1Password Is the Best Password Manager in Consumer Reports' New Ratings
We evaluated 10 services for digital security, privacy, and ease of use
Passwords are great, but they have their drawbacks, too.
It’s really hard to come up with a fresh string of seemingly random letters, numbers, and symbols for each online account, as security researchers recommend, and then commit all those strings to memory.
Don’t do that, the security experts say. Just sign up for a password manager.
A service like that creates a new, complex password for each of your online accounts, storing the whole lot in a digital vault protected by a single master password. When you decide to access, say, your retirement savings account, the password manager logs you in, much like those universal log-in privileges provided to Facebook and Google account holders.
Digital Security & Password Managers
What’s the point of a password manager if it doesn’t keep your passwords safe? Because you’re putting all your eggs in one basket, that basket had better be secure.
Consumer Reports tested password manager apps and websites, looking at a number of criteria and using a variety of tools. Are the password managers resistant to known exploits or techniques hackers can use to take advantage of vulnerabilities? Do they use up-to-date methods to encrypt their data? Do they have strict controls for making sure your master password is robust?
All the services did some things right. They used strong encryption while transmitting data, and either automatically updated their software with security updates or made it easy for consumers to do it themselves.
But there are also clear differences. For instance, most of the password managers could determine if a device had been “rooted,” which may indicate that a hacker has gained administrative control of the device, getting access to secret data and putting passwords at risk. However, two of the services, Bitwarden and Dashlane, don’t have that protection—in either the free or premium versions of their software.
(Note: That last point applies across the board in this story. The premium versions of the services use the same software and privacy policies as their free siblings; they simply offer extra features.)
We also looked at how much control a password manager exerts over the passwords created by users. And this is one area where 1Password fell short of expectations, allowing us to set a master password as weak as “11111111111.”
Keeper permitted passwords of less than eight characters, which are also considered relatively easy to crack.
While that doesn’t keep us from recommending those products, it does leave it up to you—the user—to create a truly strong password to protect the vault.
Password managers including 1Password, Bitwarden, and Keeper also scored points for notifying users via mobile app, email, or SMS message when the service’s settings had been changed.
All the products we tested use two-factor authentication, a common security measure that requires a password plus a second form of ID—a fingerprint or a code texted to a phone—before granting access to your account from a new device.
But 1Password requires a master password and a code available only through a device you’ve already used to access 1Password. If you don't have the device handy, you have to use another long, complex secret code provided to you by 1Password. That can be a chore. But it enhances the security of the box containing all your credentials.
Privacy & Password Managers
With any product capable of collecting and sharing personal information, privacy is paramount—and password managers are no exception. Mobile apps routinely gather data on user behavior and sell it to third parties for use in targeted ads, for example. Would you want a service paid to secure your log-in info to do the same?
With that in mind, our testers combed through the privacy policies and user agreements for each service, studying their guidelines for data use. We also observed the service’s data transmissions to see where the info was going.
Was it provided solely to companies that help apps diagnose crashes and monitor what features are being used? Or did some info go to companies involved in online advertising, too?
Once again, 1Password received an overall Excellent rating in this area. It was the only password manager for which we found no evidence of online trackers in its mobile app. Others incorporated tools that could send user info to data-collection companies such as Google or Facebook.
Here’s a closer look the results of our privacy testing:
User control over data collection. The fact that these services collect user data isn’t surprising. To a certain extent, that data is critical to powering the product. It’s also a way for companies to make money, especially if they’re providing the software free.
At the same time, consumers need to know precisely how their data is treated—and, ideally, have some say in that decision.
Bitwarden, Dashlane, and Norton scored points for providing privacy settings that allow consumers to control how that information is collected or processed. But McAfee offered no such choice. The only way to stop the data collection is to uninstall the service, the company says.
We also looked for reassurance that the consumer data collected is kept to a minimum—essentially limited to the amount needed to provide the service, further reducing any negative impact on user privacy. Only Bitwarden, Keeper, and 1Password state clearly and concisely that they collect by default solely the data necessary to operate the service. Customers must opt into sharing data used for marketing purposes and new product development.
And all of these products, with the exception of Bitwarden and LastPass, agree to provide users with a copy of all consumer data collected on them. With McAfee, though, the offer applies only to European residents and people otherwise covered by Europe’s comprehensive GDPR privacy law. In the case of Dashlane, it applies only to people covered by GDPR or the California Consumer Privacy Act, which went into effect Jan. 1.
Transparency about data sharing. All these services collect data, but some are more clear than others about where that data goes. Once again, 1Password comes out on top. The company uses customer data to provide people with the services they signed up for—and nothing more, it says.
And while all the password managers did provide ample information about how to control targeted advertising, 1Password was the only one with a mobile app that had no discernible connections to trackers.
In comparison, Bitwarden, Dashlane, and Norton say they don’t sell or rent personal data, but they do share it with other parties to complete the services outlined in their privacy policies. Keeper and LastPass make similar statements, adding that they may share data in ways not outlined in their privacy policies, but only after asking for permission.
Are they going to keep my data forever? The longer a company hangs on to data, the more likely it is to be lost, stolen, or shared more broadly. And none of these services clearly spell out how long they retain the data they collect and under what circumstances it may be deleted—aside from agreeing to dispense with it once a user shuts down the account.
Only Norton clearly states that it will delete personal data that’s no longer needed.
Dashlane says it deletes the data only when the user decides to delete the account. Even then, though, the company may retain that personal information for up to a year.
Browsers & Built-In Password Managers
In the course of our testing, we also took a look at the password managers in internet browsers such as Apple’s Safari, Google’s Chrome, and Mozilla’s Firefox.
Like the services referenced above, those can be a big help in wrangling your various log-ins, but they work only when you access accounts through the one browser. If you use another browser or a mobile app, you won’t have access to those passwords.
So while we tested the browsers for security and privacy, we didn’t include them in our final ratings. That doesn’t mean they're not good options for some people, though.
Thanks in part to the fact that they’re nestled into browsers, Chrome, Firefox, and Safari are all great at limiting targeted advertising. And all three provide privacy settings that give consumers some say over how their information is controlled and processed.
Like the best password managers, they also make strong statements about how they limit the use of data they collect.
Mozilla allows users to turn off data collection entirely and even permits people to use the service without setting up accounts. It also clearly states that it collects only the data needed to power its product.
The not-for-profit organization stores your passwords and other personal information on your device, too, which is great for privacy and security. That means it can’t send you a report on your archived data because it doesn't collect the data in the first place.
In comparison, Apple and Google send your data to the cloud but also comply with consumer requests for reports. Our testers say Google’s portability service, “Google Takeout,” is particularly helpful because it lets users select the types of personal data they’d like to download and presents that data in an easy-to-read format.