This article is part of our Best Product Reviews series, a collaboration with Consumer Reports. Shop TODAY and Consumer Reports are editorially independent. If you purchase something through our links, we both earn a commission. Pricing and availability are accurate as of publish time. Learn more about Shop TODAY and Consumer Reports.
Passwords are great, but they have their drawbacks, too.
It’s really hard to come up with random, unique passwords for dozens of accounts, as security experts recommend, and then commit all of them to memory.
Don’t do that, security experts say. Just sign up for a password manager.
A service like this will create a new, complex password for each of your online accounts, storing the whole lot in a digital vault protected by a single master password. When you decide to access, say, your retirement savings account, the password manager can log you in, much like those universal log-in privileges provided to Facebook and Google account holders.
The problem is there’s no easy way to know which password manager to choose. They all sound good, but are they all created equal?
That’s why Consumer Reports’ Digital Lab conducts its own in-depth testing of password managers, carefully evaluating their security measures (how resistant they are to hacking attempts) and their privacy practices (how much data the service itself collects, what it’s used for, and who it’s shared with).
We also factor in usability, examining the features each service offers and how compatible each is with platforms such as Android, iOS, Mac, and Windows. The more options—automatic password generation, automated password-change process, or notifications when one of your passwords has been caught up in a data breach—the better the score.
We found a clear winner: 1Password. Priced to start at $4 per month, it’s the only password manager to earn top marks in all three areas of testing in our ratings. (It just introduced a new feature that lets you generate "masked" email addresses to access new apps and services without divulging your real address, much like the privacy-conscious Sign in with Apple feature.) A number of other password managers do come highly rated, though, including three free options.
Digital Security and Password Managers
What’s the point of a password manager if it doesn’t keep your passwords safe? Because you’re putting all your eggs in one basket, that basket had better be secure.
Consumer Reports tested password manager apps and websites, looking at a number of criteria and using a variety of tools. Are the password managers resistant to known exploits or techniques hackers can use to take advantage of vulnerabilities? Do they use up-to-date methods to encrypt their data? Do they have strict controls for making sure your master password is robust?
All the services did some things right. They used strong encryption while transmitting data, and either automatically updated their software with security updates or made it easy for consumers to do it themselves.
But there are clear differences. For instance, some of the password managers can determine if a device has been “rooted,” which may indicate that an attacker has gained administrative control of it, getting access to secret data and putting passwords at risk. However, five of the services (1Password, Bitwarden, Dashlane, McAfee, and Norton) don’t have that protection—in either the free or premium versions of their software.
(Note: The premium versions of these services routinely use the same software and privacy policies as their free siblings; they simply offer extra features.)
We also looked at how much control a password manager exerts over the passwords created by users. Bitwarden, Keeper, and McAfee fell short of expectations, allowing us to set a master password as weak and easy to guess as “111111111111.”
All the products we tested use multifactor authentication, a common security measure that requires a password plus an additional form of ID—a code on an authenticator app or sent via email or SMS—before granting access to your account from a new device or a new IP address. But Bitwarden, LastPass, and Norton did not enable this by default.
While that doesn’t keep us from recommending those products, it does leave it up to you—the user—to turn on multifactor authentication and to create a long, unique password to protect the vault, even if your password manager doesn’t require it. We strongly encourage you to do so.
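As an added illustration (not code from Consumer Reports or from any of the reviewed products), here is a minimal master-password policy check of the kind the review looked for, showing why a length rule alone would still accept “111111111111”; the 12-character minimum is an assumed threshold, since the article gives none.

```python
import string
from collections import Counter

# Assumption (not from the article): the review states no numeric threshold,
# so 12 characters is used here purely as an illustrative minimum length.
MIN_LENGTH = 12


def master_password_issues(candidate: str) -> list:
    """Return the reasons a candidate is too weak to protect a vault.

    An empty list means none of these checks flagged the password.
    """
    issues = []
    if len(candidate) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")

    counts = Counter(candidate)
    # "111111111111" passes the length check but is one repeated character.
    if len(counts) == 1:
        issues.append("single repeated character")
    elif counts.most_common(1)[0][1] > len(candidate) / 2:
        issues.append("one character makes up more than half the password")

    # Count how many character classes (lower, upper, digit, symbol) appear.
    classes = sum(
        any(ch in cls for ch in candidate)
        for cls in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)
    )
    if classes < 2:
        issues.append("uses only one character class")

    # Simple runs such as "abcdefghijkl": every adjacent pair steps by +1 or -1.
    if len(candidate) >= 4:
        steps = {ord(b) - ord(a) for a, b in zip(candidate, candidate[1:])}
        if steps in ({1}, {-1}):
            issues.append("sequential characters")
    return issues


def vault_accepts_master_password(candidate: str) -> bool:
    """What a stricter vault would do: reject any candidate with an issue."""
    return not master_password_issues(candidate)
```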
1Password requires a master password if you’re on a device you’ve already used to access its service, but if you are using a new device or browser, you have to enter a long, complex secret code provided to you by 1Password. That can be a chore, but it enhances the security of the box containing all your credentials by requiring another authentication factor.
1Password, Bitwarden, and Keeper all provide a lot of documentation to help security researchers and testers, like those at Consumer Reports, understand the design of their products. They also hire third parties to audit their products and make those audits available to the public.
All of the password managers have vulnerability disclosure programs to accept and respond to bug reports from security researchers.
1Password explicitly states that it will not pursue legal action for good-faith security research. Security researchers routinely face legal risks, not just from companies that develop password managers, but those throughout the technology industry. This has a chilling effect on their work, which makes them less likely to report security issues that put consumers at risk.
Keeper Security, which developed its vulnerability disclosure program after taking flak for filing a lawsuit against a tech journalist who had reported on a software flaw, now provides a limited goodwill statement about not pursuing legal action related to security research. None of the other companies claim they will avoid pursuing legal action against security researchers in their documentation.
Privacy and Password Managers
With any product capable of collecting and sharing personal information, privacy is paramount—and password managers are no exception. Mobile apps routinely gather data on user behavior and sell it to third parties for use in targeted ads, for example. Would you want a service paid to secure your log-in info to do the same?
With that in mind, our testers combed through the privacy policies and user agreements for each service, studying their guidelines for data use. We also observed the service’s data transmissions to see where the info was going.
Was it provided solely to companies that help apps diagnose crashes and monitor what features are being used? Or did some info go to companies involved in online advertising, too?
We found no evidence of online trackers in 1Password, Bitwarden, Keeper, McAfee, and Norton’s mobile apps. But Dashlane and LastPass incorporated tools that could send user info to data-collection companies such as Google or Facebook.
Here’s a closer look at the results of our privacy testing:
User control over data collection. The fact that these services collect user data isn’t surprising. To a certain extent, that data is critical to powering the product. It’s also a way for companies to make money, especially if they’re providing the software for free.
At the same time, consumers need to know precisely how their data is treated—and, ideally, have some say in that decision.
We also looked for reassurance that the consumer data collected is kept to a minimum—essentially limited to the amount needed to provide the service, further reducing any negative impact on user privacy. Only 1Password and LastPass state clearly and concisely that they collect by default solely the data necessary to operate the service. Bitwarden, Dashlane, and Keeper have no language regarding minimal data collection.
And all of these products agree to provide users with a copy of all consumer data collected on them. With Dashlane and McAfee, though, the offer applies only to European residents and people otherwise covered by Europe’s comprehensive GDPR privacy law or to California residents and those covered by the California Consumer Privacy Act.
Transparency about data sharing. Some password managers are clearer than others about what data they collect and where that data goes. Once again, 1Password comes out on top. The company uses customer data to provide people with the services they signed up for—and nothing more, it says. It also says it will not sell, rent, or share personal data with any third party.
Dashlane also clearly states that all third parties are contractually obligated to only share personal user information to support the service or device.
Keeper Security says it does not sell, market, or “transact upon” user information outside of its cybersecurity operations, but it doesn’t fully explain those operations and what sort of data-sharing the companies involved in those efforts might do.
Are they going to keep my data forever? The longer a company hangs on to data, the more likely it is to be lost, stolen, or shared more broadly. And none of these services clearly spells out how long it retains the data collected and under what circumstances that data may be deleted—aside from agreeing to dispense with it once a user shuts down the account.
Only Dashlane clearly states that it will delete personal data that’s no longer needed. LastPass does not offer any guidance about deleting outdated or unnecessary data. But you can request that your personal info be deleted, if (and only if) you are a resident of California or the European Union and therefore protected under the provisions of the CCPA or GDPR.
Browsers and Built-In Password Managers
In 2020, we also took a look at the password managers in internet browsers such as Apple’s Safari, Google’s Chrome, and Mozilla’s Firefox.
Like the services referenced above, those can be a big help in wrangling your various log-ins, but they work only when you access accounts through that one browser. If you use another browser or a mobile app, you won’t have access to those passwords.
So while we tested the browsers for security and privacy, we didn’t include them in our final ratings. That doesn’t mean they’re not good options for some people, though.
Thanks in part to the fact that they’re nestled into browsers, Chrome, Firefox, and Safari are all great at limiting targeted advertising. And all three provide privacy settings that give consumers some say over how their information is controlled and processed.
Like the best password managers, they also make strong statements about how they limit the use of data they collect.
Mozilla allows users to turn off data collection entirely and even permits people to use the service without setting up accounts. It also clearly states that it collects only the data needed to power its product.
The not-for-profit organization stores your passwords and other personal information on your device, too, which is great for privacy and security. That means it can’t send you a report on your archived data because it doesn’t collect the data in the first place.
In comparison, Apple and Google send your data to the cloud but also comply with consumer requests for reports. Our testers said Google’s portability service, “Google Takeout,” was particularly helpful because it let users select the types of personal data they’d like to download and presented that data in an easy-to-read format.
Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2022, Consumer Reports, Inc.