is as simple as downloading the installer and creating a master password.

There is no way to recover your Enpass master password if you forget it. Unlike LastPass or Keeper, Enpass offers no account recovery options, so make sure your master password is strong but memorable.

If you used another password manager previously, or have passwords saved in your browser, you can import that data into Enpass. The program can pull credentials from more than 20 different services, so you will probably be covered. While Enpass didn't sort my items into categories such as "social media," "email" or "banks" upon import, the credentials all came over cleanly.

As with KeePass and some other DIY password managers, you can select a third-party cloud service if you want to sync your Enpass data using the internet. I chose Google Drive, but users can also sync their data through Microsoft OneDrive, Dropbox, Box, iCloud or the open-source ownCloud/WebDAV protocol. The initial sync on Google Drive took approximately 30 seconds for my roughly 300-item vault.

As of August 2021, Enpass offers local syncing of devices as long as they're all all connected to the same Wi-Fi network. Configuring Wi-Fi sync is a bit complicated, but once it's all set up it should run smoothly.

An odd quirk of Enpass is that you need to get the program's browser extensions yourself from the internet. Most password managers either build this functionality into the installer or make it part of the guided setup process.

Enpass on the desktop

The Enpass desktop application most closely resembles a File Explorer window. I'm not fond of this look, preferring the web-first design of Dashlane or LastPass, but the Enpass interface is functional, and likely familiar to most users.

You can unlock your Enpass vault using Touch ID fingerprint recognition on the MacBook Pro, which is a feature some high-end password managers don't yet support. Enpass also supports Windows Hello on compatible devices, including on Windows 10 Mobile.

Because Enpass doesn't have as many features as its competitors do, its no-frills interface doesn't get cluttered. The left-hand column displays categories of items you can save in the password manager. You can drag and drop multiple items at once, and it took me just a few minutes of work to sort through the 300-plus items I had imported.

Enpass lets you store a remarkably expansive variety of information besides the standard logins and credit cards. The program offers more than 50 customized templates, ranging from software licenses to voter identification cards. 

The program can even fill online forms automatically with these details. However, it would be nice if Enpass let you attach an image of actual documents or cards, something LastPass supports.

You can add new items to any category by clicking the "+" button in the upper-left corner of the desktop interface and selecting the type of item you would like to add. You can also add folders to the left-hand column. This section will appear below Categories after you create your first folder, and will group any like items together.

Password Audit identifies problematic passwords and puts them into categories: "weak," "identical" or "old." There's also a password generator, but finding it isn't easy — it's the icon near the upper-right corner that looks like a spinning combination lock. The generator can even tweak the length and components of new passwords, with toggle switches for pronounceability and ambiguity.

The Enpass browser extension is basic, but works. It mostly just displays your most recently used logins; you can search your entire vault for more, but there's no option to edit items directly from the extension. The password generator is the only other feature present in the extension.

The desktop version of Enpass lets you share passwords with others, but there's a warning that neither of the two options for this procedure are very secure. 

The bad option exports an encrypted set of credentials that anyone with Enpass software can unlock. The worse option simply exports your credentials in plain text so that anyone can read them. (Other password managers let you designate individual users who can unlock your encrypted, exported credentials.)

Enpass mobile apps

The mobile version of Enpass was more modern, intuitive and pleasant to use than its desktop counterpart. Both the iOS and Android apps support biometric logins, so you won't have to enter your master password more than once if your devices have fingerprint readers or facial recognition; otherwise, you can set up a PIN unlock.

Due to Enpass' limited feature set, the mobile apps have almost complete feature parity with the desktop application. You can add new items, view existing items or edit any item. The password generator is right on the editing screen (a feature that ought to be on the desktop application), and also available in the main menu with full customization options.

On iOS, the Safari extension lets you use autofill capabilities. Native autofill support came with Android 8 Oreo, but those on Android 7 Nougat or earlier need to install the Enpass keyboard via the Android accessibility menu, then add the keyboard via the language-and-input settings option. You can then reach the Enpass keyboard by tapping the keyboard icon in the lower-right corner of the screen.

Enpass: Security

The Enpass software uses the same AES-256-bit encryption as other password managers to safeguard your data on your device or in a third-party cloud server. The fact that the Enpass company doesn't host any of your data may appeal to security-conscious users. Most other password managers begrudgingly offer an offline option, but it's the Enpass' default.

Enpass is certainly not one of the flashiest or most feature-packed password managers, but it handles the basics just fine at a great price.

Enpass doesn't offer two-factor authentication (2FA), which is arguably unnecessary as it doesn't store your data online. But it does offer time-based one-time passwords (TOTP), which offer similar security. Yet TOTPs are harder to set up than 2FA, and many users may not make the extra effort.

Enpass says that it uploads your data only in encrypted form to Dropbox, OneDrive and the rest. The downside is that once your data is uploaded, its security lies in the hands of a third-party service that may not have been designed with password managers in mind.

MORE: What to do if your Social Security number is stolen

Enpass review: Bottom line

Enpass isn't the right choice for power users, or for families or teams who want to share passwords. But those looking for a dead-simple solution at an affordable price may want to take a look.

For the annual subscription fee of $24 per year, or a one-time purchase of $80, you'll get a full desktop-to-mobile syncing password manager that is both more secure and more convenient than saving your passwords on Post-It notes, or in your browser. 

Updated with addition of local Wi-Fi sync option and new operating system requirements. This review was originally published in December 2017.

Despite it no longer offering a free tier, LastPass remains one of the best password managers, which also makes it a likely target for hackers. A number of users reported that they received warnings that their LastPass master passwords have been compromised, though as in many other cases of this ilk, it appears to be the result of them having re-used passwords, or having their passwords exposed elsewhere.

