How we test password managers
Password managers make it easy to save, create, and manage passwords, payment card information, and other sensitive data. Although all password managers seem to offer the same basic features, they’re not all the same, and thorough testing is necessary to help separate truly outstanding password managers from those that don’t deserve any attention.
It’s imperative to research password managers diligently before installing and using them because they are meant to protect some of the most sensitive information you own. So, if you intend to keep your online banking password, social security number, or home security system code away from prying eyes, choosing a reliable password manager is a big responsibility.
When we review password managers on Cybernews, we rigorously analyze every provider to ensure our recommendations are reliable and authentic. During our tests, we focus on overall functionality, security and encryption features, autofill and password-sharing, pricing, customer support, and the general user experience.
Below, you’ll find detailed explanations of the methodologies we use and the password manager features we test to help you make informed decisions when reading our reviews.
Why should you trust Cybernews reviews?
At Cybernews, we hold ourselves to a higher standard of accountability. We aim to produce content that is both credible and authentic. To maintain these standards, we focus on a few key areas:
- Transparency and expertise. Our researchers maintain transparency in our review process, clearly outlining the criteria, methodology, and sources used. All affiliations are disclosed upfront to uphold transparency and accountability. Our research team comprises seasoned professionals with vast experience in cybersecurity, software testing, and information technology.
- Independent research. We conduct various in-house tests and evaluations to get hands-on experience with the products we review. Additionally, we consult reliable third parties like dedicated cybersecurity testing labs to corroborate our findings. We follow strict testing protocols covering performance, security, usability, and value for money. Our methodologies are designed to comprehensively assess each product’s capabilities.
- Continuous improvement. We are committed to ongoing refinement of our review process based on readership feedback and industry developments. Our goal is to provide valuable, up-to-date content that enables users to make informed decisions, cultivating trust over time. We stay in line with the latest developments in the cybersecurity landscape, ensuring that our reviews reflect the most current trends, threats, and advancements in security software.
- Consistency and reliability. We maintain consistency in our review process, applying the same standards and criteria to all products tested. Users can rely on our reviews to provide consistent and reliable information, enabling them to make decisions confidently over time.
What password manager features do we test?
Password managers are quite basic in terms of how they function. Users expect them to generate and store passwords or other sensitive information, as well as enable autosave and autofill functions for easy input. However, there are a few additional areas we focus on when testing password managers:
- Security and encryption
- Autosave and autofill
- Password sharing
- Plans and pricing
- Customer support
- User experience
To make it to our list of the best password managers, a provider must meet our criteria related to security, features, pricing, customer support, and the overall user experience. Let’s go over each criterion and how we test it at Cybernews.
Security and encryption
Our password manager research begins by gathering information about the different security features made available to users. At its core, a password manager is a security tool, which is why testing security capabilities is our top priority.
When testing password manager security features, we pay extra attention to the following attributes:
- Encryption algorithms
- Password hashing
- Two-factor authentication
- Multi-factor authentication
- Compliance and no-logs policies
In addition to these points, we also look into the providers' past and present reputation – have any data leaks occurred? How were the issues resolved? What is the providers’ approach to security audits?
Encryption
Password managers are only as strong as the encryption algorithms they employ. Therefore, when reviewing different providers, we check the available encryption. At this time, AES-256 is considered the gold standard as it uses a 256-bit key, which is virtually unbreakable. Another reliable encryption option is XChaCha20; however, it’s not yet widely adopted by password managers.
During the review process at Cybernews, we always check if encryption is reliable – if it’s not, we do not continue testing the password manager, as it simply cannot meet our basic standards.
Password hashing
Password hashing is a cryptographic process that helps convert passwords into irreversible, fixed-length strings of characters. In short, passwords are scrambled and are unreadable, which is crucial in case of an emergency, such as a data breach.
Common hashing algorithms include Argon2 and SHA-2:
- Argon2 is a highly secure and customizable hashing algorithm. It’s also resistant to brute-force and side-channel attacks. Perhaps most famously, Argon2id is used by NordPass.
- SHA-2 (Secure Hash Algorithm 2) is a family of cryptographic hash functions known for their widespread use and strong security properties. Well-known variants: SHA-256 and SHA-512.
During the review process, we make sure password managers ensure strong password hashing; otherwise, they cannot serve the most basic function of a reliable password manager – password protection. Tools with a weak password hashing function do not go through to our in-house testing phase.
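To make the hashing discussion above concrete, the following added example (not code from Cybernews or from any password manager) puts a bare SHA-256 digest beside a salted, iterated derivation built on the same SHA-2 primitive. PBKDF2 is used only because it ships in Python's standard library; the iteration count, salt size, and function names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # illustrative work factor (assumption)
SALT_BYTES = 16              # illustrative salt size (assumption)


def fast_hash(password: str) -> str:
    """Bare SHA-256: one-way and fixed length, but unsalted and fast.

    Two users with the same password get the same digest, and an
    attacker holding the digests can test guesses very quickly.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256).

    The random salt makes equal passwords hash differently; the
    iteration count makes every guess cost real CPU time.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    sample = "Tr0ub4dor&3"  # constructed sample password
    print("bare SHA-256, identical every time:",
          fast_hash(sample) == fast_hash(sample))
    salt_a, digest_a = hash_password(sample)
    salt_b, digest_b = hash_password(sample)
    print("salted digests differ:", digest_a != digest_b)
    print("correct password verifies:",
          verify_password(sample, salt_a, digest_a))
    print("wrong password rejected:",
          not verify_password("Tr0ub4dor&4", salt_a, digest_a))
```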
Reliable two-factor authentication (2FA) and multi-factor authentication (MFA) are crucial for any password manager for two key reasons:
- Extra layer of security. 2FA and MFA prevent unauthorized parties from brute-forcing (guessing) their way into your password manager vault by requesting a secondary identification, for example, a one-time password sent via text (2FA) or a fingerprint authentication (MFA).
- Protection against data breaches. Phishing attacks and data breaches could leave your master password exposed. With 2FA or MFA enabled, thieves cannot exploit the breached master password.
During in-house tests, we try different 2FA and MFA methods to see how functional and convenient they are to use. For example, we check how quickly a one-time passcode is sent via a text message, or how many biometric data points (e.g., fingerprint, iris, or face recognition) the password manager supports.
Only password managers with plenty of functional 2FA and MFA options are considered for our top-rated product lists.
Compliance and no-logs policies
When researching password managers, we check if password managers undergo regular security audits by reputable third-party security firms. These audits assess the robustness of the password manager’s security measures and identify any vulnerabilities.
We also check if a password manager adheres to strict privacy standards – the provider must not sell user data to third parties and must be transparent about data collection practices.
Finally, we check if the password manager complies with relevant data protection regulations and industry standards. Examples of certifications we look for include SOC 2 (Service Optimization Control), ISO 27001 (Information Security Management), and GDPR.
During the research phase, we thoroughly analyze privacy policies and refer to trusted third-party audit reports to check how the password managers we test fare in terms of compliance.
Our top password manager recommendations always support a zero-knowledge architecture to ensure that they do not have access to the users’ master passwords and the information stored in the vaults.
Additional features
Although security attributes are, undeniably, the most important when investigating password managers, there are plenty of other features to test:
- Passkey support. Passkeys enable you to generate and manage unique recovery keys. They act as backup in case the primary authentication method (e.g., a master password or biometric authentication) is unavailable or forgotten. When we test this feature, we create passkeys ourselves and check how functional the feature is – from creation to account recovery.
- Password generator. Although it’s expected for password managers to come with built-in password generators, not all of them do. During in-house testing, we check what types of combinations (e.g., passwords, passphrases, or PINs) a generator creates. We also assess what attributes (e.g., length and types of characters) are available when creating passwords to make sure users can create the most complex and strong combinations. Finally, we check the interface of the password generator to assess whether or not it’s user-friendly.
- Password strength. When testing password managers, we always look at features that help users assess their passwords. For example, NordPass’ equivalent of this feature is called Password Health. When we check such features, we look at what types of password issues they identify (e.g., weak, reused, or old passwords) and what kinds of solutions they offer. First, we input weak and duplicate passwords to check if the password manager identifies issues at all. Next, we attempt to fix the flagged passwords to see how easy it is to do.
- Dark web monitoring. If a password manager offers this feature, we check how effective it is at helping users monitor their personal information for any signs of compromise on the dark web. To test the feature, we use mockup credentials that have been breached in the past. First, we check if the password manager can identify the security threat. Second, we check how it alerts the users about it. A strong password manager will provide an easy solution.
- Travel mode. Some password managers enable you to add extra protection to your sensitive data while traveling, as that’s when devices are most vulnerable. Once the feature is enabled, you can temporarily hide specific vaults to ensure that data is completely inaccessible. During in-house testing, we assess how easy the feature is to use, and whether it truly hides the chosen data. The ease of use is of particular importance when testing this feature.
- VPN. Some password managers offer VPNs for premium plan users. It is a useful addition that offers enhanced security, protection on public Wi-Fi networks, and anonymity. When we test VPNs, we primarily focus on speeds and performance. For more details on how we rate and review VPNs, check out our “How we test VPN products” page.
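The password strength test described in the list above feeds a vault weak and duplicate passwords and checks what gets flagged. As an added illustration (not Cybernews' tooling and not any vendor's code), this sketch runs the same three checks, weak, reused, and old, over a constructed test vault; the thresholds, field names, and sample entries are all assumptions.

```python
from collections import defaultdict
from datetime import date

MIN_LENGTH = 12      # assumed threshold for this example
MIN_CLASSES = 2      # assumed: at least two character classes
MAX_AGE_DAYS = 365   # assumed threshold for "old"

# Constructed test vault: one reused weak password, one strong password,
# one stale passphrase, one long but single-class password.
SAMPLE_VAULT = [
    {"site": "bank.example", "password": "Summer2023", "changed": date(2024, 2, 1)},
    {"site": "mail.example", "password": "t7#Lq9!vXz2&Rw4p", "changed": date(2024, 3, 10)},
    {"site": "shop.example", "password": "Summer2023", "changed": date(2024, 1, 5)},
    {"site": "forum.example", "password": "correct-horse-battery-staple", "changed": date(2021, 2, 1)},
    {"site": "wiki.example", "password": "aaaaaaaaaaaaaaaa", "changed": date(2024, 5, 1)},
]


def character_classes(password: str) -> int:
    """Count which of lowercase, uppercase, digit, symbol appear."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def audit_vault(entries, today: date) -> dict:
    """Return {site: [issues]} for every entry with at least one issue."""
    sites_by_password = defaultdict(list)
    for entry in entries:
        sites_by_password[entry["password"]].append(entry["site"])

    findings = {}
    for entry in entries:
        password = entry["password"]
        issues = []
        # Length and variety only; real products also consult
        # dictionaries and breach corpora.
        if len(password) < MIN_LENGTH or character_classes(password) < MIN_CLASSES:
            issues.append("weak")
        if len(sites_by_password[password]) > 1:
            issues.append("reused")
        if (today - entry["changed"]).days > MAX_AGE_DAYS:
            issues.append("old")
        if issues:
            findings[entry["site"]] = issues
    return findings


if __name__ == "__main__":
    for site, issues in audit_vault(SAMPLE_VAULT, date(2024, 6, 1)).items():
        print(f"{site}: {', '.join(issues)}")
```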
Autosave and autofill
One of the most important features for any password manager is the autofill. It enables inputting login credentials and other sensitive information straight from the password manager vault in just a few clicks. The autofill functionality serves these main purposes:
- Convenience. Autofilling passwords is quick and easy, which encourages users to adopt better habits related to password creation and use overall.
- Better habits. If users do not need to remember every password they use, they are more likely to create stronger and more complex passwords. This works hand in hand with integrated password generators.
- Improved security. When users rely on password generators to create complex passwords and on password managers to store them in encrypted vaults, they are instantly lowering their chances of facing password-related cyberattacks, including brute-forcing or phishing.
During our in-house tests, we check if the password manager effectively identifies newly created accounts on the web and apps and suggests saving new items in the password vault.
We also test how easy and convenient it is to manually add new items and fill in the information in the password manager application. We do this by checking if the password manager application and browser extension can provide the correct login credentials via autofill and if we ever experience missed login suggestions or account mismatches.
When reviewing password managers, we always rate applications with an efficient autofill functionality higher because it makes password managers less vulnerable to various cyberattacks.
In short, when we test autosave and autofill functions, we look at how smooth and secure the processes are. This information feeds into the overall ranking of the best password managers.
Password sharing
When testing the password sharing functionality, our main priority is to check how easy it is to share confidential information with users who use the same and different password managers.
Some password managers allow sharing credentials only with users who are subscribed to the same provider, which is very inconvenient. Others provide the possibility to use one-time links or to add expiration dates for the links to the shared information.
Password sharing is especially important among coworkers who need to share passwords safely without compromising the entire organization’s security. Therefore, during hands-on testing, we check whether it’s possible to set temporary or limited access to shared passwords.
How convenient the password manager is at importing data from other password manager providers or web browsers is also very important. The more password import options a password manager offers, the easier the application is to use.
Plans and pricing
While researching password managers, we also test all available plans to assess which applications offer the best value at different price points. We primarily focus on free and base plans to see what services users get for free or at the lowest prices. Some of the key areas we look at include:
- Subscription length
- Subscription cost
- Number of devices covered
- Features
The criteria are then measured based on the overall price-to-value ratio.
In addition to overviewing what subscriptions are available, we also look for the best possible deals. For example, we check if the longest subscription is the one that offers the best price to users.
One more point we consider is the free trials and money-back guarantees. These features help us determine how providers treat users who are not happy with the services after testing them. If a provider offers a fuss-free money-back guarantee, it signals that they are confident about the effectiveness of the product.
Customer support
Like with any other service we review, we look into what customer service options are available to the users of password managers. This includes not only what channels are available but also whether you need to provide your contact information to reach the support agents and if the customer support is for premium users only.
The main support channels we look for are:
- 24/7 live chat. When testing live chat support, we check whether it’s fully operated by a bot or if questions are addressed by a real support agent. When communicating with an agent, we measure how fast they address the issue and also how quickly and efficiently issues are resolved. The gold standard is to have issues resolved in under 10 minutes. We also check what information is collected from users who want to receive support via live chat. Finally, we look into 24/7 availability. If a provider offers 24/7 support, users are more likely to resolve their issues quickly.
- Email support or ticketing system. When we test email and ticketing system support, we first check what information is collected about users. If more than the basic contact information is requested, we then look into how the provider stores personal data. We also pay attention to the efficiency of this type of support – how fast the tickets/questions are addressed, how effective the provided solutions are, and how professional the overall assistance is. Ideally, support via tickets/email is provided within 24 hours.
- Knowledge base. Detailed articles, how-to guides, instructions, video tutorials, and other support material should always be offered to password managers’ users. When testing this support method, we pay attention to how easy it is to find an answer or how useful and up-to-date the information is.
- FAQs. For users who are looking for quick answers to basic password management-related problems, an FAQ section can be very useful. When assessing this support method, we check how easy it is to find the FAQ section, what questions are answered, and whether users have the option to add their own queries.
By testing different support options, we can easily compare different password managers and determine which ones offer better customer support.
User experience
While security features are undoubtedly the most important to assess when testing password managers, the overall user experience shouldn’t be ignored either. Therefore, when we test password managers, we always pay attention to the following questions:
- How smoothly does the password manager perform?
- How fast are new items synced between applications on different platforms?
- What options are provided for importing/exporting passwords?
- Is the software modern and pleasant to use?
- What items can the user add to the password manager vault?
Password managers must provide easy-to-navigate account recovery options for us to deem them user-friendly. It’s also important to note that some recovery options may be considered weak. For example, if it’s easier to gain access to the account via a recovery option (e.g., a poorly stored key) than via the original access point (e.g., master password), the password manager could be prone to attacks. Therefore, we test all available recovery options.
When assessing password managers for user-friendliness, we also pay attention to cross-platform compatibility. If a tool is available to Windows, macOS, Linux, Android, and iOS users, as well as on all major web browsers, we are confident that it will be accessible to the majority of users. If one or several of the popular platforms aren’t covered, accessibility becomes questionable.
Finally, during our hands-on testing, we pay attention to the interface of each password manager. Although this may not seem to relate to the overall functionality, interfaces that are easy to use and navigate enable users to employ all available security measures and take advantage of all benefits. Therefore, it’s an important aspect during the testing phase.
What tools we use for testing
To assess password managers, we test them on popular operating systems:
- Windows. We test using a VirtualBox VM with Windows 11 (10GB RAM, 120GB dynamic HDD, and 2 CPU cores) installed on a Lenovo ThinkPad T14s Gen2 device (AMD Ryzen 5 PRO 5650U processor, 16GB RAM, 256GB SSD, Windows 11 Pro OS). Alternatively, we use the VirtualBox VM with Windows 11 (20GB RAM and 4 CPU cores) installed on Lenovo ThinkStation (AMD Ryzen Threadripper PRO 3945WX 12-core processor, 3.99 GHz, 64 GB RAM, 3TB SSD).
- macOS. We test using the Apple M2 Pro Ventura OS virtual machine (8GB RAM, 268GB storage) set up on Apple M2 Pro Sonoma OS with 10 Cores, 16GB RAM, and 500GB of SSD storage.
- Android. We test using Android 11 installed on a Nokia 6.2 (model TA-1198) device. Specifications: 64GB internal storage, 4GB RAM, CPU Octa-Core (4x1.8 GHz Kryo 260 Gold & 4x1.6 GHz Kryo 260 Silver).
- iOS. We test using iOS 15 installed on an iPhone 7 (model MN8X2) device. Specifications: 32GB internal storage, 2GB RAM, CPU Quad-core 2.34 GHz (2x Hurricane + 2x Zephyr). We also test on iPhone 13 with the newest available OS.
Our researchers
At Cybernews, our team of security researchers and technology experts reviews and evaluates password managers. They analyze each product using real-life tests and in-depth security research.
Our research team regularly tests these products to account for any changes. They focus on security and privacy features like encryption algorithms as well as safe password sharing and storing. They also assess customer support and user experience to ensure the tools are both secure and user-friendly.
We keep our reviews up-to-date to maintain high standards. If you notice any inconsistencies, please contact us here.