Password managers¹⁾ are one of the most important tools for having good password hygiene²⁾. The problem is that selecting a good one can be challenging.

The aim of this guide is to provide my opinion on the best choice for most people. I use a bespoke setup, but the goal is not to convince anyone that my setup is the best setup for most people. Instead, I exclusively give password manager advice for most people.

Most people who haven't yet adopted password managers worry about security. “If I put all of my passwords in one place, isn't that one place really risky? What if that one place gets hacked?” In an ideal world, you have selected a password manager that is mathematically secure and robust enough that you don't need to think about this. My goal is to present only reasonable default choices.

This is not a set of suggestions for technologists. If you have particular needs, I elaborate more on what you should consider in a password manager elsewhere.

1. If you use only Apple devices, or Apple devices and exclusively Windows devices, Apple's built-in password manager is great. You might not believe this, but Apple has spent a substantial amount of time, money, and effort making their password manager one of the most robust password managers. The caveat to this is that you must not lose your iCloud account, and you must keep at least one Apple device or Windows device signed-in to retain access easily. See Make your passwords and passkeys available across devices with iPhone and iCloud Keychain. You should not give your phone passcode to people who would want to access your passwords.
2. 1Password is great. It isn't perfect, but it is great. You must not lose your 1Password Emergency Kit. Provided that you do this one basic thing, you have a great password manager with no caveats.
3. Dashlane is great.
4. If you use Google devices, Google's password manager comes with a huge caveat: it is not secure by default. Google considers security equivalent to all other password managers optional to enable. If you turn on “optional on-device encryption” then it becomes secure by default. Without this, Google employees can read your passwords. On an unrelated note, in 2010, a google engineer was arrested for spying on underage users using administrative access.

These are the best password managers for most people. Pick one of them, and use it!

Passkeys are the next-generation of passwords. All of the password managers above support passkeys. You should only create passkeys using these systems, which are synchronized, so you don't lose them.

This section is for advanced users. By “advanced users” I mean people who care about things like what Argon2id is, PBKDF2 parameters, and security issues and remediation.

I don't use cloud-based password managers or suggest them to security conscious people. The attack I worry about with these is not realistic, but I consider it unacceptable for security professionals or high risk individuals³⁾ to use these services. There are other documented attacks and faults with these password managers.

For advanced users, consider a custom KeePassXC setup, like the one I use. The basic gist could apply to any offline-only password manager, but basically you need your own solution to access your vault from where you need to access it, a backup solution, and probably a plan for how to recover if you need to do that.

I don't really suggest using gopass/password store, because they inherently assume you are okay with the usernames and sites are not encrypted/plaintext. This can be okay for some people. From a purely cryptographic security perspective, KeePassXC is more secure out-of-the-box and can be tuned to be more secure by adjusting Argon2 parameters.

I don't really find it comfortable to use anything using PBKDF2 with a custom iteration count these days. It gets into really odd territory where you have to judge the iteration count and actually care about it. OWASP's Password Storage Cheat Sheet includes suggestions on what to use. But this is a moving target, and it's kind of annoying to track it.

1. LastPass. LastPass has had corporate data breaches and security vulnerabilities that warrant not using it, probably at all.
2. Bitwarden. Bitwarden should not be as bad as it is, but there are routinely security vulnerabilities in this product. If you self-host Bitwarden or Vaultwarden and don't expose to the internet, your risk decreases dramatically because it turns into an offline password manager, but doing these activities requires some work. Vaultwarden also doesn't support Passkeys, which means you're stuck using passwords. I consider this quite bad.