First appearing in Hacker News, it seems that a number of these attempted breaches originated in Brazil and other parts of the world; due to the unusual origin of these requests, LastPass blocked these attempts and then emailed the legitimate customers, warning that their passwords may have been compromised. 

In a statement to Android Police, LastPass owner LogMeIn said:

"LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure."

Even if hackers were able to breach LastPass itself, it's highly unlikely that they'd be able to access users' master passwords. That's because LastPass's servers don't store your master password. Instead, they store a "hash" of the master password, which means the master password you type in is run through an algorithm on your device and the result of the algorithm is compared to what LastPass has previously stored.

What to do if your LastPass master password has been compromised

If you received a warning from LastPass that someone attempted to log into your account — or if you want to make it more difficult for hackers to break into your account — there's a few steps you should take right away. 

• Change your LastPass master password to one that you don't use elsewhere.
• LastPass users can minimize the risk of compromise by enabling two-factor authentication in their Account Settings > Multifactor Options.
• Because many of these unauthorized login attempts seem to be coming from Brazil or South Africa, restricting logins to only specific countries should block some of the attempts. Go into Account Settings, click the "Show Advanced Settings" button on the bottom of the Settings window, scroll down and select "Only allow login from selected countries" and then check off the country where you live and those countries that you may frequently visit. Click "Update" when done.
• If you're worried about failed login attempts to your account, go into Advanced Options from the main menu's navigation bar, then select "View Account History." That will let you view all login attempts, successful or not, over a specific date range. You'll want to look for login attempts from unfamiliar IP addresses that don't match those that you normally use. The IP addresses you normally use will be the vast majority of the successful logins, and those IP addresses that don't match should stand out.

While it's good to know that no accounts were compromised, it's an important reminder as to why having unique passwords are so critical. Using the same password too many times can be a major vulnerability. Now would be a good time to make sure that all your passwords are unique and secure. Web browsers like Google Chrome, Firefox and Microsoft Edge all have features that can warn you if any of your passwords have been breached and can suggest new passwords as well.

December is traditionally filled with epic price lows, but it's not just hardware that receives major discounts. Currently, you can get one of the best password managers at an all-time price low. 

For a limited time, Keeper is taking 50% off all Unlimited and Family plans. After discount, you can get a Keeper Unlimited 1-year plan for $17.50 (was $34.99) or a Keeper Family (five users) plan for $37.49 (was $74.99). Those are the lowest prices we've seen all year from Keeper. 

Keeper is one of our favorite password managers. In our Keeper password manager review we found the service to be dependable, inexpensive, and very secure. Although Keeper has a free tier, we recommend upgrading to the paid plan as it offers everything in the free plan plus syncing across unlimited devices on all platforms, secure record-sharing, priority 24/7 support, and emergency access for family members in case you are ever incapacitated.

Keeper relies on AES 256-bit encryption to secure data on its servers and on your devices. Your data is only ever unencrypted on your device after you enter your master password. That means if Keeper's servers were to ever be hacked, your data would remain secure.

In terms of features, we like Keeper's Security Audit which gives you an overall security score based on all your passwords and color-codes each one red, yellow or green. The Keeper mobile app also does an excellent job of bringing over most of the functionality from the desktop and web interfaces to your mobile.

LastPass, our top choice among the best password managers, is offering big discounts on all new subscriptions.

Through Cyber Monday (Nov. 29), LastPass is taking 25% off its Premium, Families and Enterprise plans for new customers. You'll pay $27 for the first year of a Premium subscription, $36 for the first year of a Families subscription and $54 for the first year of an Enterprise subscription, saving $9, $12 and $18, respectively.

LastPass' free tier now limits you to just mobile devices or just computers, but not both. Yet the premium plan is still inexpensive, and gives you unlimited device syncing plus dark-web monitoring, online file storage and support for physical 2FA security keys.

Thanks to its browser-based interface, LastPass works with every major platform: Windows, Mac, iOS, Android, Linux and Chrome OS. It supports biometric face and fingerprint readers on most of these platforms as well, and will generate strong, unique passwords for you right in the browser extension. It even monitors the "dark web" for unauthorized use of your personal data.

Despite the free tier no longer being what it once was, LastPass is still our favorite password manager. At $27 for the first year, this is a deal too good to pass up.

The holidays are coming and if you plan on taking advantage of multiple Black Friday deals in the coming days, we've found an excellent sale for you. One of the best password managers you can buy is currently on sale. 

For a limited time, Keeper is taking 30% off all multi-year plans. After discount, you can get a Keeper Unlimited 3-year plan for $73.48 (was $104.97). Or for greater savings, you can get Keeper Family (five users) for $157.48 (was $224.97). Two-year and one-year plans are 20% and 10% off respectively. 

Keeper is one of our favorite password managers. In our Keeper password manager review we found the service to be dependable, inexpensive, and very secure. Although Keeper has a free tier, we recommend upgrading to the paid plan as it offers everything in the free plan plus syncing across unlimited devices on all platforms, secure record-sharing, priority 24/7 support, and emergency access for family members in case you are ever incapacitated.

Keeper relies on AES 256-bit encryption to secure data on its servers and on your devices. Your data is only ever unencrypted on your device after you enter your master password. That means if Keeper's servers were to ever be hacked, your data would remain secure.

In terms of features, we like Keeper's Security Audit which gives you an overall security score based on all your passwords and color-codes each one red, yellow or green. The Keeper mobile app also does an excellent job of bringing over most of the functionality from the desktop and web interfaces to your mobile.