A good password manager will create, store, and apply strong and complex passwords across the board, thereby securing your accounts. I've used a password manager for years and wouldn't be able to juggle all my online accounts without it.
However, since your password manager holds the login details for all your accounts, you also need to protect the password manager itself from compromise. Breaches at services such as LastPass and Norton LifeLock show that password management vendors are certainly not immune from cyberattack. Even when such a breach does not directly expose your login passwords, it leaves users of that service more vulnerable, and your master password and second factor become the last line of defense for the vault.
To protect yourself and your password information, there are steps you should take on your own to safeguard your account.
Devise a strong master password to defend your account from unwanted access.
Activate biometric authentication for the password manager on your PC and mobile device.
Enable two-factor authentication so that someone who learns your master password still cannot sign into your password manager account.
We'll look at each step in more depth below. To go through the different steps, I'm using RoboForm as an example, but the overall process should be similar for any of the major password managers.
1. Create your master passphrase
When you first set up your password manager, you'll be asked to devise a master password. That password should be strong, because it's the key line of defense for all your login details, both on your own devices and in the cloud: the vault is encrypted with a key derived from it, and the vendor typically cannot recover it for you.
But you will need to enter your master password from time to time, so you also want it to be one that's memorable and not too difficult to type. That's why I recommend using a passphrase instead of a password. Consisting of several words, the right kind of passphrase is stronger than a short complex password yet easier to remember.
To devise a solid passphrase, string together several words. The strength comes from length and unpredictability, so pick the words at random (a Diceware-style word list or your manager's generator does this for you) rather than reaching for a quote, song lyric, or family names, which cracking tools try early. Once the words are set, a memorable image or story linking them is what makes the phrase stick. I also like to include a mix of uppercase and lowercase characters as well as numbers and symbols, although with a long random phrase those mainly serve to satisfy complexity rules. Just make sure you're able to remember your master passphrase. If you forget it, you'll have to start from scratch with your password manager.
This ZDNET article offers several useful tips on creating a strong passphrase. 1Password offers an online password generator that will suggest passphrases and let you adjust the word count and separators. When you've settled on one, type it and then retype it in the appropriate window for your password manager.
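To make the "random words, not meaningful phrases" point concrete, here is an added example (not code from the article, RoboForm, or 1Password) that generates a passphrase from a word list with the operating system's CSPRNG and works out how much entropy a given word count buys. The 32-word list is constructed for the example so it runs offline; a real list such as the EFF long word list has 7776 entries, which is the figure the math below assumes.

```python
import math
import secrets

# Constructed 32-word sample list, used only so the example runs offline.
# A real Diceware-style list (for example the EFF long list) has 7776 entries:
# each word drawn uniformly from it adds log2(7776) ≈ 12.9 bits; each word
# drawn from this 32-word list adds only log2(32) = 5 bits.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umpire", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "acorn", "bishop", "cobalt", "dahlia", "eagle", "fossil",
]
DICEWARE_LIST_SIZE = 7776  # assumed size of a full word list, for the arithmetic below


def entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of a passphrase of word_count words, each chosen uniformly at
    random from a list of list_size words. Only uniform random choice earns this
    figure: a quotation or lyric is a single dictionary entry to a cracking tool,
    however many words it contains."""
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of random words from a list_size list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, count: int = 6, separator: str = "-") -> str:
    """Pick count words with secrets (the CSPRNG; never the random module) and join
    them. Separators and capitalisation can be added to satisfy a site's complexity
    rules, but they add no entropy unless they are themselves chosen at random."""
    if count < 1:
        raise ValueError("count must be at least 1")
    if len(set(words)) < 2:
        raise ValueError("word list must contain at least two distinct words")
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, count=6))
    print(f"{entropy_bits(6, len(SAMPLE_WORDS)):.1f} bits from the 32-word sample list")
    print(f"{entropy_bits(6, DICEWARE_LIST_SIZE):.1f} bits from a 7776-word list")
    print(f"{words_needed(80, DICEWARE_LIST_SIZE)} words from a 7776-word list reach 80 bits")
```

Six words from a 7776-word list give about 77.5 bits, which is well beyond what an offline attack on a stolen vault can search; the same six words from the sample list give only 30 bits, which is why the size of the list matters as much as the number of words.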
2. Use biometric authentication
Biometric authentication provides a convenient way to unlock a password manager without typing the master password each time. It is an unlock method, not a replacement for the master password: the manager keeps a copy of the vault key on the device, typically protected by the platform's secure hardware, and your face or fingerprint releases it. The master password still encrypts the vault itself, so it must stay strong even if you rarely type it.
Most password managers allow you to adopt whatever type of biometric authentication is built into your device or operating system. On a Windows PC, that means Windows Hello. On an iPhone or iPad, that means Face ID or Touch ID. And on an Android device, that means facial or fingerprint recognition.
Check the security settings for your password manager and look for an option to enable the device's built-in biometric authentication. You'll be asked to enter your master password to confirm the change.
From then on, you'll be able to unlock the password manager using your chosen form of authentication. You may still be asked to enter your master password at certain intervals or to make specific changes. Otherwise, your face or finger will do the trick.
3. Enable two-factor authentication
Should an attacker ever learn your master password, you want to be sure they can't sign into your password manager account from one of their own devices. For this, turn to two-factor authentication (2FA), which most password managers support at this point.
Look in the settings for your specific password manager for an option labeled two-factor authentication, multi-factor authentication, or one-time password, and enable it. If given a choice among email, SMS, or an authenticator app, choose the authenticator app: SMS and email codes can be intercepted or redirected (through SIM swapping or a compromised mailbox), while an app code is computed on your own device from a secret shared only at enrollment. If your manager also supports a hardware security key, that is stronger still. Store the backup or recovery codes the manager gives you somewhere safe, since losing your second factor can lock you out as surely as a forgotten master password.
The next time you sign in to your password manager on a new PC or mobile device, you'll be prompted for a one-time code: read it from your authenticator app, or from the email or text message if you chose one of those methods. Enter the code when prompted, and the new device will be cleared to use your password manager. Your password manager's account page may also list all the devices that have been enrolled, so check it for any you don't recognize and remove any you no longer use.
Beyond the three security options I discussed, different password managers may offer additional ones. Your best bet is to check the security settings for your specific product and avail yourself of any that will help protect your account and login information from abuse or compromise.