The one password tip everyone needs to know
If you want to keep your passwords secure, there's no substitute for a good password manager.
The single most important thing you can do to make your passwords safer is to use a password manager. Or two.
There are actually several things you need to keep in mind when creating and using passwords, but a good password manager will help you take care of the two most important ones. It will make sure all your passwords are long and strong, and it will also make sure each password is used for only one account.
Why you need a password manager
These days, an eight-character password just won't do. Modern password-cracking tools will make short work of it. It's much safer to have a 16-character password that includes uppercase and lowercase letters, numerals and punctuation marks.
The catch is that you're not supposed to base each password on any word or phrase you can remember. In other words, it's not that safe to take a couple of real words and swap in numbers and punctuation marks for similar-looking letters. You want something that's not easy to remember.
What password managers do
That's where the password manager comes in. It remembers your passwords for you. All you need to remember is the single "master" password that unlocks the password manager.
The master password should also be a long, hard-to-decipher jumble of characters, but at least it's the only one you'll need to know, and most password managers now offer two-factor authentication to help you secure your accounts with them.
Most stand-alone password managers will generate passwords for you based on random gibberish. That's a big improvement over the "remember my password" options in web browsers, which merely save the passwords you already have (and sometimes don't store them securely). A long password of random gibberish is nearly impossible to crack.
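To put numbers on the eight-versus-sixteen-character point and on the "random gibberish" a manager generates, here is an added Python example that is not from the article or from any product it names: it builds a password from the operating system's secure random source, checks that every character class is present, and estimates how long exhaustive guessing would take. The guess rate used is an illustrative assumption, not a measured figure.

```python
import math
import secrets
import string

# The four character classes the article recommends mixing.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def has_all_classes(pw: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in pw) for cls in CLASSES)


def generate_password(length: int = 16) -> str:
    """Generate a uniformly random password over ALPHABET that satisfies the
    class requirement.  Uses the `secrets` module (a CSPRNG), never `random`."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling keeps the distribution uniform over all passwords
        # that meet the requirement; a "fix-up" step that forces one character
        # of each class into fixed positions would bias the result.
        if has_all_classes(pw):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a password of `length` symbols drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Time to try every password of this length at the given guess rate.
    The rate is supplied by the caller and is an illustrative assumption."""
    seconds = len(ALPHABET) ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    RATE = 1e11  # assumed guesses per second, for illustration only
    for n in (8, 16):
        print("%2d chars: %.1f bits, %.3g years to exhaust at %.0e/s"
              % (n, entropy_bits(n), years_to_exhaust(n, RATE), RATE))
    print("example:", generate_password(16))
```

Doubling the length from 8 to 16 does not double the work for an attacker; it squares it, which is why the article treats 16 random characters as the floor.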
Many password managers can also help you change passwords regularly, although security experts don't stress that option much these days. It's actually OK to leave each unique, strong password as it is until there's a reason to change it.
All the stand-alone password managers we've reviewed at Tom's Guide work on Windows, macOS, Android and iOS, and most work on Linux and Chrome OS as well. Each has both a free and a paid version, although most of the free versions limit your account to a single device. (The free versions of Bitwarden and Zoho Vault do not, while the free version of LastPass limits you to either mobile devices or computers.)
Which password managers we recommend
Among widely used password managers, we recommend Dashlane, Keeper, LastPass or 1Password. Dashlane can bulk-change most of your passwords at once, but its paid plans are expensive for what you get. 1Password is best for macOS and iOS users and has a cool "travel mode" that will temporarily delete your passwords when you cross international borders.
LastPass is very flexible and has the best free option of any password manager. Keeper is not as flashy as the rest, but works well and has the cheapest paid version of any of these four.
There's also KeePass, a completely free, open-source password manager that requires a little more work on your part. Unlike the commercial password managers, KeePass doesn't sync your passwords across your various devices over the internet. You have to do that yourself over your local home network.
An upstart called Bitwarden has a very capable, unlimited free version, and its premium version is only $10 per year.
Local password syncing may be inconvenient, but it gives you much more control over where your passwords are stored, since you don't have to worry that your password manager's online database of user passwords will be breached. (To be fair, we've never heard of that happening to any cloud-syncing password-management service.)
The one downside of password managers, and how to get around it
The issue of cloud syncing brings up another question: Do you really want to put all your eggs in one basket? Using a password manager creates a single point of failure, because if the password manager is compromised, then all your accounts for which it holds the passwords are also compromised.
The solution might be to use more than one password manager. This wouldn't have to cost much. The free version of Bitwarden does nearly everything the paid version does, and the free version of Zoho Vault does almost as much. You could split your passwords between the two free services, or use the free version of Bitwarden in tandem with a paid password manager.
If you can cough up $12 per platform, you can also use the paid version of EnPass, which offers permanent licenses, not yearly subscriptions. Even if you needed to set up Windows, Mac, Android and iOS machines, that one-time $48 fee would cost less than a year of Dashlane's full premium plan. (The Linux version of EnPass is free.)
You should also realize that some passwords are more important than others. Your Google account password? Super-important. The password you use to access your local PTA website? Not so important.
You could use a paid password manager for your most sensitive accounts (social media, web-based email and anything that handles money, including banks and online retailers) and a free password manager to handle everything else.
Whichever configuration of password manager(s) you use, they all lead to the same result. Next time there's a huge data breach and your co-workers are scrambling to see which of their accounts got popped, you can rest easy in the knowledge that your passwords are safe.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.