Screenshot on a laptop showing the 1Password password manager
Photo: 1Password

Passwords are great, but they have their drawbacks, too.

It’s really hard to come up with a fresh string of seemingly random letters, numbers, and symbols for each online account, as security researchers recommend, and then commit all those strings to memory.

That’s why people tend to reuse the same easy-to-crack passwords again and again, leaving themselves more vulnerable to hackers and identity theft.

Don’t do that, the security experts say. Just sign up for a password manager.

A service like that creates a new, complex password for each of your online accounts, storing the whole lot in a digital vault protected by a single master password. When you decide to access, say, your retirement savings account, the password manager logs you in, much like those universal log-in privileges provided to Facebook and Google account holders.

More on Digital Security & Privacy

The problem is that there’s no easy way to know which password manager to choose. They all sound good, but are they all created equal? Big question, right?

That's why Consumer Reports' Digital Lab has started its own in-depth testing of password managers, carefully evaluating their security measures (how resistant they are to hacking attempts) and their privacy practices (how much data the service itself collects, what it’s used for, and who it’s shared with).

We also factor in usability, examining the features each service offers and how compatible each is with platforms such as Android, iOS, Mac, and Windows. The more options—automatic password generation, automated password-change process, or notifications when one of your passwords has been caught up in a data breach—the better the score.

We found a clear winner: 1Password. Priced to start at $3 per month, it's the only password manager to earn top marks in all three areas of testing in our new ratings. But that doesn’t mean you should halt your search right there. A number of other password managers come highly rated, too, including one free option

Quick Take

1Password Families

Price: $60

Data privacy
Data security
Usability
Unlock Password Manager Ratings

Digital Security & Password Managers

What’s the point of a password manager if it doesn’t keep your passwords safe? Because you’re putting all your eggs in one basket, that basket had better be secure.

Consumer Reports tested password manager apps and websites, looking at a number of criteria and using a variety of tools. Are the password managers resistant to known exploits or techniques hackers can use to take advantage of vulnerabilities? Do they use up-to-date methods to encrypt their data? Do they have strict controls for making sure your master password is robust?

All the services did some things right. They used strong encryption while transmitting data, and either automatically updated their software with security updates or made it easy for consumers to do it themselves.

But there are also clear differences. For instance, most of the password managers could determine if a device had been “rooted,” which may indicate that a hacker has gained administrative control of the device, getting access to secret data and putting passwords at risk. However, two of the services, Bitwarden and Dashlane, don’t have that protection—in either the free or premium versions of their software.

(Note: That last point applies across the board in this story. The premium versions of the services use the same software and privacy policies as their free siblings; they simply offer extra features.)  

We also looked at how much control a password manager exerts over the passwords created by users. And this is one area where 1Password fell short of expectations, allowing us to set a master password as weak as “11111111111.”

Keeper permitted passwords of less than eight characters, which are also considered relatively easy to crack.

While that doesn’t keep us from recommending those products, it does leave it up to you—the user—to create a truly strong password to protect the vault.

Password managers including 1Password, Bitwarden, and Keeper also scored points for notifying users via mobile app, email, or SMS message when the service’s settings had been changed.

All the products we tested use two-factor authentication, a common security measure that requires a password plus a second form of ID—a fingerprint or a code texted to a phone—before granting access to your account from a new device.

But 1Password requires a master password and a code available only through a device you’ve already used to access 1Password. If you don't have the device handy, you have to use another long, complex secret code provided to you by 1Password. That can be a chore. But it enhances the security of the box containing all your credentials.

Quick Take

Keeper Password Manager

Price: $60

Data privacy
Data security
Usability
Unlock Password Manager Ratings
Quick Take

Bitwarden Free

Data privacy
Data security
Usability
Unlock Password Manager Ratings
Quick Take

Dashlane Free

Data privacy
Data security
Usability
Unlock Password Manager Ratings

Privacy & Password Managers

With any product capable of collecting and sharing personal information, privacy is paramount—and password managers are no exception. Mobile apps routinely gather data on user behavior and sell it to third parties for use in targeted ads, for example. Would you want a service paid to secure your log-in info to do the same?

With that in mind, our testers combed through the privacy policies and user agreements for each service, studying their guidelines for data use. We also observed the service’s data transmissions to see where the info was going.

