The best password managers

By Joe Kissell

This post was done in partnership with The Wirecutter, a buyer’s guide to the best technology. When readers choose to buy The Wirecutter’s independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here.

If you’re not using a password manager, start now. As we wrote in Password Managers Are for Everyone—Including You, a password manager makes you less vulnerable online by generating strong random passwords, syncing them securely across your browsers and devices so they’re easily accessible everywhere, and filling them in automatically when needed. After 15 hours of research and testing, we believe that LastPass is the best password manager for most people. It has all the essential features plus some handy extras, it works with virtually any browser on any device, and most of its features are free.

Who should get this

Everyone should use a password manager. The things that make strong passwords strong—length, uniqueness, variety of characters—make them difficult to remember, so most people reuse a few easy-to-remember passwords everywhere they go online. But reusing passwords is dangerous: If just one site suffers a security breach, an attacker could access your entire digital life: email, cloud storage, bank accounts, social media, dating sites, and more. And if your reused password is weak, the problem is that much worse, because someone could guess your password even if there isn’t a security breach.

If you have more than a handful of online accounts—and almost everyone does—you need a good password manager. It enables you to easily ensure that each password is both unique and strong, and it saves you the bother of looking up, remembering, typing, or even copying and pasting your passwords when you need them. If you don’t already use a password manager, you should get one, and LastPass is a fabulous overall choice for most users.

How we picked and tested

Although I’d already spent countless hours testing password managers in the course of writing my book Take Control of Your Passwords, for this article I redid most of the research and testing from scratch, because apps in this category change constantly—and often dramatically.

I looked for tools that do their job as efficiently as possible without being intrusive or annoying. A password manager should disappear until you need it, do its thing quickly and with minimum interaction, and require as little thought as possible (even when switching browsers or platforms). And the barrier to entry should be low enough—in terms of both cost and simplicity—for nearly anyone to get up to speed quickly.

I began by ruling out the password autofill features built into browsers like Chrome and Firefox—although they’re better than nothing, they tend to be less secure than stand-alone apps, and they provide no way to use your stored passwords with other browsers.

Next I looked for apps that support all the major platforms and browsers. If you use only one or two platforms or browsers, support for the others may be irrelevant to you, but broad compatibility is still a good sign. This means, ideally, support for the four biggest platforms—Windows, macOS, iOS, and Android—as well as desktop browser integration with at least Chrome and Firefox, plus Safari on macOS.

I excluded apps that force you to copy and paste passwords into your browser rather than offering a browser extension that lets you click a button or use a keystroke to fill in your credentials. And, because most of us use more than one computing device, the capability to sync passwords securely across those devices is essential.

After narrowing down the options, I tested eight finalists: 1Password, Dashlane, Enpass, Keeper, LastPass, LogMeOnce, RoboForm, and Sticky Password.

I tested for usability by doing a number of spot checks to verify that the features described in the apps’ marketing materials matched what I saw in real life. I set up a simple set of test forms on my own server that enabled me to evaluate how each app performed basic tasks such as capturing manually entered usernames and passwords, filling in those credentials on demand, and dealing with contact and credit card data.

If my initial experiences with an app were good, I also tried that app with as many additional platforms and browsers as I could in order to form a more complete picture of its capabilities. I did portions of my testing on macOS 10.12, Windows 10, Chromium OS (as a stand-in for Chrome OS), iOS 10, Apple Watch, and Android.

Our pick

You can access LastPass in a browser extension, on the Web, or in a stand-alone app.

Before I get to what’s great about LastPass, a word of context: LastPass, Dashlane, and 1Password are significantly better than the rest of the field. I suspect most people would be equally happy with any of them. What tipped the scales in favor of LastPass was the company’s announcement on November 2, 2016, that it was making cross-device syncing (formerly a paid feature) available for free. Although there’s still a Premium subscription that adds important features (more on that in our full guide), this change makes LastPass a no-brainer for anyone who hasn’t yet started using a password manager. Even its $12/year premium tier is much cheaper than 1Password or Dashlane’s paid options.

LastPass has the broadest platform support of any password manager I saw. Its autofill feature is flexible and nicely designed. You can securely share selected passwords with other people; there’s also an Emergency Access feature that lets you give a loved one or other trusted person access to your data. An Automatic Password Change feature works on many sites to let you change many passwords with one click, and a Security Challenge alerts you to passwords that are weak, old, or duplicates, or that go with sites that have suffered data breaches.

LastPass works on macOS, Windows, iOS, Android, Chrome OS, Linux, Firefox OS, Firefox Mobile, Windows RT, Windows Phone—even Apple Watch and Android Wear smartwatches. (Sorry, no BlackBerry, Palm, or Symbian support.) It’s available as a browser extension for Chrome, Firefox, Safari, Internet Explorer, and Microsoft Edge, and it has desktop and mobile apps for various platforms.

Upgrade pick for Apple users

1Password offers Mac and iOS users features not found in LastPass, plus a more-polished interface.

If you’re a Mac, iPhone, and/or iPad user with a few extra bucks, and you’d like even more bells and whistles in your password manager, 1Password is well worth a look. 1Password has a more polished and convenient user interface than either LastPass or Dashlane. It’s also a little faster at most tasks; it has a local storage option if you don’t trust your passwords to the cloud; it gives you more options than LastPass for working with attached files; and it can auto-generate one-time tokens for many sites that use two-step verification—LastPass requires a separate app for this. 1Password is, however, more expensive than LastPass and doesn’t work on as many platforms: Windows and Chromebook users, especially, are better off with LastPass.

