A good password manager is the single most effective step most people can take to improve their digital security. We tested the leading options across ease of use, security model, cross-platform support, and price.
Nearly every significant consumer data breach we cover at breached.news has one thing in common: stolen or reused passwords. The 23andMe breach was caused by credential stuffing — attackers using passwords stolen from other services to walk into accounts at a completely different company. The Colonial Pipeline attack was enabled by a single compromised password on an unused VPN account. The sophisticated Gmail phishing campaign targeting Google users is designed specifically to harvest the credentials of people who've been lulled into trusting email links.
A password manager doesn't solve every security problem. But it eliminates the most common one: password reuse. When every account has a unique, randomly generated password, a single breach can't cascade into a dozen others. The attacker who buys your email and password from a dark web dump tries it at Google, at your bank, at your email host — and gets nothing, because none of those passwords match.
Here's what we recommend, and why.
Why Password Reuse Is Catastrophic
Most people understand intellectually that reusing passwords is bad. Fewer understand how systematically and industrially that bad habit is exploited.
When a company is breached and passwords are stolen, those credentials don't disappear. They're sold in bulk on dark web markets — often hundreds of millions of records at a time, at prices low enough that organised criminal groups can afford to buy them speculatively. The buyers then run automated tools that test every stolen credential against the login pages of every valuable service they can target: email providers, banks, streaming platforms, social networks. This process — credential stuffing — is entirely automated. It costs almost nothing to run at scale, and it succeeds at a rate that makes it profitable even when only a fraction of accounts are compromised.
The 23andMe attackers accessed 14,000 accounts this way, then used the company's own DNA Relatives feature to harvest data on 6.9 million more. The Colonial Pipeline attackers used one stolen password to access a VPN and shut down fuel supply to the US East Coast for six days.
Both of those attacks would have been stopped — or at least significantly impeded — if the accounts in question had unique passwords that didn't appear in any breach database.
Password reuse is not a minor hygiene issue. It's the primary mechanism by which breaches at one company become breaches at every other company where you've used the same credentials.
How Password Managers Actually Work
The core fear people have about password managers — "what if it gets hacked?" — is understandable but reflects a misconception about how the better ones are designed.
Reputable password managers use zero-knowledge architecture: your vault is encrypted on your device before it ever reaches the company's servers, using a key derived from your master password. What gets stored on the server is ciphertext that the company cannot read. When you access your vault from a new device, the encrypted data is downloaded and decrypted locally using your master password.
This means that even if a password manager's servers are breached — and some have experienced breaches — the attackers get encrypted data that's useless without your master password. The encryption used (typically AES-256, with the key derived from the master password by a deliberately slow function such as PBKDF2, bcrypt, or Argon2) is strong enough that brute-forcing the key directly is computationally infeasible, and the slow derivation makes guessing the master password itself expensive, provided that password is reasonably strong.
Some managers (notably 1Password) go further with a Secret Key — a randomly generated string stored only on your devices that's combined with your master password to form the encryption key. This means that even someone who knows your master password and has a copy of your encrypted vault can't decrypt it without also having your Secret Key from a device you've already used.
The practical upside: your vault of 200 unique passwords is meaningfully safer than your memory of 5 reused passwords. The theoretical downside — losing access to your master password — can be mitigated with printed emergency kits, recovery codes, and trusted emergency access contacts. All the major providers have mechanisms for this.
What to Look For
Not all password managers are equivalent. Here's what separates the good ones from the rest.
Browser extension quality. The browser extension is what you'll interact with dozens of times a day. Poor autofill — extensions that fail to recognise login forms, that require manual interaction for every fill, or that break on sites with unusual page structures — is the most common reason people abandon a password manager. Test the extension on the sites you actually use before committing.
Multi-factor authentication support. The password manager itself should support 2FA. The better ones support hardware keys (FIDO2/WebAuthn), not just TOTP codes. This is critical: a password manager is a high-value target, and it should be correspondingly well-protected.
Two-factor authentication generation. Many managers can also store and generate TOTP codes for your other accounts (the rotating codes that apps like Google Authenticator produce). This is a convenience tradeoff — it's slightly less secure than a separate authenticator app, because both factors then live in one vault, but it's considerably better than not using 2FA at all.
Emergency access. What happens if you die, or are incapacitated? Can a trusted person access your accounts? The better managers have structured emergency access systems that let you designate a contact who can request access, with a delay period in which you can deny it if you're still around.
Family sharing. Shared vaults for household passwords — WiFi, streaming, utilities, emergency contacts — are significantly more useful than texting passwords back and forth. Most premium plans include this.
Travel mode (1Password-specific). The ability to temporarily hide vaults from your device is a niche but genuine feature for anyone who crosses borders or enters situations where they might be compelled to unlock their device.
Cross-platform consistency. You'll use this on desktop, mobile, and in browsers. A manager that works brilliantly on iOS but is clunky on Windows — or vice versa — will create friction that erodes the habit.
1Password — Best Overall
Price: $3/month (individual), $5/month (families, up to 5 users)
1Password has been the benchmark for password managers for years, and it maintains that position in 2025. The interface is clean and logical across all platforms — iOS, Android, macOS, Windows, and Linux — and the browser extensions are among the most reliable in the category when it comes to detecting login forms and filling correctly. The mobile apps are particularly polished; using them on iOS with Face ID is seamless.
The underlying security architecture reflects serious engineering. 1Password's Secret Key system means your encrypted vault requires both your master password and a randomly generated 128-bit key stored only on devices you've already authorised. If 1Password's servers were breached tomorrow, the encrypted vault data sitting there would be useless without a device-local key that the attackers don't have.
Watchtower is 1Password's breach monitoring feature — it checks your saved credentials against HaveIBeenPwned's database of known breach data and surfaces accounts with compromised, reused, or weak passwords. It's integrated into the main interface rather than buried in settings, which means you're more likely to actually use it.
Travel Mode is genuinely unique: you can designate specific vaults as "safe for travel," hide all others with a single toggle, and restore them once you're through a border crossing or other security checkpoint. For journalists, activists, or anyone who crosses international borders regularly, this is a real feature that solves a real problem.
The family plan at $5/month for up to five users is competitive — it includes shared vaults, guest access, and the ability to manage family members' recovery options.
The one significant limitation: there is no free tier. A 14-day trial is offered, but after that it's a paid subscription. For users who need a genuinely solid option without a cost, Bitwarden is the answer.
Bitwarden — Best Free Option
Price: Free (unlimited passwords, unlimited devices), $10/year for premium
Bitwarden is the strongest argument against paying for a password manager. The free tier is genuinely functional in a way that competitors' free tiers typically are not: unlimited passwords, unlimited devices, and sync across all of them. There's a limit on vault sharing (one other person on the free plan), but for most individual users, the free offering is complete.
The premium tier adds advanced two-factor authentication options (hardware key support, Duo integration), encrypted file attachments, vault health reports with password strength analysis, and the integrated TOTP authenticator — all for $10 per year. That's less than most competitors charge per month.
Crucially, Bitwarden is open-source. Its code is publicly available on GitHub and has been independently audited by third-party security firms. For users who want to be able to verify that their password manager is doing what it claims — rather than taking it on faith — this transparency is significant. Security through obscurity is not a security model; Bitwarden's security doesn't depend on its code being secret.
For the technically inclined, Bitwarden also supports self-hosting: you can run your own Bitwarden server and store your vault there rather than on Bitwarden's infrastructure. Most users won't want or need this, but the option exists and it's documented.
The interface is more utilitarian than 1Password's. There's less polish on the onboarding experience, and the browser extension can occasionally be less graceful about detecting non-standard login forms. For users willing to accept some rougher edges in exchange for a genuinely excellent free product, the value proposition is unmatched.
Dashlane — Most User-Friendly
Price: $4.99/month (premium), free tier available (limited to one device)
Dashlane consistently scores highest in user experience testing, and it's easy to see why. The setup wizard is genuinely guided rather than just tolerated — it walks new users through importing passwords, generating replacements for weak or reused ones, and configuring 2FA with enough hand-holding to be accessible to people who wouldn't describe themselves as technically confident. Most password managers assume a baseline of comfort with the concept; Dashlane treats onboarding as something worth investing in.
The autofill is among the most reliable in the category — it works correctly on a wider range of sites than most competitors, including unusual page structures and multi-step login flows that trip up other extensions.
Breach monitoring is built prominently into the dashboard rather than hidden in settings. Dashlane proactively alerts you when saved credentials appear in breach databases and provides a clear action path for changing those passwords. For users who want the manager to stay on top of their security posture rather than requiring them to remember to check, this is genuinely useful.
The free tier is meaningfully limited: it caps at a single device, which is a significant constraint for anyone who uses both a phone and a computer. It's suitable for evaluation, not long-term use. The premium plan at $4.99/month is competitive.
One area where Dashlane has lagged: it has been reworking its underlying architecture for some time, and some technical users have reported that the app's performance can be inconsistent on certain platforms. But for users who prioritise ease of use over maximum technical depth, Dashlane remains one of the best introductions to the category.
Proton Pass — Best for Privacy-Conscious Users
Price: Free (limited), $4.99/month (Pass Plus), or included with Proton Unlimited
Proton Pass is the password manager from Proton, the Swiss company also behind ProtonMail and ProtonVPN. It launched in 2023 and has matured quickly into a credible option — particularly for users who are already in the Proton ecosystem or who have specific reasons to care about where their data is stored and under what legal jurisdiction.
The Swiss jurisdiction matters in practice: Switzerland has some of the strongest data privacy laws in the world and is outside both the EU and US legal frameworks that allow intelligence agencies to demand data from companies. Swiss companies can still receive legal process, but the threshold is meaningfully higher, and the transparency requirements are more stringent.
Proton Pass is open-source and has been independently audited — the audit report is publicly available. The architecture uses end-to-end encryption consistent with Proton's broader suite. The free tier offers unlimited passwords across unlimited devices, which compares well with the competition.
What it adds beyond standard password management: hide-my-email aliases. Proton Pass can generate unique email aliases for each service you sign up for, routing emails to your real address but keeping it hidden from the service. This limits data broker exposure and means a breach at one company doesn't expose your real email address to be stuffed against others.
The browser extension and mobile apps are solid, if slightly less polished than 1Password. The product is newer and some edge cases around autofill are still being smoothed out. But for users who want a privacy-first, open-source option from a company with a strong track record — and who may already be using Proton for email — it's a compelling choice.
Getting Started: A Detailed Walkthrough
Choosing a password manager is the easy part. The first two weeks of actually using one are where most people stall. Here's a practical path through it.
Step 1: Install and create your account.
Install the app on your primary device and the browser extension in whatever browser you use most. Create your account with a strong master password — this is the one password you'll need to memorise. Make it long (a passphrase of four or five unrelated words works well: "correct-horse-battery-staple" is the classic example), not short and complex. Write it down on paper and store it somewhere physically secure, separate from your computer. If you lose it, your vault is gone; the company genuinely cannot recover it for you.
Step 2: Import your existing passwords.
All the major managers can import passwords directly from Chrome, Firefox, Safari, and most other browsers. Go into your browser's password settings, export the passwords to a CSV file, and import that file into the manager. This takes five minutes and moves your existing passwords into the vault immediately. Don't start from scratch — import first.
Step 3: Enable two-factor authentication on the password manager itself.
Before doing anything else, protect the vault. Go into the security settings and enable 2FA. If you have a hardware key, register it. If not, use an authenticator app (not SMS). Store your backup codes somewhere secure.
Step 4: Start with your most important accounts.
Don't try to fix everything at once. Start with email, banking, and anything connected to your primary email address (because whoever controls your email can reset most other accounts). For each of these, have the manager generate a new, unique password. Update the password in the account and save it in the manager. Repeat for ten accounts and you've already meaningfully reduced your risk.
Step 5: Use the audit tools.
After a week or two of regular use, run the built-in audit (Watchtower in 1Password, breach reports in Bitwarden Premium, the dashboard in Dashlane). The tool will identify reused and weak passwords and show you which accounts need attention. Work through them in batches — it's tedious but it's finite. Once done, maintenance is automatic.
Step 6: Extend to your whole household.
Once you're comfortable, set up a family plan and get the people you live with onto the same system. Shared vaults for household accounts — home WiFi, streaming services, utility accounts — are far more useful than texting passwords around. And you'll stop being the person who gets called when someone can't remember the Netflix password.
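An added example (not code from any of the reviewed products) of what the Step 5 audit does with a Step 2 export, and of how a breach check like Watchtower's HaveIBeenPwned lookup stays private: the CSV rows, the breach corpus and the 60-bit weak threshold are constructed for the demonstration.

```python
import csv, hashlib, io, math, string
from collections import defaultdict

# Constructed browser-style export (url,username,password); no real accounts or passwords.
VAULT_CSV = """url,username,password
https://mail.example.com,alice,Summer2023!
https://bank.example.com,alice,Summer2023!
https://shop.example.com,alice,qwerty
https://news.example.com,alice,x9#Lp2!vQz7&wR4m
"""

# Constructed stand-in for a breach corpus. The client never sees this list; it receives
# only the SHA-1 suffixes matching one 5-character prefix per query (k-anonymity).
_RANGE = defaultdict(set)
for _pw in ("qwerty", "Summer2023!", "password", "123456"):
    _digest = hashlib.sha1(_pw.encode()).hexdigest().upper()
    _RANGE[_digest[:5]].add(_digest[5:])

def fake_hibp_range(prefix: str) -> set[str]:
    """Server side of a HaveIBeenPwned-style range query, simulated offline."""
    return _RANGE.get(prefix, set())

def is_breached(password: str, range_lookup=fake_hibp_range) -> bool:
    """Client side: only the first 5 hex characters of the hash leave the device."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])

def estimated_bits(password: str) -> float:
    """Entropy estimate from the character classes present. A predictable pattern such as
    Summer2023! still scores well here, which is why the breach check is also needed."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    charset = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(charset) if charset else 0.0

WEAK_BITS = 60  # assumption: threshold below which a password is reported as weak

def audit_vault(csv_text: str, range_lookup=fake_hibp_range) -> dict[str, list[str]]:
    """Step 5 audit over a Step 2 export: per site, report reused, weak and breached passwords."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    sites_using = defaultdict(list)
    for row in rows:
        sites_using[row["password"]].append(row["url"])
    findings = {}
    for row in rows:
        pw, flags = row["password"], []
        if len(sites_using[pw]) > 1:
            flags.append("reused")
        if estimated_bits(pw) < WEAK_BITS:
            flags.append("weak")
        if is_breached(pw, range_lookup):
            flags.append("breached")
        findings[row["url"]] = flags
    return findings
```

A browser CSV export holds every password in plaintext, so delete it once the import and audit are done.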
The transition takes a few weeks to feel natural. After that, it becomes invisible infrastructure — and you'll be meaningfully safer for it.