You need a password manager. Data breaches now happen regularly, and that flood of stolen info has made cracking passwords even easier. Not just the “password12345” variety is at risk—it’s also any that use strategies like variations on a single password or substituting numbers for letters. Even if you’re using unique, random passwords, storing them in a document or spreadsheet leaves you vulnerable to prying eyes.
While paid password managers offer nice extras, a free password manager still protects you from the risks of using weak passwords (or worse, using the same one everywhere). You just have to remember one password to access a single, secure place where all your other passwords are stored.
And because free password managers come in different flavors and styles, you should be able to find one that fits your lifestyle. Even Google’s password manager, built into Chrome and Android, can soon double as a no-cost option after receiving some killer upgrades over the summer months. Down the road, you can always upgrade to a paid service if your needs grow.
Not sure what features you’ll need? Generally, you want a service that offers password generation, autoform filling, two-factor authentication, and allows you to move between different devices -and- device types. For more info, you can read our explanation of what you need to know about password managers.
Best free password manager for most people: Bitwarden
Like several other services, Bitwarden offers a free tier and a paid tier—but its free tier packs in so many features that most individuals won’t need more. You can access the service across an unlimited amount of devices and a multitude of device types, enable basic TOTP two-factor authentication, and fill your vault with as many passwords as you’d like. The free personal plan also allows privacy-minded users to avoid the company’s cloud hosting and instead self-host.
Rivals dole out far less to their free users, and it’s particularly rare for them to grant unrestricted movement between multiple device types. (LastPass and Dashlane begin charging as soon as you want to leave the confines of a single device.) Most competitors are also not open-source like Bitwarden, which prevents their communities from being able to hunt for hidden backdoors or security holes.
The one thing that the free personal plan doesn’t offer is real-time password sharing—but you can partially get around that by signing up for a free two-person org plan instead. It allows unlimited password sharing between the two users, thus allowing both individuals to safely access current passwords for shared accounts. However, the trade-off is that this free enterprise plan does not allow self-hosting.
Bitwarden’s other advantage is that should your needs expand down the road, the transition to a paid plan won’t cost much. A premium personal plan is just $10 per year (compared to $36+ per year for rivals), and a family plan is $40 per year for up to six users (compared to $48+ per year for rivals). And moving up to a paid tier does come with concrete benefits: support for more sophisticated forms of two-factor authentication, evaluations of your passwords’ health (e.g., strength, public exposure, etc.), encrypted file storage, and emergency access for trusted individuals.
Finally, if you decide to move elsewhere one day, Bitwarden allows you to export your passwords—with the option to do so as an encrypted file. But with such a generous and thorough set of features, you’ll likely not want to go elsewhere.
Devices: Windows (official), MacOS (unofficial ports), Linux (unofficial ports), Android/iOS (unofficial ports)
Open source: Yes
Two-factor authentication (2FA): Yes
KeePass may not look like much, but under the hood this desktop-application-based password manager has all the features you could want, particularly if you’re privacy and security minded.
Because the program and its encrypted database file(s) are stored locally on your computer by default, you retain full control over who can access it—unlike a cloud service, where you have to trust that servers are set up correctly and that the employees are trustworthy. Moreover, you don’t even have to install it on your system, but can run it via a portable .exe application kept on a USB stick.
KeePass is also an open-source program, which means that the community can always vet it for any hidden backdoors or just plain old security-crippling bugs. And you can enable two-factor authentication through the use of key files (which augments your master password), plus lock the database file to the Windows account that created it, too.
You’re not just locked to a Windows desktop system, either—because the program is open source, you can find community-created ports of KeePass for MacOS, Linux, Android, and iOS, as well as a boatload of plugins that let you customize it to your taste. With plugins, you can re-create most of the features you’d find in paid cloud-based services, like checking to see if any of your passwords have been found as part of a data dump.
You can also get creative with how you store your database file—for remote access, you can put it on a home server, or if you’re comfortable, a cloud service of your own choosing. (Perhaps you’re more comfortable with how Google safeguards its accounts than a dedicated password manager service, for example.) And should you ever decide to hang up your hat as a DIY password manager administrator, KeePass allows for easy exports of your passwords.
Best free password manager for simplicity: Google, Apple, or Firefox
Password managers within mobile operating systems and major browsers have come a long way. Just a few years ago, we wouldn’t have advised using them at all, but now they’ve shored up their security and features to become a viable (though basic) option.
But basic isn’t bad—when it comes to password managers, the best service is the one that you’ll use. For some people, using a dedicated password manager can be too much to keep track of. In those cases, leaning on Google, Apple, or even Firefox can help upgrade your password security with little extra effort necessary. Their built-in password management tools can do the heavy lifting of creating and remembering unique random passwords across the web, and you won’t need to switch to a different app to make it work.
Of course, you will lock yourself into those ecosystems by doing so, but if you live your whole life within those waters already, you won’t be bothered by that fact. Google probably will appeal to most people, as Chrome is ubiquitous, but those who worry about data privacy can instead turn to Firefox and its pledge to not sell your data. Apple also shares Firefox’s commitment to privacy, but it’s the hardest platform to leave, as the company doesn’t provide an easy method to export passwords. We advise choosing Google or Firefox for the widest reach across devices, and Apple if you own both MacOS and iOS devices (and don’t plan to leave). Microsoft’s password manager in Edge can also be worth a look for people deeply enmeshed in the Windows ecosystem.
The one primary downside to using your Google, Apple, or Firefox account to store passwords is that they’re not as tightly safeguarded as with a third-party service. Even if you secure your account with two-factor authentication (and you absolutely should if you’re storing passwords in it!), Google, Apple, or Firefox tend to be more lax about accessing passwords from a device that’s logged in. Often they don’t ask for reauthentication to use a stored password, unlike most dedicated password managers—and that can be a security hazard on a shared device.
Why bother with a paid password manager if you can use a free one? Paid services provide premium features that enable more control over your passwords and how you secure them. For example, you’ll often gain access to password sharing (handy if your household members all need to know the Netflix password), support for YubiKey and other more “advanced” forms of 2FA authenticators, and alerts that tell you if your password turned up in a data dump. Some paid services even have a signature feature that makes them stand out from competitors—for example, 1Password has a “travel vault” feature that hides some passwords when you’re traveling, as an extra security measure when you might encounter aggressive airport screening or simply lose access to your devices due to theft or lost baggage.
If you need these kinds of features, check out our list of the best paid password managers to see which ones offer the best bang for your buck.