This guide may have been updated by The Wirecutter. To see the current recommendation, please go here.

Note from The Wirecutter: When readers choose to buy our independently chosen editorial picks, we may earn affiliate commissions that support our work.

Yahoo’s Billion-User Database Reportedly Sold On the Dark Web for Just $300,000 – NYT

An anonymous reader writes: As if 2016 wasn’t shitty enough for Yahoo — which admitted to two separate breaches that saw 500 million users’ and then 1 billion users’ details stolen by hackers — the New York Times reports that a billion-user database was sold on the Dark Web last August for $300,000. That’s according to Andrew Komarov, chief intelligence officer at security firm InfoArmor. He told NYT that three buyers, including two prominent spammers and another who might be involved in espionage tactics, purchased the entire database at the aforementioned price from a hacker group believed to be based in Eastern Europe. It’s lovely to know that it only costs $300,000 to be able to threaten a billion people’s online existence — which means each account is only worth $0.0003 to hackers who can ruin your life online in a matter of minutes. Yahoo also doesn’t yet know who made off with all the data from the attack in 2013, which is said to be the largest breach of any company ever. Read more of this story at Slashdot.

Opera warns that its web sync service was hacked

Data breaches happen all too often, but it’s rare that they target your browser’s sync service… and unfortunately, Opera just became one of those exceptions. The company is warning users that it detected a hack in its sync system that may have given intruders access to login details. While your passwords are likely safe (all synced passwords are encrypted, for example), Opera isn’t risking anything. It’s resetting all sync account passwords, and it recommends that you change any linked third-party passwords to be on the safe side. Opera is quick to note that the majority of its 350 million users won’t be affected, since most don’t use sync. However, this still leaves about 1.7 million active users at risk, and there are likely more inactive users who are storing useful passwords. True, it’s doubtful that the breach will lead to serious damage, but this certainly isn’t the kind of news Opera would want following its sale to a Chinese security giant. [Thanks, Kristy] Source: Opera Security

Notorious Group OurMine Hacks TechCrunch

Prominent technology blog TechCrunch — which is often cited on Slashdot — has become the latest victim of the OurMine hacking group. The notorious group gained access to Seattle-based writer Devin Coldewey’s account, and posted the following message earlier today: “Hello Guys, don’t worry we are just testing techcrunch security, we didn’t change any passwords, please contact us.” The post was then promoted as a ticker, the top banner in red and as the main story on TechCrunch’s front page. BetaNews adds: The OurMine website says that the group offers “top notch vulnerability assessment”, so it’s possible that the hack was little more than a PR stunt touting for business. It did not take TechCrunch long to notice and remove the story (and presumably change a series of passwords…) but the site is yet to issue a statement about what has happened. Read more of this story at Slashdot.

You Can Now Browse Through 427 Million Stolen MySpace Passwords

Stan Schroeder, writing for Mashable: An anonymous hacker managed to obtain an enormous number of user credentials in June 2013 from fallen social networking giant MySpace — some 427 million passwords, belonging to approx. 360 million users. In May 2016, a person started selling that database of passwords on the dark web. Now, the entire database is available online for free. Thomas White, security researcher also known by the moniker “Cthulhu,” put the database up for download as a torrent file on his website, here. “The following contains the alleged data breach from Myspace dating back a few years. As always, I do not provide any guarantees with the file and I leave it down to you to use responsibly and for a productive purpose,” he wrote. The file is 14.2 GB in size; downloading it might take some time. It is password-protected, but White made the password available on Twitter and his site. Read more of this story at Slashdot.

KeePass Vulnerability Could Let Attackers Steal Your Passwords With Shady Updates

KeePass isn’t the most popular password manager around here, but many of our readers use it. The next time you download an update for it, you may want to verify it yourself to prevent a malicious attack. Read more…

Why Complex Password Requirements Don’t Necessarily Make You Safer

We already know that most users’ clever passwords aren’t protecting them from hackers. It turns out that the complex password requirements most sites ask you for aren’t doing as much to help either. Read more…

Hackers Claim to Have 427 Million Myspace Passwords

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: There’s an oft-repeated adage in the world of cybersecurity: There are two types of companies, those that have been hacked, and those that don’t yet know they have been hacked. MySpace, the social media behemoth that was, is apparently in the second category. The same hacker who was selling the data of more than 164 million LinkedIn users last week now claims to have 360 million emails and passwords of MySpace users, which would be one of the largest leaks of passwords ever. And it looks like the data is being circulated in the underground by other hackers as well. It’s unclear when the data was stolen from MySpace, but both the hacker, who’s known as Peace, and one of the operators of LeakedSource, a paid hacked data search engine that also claims to have the credentials, said it’s from a past, unreported, breach. Read more of this story at Slashdot.

The World’s Biggest Ever Math Proof is a Whopping 200TB

If you think you had a hard time filling out pages of algebra at school, spare a thought for the three mathematicians who have just published the world’s largest ever proof. It takes up 200TB of storage space. Read more…

Trend Micro Flaw Could Have Allowed Attacker To Steal All Passwords

itwbennett writes: Trend Micro has released an automatic update fixing the problems in its antivirus product that Google security engineer Tavis Ormandy discovered could allow “anyone on the internet [to] steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction.” The password manager in Trend’s antivirus product is written in JavaScript and opens up multiple HTTP remote procedure call ports to handle API requests, Ormandy wrote. Ormandy says it took him 30 seconds to find one that would accept remote code. He also found an API that allowed him to access passwords stored in the manager. This is just the latest in a string of serious vulnerabilities that have been found in antivirus products in the last seven months. Read more of this story at Slashdot.
