negative zero

I Use a Password Manager, and So Should You

2019 March 30

[security] [tech] [tips]


Passwords are a pain. To quote Bruce Schneier, "The whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it's easy to remember, it's something nonrandom like 'Susan.' And if it's random, like 'r7U2*Qnp,' then it's not easy to remember."[1]

Strong passwords are hard. So what do we do? We make our passwords easy to remember. Or we make one strong password and just reuse it everywhere. Or we write them down. (Or worse, we store them in a Google Doc somewhere and hope Google won't abuse it.)


Strong Rules Yield Weak Password Practices

This situation honestly isn't aided by industry recommendations (or sometimes requirements) for passwords. "Your password must be at least 8 characters long and contain at least one character from each category:"

The thing is, policies like this lead users to create the least secure password they can get away with - because it's easier to remember. They're locked into these constraints that don't give them a lot of wiggle room. So they try to make it look like a word they know (which makes it easier to break with a password cracking dictionary), or they write it down or save it somewhere where it might be compromised. They probably make the password as short as possible - 8 characters or whatever the absolute minimum they can get away with is.


Creating Strong, Memorable Passwords

But it doesn't have to be this way. Password strength is a function of both length and complexity. If a password has more different types of characters (e.g., lowercase AND capital letters AND numbers AND special characters), that makes it stronger on the side of complexity. But if that very complex password is only 6 characters long, it can still be cracked very quickly by an adversary who simply tries all the possibilities.

On the other hand, a fairly simple password (let's say, a string of words using only lowercase letters and spaces) can be made very long, but remembered fairly easily (humans are much better at remembering phrases than sequences of random characters). For this reason, some prefer to say "passphrases" rather than "passwords" when referring to the string used to authenticate oneself. (Consider though, if the phrase is well-known or associated with the user, it might be guessed by a clever adversary.)

xkcd: Password Strength, https://xkcd.com/936/

https://xkcd.com/936/, licensed under a Creative Commons Attribution-NonCommercial 2.5 Generic (CC BY-NC 2.5) license
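To put numbers on the length-versus-complexity argument above, here is an added Python example (not from the original post) that computes the entropy of a short complex password, a lowercase passphrase, and a long generated password, and estimates how long an offline brute-force search would take at an assumed guess rate. The word-list size and guess rate are assumptions chosen for the calculation.

```python
import math
import secrets
import string

# Assumed size of the generator's word list (a Diceware-sized list has 7776 words).
WORDLIST_SIZE = 7776
# Constructed stand-in word list; a real passphrase generator would have thousands.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "cactus"]
ALL_CLASSES = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string chosen uniformly from alphabet_size^length candidates."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return (2 ** bits) / 2 / guesses_per_second


def generate_password(length: int) -> str:
    """Password-manager style generator: uniform over all four character classes."""
    return "".join(secrets.choice(ALL_CLASSES) for _ in range(length))


def generate_passphrase(words: int, wordlist=SAMPLE_WORDS) -> str:
    """Lowercase words separated by spaces, as described in the post."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def compare_strength(guesses_per_second: float = 1e10) -> dict:
    """Entropy (bits) and expected crack time (seconds) for three schemes."""
    schemes = {
        "6 chars, all classes": entropy_bits(len(ALL_CLASSES), 6),
        "4 words, lowercase": entropy_bits(WORDLIST_SIZE, 4),
        "20 chars, all classes": entropy_bits(len(ALL_CLASSES), 20),
    }
    return {name: (bits, expected_crack_seconds(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare_strength().items():
        print(f"{name:24s} {bits:6.1f} bits  ~{secs / 86400:.3g} days")
    print("generated password:", generate_password(20))
    print("generated passphrase:", generate_passphrase(4))
```

Even a 4-word phrase from a modest word list beats the 6-character "complex" password by more than ten bits, while the 20-character generated password is far beyond either, which is the case for letting the manager choose it.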


Why Not Have Both Length and Complexity?

The truth is, I don't even know what most of my passwords are. I have to have a few memorized, but the rest I keep in my password manager, which I use to generate long, complex passwords and store them so I don't have to remember them.

Now, you might be asking here, "How is that different from keeping them in a Google Doc?" And it really comes down to who has access to the passwords. With Google Docs, you're trusting Google (including its employees) not to abuse your data (which they're very much known for doing). A password manager should store passwords securely, encrypted using a master password that only you know. (Yeah, you're responsible for knowing that one.)

But once you unlock your password manager with your master password, it will store your other passwords for you, and even help you generate new, strong passwords that you don't have to remember, so you can make them as long and complex as you want![2]

One note of consideration is that a password manager still provides a single point of failure. If someone gets your master password and accesses your password manager, they have access to all of your passwords. But I think in most use cases this is a small enough risk for the reward that password managers make sense.


Choosing a Password Manager

So what password manager is right for you? Well, ultimately I can't answer that question for you, but I'll give you some things to consider before offering two recommendations.

Platform

Will it run on your platform? If you're planning to use it on multiple devices, will it run on all of them? You don't want to get all set up with one password manager on your desktop and then learn it doesn't work on your phone.


Cost

Can you afford to pay for this software or service? Many password managers are free-to-use.


License

It is important to me to use free and open source software whenever possible. This is especially important in my opinion for security software. How can you trust the software if you can't examine how it works? (That said, I recognize the flaw in this line of thinking. Just because code can be audited doesn't mean it has been, and I'm certainly not in a position to examine every program I run before I use it.)


Online or Offline

Your password manager may be either cloud-based (online) or local (offline). A cloud-based solution offers the convenience of having your passwords backed up and synced between devices. On the other hand, a password manager that doesn't sync with anything gives you greater control over your data. If you use a local password manager, you must be good about backups. You don't want to lose all your passwords and not have a backup. It's basically a matter of convenience vs. a little extra security.


Zero-Knowledge Providers

If you do choose a cloud-based password manager, consider how much you trust that provider and how much you want them to know about your passwords. Some cloud-based providers store your password database encrypted in such a way that even they can't access your passwords; only you can. On the other hand, there are some advantages to delegating some trust to another party. A true zero-knowledge provider cannot reset your password without resetting your account. Either they have access to your passwords and can grant you access again, or you alone have access, and if you lose your password, there's no recovering from that.


My Recommendations

(Offline) KeePassXC

KeePassXC is a community fork of the KeePassX password manager. It is available for Windows, macOS, and GNU/Linux systems. It is totally free to use, as well as being free and open source software. With KeePassXC, you don't have to sign up with a cloud provider or anything; you just create a database file and start filling it with your passwords.

Because KeePassXC is only a local solution, if you want to use the same password manager across multiple devices, you will need to sync the file. KeePassXC uses the KeePass 2.x (.kdbx) format to store your passwords. This format is also compatible with the KeePassDroid app for Android (which you can get on F-Droid or the Google Play Store), as well as the MiniKeePass app for iOS (which you can get on the App Store). MiniKeePass is a dead project. For iOS, use KeePassium (Apple App Store) instead.

Note: I have not used the mobile apps and am not vouching for them specifically.


(Online) Bitwarden

Bitwarden is a free and open source cloud-based password manager. It has clients on all the major platforms (Windows, macOS, GNU/Linux, iOS, and Android, as well as browser add-ons for major browsers and web access). You can register for a free account or even host it yourself on your own server. Because Bitwarden is a zero-knowledge provider, they don't have access to your passwords. This also means that you can't reset your password without deleting all your data. So make sure you remember your master password!