Was it provided solely to companies that help apps diagnose crashes and monitor what features are being used? Or did some info go to companies involved in online advertising, too?

Once again, 1Password received an overall Excellent rating in this area. It was the only password manager for which we found no evidence of online trackers in its mobile app. Others incorporated tools that could send user info to data-collection companies such as Google or Facebook.

Here’s a closer look the results of our privacy testing:

User control over data collection. The fact that these services collect user data isn’t surprising. To a certain extent, that data is critical to powering the product. It’s also a way for companies to make money, especially if they’re providing the software free.

At the same time, consumers need to know precisely how their data is treated—and, ideally, have some say in that decision.

With the exception of LastPass and McAfee, all of the products we tested clearly disclose what types of user data are being collected.

Bitwarden, Dashlane, and Norton scored points for providing privacy settings that allow consumers to control how that information is collected or processed. But McAfee offered no such choice. The only way to stop the data collection is to uninstall the service, the company says.

We also looked for reassurance that the consumer data collected is kept to a minimum—essentially limited to the amount needed to provide the service, further reducing any negative impact on user privacy. Only Bitwarden, Keeper, and 1Password state clearly and concisely that they collect by default solely the data necessary to operate the service. Customers must opt into sharing data used for marketing purposes and new product development.

And all of these products, with the exception of Bitwarden and LastPass, agree to provide users with a copy of all consumer data collected on them. With McAfee, though, the offer applies only to European residents and people otherwise covered by Europe’s comprehensive GDPR privacy law. In the case of Dashlane, it applies only to people covered by GDPR or the California Consumer Privacy Act, which went into effect Jan. 1.

Transparency about data sharing. All these services collect data, but some are more clear than others about where that data goes. Once again, 1Password comes out on top. The company uses customer data to provide people with the services they signed up for—and nothing more, it says.

And while all the password managers did provide ample information about how to control targeted advertising, 1Password was the only one with a mobile app that had no discernible connections to trackers.

In comparison, Bitwarden, Dashlane, and Norton say they don’t sell or rent personal data, but they do share it with other parties to complete the services outlined in their privacy policies. Keeper and LastPass make similar statements, adding that they may share data in ways not outlined in their privacy policies, but only after asking for permission.

Are they going to keep my data forever? The longer a company hangs on to data, the more likely it is to be lost, stolen, or shared more broadly. And none of these services clearly spell out how long they retain the data they collect and under what circumstances it may be deleted—aside from agreeing to dispense with it once a user shuts down the account.

Only Norton clearly states that it will delete personal data that’s no longer needed.

Dashlane says it deletes the data only when the user decides to delete the account. Even then, though, the company may retain that personal information for up to a year.

Quick Take

LastPass Free

Data privacy
Data security
Usability
Unlock Password Manager Ratings
Quick Take

Norton 360 Deluxe

Price: $96

Data privacy
Data security
Usability
Unlock Password Manager Ratings
Quick Take

McAfee True Key

Price: $20

Data privacy
Data security
Usability
Unlock Password Manager Ratings

Browsers & Built-In Password Managers

In the course of our testing, we also took a look at the password managers in internet browsers such as Apple’s Safari, Google’s Chrome, and Mozilla’s Firefox.

Like the services referenced above, those can be a big help in wrangling your various log-ins, but they work only when you access accounts through the one browser. If you use another browser or a mobile app, you won’t have access to those passwords.

So while we tested the browsers for security and privacy, we didn’t include them in our final ratings. That doesn’t mean they're not good options for some people, though.

Thanks in part to the fact that they’re nestled into browsers, Chrome, Firefox, and Safari are all great at limiting targeted advertising. And all three provide privacy settings that give consumers some say over how their information is controlled and processed.

Like the best password managers, they also make strong statements about how they limit the use of data they collect.

Mozilla allows users to turn off data collection entirely and even permits people to use the service without setting up accounts. It also clearly states that it collects only the data needed to power its product.

The not-for-profit organization stores your passwords and other personal information on your device, too, which is great for privacy and security. That means it can’t send you a report on your archived data because it doesn't collect the data in the first place.

In comparison, Apple and Google send your data to the cloud but also comply with consumer requests for reports. Our testers say Google’s portability service, “Google Takeout,” is particularly helpful because it lets users select the types of personal data they’d like to download and presents that data in an easy-to-read format.