Using a strong password is critical to the security of your online accounts. However, according to Dashlane, US users held an average of 130 different accounts in 2015. Memorizing strong passwords for this many accounts is impractical. Fortunately, password managers solve this problem.
Password managers address the issue of needing a strong password by taking the memorization out of the equation. No longer do you need to worry about remembering all of your passwords, as the manager stores this information, and it can even be auto-filled when needed. You need only to protect the one database.
The iOS App Store contains several great password managers to choose from. We installed and tested all of the top offerings and have concluded that the following four managers are the best available. Using any of these password managers on your iPhone or iPad will dramatically improve the privacy and security of your online accounts.
A password manager is an app with a database containing your login information for all the various accounts you use. The database is typically encrypted with a master password to prevent unauthorized access. While this master password may be combined with other secret unique information to increase security, you typically won't need to memorize anything more than the master password itself.
The master password is how one part of the typical password dilemma is solved — you only need to memorize one strong password for all your accounts. For example, something like |0%/p9PsZjAiJ4e@ is considered strong because it uses a variety of characters. However, you don't reuse this password — instead, you allow the manager to create strong passwords for all your other accounts.
Once a master password is created, you add the login information for all your accounts into the database. At this point, you'll want to replace the password for each account with a stronger one. Using the "change password" function for each of your accounts, the password manager will create a new passcode. The manager will allow you to choose from various parameters, such as whether to include uppercase or lowercase, special characters, and the overall length of the passcode, to create a strong password that you will never have to memorize.
- Premium Price (Single-User): The price to unlock all features for a single user.
- Premium Price (Family): Value pricing for multiple accounts. All but LastPass provide five user accounts for the listed price, with LastPass including six users. Like the Premium Price, this will unlock all features.
- Free Version Available: Whether or not you can use this service for free for the foreseeable future.
- Total Devices on Free Tier: How many devices you can connect to a free password manager account.
- Total Devices on Paid Tiers: How many devices you can connect with a paid account. All of the services here support unlimited devices with paid accounts.
- Local-Only Mode: This feature provides security in place of convenience. Instead of using the cloud to synchronize the database, your database resides only on your device. This provides more control as to who has access to it and who can view its contents, and it decreases the risks of being hacked.
- Offline Mode: What does the manager allow you to do when not connected to the internet? Can you view your passwords, add new ones, or edit existing entries?
- Cloud Sync: Your database is stored in the cloud, making it accessible across multiple devices. Using the cloud, any modification made on one device will automatically update all the other devices with access.
- Unlock with PIN: Does the manager allow you to access your passwords via a PIN? This is a good option if Face ID or Touch ID fails to register your biometrics. Otherwise, you'll need to input your master password, which is much larger than a PIN.
- Audit Passwords: The manager reviews all login credentials and will recommend changes to passwords. For example, the manager will recommend changing a password if it hasn't been modified in a while (typically three months) or if you use the same password for multiple accounts.
- Bulk Password Changing: The manager allows you to change the password of multiple accounts simultaneously. This feature requires websites to enable support for it to work. Dashlane is the only app to offer this feature.
- URLs Per Password: When you have an account with one company and the login credentials work across all of its sites, which may have completely different URLs, it comes in handy to be able to add multiple URLs to a password entry. Otherwise, you'd have to create a totally different password entry for the different URLs.
- Secondary Login Username: For all your accounts, can you remember if you used your email as the username for each account or a custom name instead? With this feature, you don't have to, because you can input both into the password entry and use one or the other.
- Security Alerts: The password manager alerts you of potential threats to your accounts, such as when big data breaches happen and you have an account that could be compromised.
- Multiple Vaults: Within the app, you can access multiple vaults (databases) to keep things more organized. For instance, a "Personal" and "Work" vault are two good options to use, so you don't have to view work passwords with your personal ones. This is not referring to using two or more accounts.
- Share Passwords: You can extend access to passwords (whether individually or as a group) to other users. Some managers require that the users receiving access already have an account with the service.
- Emergency Access: In the case of your untimely death or incapacitation, loved ones can be assigned access to the database. This way, your online accounts can be managed or deleted depending on the situation.
- Tech Support: The managers on our list provide support through either an online ticket system, email, or web chat. Email is superior as you don't have to keep a page open to wait for a response.
- Enable/Disable Clipboard Timer: A clipboard timer controls how long a copied password remains in your clipboard, ready to paste elsewhere. In all apps, this feature can be enabled or disabled to keep copied items in the clipboard forever.
- Control Clipboard Timer: The ability to modify the time in which your copied data remain in the clipboard. LastPass and Keeper are the only managers that allow you to increase or decrease the time.
- Self-Destruct: This feature will delete all stored data if the wrong password is entered too many times. Keeper is the only app on this list with this feature.
- Recover Deleted Passwords: Some apps permanently erase data when you perform a "delete" on an entry, while others keep the data in a trash can for further deletion. Either can be good or bad, depending on your philosophy of security.
- Upload Files: All four apps allow you to upload certain file types to secure notes or password entries.
- Upload File Types: The types of files that you can upload to secure notes or password entries, including photos, videos, and files (documents).
- Opens Links In: Which browsers the manager can open links in. While there may be other browsers, such as DuckDuckGo or a manager's own in-app browser, we're focusing on the top three: Safari, Chrome, and Firefox.
- AutoFill in Apps (iOS 12): The ability to use AutoFill to auto-fill usernames and passwords into your iPhone apps and browsers. With iOS 12, managers are now able to utilize native AutoFill, once reserved only for iCloud Keychain.
- AutoFill in Apps (via Extension): Each manager on our list utilizes share sheets to achieve this functionality, and therefore, shares the same list of compatible apps.
- AutoFill Compatible Browsers: The browsers supported by the password manager which can be auto-filled via a share sheet extension.
- Apple Watch Support: Whether or not the manager supports the Apple Watch. Usages can include access to your vault from your wrist or as a tool to authenticate (multi-factor authentication).
- Touch ID: The fingerprint scanner can be used as an alternate way to log in to the vault.
- Face ID: Apple's facial scanner can be used as an alternate way to log in to the vault.
- Encryption: The method used to ensure the security of the database. As of today, the highest standard available is AES-256 encryption. Encryption protects the database by making it virtually unreadable to unauthorized users.
- Multi-Factor Authentication: Using multiple means to authenticate (identify) users. The most common form is using a third-party authenticator, which is an extra app you install that receives an OTP (one-time password) that you enter in addition to your password to prove your identity. Some examples include Google Authenticator, Microsoft Authenticator, and Authy.
- Universal 2nd Factor: Also known as U2F, this is another way of providing multi-factor authentication. U2F is a set of hardware keys (typically USB) which need to be in your physical possession if you want to log in to your database. Since the hardware keys can't be stolen remotely, many feel this provides the highest level of protection.
- Secure Cloud Storage: Encrypted cloud storage that comes with your subscription for uploaded files.
- Bug Bounty Program: The security of a system is heavily dependent on its ability to work as intended all the time. However, even the most well-written code will have bugs and unforeseen errors. To combat this, companies offer a financial incentive to those outside the company to report these errors. Typically, higher rewards attract more white-hat hackers (hackers for the good guys) and more highly skilled ones.
- White Paper Available: A technical report on how security and authentication are handled by the software. It provides necessary transparency and allows others to make suggestions to improve security for all.
Password managers have expanded beyond just housing account information. Many, including each one on our list, have an abundance of features that greatly enhance the experience for their users. While Apple has its own iCloud Keychain manager that helps you find and change bad passwords, there's not much more to it than that, so it didn't even come close to any of the options in this article.
Our first requirement for each password manager was the implementation of the latest security tools. Currently, that means AES-256 (Advanced Encryption Standard with a 256-bit key), PBKDF2 SHA-256 (Password-Based Key Derivation Function 2 and Secure Hash Algorithm 2 with 256-bit digest), and salted hashes. Also, your account should be secured using a password, as it provides the best protection. PIN codes are too short and limited in possible combinations, making it easier for unauthorized users to gain access, but most of these apps do have that if you want.
Our next requirement was that each app has some way to auto-fill usernames and passwords into apps and browsers. Without this functionality, managers become somewhat of a hassle, as they add a step (or steps) whenever you want to log in to your account. Luckily, each of the apps on this list supports iOS 12's native AutoFill feature as well as browser extensions.
Another important requirement was the inclusion of an Emergency Access feature. This allows you to establish a list of trusted friends and family members who can access your vault in the case you are unable to do so (for example, when you die). This will save friends and family from having to contact each account provider separately and presenting large amounts of documentation to prove their authorization.
Finally, the app must be well-designed and easy to use. All options should be properly described, and the layout shouldn't interfere with navigation. Basic tasks, such as adding login information, shouldn't require any assistance from a techy friend. Password managers should be accessible to all users, not just power users.
If you've heard about password managers before this article, it was probably thanks to LastPass, which has been aggressively advertising its services in the last few years. LastPass has lived up to its popularity by creating an app that checks most boxes when it comes to features you'd expect a password manager to have. What makes it number one, however, is the number of features its free version offers. Who says the best things in life aren't free?
- App Store Link: LastPass Password Manager (free, subscription optional)
LastPass was designed for casual users. Its developers worked to ensure the end-user experience was both simple and convenient. Starting with the menu options, each option is well described to ensure no confusion.
LastPass lets you add a wide array of credentials to your database — not just online account information, but also credit cards and driver's licenses. This lets you auto-fill virtually all information that may be requested online. Since LastPass is the only manager on our list to include cloud sync for free, you can access this information on all of your devices, as LastPass has an extension or app for all major browsers and operating systems. Unfortunately, cloud sync is mandatory, so there's no local-only mode with LastPass.
A feature called Secure Notes lets you create small documents that contain bits of information that don't properly fit in any of the above-listed categories. Thanks to LastPass' usage of both AES-256 and PBKDF2 SHA-256, you can be sure this information — as well as any photos you attach — is both secure and private from all unauthorized users. In addition, a paid account gives 1 GB of secure cloud storage to upload file types, while the free account only gives you 50 MB.
Similar to all the other password managers on our list, you can use iOS' share sheet function to auto-fill passwords, in addition to native support with iOS 12's AutoFill feature. When it comes to browser extensions, LastPass supports Safari, Chrome, Firefox, Opera, and DuckDuckGo. And for opening links, you can choose Safari, Chrome, Firefox, Firefox Focus, Opera Mini, and DuckDuckGo.
LastPass lets you control how long information copied from the vault remains in the clipboard. This is important, as data in the clipboard is a common target for hackers. When it comes to offline use, you can only view items, so no adding or editing since LastPass is cloud-based and not local only.
LastPass's Security Challenge feature will audit your passwords and provide a score for their overall strength. LastPass's analysis includes scanning the sites associated with the credentials to ensure their integrity and the strength of your master password. Suggestions are available to improve your score, giving you a measurable goal to achieve. Your improved passwords will be safe with both multi-factor authentication as well as U2F. Just be careful — you can't recover deleted passwords here.
You'll be safe knowing LastPass sends security alerts when detecting compromised data in your vault or vaults. While its online ticket system isn't the best customer service option we've seen, LastPass does make it easy to set up emergency access contacts via the in-app settings, the only app on this list to do so.
As good as it is, LastPass has changed over the years. It used to cost less than Keeper at $23.99 per individual but is now technically the second most expensive service on this list at $35.99 per year. Families pay $48 each year for six licenses, which is less than Keeper's annual charge.
If you don't want to pay a dime, however, you can still use most features for free, including cloud sync with unlimited accounts, PIN unlock, and more. Really, the only features you miss out on are simple sharing to anyone (free accounts can only share passwords with LastPass users), premium multifactor authentication methods, and priority support. Other than those items, LastPass is free to use.
In the past, 1Password was known for its local-based security. Recently, the company has moved its service from vaults stored on devices to vaults stored in the cloud. While convenient for working between multiple devices, some users are upset with this step back in security. Still, 1Password has a lot to offer even the most stringent security needs.
- App Store Link: 1Password - Password Manager (free, subscription after trial)
The cloud-based vault will automatically synchronize your data across multiple devices, but you must yield a certain amount of trust to 1Password, which stores your vault on its servers. 1Password cannot access the information, so there's not a whole lot to worry about, but it's still cloud-based, which is always something to think about.
For $3.99 a month — $35.88 a year — you get a lot for your money. And you'd better, as 1Password has no free version past a trial. There's also a family plan for $59.88 annually, with five licenses. Your vault or vaults are automatically synced across all platforms where 1Password is available, and you'll also gain access to 1 GB of secure storage for digital copies of important documents. You can also upload photos to both secure notes and passwords.
1Password provides security alerts with a feature known as Watchtower, which alerts you of security breaches on sites you use and recommends a course of action to correct the situation. However, unlike the other managers on our list, there is no way to audit your password.
1Password also authenticates users in a much different way compared to the other managers on our list. Normally, managers use the master password to create a hash to authenticate you with their servers. A hash is the output of a one-way function that turns data (in this case the master password) into a fixed-size value. The transformation is usually irreversible (hence one-way), so hackers aren't able to derive the master password from the hash.
1Password goes a step further using what's known as a two-secret key derivation. As the name implies, a second component, known as the Secret Key, is used to create a hash. The Secret Key is also unique and only known by you, improving the security of the hash.
The Secret Key is a string of characters that is first generated by your device when you initially create an account. This key is stored locally and is inaccessible by 1Password. While you'll never need to memorize the key (as the system automatically retrieves it), its uniqueness is what makes it secure and helps with authentication. This extra security might make up for the fact there's no U2F or bulk password changing.
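The salted PBKDF2 hashing listed in the requirements above and the two-secret idea described here, as an added Python example (not 1Password's or any vendor's actual code): the HMAC-and-XOR combination, the iteration count, the 128-bit Secret Key size and every sample value are assumptions made for illustration. It shows that a stored verifier built from the master password alone can be matched by guessing, while one that also depends on a device-held Secret Key cannot, even when the guess list contains the right password.

```python
import hashlib
import hmac
import math
import secrets

# Assumption: deliberately low work factor so the demo runs quickly.
DEMO_ITERATIONS = 10_000


def derive_single(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Single-secret derivation: salted PBKDF2-HMAC-SHA256 over the master password."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def new_secret_key() -> bytes:
    """Random secret created on the device at sign-up (128 bits is an assumed size)."""
    return secrets.token_bytes(16)


def derive_two_secret(master_password: str, secret_key: bytes,
                      salt: bytes, iterations: int) -> bytes:
    """Simplified two-secret derivation (illustrative construction only):
    stretch the password, expand the Secret Key with HMAC, then XOR the two."""
    stretched = derive_single(master_password, salt, iterations)
    expanded = hmac.new(secret_key, b"two-secret-demo" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stretched, expanded))


def verifier(key: bytes) -> bytes:
    """Value a server could store to check a login without holding the key itself."""
    return hashlib.sha256(b"auth-verifier" + key).digest()


def first_match(candidates, derive, stored_verifier):
    """Return the first candidate whose derived key matches the verifier, else None."""
    for candidate in candidates:
        if hmac.compare_digest(verifier(derive(candidate)), stored_verifier):
            return candidate
    return None


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random secret of the given alphabet and length."""
    return length * math.log2(alphabet_size)


def demo():
    # All values below are constructed for this example.
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    password = "tr0ub4dor&3-demo"
    candidates = ["123456", "letmein", password, "qwerty"]
    secret_key = new_secret_key()   # stays on the user's device
    placeholder_key = bytes(16)     # someone without the device has to guess this

    v_single = verifier(derive_single(password, salt, DEMO_ITERATIONS))
    v_two = verifier(derive_two_secret(password, secret_key, salt, DEMO_ITERATIONS))

    return {
        # Verifier and salt alone are enough to confirm a correct password guess.
        "single_secret_guess": first_match(
            candidates, lambda c: derive_single(c, salt, DEMO_ITERATIONS), v_single),
        # The right password is in the list, but the Secret Key is missing.
        "two_secret_without_key": first_match(
            candidates,
            lambda c: derive_two_secret(c, placeholder_key, salt, DEMO_ITERATIONS),
            v_two),
        # The legitimate device holds both secrets and authenticates normally.
        "two_secret_with_key": first_match(
            candidates,
            lambda c: derive_two_secret(c, secret_key, salt, DEMO_ITERATIONS),
            v_two),
    }


if __name__ == "__main__":
    print(demo())
    print("4-digit PIN:", round(keyspace_bits(10, 4), 1), "bits")
    # Assumption: 94 printable ASCII symbols, 16 characters like the example password.
    print("16-char password:", round(keyspace_bits(94, 16), 1), "bits")
```

The two `keyspace_bits` figures put numbers on why a PIN is a weaker unlock secret than a long generated password: roughly 13 bits against roughly 105.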
Sharing passwords is simple, as 1Password turns your credentials into plain text to send to any app or service of your choosing. Emergency access, however, isn't so convenient. 1Password creates an "Emergency Kit," essentially a PDF with your account information. While you can simply send this PDF to anyone you'd like to have access to your account, it's no substitute for the integrated emergency access we see in other apps.
You can roll with iOS 12's built-in AutoFill or opt to use the share sheet extension for apps and browsers. Compatible browsers include Safari, Chrome, and Firefox. As for opening links in 1Password, you can choose between Safari, Chrome, or Firefox.
When it comes time to adding passwords for accounts, 1Password is the only app in this list that lets you add more than one URL for each password entry. This is very convenient when the situation arises, and it also declutters the vault by not having duplicate entries.
1Password's tech support is good, offering emailed correspondence. While you cannot control the clipboard timer length, you can conveniently recover deleted passwords and use PIN-unlocking when Face ID/Touch ID fails. Convenience seems to be the name of the game with 1Password. While convenience doesn't always equal the highest security, sometimes it's worth sacrificing a little for ease of use.
Dashlane for iOS attempts to simplify the password manager. Using a new approach, codenamed Project Mirror, Dashlane wants to eliminate incompetence when creating passwords for accounts. While this app does include many of the features we've come to expect with a password manager, it's the Password Changer that places it in a league of its own.
- App Store Link: Dashlane Password Manager (free, subscription optional)
Password Changer is a feature that lets you (almost) instantaneously update multiple passwords without ever leaving the app. Password Changer includes password auditing functionality which analyzes the strength of your passwords and recommends which passwords need to be modified to preserve security. Once the accounts are selected, just tap "Change" in the upper-right of your screen, then Dashlane will automatically change your passwords for you.
Password Changer is one aspect of Project Mirror, Dashlane's ambitious plan to kill the password. Another major component is Critical Account Protection, which provides an in-depth analysis of all accounts associated with your email address, including the type of accounts you have and when they were created.
Dashlane monitors your accounts to ensure they remain secure and uncompromised. If there is ever a breach in a site, its Security Breach Alerts feature will let you know and make suggestions to protect your data. Multi-factor authentication and U2F will smartly protect your data and passwords, but just know deleted passwords cannot be recovered.
Dashlane is the best option on this list for local-only fans. Even though the paid version supports cloud sync with unlimited devices, you can choose to disable sync via Dashlane's desktop settings. That might make up for the lack of password auditing, self-destruct, multiple vaults, controlling clipboard timer length, and the ability to only share passwords to Dashlane members.
On the bright side, you can enable emergency access contacts, so long as you do so from the desktop settings. PIN unlock is also an option when biometrics fail. You also get tech support via email and web chat. In addition to native iOS 12 AutoFill, Dashlane utilizes the same share sheet functionality to auto-fill. However, browser extensions include only Safari and Chrome. In the app, you can choose to open links in Safari only.
One thing Dashlane has that no other app on this list does is the option to input a secondary login username. The other password managers only give you a spot for one username per password, but if you're not sure if the username is your email address or a regular one, it could cause some issues. Not with Dashlane.
The two glaring omissions in comparison to the other managers on our list are the lack of multiple vault support and family pricing. Multiple vaults are only available to Dashlane business accounts, and without any family pricing, you must pay the single-user price each for normal use.
Without a family option, you miss out on the typical savings associated with bundled accounts, and Dashlane's single-user pricing is also the highest on this list. At $59.99 a piece — $119.99 for Premium Plus — families are better off paying the additional fee for LastPass' family tier, which provides six accounts.
You can go with the free account to save some money, but it will come with restrictions, mainly the 50 password limit Dashlane sets and only one Local-Only device. If you can survive on that few passwords, can make do without the 1 GB of secure cloud storage, and can live on one synced account, you should be able to get away with using Dashlane free, especially since Dashlane lets you attach photos, video, and Files app files to secure notes.
Pricing aside, Dashlane provides a user-friendly experience that even your grandparents would be comfortable with. The Password Changer is a game changer in the password manager market, providing an enormous convenience that makes it hard for you not to be secure. As Dashlane continues to implement more of Project Mirror, this app will only get better.
Keeper isn't the prettiest or most perfect app on our list. Nonetheless, it has all the major features you would want in a password manager, and then some. If only the free version had some of its premium cousin's features, Keeper could be number one on this list.
- App Store Link: Keeper Password Manager (free, subscription optional)
With Keeper, pricing is fair. The premium price is the second cheapest option at $29.99 a year. Its family pricing, however, is the highest at $59.99 a year, and it only gives you five accounts whereas LastPass gives away six. A free version of Keeper is also available, but you're limited to one device per account with no cloud sync. That does mean free accounts essentially have Local-Only mode, a plus or minus depending on if you prefer higher security or more convenience.
Keeper does a great job of letting you know the strength of your passwords when manually adding login information. When inputting passwords, a colored bar appears below to reflect the strength of that password. To eliminate any confusion, the colors match the same schemes as traffic lights, with red meaning weak and green meaning strong.
Under the DNA feature, Keeper includes a multitude of authentication options. Choices range from Touch ID, which adds convenience, to Apple Watch (paid only) and OTP, which improve security. Your Apple Watch can act as a multi-factor authenticator, providing an additional tool to properly identify you. Keeper also supports Google Authenticator for app-based authentication.
You can also increase security by using Universal 2nd Factor, which requires you to have a hardware key (typically USB) in order to access the vault. However, Keeper doesn't support PIN unlocking, the only app on this list to omit such a feature, which could be looked at as higher security or less convenience.
To make up for it, you can both audit your passwords and set up emergency access contacts via Keeper's web app. You won't receive security alerts unless you pay for the BreachWatch add-on, and multiple vaults are only available to business subscribers.
Unique among the password managers on our list, Keeper includes a feature known as Self-Destruct, which automatically erases any local vault on the device after several failed login attempts. When using the premium version, this isn't a huge deal, as a copy is saved on the cloud — but for free accounts, five incorrect attempts can erase the only copy of your vault. While this feature does increase security, the heavy consequence makes its overall worth somewhat debatable.
Also, unlike the other password managers, Keeper offers some level of interface customization. The background can be altered using a small list of preinstalled choices. It isn't much, but it's something.
Key to Keeper's success is the ability to control how long items are stored in the clipboard. This is a relatively new addition to Keeper, so we hope to see the feature pop over to other apps as well.
Aside from native AutoFill support, Keeper supports extensions for auto-fill in Safari, Chrome, Firefox, Opera, and DuckDuckGo. It also supports attaching photos and video to password entries and allows you to view, add, and edit items while offline. As for opening links, you can use Keeper's in-app solution or Safari, Chrome, Firefox, and Firefox Focus.
Keeper is unique on this list, as it is the only service to offer free secure cloud storage. That said, you only get six uploads in total, but each upload on iOS can be as large as 10 GB. Additional storage plans can be purchased as add-ons to a paid subscription. 10 GB comes standard with a family plan.
If you're looking for a cash reward for a bug bounty, you're out of luck. While Keeper, like the other apps on this list, partners with Bugcrowd, it offers "Kudos Points" in lieu of cash. Kudos Points, unlike cash, have no value outside of Bugcrowd. Bug squashers can be proud of their point tallies, but, sadly, that's about all, so there's less incentive for outside help.
Keeper is a great password manager. While it's missing some features found in other apps, such as security alerts and bulk password changing, its other features more than make up for the gaps — only at a cost.
Every iOS user should be using a password manager in this day and age. We, as human beings, can't be expected to memorize strong unique passwords for each of our many accounts, and we can't be expected to change them every 90 days as recommended. With a password manager, none of this is a problem.
On the iPhone, LastPass is the best option. It offers an extensive list of features that are unmatched by the other managers on our list, especially when it comes to free versions. 1Password may come in a close second, but its lack of free features really places LastPass ahead of the game.
That being said, there are benefits to all of these apps. For example, you might find Keeper's UI off-putting, preferring the look of LastPass, Dashlane, or 1Password. Or, local mode might be important, in which case Keeper and Dashlane will be your only choices. It really just comes down to what you prioritize most in a password manager, and which of the four here meets those priorities best.
What do you think of our list? Which password manager do you plan to use on your device? Let us know in the comments below.
This article was produced during Gadget Hacks' special coverage on smartphone privacy and security. Check out the whole Privacy and Security series.