Russ Harvey Consulting - Computer and Internet Services

Password Managers

Essential for managing your passwords


You Need a Password Manager

We simply have far too many passwords to manage them without a password manager. No one can remember all their passwords.

Humans have great difficulty creating and remembering long, strong and unique passwords.

Password managers associate usernames and passwords with specific web pages.


This makes it hard for password managers to betray you to bogus websites by mistake, because they can't put in anything for you automatically if they're faced with a website they've never seen before.
Naked Security
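As an added illustration (not code from the original page or from any password manager product), here is the origin-matching rule that produces the behaviour described above: a saved login is offered only when the page's scheme, host and port exactly match the stored entry. The vault entry, hostnames and credentials are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample vault (not real credentials): each saved login is bound
# to the exact origin (scheme, host, port) of the page it was saved on.
VAULT = {
    ("https", "accounts.example.com", 443): {"user": "alice", "password": "s3cret-sample"},
}

def origin_of(url):
    """Normalise a page URL to (scheme, ASCII host, port), or None if unusable.
    The host is converted to its IDNA A-label so a look-alike Unicode hostname
    can never compare equal to the ASCII host stored in the vault."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        host = parts.hostname.encode("idna").decode("ascii").lower()
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except (UnicodeError, ValueError):
        return None
    return (parts.scheme, host, port)

def autofill_candidate(url):
    """Offer a saved login only for an exact origin match.
    Unknown sites, extra subdomains and http downgrades get nothing, which is
    why a manager cannot be talked into filling a look-alike login page."""
    origin = origin_of(url)
    if origin is None:
        return None
    return VAULT.get(origin)

if __name__ == "__main__":
    for page in ("https://accounts.example.com/login",
                 "https://accounts.example.com.evil.test/login",
                 "http://accounts.example.com/login"):
        print(page, "->", "fill" if autofill_candidate(page) else "no match")
```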

LastPass No Longer Recommended

I no longer recommend LastPass because of lax reporting of the 2022 LastPass breaches.

Don't Let Your Browser Store Passwords

While web browsers have built-in password managers, all are vulnerable to being hacked.

Unscrupulous websites can use malicious scripts and hidden login fields to track and gather information from your browser's password manager.

Chrome Especially Vulnerable

There are serious security deficiencies in browser password managers — any browser, but particularly Google Chrome.

Experts tell us that relying on Google Chrome (or any browser) to manage your online passwords is a seriously bad idea.
PCMag
If you currently use or have used browsers to save your passwords, you may have noticed that you don't frequently need to log back into your browser. Although this can seem convenient, it also poses a major security concern.
Keeper
Zero-knowledge encryption is the reason dedicated password managers can keep your data safe without ever having access to your master password. "Google's password manager doesn't use zero-knowledge encryption," stated Lurey. "In essence, Google can see everything you save. They have an 'optional' feature to enable on-device encryption of passwords, but even when enabled, the key to decrypt the information is stored on the device."
PCMag


Computer or Mobile?

Most current password managers recognize that people want to access their passwords on multiple devices, usually both computers and mobile devices.

Some password managers require you to purchase their premium plan to obtain access on both. Others work on only one device. Bitwarden doesn't require a premium plan for this.

Providing cross-platform and multi-device access means that your data is going to be stored in the cloud, which complicates security.

Configure It Carefully

Whichever password manager you choose, take care in setting it up and choosing the master password.

Choosing a Master Password

Provided that your master password is decent (at least 15 characters) and the number of PBKDF2 iterations (the number of times the password is re-hashed, which multiplies the cost of every brute-force guess) is very high, then the likelihood of your data being decrypted by brute force is relatively small.
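To show how master password length and the PBKDF2 iteration count combine against an attacker who has stolen an encrypted vault, here is an added example (not code from the original page or from Bitwarden). The attacker hash rate, the salt and the 600,000-iteration figure (the value OWASP's Password Storage Cheat Sheet currently lists for PBKDF2-HMAC-SHA256) are assumptions for illustration.

```python
import hashlib

def derive_vault_key(master_password, salt, iterations):
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.
    The salt defeats precomputed tables; the iteration count is the work factor
    that makes every single guess cost `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def brute_force_years(charset_size, length, iterations, hashes_per_second):
    """Worst-case time to try every password of the given length against a
    stolen vault, for an attacker able to compute `hashes_per_second` HMACs."""
    guesses = charset_size ** length
    seconds = guesses * iterations / hashes_per_second
    return seconds / (365 * 24 * 3600)

if __name__ == "__main__":
    # Constructed figures: a 62-symbol alphabet (a-z, A-Z, 0-9) and an assumed
    # offline attacker with GPU hardware doing 1e10 HMAC-SHA256 per second.
    for length, iters in [(8, 1), (8, 600_000), (15, 600_000)]:
        years = brute_force_years(62, length, iters, 1e10)
        print(f"{length} chars, {iters:>7} iterations: {years:.3g} years")
    salt = b"constructed-sample-salt"   # a real manager uses a random per-user salt
    key = derive_vault_key("correct horse battery staple", salt, 600_000)
    print("vault key:", key.hex())
```

Raising the iteration count scales the attacker's cost linearly, while each extra character of master password multiplies it by the alphabet size, which is why the length matters far more than the iteration setting.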

You should NEVER reuse any password but especially not your password manager's master password.

See Passwords: Your Electronic Signature for more information about creating and remembering strong passwords.

Moving to a New Password Manager

There can be many reasons that you wish to move to another password manager.

Password Breaches

If you're using LastPass, I recommend moving to another password manager, especially if your master password was weak. Essentially, LastPass can no longer be trusted to keep your passwords safe.

Norton LifeLock also suffered a breach of up to 925,000 accounts. Their promises to protect you against cybercrime are meaningless since they can't even protect your personal data within their own systems.

Cybercriminals are increasingly targeting password manager companies because they hold the sensitive data that can be used to access millions of accounts, including cloud accounts where business-critical systems and digital assets are hosted.


In this highly competitive landscape, cybersecurity practices, transparency, breaches and data exfiltration can influence the future of these password manager companies.
Tech Republic

Exporting & Importing Passwords

All password managers have some method of exporting and importing passwords.

CRA and Password Managers

While password managers work for most sites, one of the most glaring exceptions is the Canada Revenue Agency (CRA) site. Their people will tell you NOT to use a password manager (i.e., you must manually enter your username and password).

I discovered that the data in the location bar (or address bar) on my browser was an unbelievable 2005 characters!

Not only is the CRA one of the most sensitive sites you can visit (it contains access to all your tax files, including some of your most sensitive personal information), but the agency should also have the expertise to manage decent security.


Bitwarden

I strongly recommend Bitwarden for your password manager. Not only does it provide a great free version, but the cost of upgrading to premium is relatively inexpensive compared to other commercial password managers.

Bitwarden has and always will be a free and open source product. One of our goals since the beginning has been to create a free password manager that is not crippled by "free trials" and truly offer a quality product at no cost. This goal remains at the top of our priorities.

Bitwarden is my recommended replacement for LastPass.

All vault data is encrypted by Bitwarden before being stored anywhere. Bitwarden is a zero knowledge encryption solution, meaning you are the only party with access to the keys required to decrypt the vault data.
Bitwarden

Free

Core features included with every Bitwarden account:

Free organizations provide for 2 users, 2 collections.

Premium

Add premium features for only US$10/year:

Families

Up to 6 users for only US$40/year:

Bitwarden also offers business plans.

Bitwarden Send

Transmit data securely to anyone, even non-users, with end-to-end encryption.

Bitwarden Two-Factor Authentication

Bitwarden now requires that two-factor authentication be enabled. They will default to sending authentication codes to the email address used for your Bitwarden account, but there are other methods.

Using two-step login (also called two-factor authentication, or 2FA) to protect your Bitwarden vault prevents a malicious actor from accessing your data even if they discover your master password by requiring authentication from a secondary device when you log in.
Bitwarden

Bitwarden's documentation about two-step login includes information about how to set up two-step authentication, alternative authentication methods (may require Bitwarden Premium), and what to do if you lose access to your authentication method (hint: be prepared in advance):

Be sure to store the recovery code in a safe but accessible place. Storing it electronically on your computer could leave it exposed if your computer is lost or compromised.

Bitwarden Emergency Access

Bitwarden Premium emergency access allows users to designate and manage trusted emergency contacts, who can request access to their vault in cases of emergency.

Only premium users, including members of paid organizations (Families, Teams, or Enterprise) can designate trusted emergency contacts; however, anyone with a Bitwarden account can be designated as a trusted emergency contact.


Setting up emergency access is a 3-step process in which you must Invite a user to become a trusted emergency contact, they must Accept the invitation, and finally you must Confirm their acceptance.
Bitwarden

See Bitwarden's “Emergency Access” page for the details.

Downloads & Learning More

Download options include

Beware of Fake Downloads

Be sure to only download Bitwarden from bitwarden.com.

Getting Started

There is documentation on the Bitwarden Help pages. Look for the menu on the left and click on the help item you want.

I strongly recommend that you disable the login website icons because of the privacy risk:

Because a request for an icon contains the hostname of the website stored in your vault, it is important to understand that this feature will "leak" otherwise cryptographically protected information to Bitwarden servers and/or CDN endpoints and be visible in your local cache.

Getting Help

Resources

Tools


Password Safe: Offline Alternative

Realize that ANY cloud-based password manager (or service) is subject to the same vulnerabilities: world-wide access to online servers.

The alternative is a secure password manager which resides only on ONE computer.

If that is your choice, I recommend Password Safe.

Password Safe is open source and free (no license requirements or shareware fees).

Password Safe protects passwords with the Twofish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Twofish algorithm.


Reviews

I recommend Bitwarden, but you might like to do more research, especially if you aren't completely convinced that Bitwarden is for you.

About Reviews

Realize that, as with all software reviews, products change over time, so depending upon when the review took place you may find one product favoured over another.

Reviews of Password Managers

These are some reliable reviews

Are You Still Using LastPass?

Steve Gibson's initial support of LastPass was one of the main reasons I felt I could recommend LastPass.

Following the 2022 LastPass security breaches he's now moved to Bitwarden as have most of the security folks I follow.

Learn more about the LastPass security breach.


Related Resources

On this site:

RussHarvey.bc.ca/resources/passwordmanagers.html
Updated: February 22, 2025