Password managers¹⁾ are one of the most important tools for having good password hygiene²⁾. The problem is that selecting a good one can be challenging.

The aim of this guide is to provide my opinion on the best choice for most people. I use a bespoke setup, but the goal is not to convince anyone that my setup is the best setup for most people. Instead, I exclusively give password manager advice for most people.

Most people who haven't yet adopted password managers worry about security. “If I put all of my passwords in one place, isn't that one place really risky? What if that one place gets hacked?” In an ideal world, you have selected a password manager that is mathematically secure and robust enough that you don't need to think about this. My goal is to present only reasonable default choices.

This is not a set of suggestions for technologists. If you have particular needs, I elaborate more on what you should consider in a password manager elsewhere.

1. If you use only Apple devices, or Apple devices and exclusively Windows devices, Apple's built-in password manager is great. You might not believe this, but Apple has spent a substantial amount of time, money, and effort making their password manager one of the most robust password managers. The caveat to this is that you must not lose your iCloud account, and you must keep at least one Apple device or Windows device signed-in to retain access easily. See Make your passwords and passkeys available across devices with iPhone and iCloud Keychain. You should not give your phone passcode to people who would want to access your passwords.
2. 1Password is great. It isn't perfect, but it is great. You must not lose your 1Password Emergency Kit. Provided that you do this one basic thing, you have a great password manager with no caveats.
3. Dashlane is great.
4. If you use Google devices, Google's password manager comes with a huge caveat: it is not secure by default. Google considers security equivalent to all other password managers optional to enable. If you turn on “optional on-device encryption” then it becomes secure by default. Without this, Google employees can read your passwords. On an unrelated note, in 2010, a google engineer was arrested for spying on underage users using administrative access.

These are the best password managers for most people. Pick one of them, and use it!

Passkeys are the next-generation of passwords. All of the password managers above support passkeys. You should only create passkeys using these systems, which are synchronized, so you don't lose them.

This section is for advanced users. By “advanced users” I mean people who care about things like what Argon2id is, PBKDF2 parameters, and security issues and remediation.

I don't use cloud-based password managers or suggest them to security conscious people. The attack I worry about with these is not realistic, but I consider it unacceptable for security professionals or high risk individuals³⁾ to use these services.