Password managers are a vital tool these days. With all of us signed up for dozens or sometimes even hundreds of online services that require an account, remembering individual passwords for all of them is not feasible — and you definitely shouldn’t reuse existing passwords, as that might cause a domino effect when any of your account details leak thanks to a hacker attack.


The big 2022 LastPass hack made clear that even password managers aren’t always safe. That’s why it’s important to stay up to date with the current state of password managers and to make sure you choose an option that suits you both when it comes to features and when it comes to its security model. We’re here to help you, and with this list, we want to give you a fine selection of the best password managers out there that are a perfect fit for your favorite Android phone.

While you’re at it, you should also get a trusty two-factor authentication app. Even the best passwords can be phished or hacked, so in addition to having an individual password for all of your accounts, you should also protect as many as possible with a second factor other than just the password.


1 Bitwarden


  • Individual: Free / $10 per year

  • Family of 6: $40 per year

  • 2FA storage and vault unlock support (paid)

  • Optional Android accessibility service to augment regular autofill

  • Platforms: Android, iOS, Windows, macOS, Linux, web, browser extension

Bitwarden is the go-to solution if you want an all-around reliable, secure, and affordable password manager these days. Its free tier offers all the basic features you need. You can store an unlimited number of credentials and use Bitwarden across as many devices as you’d like. It’s also possible to secure your login with a 2FA app. The service is available across all platforms you might use, including even Linux. On Android, Bitwarden is one of only a few password managers that still offers an accessibility autofill option in addition to Android’s native autofill option, which is often a boon to have. Some apps still don’t properly support the native solution years later.

Bitwarden isn’t so great when it comes to desktop autofill, though. The service only supports autofill through its browser extensions, and the Bitwarden desktop app you can install essentially only serves as a vault you can copy and paste information from. If you routinely use desktop apps that you need to sign into, this isn’t convenient. One other downside is that Bitwarden’s interface looks a bit dated compared to other options here, though this should be the least of your concerns when it comes to security.

When it comes to autofill information other than logins, Bitwarden has the basics covered. You can store credit card details, identities (including addresses, social security numbers, phone numbers, etc.), and secure notes.

If you want to use Bitwarden to its full extent, you need to shell out $10 a year. At that price, the service is still one of the most affordable standalone options on this list. The subscription gives you access to 1GB of secure cloud storage, an option to save 2FA secrets alongside your passwords (effectively turning Bitwarden into a 2FA app), and advanced 2FA login options, like with a Yubikey.

Bitwarden is open source, which means that any independent security researcher can examine its code and help fix potential security issues. The company is also regularly audited by third parties. If you still don’t trust Bitwarden with your data, you can use its optional self-hosting solution, which gives you full control over your setup.

2 1Password


  • Individual: $36 per year

  • Family of 5: $60 per year

  • 2FA storage and vault unlock support

  • Added security thanks to built-in second factor

  • Platforms: Android, iOS, Windows, macOS, Linux, web, browser extension

1Password could’ve taken the crown in this roundup, but we know that many people will always prefer a free service like Bitwarden when available. That said, 1Password has a lot going for it and surpasses Bitwarden in some areas.

Most importantly, 1Password doesn’t only rely on a master password to decrypt your vault stored on its servers. You always need an additional secret key, which is generated locally on your device when you first sign up for the service. This means that even if somebody obtains your master password, they still won’t be able to decrypt your vault without the key. 1Password urges you to store this key in a safe location. And as long as you have at least one device with an active 1Password login on you, you can easily set up a new device by scanning a QR code, so you’ll likely never have to type out the full 34-character key yourself. If that extra factor is still not enough for you, you can also add a Yubikey or a third-party 2FA app to the mix.

1Password supports all the usual features you’d expect, like biometric unlock, autofill, and search. There is also a customizable home screen, support for 2FA secrets (plus autofill for those), and version 8 looks decently modern, with its Android version already sporting some Material Design 3 elements. 1Password is also capable of proactively warning you about password breaches found on the web and other hazards as part of its Watchtower feature. You can replicate this same feature for free with haveibeenpwned.com, but it’s nice to have it built-in. We need to note that when we tested 1Password on Android, we ran into a few issues like randomly disappearing menu items (the profile button in the top right, in particular), and broken search on foldable phones.

The service additionally lets you store tons of other autofill data and security-related items. You can add identities, documents, bank accounts, crypto wallets, medical records, passport details, reward programs, API and other software keys, Wi-Fi credentials, and more. Other services can store all these kinds of data, too, using custom fields, but 1Password makes these options easy to spot and manage.

1Password also excels when it comes to its desktop app. We can confirm that its accessibility-based autofill system works like a charm on macOS, both on native apps and within browsers. If you still prefer an extension, 1Password has one for every common browser. Should your computer support biometric unlock, you can use that to access and autofill your passwords, too.

1Password is not open source, but the company still conducts regular independent security audits. If this is a deal breaker for you, there are enough open source options on this list.

3 Enpass


  • Individual: $24 per year / $100 lifetime license / included in Google Play Pass

  • Family of 6: $36 per year

  • 2FA storage support and optional keyfile vault unlock

  • Offline password manager with optional cloud storage or Wi-Fi sync support

  • Platforms: Android, iOS, Windows, macOS, Linux, web, browser extension

Enpass takes a different approach to password management than many other mainstream options. Rather than storing your vault on a server provided by the company, Enpass is an offline password manager. To back up your data and sync it across all of your devices, you can use a cloud locker of your choice, including Drive, Dropbox, OneDrive, and even your own NAS. Alternatively, you can skip the cloud altogether and sync between your devices via Wi-Fi only. Enpass says that this makes it inherently more secure than providers with a central location for all user vaults. Instead, a hacker would have to target each user’s Enpass vault and cloud storage account (or local storage) specifically to gain access. Enpass also supports unlocking with a keyfile as a second factor if you want yet another layer of security.

If you’d just like to give the service a try, its demo mode is free and works without signing up for up to 10 logins on a single device, with a total of 25 supported if you register. Once you want to add sync to the mix, you need to pay up, though. Enpass’s pricing structure is definitely among the fairest, and there are plenty of options to choose from. You can pay $24 per year as an individual or cough up $100 for a lifetime license without recurring fees. The service is also included in the Google Play Pass, and a group or family of six can get it for as little as $36 a year.

Feature-wise, Enpass isn’t lacking compared to server-based password managers. Its browser extension and its mobile apps support autofill, including 2FA codes, and you get an unlimited number of vaults, devices, and items, plus security alerts for website breaches. Like 1Password, Enpass also supports a plethora of extra details, like credit cards, bank accounts, notes, identities, licenses, travel documents, and more. The software just doesn’t feel as modern and polished as 1Password, but again, app design should be the least of your concerns when it comes to picking a password manager that fits your needs. Also, keep in mind that Enpass is not open source, which might be a deal breaker for some.

4 KeePass / KeePassDX


  • Free and fully open source

  • Tons of different clients to choose from

  • Platforms: Android, iOS, Windows, macOS, Linux, web, browser extension

KeePass is one of the most established and oldest open-source password managers on this list. Rather than offering only one central client for every platform, the open-source nature of this project means that there are different clients to choose from, so you can pick the one you like the most for your use case. Like Enpass, there is no central storage place, and you can put the vault file on any hard drive, thumb drive, or cloud storage option you’d like, though KeePass requires more tinkering and trial and error than other solutions listed here.

In addition to a strong master password, the vault can also be protected by a keyfile and/or a hardware key as secondary factors. KeePass also supports all kinds of items you could ever need, even including attachments and 2FA. The standard offers support for regular logins, Wi-Fi credentials, notes, ID cards, credit cards, banking details, and crypto-wallets. On Windows, the original KeePass application also supports system-wide autofill, which means you don’t necessarily need a browser extension.

KeePass’s open source nature makes it incredibly versatile, and there are tons of clients available for Android, iOS, macOS, Linux, and browser extensions. Depending on which you choose, there are also comfort features like biometric unlock, themed icons for Android 13 and higher, and more. Some apps even offer a keyboard that does the auto-filling for you in case you find Android’s regular autofill service unreliable. You can find all options on KeePass’s download page, but we think that KeePassDX offers a good starting point.

5 Google Password Manager


  • Free

  • Tight integration with Chrome and Android

  • Platforms: Android, iOS, web, browser

You shouldn’t put all your eggs in one basket, and that couldn’t be more true for your online life. If you’re looking into a password manager for your Android phone, you’re likely already embedded in Google’s ecosystem and might use Gmail, Google Drive, and more services offered by the online behemoth. It might seem intuitive to add passwords to that mix, but we advocate against it. If you ever lose access to your Google account, be it because of a phishing attack or Google blocking your account, you’re going to lose both access to your emails (if you use Gmail) and your passwords. Since most online services require you to authenticate yourself with your email to reset your password, this is a scenario you don’t want to find yourself in.

Things aren’t all bad, though. Google still stores offline copies of your passwords on Chrome for desktop, so if you’re ever locked out of your Google account, you’ll still be able to obtain your passwords and export them to some other place — at least as long as you don’t only have a Chromebook. The autofill service is also one of the most reliable and best integrated on Android, even if Chrome routinely struggles with auto-filling logins on AMP pages.

One thing the Google Password Manager has going for it is convenience. If you have an Android phone and you use Chrome on your computer, you don’t need to worry about an extra app or browser extension to take care of your password management. Instead, everything is neatly and tightly integrated into your core system. Just keep in mind the above pitfall about losing access to your Google account, and that switching to a different browser might be a hassle.

Passwords saved to your Google account can be accessed via Chrome or under passwords.google.com.

6 Bonus: Spectre


  • Free and open source

  • No central location that can be hacked

  • No comfort features, no extra 2FA protection

  • Platform: Web

Spectre, or its predecessor, Master Password, is very different from the other services in this roundup, and it is not for everyone. Rather than storing your passwords anywhere at all, they’re generated on the fly using an algorithm based on your name (or any term that you choose), your master password, and the site URL you’re logging into. For example, if your name is Android Police and your master password is 1234test, then your account password for “google.com” is going to be NasaHakwHito2=. You can verify this yourself on the Spectre web app.

The big advantage compared to any classical password manager is that as long as you remember your name and your master password, you’ll never lose access to your passwords. There is always the chance that a classical password manager goes offline, or your cloud storage provider may accidentally corrupt your vault file, but with Spectre, this can’t happen as there is no central place where your passwords are collected. The project’s open source nature also means that even if Spectre itself goes offline, its algorithm is still accessible.

Now, there are downsides to this system. Spectre inherently doesn’t support extra security via a second factor, and it also isn’t capable of storing any 2FA secrets for your websites. This also means that anyone who gets your name and master password can access all of your services, at least when they correctly guess what you’re signed up for. You additionally can’t have two or more different accounts at the same service, at least not unless you tinker with the easy-to-remember base URL (think “google.com” and “google2.com” for two Google accounts).

Once one of your individual passwords for a service is breached and out in the open, you’re also going to have to change your master password and, thus, all of your other account passwords, which can be a hassle, especially since Spectre by nature doesn’t tell you how many accounts you have with which login credentials. Spectre also falls short when a website prohibits or enforces the use of a specific set of special characters or a certain length, and the algorithm just happens not to provide these for the URL in question. Last but not least, you also can’t store any other details in Spectre, like credit cards, banking accounts, social security numbers, and so on.

With all this in mind, we don’t recommend Spectre as a standalone solution, but if you want extra peace of mind, it might make sense to generate some of your most important passwords using the Spectre algorithm and then store them in your regular password manager of choice. That way, you have a backup should something ever happen that prevents you from accessing your preferred password manager.

If you’re interested in the inner workings of Spectre, be sure to read the service’s technical paper. And when you opt for Spectre or Master Password, you have to be sure you stick with the same configuration. There are different algorithm versions, different site counters, and different types of passwords (like long, PIN, passphrase, and more).

Spectre is still available as Master Password on Android.
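
A simplified sketch of the stateless derivation described in this section, added here as an example; it is not Spectre's actual algorithm or code, so it will not reproduce the password quoted above. The salt prefix, scrypt cost, message layout, flat alphabet and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import string

# 64 symbols, so "byte % 64" is unbiased. Spectre itself uses per-type
# character templates instead of a flat alphabet like this one.
ALPHABET = string.ascii_letters + string.digits + "-_"


def master_key(name, master_password):
    """Stretch the master password with scrypt, salted by the user's name."""
    salt = b"stateless-sketch:" + name.encode("utf-8")      # assumed prefix
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)    # assumed cost


def site_password(key, site, counter=1, length=16):
    """Derive the password for one site; nothing is stored anywhere."""
    if not 1 <= length <= 32:
        raise ValueError("length must be 1 to 32 (one SHA-256 digest)")
    # The length prefix keeps different (site, counter) pairs from colliding.
    message = f"{len(site)}:{site}:{counter}".encode("utf-8")
    seed = hmac.new(key, message, hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in seed[:length])


def fits_policy(password, max_length=None, forbidden=""):
    """Check a derived password against a site's rules (hypothetical helper)."""
    if max_length is not None and len(password) > max_length:
        return False
    return not any(ch in forbidden for ch in password)


if __name__ == "__main__":
    # Inputs taken from the article's example; output differs from Spectre's.
    key = master_key("Android Police", "1234test")
    for site in ("google.com", "google2.com"):
        pw = site_password(key, site)
        verdict = "ok" if fits_policy(pw, forbidden="-_") else "rejected by site rules"
        print(site, pw, verdict)
    # A different counter value yields a different password for the same site.
    print("google.com #2", site_password(key, "google.com", counter=2))
```

Anyone who holds the same name and master password can rerun this and get the same outputs, which is both the recovery property and the single point of failure discussed above.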

What is a password manager?

In an ideal world, you shouldn’t ever reuse passwords, and you should make sure that all your services are secured with individual and hard-to-guess credentials. Since it’s incredibly hard to remember more than a few excellent passwords, password managers can take over the heavy lifting. They offer a central place to store all your individual credentials for each website you have an account for, and most of them also support storing and autofilling other secret information, like credit cards, address information, and passport numbers.

How do you create a good master password?

Password managers are only as secure as the master password you choose. That’s why it’s vital to create a password you can remember well, but that’s also hard to crack. It’s your main line of defense against hackers trying to access all of your passwords. Some password managers like 1Password also generate a second factor next to your password when you create an account with them, but even then, you should never rely on this alone and go for 123password.

Contrary to popular belief, you don’t need to sprinkle in many complicated special characters and hard-to-pronounce gibberish that you will likely have a hard time remembering anyway. The classic XKCD password comic makes this dilemma clear.

Instead, we recommend going the route that the XKCD comic also suggests: a passphrase made up of at least five words, though going for six is a good idea for added peace of mind. Since computers aren’t capable of producing truly random results, you should create your passphrase using a good old die and the diceware passphrase list. Follow these steps to create a six-word passphrase:

  1. Either roll one die 30 times or roll five dice six times.
  2. Note down the numbers you get on a piece of paper, collected in rows of five.
  3. Compare each of your five numbers against the English diceware passphrase list and note down the word you got next to the respective numbers. You can also use alternative lists for other languages, if you prefer.
  4. The passphrase is now complete and can be used as your master password.

Creating and using a passphrase might seem too easy to truly work, but if you consider just how many variables you’re introducing with these 30 dice rolls, it will take current tech decades to brute force it — and that’s assuming the hacker knows that you’re using diceware and which list exactly. If you want to, you can also sprinkle in one or two extra symbols once you’ve properly memorized your passphrase, but really, diceware passphrases are good enough on their own.
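
The lookup in steps 1 to 4 and the resulting passphrase strength, worked through as an added example (not code from the article or from the diceware project). The word list excerpt and the rolls are constructed, the words are placeholders rather than real list entries, and the function names are assumptions.

```python
import math

ROLLS_PER_WORD = 5                    # five rolls pick one list entry
LIST_SIZE = 6 ** ROLLS_PER_WORD       # 7776 possible five-roll keys

# Constructed excerpt in the "key word" layout of a diceware list.
# The words are placeholders, not entries copied from the real list.
SAMPLE_LIST = """\
11111 acorn
23456 maple
34512 lunar
45123 quilt
61234 orbit
66666 zebra
"""

# Constructed rolls: 30 results written down in rows of five (step 2).
SAMPLE_ROLLS = [2, 3, 4, 5, 6,  6, 1, 2, 3, 4,  1, 1, 1, 1, 1,
                6, 6, 6, 6, 6,  3, 4, 5, 1, 2,  4, 5, 1, 2, 3]


def parse_wordlist(text):
    """Map each five-digit key to its word, rejecting malformed keys."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split()
        if len(key) != ROLLS_PER_WORD or set(key) - set("123456"):
            raise ValueError(f"bad key in list: {key!r}")
        words[key] = word
    return words


def rolls_to_keys(rolls):
    """Group die results into rows of five and join each row into a key."""
    if not rolls or len(rolls) % ROLLS_PER_WORD:
        raise ValueError("need a multiple of five rolls")
    if any(r not in range(1, 7) for r in rolls):
        raise ValueError("each roll must be 1 to 6")
    return ["".join(map(str, rolls[i:i + ROLLS_PER_WORD]))
            for i in range(0, len(rolls), ROLLS_PER_WORD)]


def passphrase(rolls, wordlist):
    """Look up every key; a KeyError means the list is incomplete."""
    return " ".join(wordlist[key] for key in rolls_to_keys(rolls))


def entropy_bits(n_words):
    """Bits of entropy when every word is an independent, uniform pick."""
    return n_words * math.log2(LIST_SIZE)


if __name__ == "__main__":
    print(passphrase(SAMPLE_ROLLS, parse_wordlist(SAMPLE_LIST)))
    print(f"5 words: {entropy_bits(5):.1f} bits, 6 words: {entropy_bits(6):.1f} bits")
```

The entropy figure holds even when the attacker knows the list and the method, because it counts only the dice outcomes.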

Better safe than sorry with your preferred password manager

No matter which of the full-fledged password managers you choose from this list, it’s going to make your online life more secure than not having any password manager. If you’re the lazy kind, the Google Password Manager is still a good-enough option, and if you want all the features and some extra polish, 1Password is here for you.
