We need strong passwords to protect our accounts, and to be strong, passwords should be at least twenty characters long, complex, highly random, and unique. Got 100+ accounts? Good luck and have fun!

These requirements stem from the nature of passwords themselves, but the are not human-friendly, and as such they’ve caused a lot of misery over the years. It is impossible to follow these recommendations without the aid of tools, which is why password managers have become a practical necessity-- they can generate strong passwords for us when we create accounts or change account passwords, they remember them for us, and they can even enter them into password fields, saving us from typos.

Password managers come in three different categories: built-in to web browsers, third-party extensions or plugins, and standalone applications. To further distinguish them, some are free while others require a paid subscription.

Built-in Password Managers

Virtually all web browsers today offer a built-in password manager and these are an attractive option because they are free and easy to use. You also do not have to install additional software, which means less hassle, and every program introduces a degree of risk, so fewer programs is a good thing security-wise.

It's also easy to synchronize (sync) built-in password managers across devices, which allows you to access your passwords without any additional work. You log into your web browser like other cloud services (you may have to create a separate account depending on the web browser) and the browser syncs your data, settings, and passwords. Some browsers will let you manually export and import passwords if you do not want to create an account, but that significantly diminishes the ease of use.

There are some drawbacks, however, to built-in password managers that are worth considering. They tend to lack features available in extensions and applications, such as controlling password length and complexity, locking your vault manually, and creating and using passwords for applications outside of the web browser.

They have also not been as secure as dedicated password managers in the past, although most of them have made significant improvements on this front over the past five years. Still, because they are part of the web browser, they are more exposed to attacks and are frequently targeted by malicious websites and extensions. It is also worth noting that many do not offer end-to-end encryption. End-to-end encryption means that your data is encrypted before it leaves your device, increasing your security and privacy. Third party password managers, and Safari, offer this but FireFox, Chrome, and Edge do not. which means it’s possible someone could steal your password vault from their network.

Finally, they can be difficult to manage if you switch between browsers frequently or use different browsers on different platforms-- Safari on an Apple devices, Chrome on an Android phone, and Edge on a Windows laptop, for example.

Apple has made improvements in this space recently by integrating Safari with the Password app for both macOS and iOS devices. This lets you easily sync passwords across Apple devices, and lets you use passwords for apps outside of Safari. Apple’s password vault offers strong protection, and end-to-end encryption to preserve your privacy. They also offer password monitoring. If you are fully in Apple’s ecosystem, the built-in password manager for macOS and iOS is a solid option. The only drawback is that it’s password generation is not as strong or as flexible as third party password managers, but it should be strong enough for most use cases.

Extensions (Plug-Ins)

There are lots of third-party password managers on the market: NordPass, ProtonPass, RoboForm, 1Password, LastPass, etc. They are usually installed as a web-browser extension, although some occasionally offer the option to install a separate application as well. Extensions are separate programs that integrate tightly with your web browser to provide additional functionality or features that you access through the web-browser.

Extensions are developed and maintained by a third-party which means you'll have to manually install them on each device, although they often update themselves going forward, which is one less thing to keep track of.

They are popular because they offer a richer feature set and better security than built-in password managers, although that is a general observation and not a hard rule. For example, they often let you set password length and complexity rules, allow you to lock your password vault, and secure it with a separate vault password and/or multi-factor authentication (MFA).

Most vendors offer extensions for all major browsers, which makes it easy to sync passwords between different browsers and across platforms. You can use Firefox, Chrome, Safari, and Edge on as many device as you want, and as long as you've installed the plugin on each of them, your passwords will sync.

There are some drawbacks, however. Most require a cloud account and a subscriptions. Most offer end-to-end encryption, but you should always confirm that before singing up. Some offer a free tier but these typically have restrictions that users find painful or frustrating. They also tightly integrate with the web browser, meaning they share some vulnerabilities with built-in password managers. Still, they offer a good compromise between the convince of built-in password managers and the hassle of standalone applications.

Stand Alone Applications

The three main stand alone password applications are Bitwarden (https://bitwarden.com), KeePassXC (https://keepassxc.org/), and Apple’s Password app. Apple’s Password app is free, comes on all Apple devices, and integrates seamlessly with Safari and most apps. I recommend it for people using only Apple devices. Its biggest drawback is that it doesn’t generate passwords that are as strong as the passwords generated by Bitwarden and KeePassXC, but still its passwords exceed regulatory requirements and will provide adequate protection.

Bitwarden and KeePasXC are separate applications that you run on your device and are separate from the web browser entirely. They give you the most control over password generation and storage and all offer an additional layer of security because they are a separate application from your web browsers, and make it easy to use with different web browsers and apps. They are also free with no core functionality locked behind subscription tiers--although cloud syncing is a separate paid for service you can purchase, but it is not required.

The trade off for Bitwarden and KeePassXC is convenience, ease of use, and the risk of having your passwords out of sync. Autofill, for example, requires additional configuration or some form of browser integration that has to be setup separately. And if you aren't syncing through the cloud, you will be responsible for copying your updated vault to each device.

Summary

Built-in password managers are certainly better than not using a password manager! If you have not being using a password manager or are worried about paying for another subscription they are a good place to start. Get going! You can easily export your passwords and then import them into an extension or application later, if you decide to switch. There are two exceptions. Safari is excellent and most Apple users will have no reason to migrate to a third party password manager, while Firefox’s built-in password manager is known to be insecure, and is not recommended.

Extensions offer enhanced functionality and security compared to built-in password managers, are reasonably easy to use, and great if you use multiple web browsers. But they are not as secure as standalone applications, require you to sync your passwords through another company's cloud services, and often require a paid subscription.

Standalone applications offer the strongest security and are free, but they require a fair amount of effort and are generally not going to be worth the frustration for most business owners, Apple’s Password app being the exception.