How to Use a Free Password Manager—and Make Your Logins Safer

To find out if your credentials are exposed, plug your email address into Haveibeenpwned.com, a website by security expert Troy Hunt, to reveal which breaches contained your data. It doesn’t ask for your passwords (and you shouldn’t give them out to random sites anyway!).

Hackers commonly employ an attack called “credential stuffing”: They take usernames and passwords leaked from one breach and enter them at other sites in the hope that people reused them.

This is why security experts always say don’t reuse passwords, especially those for important logins like your bank, your email and your work accounts. But it also means you’ll quickly end up with more passwords than you can remember.

A full-featured password manager is a good idea, but setting one up can be time-consuming, intimidating and sometimes costly. So, as someone who’s gone through the process for myself and several family members, I am recommending cybersecurity newbies start with the fast, free versions baked into the smartphones and browsers they already use.

The Best Password Manager for You

A good password manager:

• Creates strong passwords

• Stores login credentials

• Autofills usernames and passwords

• Protects your data

• Lets you export credentials if you want to switch managers

I generally recommend independent services such as Dashlane and 1Password, because those apps work better across different platforms and have more features. However, a good fit for less tech-savvy folks are

Apple’s

AAPL 0.51%

iCloud Keychain and

Google’s

GOOG 0.47%

Password Manager. They’re free, there’s nothing to download, and they are integrated with software people already use. Plus, they can generate new passwords and send alerts when a password has been compromised.

Even Gary Orenstein, chief customer officer at the open-source password app Bitwarden, agrees: “Using any password manager is better than not using a password manager.”

Just remember, iCloud Keychain is for people who live mostly in Apple’s ecosystem, and Google’s Password Manager is for people who use Chrome or Android for most of their internet activity.

If you aren’t squarely in one of these camps, you might need a third-party app. Bitwarden is a solid free option that works across different platforms, while 1Password and Dashlane, which have monthly subscriptions, are good for families and people who need more features, such as secure password sharing.

Once you’ve set your system up, change the passwords to a few of your web and app logins first, then try using the manager across different devices, just to get the hang of it. If you’re using a built-in system, your device’s passcode protects your credentials, so don’t pick an easily guessed passcode like 1111. Here’s how to get started:

Apple’s iCloud Keychain

Where you find it: iOS/iPadOS apps, Mac apps, Safari for web and mobile, Chrome for Windows

How to enable: Turn on iCloud Keychain in your Mac’s System Preferences if you haven’t already. Click Apple ID, then iCloud, and select Keychain. Then, on your iPhone or iPad, go to Settings, tap your name, iCloud, then Keychain. If you use a Windows computer, download the iCloud Passwords for Chrome extension.

When you create a new account or reset the password for an existing one, Keychain will automatically ask to generate a strong password and save your login information for that website. The next time you visit the website, those credentials will be autofilled for you.

Whenever you type in an existing password, Keychain will offer to save those passwords, too.

Consider turning on biometric authentication for password autofill, so you don’t have to type in your computer’s password or phone’s PIN every time. On a Mac, go to System Preferences, then Touch ID. On an iPhone, go to Settings, then Face ID & Passcode.

Find your passwords: Want to look up a stored password? On a Mac, open Safari’s preferences, then select Passwords. On an iPhone, in the Settings app, scroll down and tap Passwords.

How to export: On your Mac, go to Safari and open Preferences. Click Passwords. At the bottom of the password list, click on the three dots and select Export Passwords.

Google’s Password Manager

Where you find it: Android, iOS (with the Chrome app), Chrome for web and mobile

How to enable: In the Chrome browser’s address bar, go to chrome://settings/passwords and enable Offer to save passwords. On Android or iOS, open the Chrome app, tap the three-dots icon, go to Settings then Passwords, and turn on Save passwords. When you create a new account or reset the password for an existing one, the browser will suggest a strong password and save it for you.

The easiest way to add existing passwords is to visit a website and type in your username and password—Chrome will offer to save those, too.

If you use iOS, Google can fill saved passwords in other apps as long as you have the Chrome app installed. Go to the Settings apps, select Passwords, click on AutoFill Passwords and select Allow Filing From Google Chrome.

Find your passwords: If you need to access your passwords manually, open a new tab and go to chrome://settings/passwords or passwords.google.com to copy and paste the password manually.

How to export: Go to passwords.google.com, click the Settings gear and select Export passwords.

Independent Password Managers

If you’re going to use an independent service, I have two pieces of general advice:

• Download the manager’s app or extension on every device and browser you use.

• Take the time to craft a strong master password.

If you’re using an independent manager, you’ll only need to remember one password, which you won’t have to change unless you think it has leaked somehow. Master passwords are private keys that are known only to you—not even the company knows them.

Pick a password that’s at least 12 characters long with numbers, capital and lowercase letters and symbols. It helps if it’s based on a meaningful phrase. If your favorite song is Queen’s “I Want To Break Free,” that could become “i Want 2BF by QueeN!”

You can also make your phrase simpler but longer: “Oh how I want to be free, oh how I want to break free!” Password length is more important than complexity, because longer passwords are harder to decrypt, says Jameeka Green Aaron, chief information security officer at customer-authentication company Auth0.

It’s important to note that your master password can’t be recovered or reset, so you might want to write it down on paper and store it somewhere safe but accessible.

Don’t Forget Two-factor Authentication

No matter how you plan to strengthen your password game, you need to turn on two-factor authentication, also known as 2FA, in all the internet accounts that offer it. This protection requires an additional code or validation sent to another device—a text message or a pop-up phone notification, for instance—upon login.

It should be turned on for every account that supports it. It’s extra secure because even if hackers obtained your password, it’s unlikely they’d have the verification code needed for access.

Often, 2FA is sent via text message, though security experts caution that even your phone number can be spoofed if someone really wants to steal your stuff. Many accounts now support an authenticator app, which can be safer and works without any network connectivity. Google Authenticator is a popular one. I prefer Authy because it syncs codes across several devices, which helps if you lose one.

—For more WSJ Technology analysis, reviews, advice and headlines, sign up for our weekly newsletter.

Write to Nicole Nguyen at [email protected]