Even though LastPass is no longer free, don’t give up on password managers

Jerry Galvin
Apr 1, 2021

Note (January 5, 2023): We found out there was a security breach of LastPass. Attackers were able to download the encrypted passwords of users, and the list of internet addresses associated with each user. LastPass seems to have made some questionable design decisions, and therefore I wouldn’t personally recommend using LastPass. I still recommend a password manager. You’re better off with any of the alternatives listed below.

Of course, right after I recommended using LastPass, a password manager that securely stores and generates passwords for you, the company decided to start charging for it.

It’s still a fine product, and it has useful features like password sharing between multiple users. If you want to share a single online bank login or your Netflix password with your significant other, you can do so without insecurely sending a text message. It will even send your passwords to next of kin, if you pass away.

The price of entry isn’t really that high. Commercial password managers like LastPass can actually be cheaper than going to 7-Eleven to buy a coffee once a month. If you have several users on a family account, a commercial password manager can actually be less than $1/month, per user.

But not everyone needs or wants the bells and whistles. Fortunately, there are two free entrants, from big names, that are ready and willing to take the place of LastPass, and you might already have them on your computer and phone. They aren’t perfect, but they might be good enough for you.

Replacement #1: The Microsoft Authenticator password manager

The Microsoft Authenticator password manager just happens to be built into the Edge browser on the desktop, but it does not limit you to the Microsoft Edge world, and therefore makes a nice no-cost LastPass replacement.

The Microsoft Authenticator password manager is a recent development from Microsoft. It automatically syncs passwords to the cloud from Edge. To sweeten the deal, though, Microsoft also has a handy Chrome extension which allows it to work across multiple Chromium browsers including privacy-focused Brave, customizable Opera, and, of course, Google Chrome itself.

If you use those browsers or Edge, it works great. Unfortunately, if you want to use a desktop browser that isn’t based on the Chrome browser, you’ll be out of luck. There’s no syncing with Safari on desktop Macs or Firefox on any desktop.

With Microsoft Authenticator, you’re not limited to desktop syncing. Microsoft Authenticator fully integrates with both iOS and Android. You can download the Microsoft Authenticator app for iOS or Android, and suddenly you can autofill passwords in any app on those platforms. That means it will work for the Safari browser on iOS and Chrome on Android, among other apps.

Like most paid password managers, Microsoft Authenticator password manager also allows you to generate secure, random passwords. Unfortunately, unlike the paid services, this feature is limited to the desktop, which is a bit of an oversight. Hopefully, Microsoft adds automatic password generation on mobile devices soon.

Note that Google’s Chrome browser has a similar password autofill feature for desktop, iOS, and Android. The drawback to Google’s version of password syncing is that, on the desktop, you must use Chrome and you can’t use the other Chromium-based browsers such as Brave, Opera, or Edge. Google Chrome’s password manager also doesn’t let you generate secure passwords from mobile. However, if you’re happy using Chrome, turn on Google password syncing, and you’ll be set across mobile and desktop. You can even use Google Chrome password sync to autofill passwords in any iOS app, including Safari, provided you download Google Chrome for iOS.

Replacement #2: For the Apple focused, iCloud Keychain

iCloud Keychain works as a LastPass replacement, but only if you’re fully integrated into the Apple ecosystem. For this to be a reasonable replacement, you’d want to have both an iPhone/iPad and a Mac, and also use Safari as your default browser on both.

iCloud Keychain is set up by default by iOS. When using Safari, you’ll notice that iOS offers to save your username/password when you log in, or to generate a new secure password when you make a new account. It then syncs those passwords to the cloud, so that they can be accessed by your other Apple devices.

However, you really need to be using Safari on both desktop and mobile to make this work. On the desktop side, autofill for passwords only works for Safari. You can look up any stored passwords in the Keychain Access application on your Mac, if you want to copy and paste to another browser, but it is an inconvenience to do this frequently.

On iPhones and iPads, autofill from iCloud Keychain works across apps, except for non-Safari browsers like Chrome and Firefox.

If you use Windows as a primary platform, iCloud Keychain can work for you, but not well. You can manually look up previously saved passwords in the Settings app on your iPhone or iPad. You then would type the passwords on the desktop computer. That’s generally not a great solution.

Early in 2021, Apple did actually release a Chrome extension that allowed iCloud Keychain password syncing on Windows. However, Apple quickly pulled it because it didn’t seem to work well. Will it ever be back? That’s unclear.

Don’t forget two-factor authentication

If you plan on using any of these products, you absolutely need to enable two-factor authentication, which allows you to get a text, get an app notification, or enter a one-time code to confirm you are the one signing into your account. Two-factor authentication will prevent someone who has only your password from accessing your account and getting your other passwords.

Microsoft and Google do not enable two-factor authentication by default, but have instructions (Microsoft, Google). Apple ID accounts are already required to have two-factor enabled, but it never hurts to check your Apple ID settings.

These replacements aren’t perfect and aren’t perfectly secure

Of course, there is a reason that many password managers charge, and that’s so they can develop the features missing from these replacement solutions. The reason features are missing? The companies are understandably focused on products developed in house.

In fact, all the drawbacks I mentioned for these solutions — not syncing to all browsers and not syncing to all mobile apps — are solved in most paid commercial password managers, including LastPass.

If you are absolutely paranoid about your passwords, these two solutions are not for you. Unlike with LastPass and similar solutions, you do not get to set a master password for your passwords. If someone is able to authenticate as you, they could potentially get your passwords on a device not owned by you. Paid solutions usually allow you to set a secondary master password that would prevent anyone who didn’t know the secondary password from setting up new devices.

Additionally, if you should be paranoid, like if you are a journalist, important government official, or activist, you should look elsewhere. Because there is no master password, your login to Apple, Microsoft, or Google is the most protection you will ever get. If someone were able to authenticate as you on those services, the attacker would have all your passwords. Additionally, it is possible that a very determined attacker who only had your password could get enough information, legally or illegally, from Apple, Microsoft, or Google to decrypt your passwords. (Of course, if someone is after you to this degree, you probably don’t want to use a commercial service of any kind.)

For most people, Microsoft Authenticator password manager and iCloud Keychain solutions are good enough. They provide a sufficient level of security — and the price is right. However, if you’re missing some of the features exclusive to paid password managers, like syncing across different types of devices or master passwords that give you secondary protection, shelling out the few dollars a month is probably worth the cost.

Jerry Galvin has over 15 years of experience in systems engineering and cybersecurity operations. He currently specializes in vulnerability management.

Microsoft Authenticator on iPhone won’t offer to create a new password for you, but it will allow you to save one you made. The desktop version does offer to create a password.
iCloud Keychain will offer to create a new, strong password for you, and store it too.

Jerry Galvin has over 17 years of experience in engineering and cybersecurity operations. He currently is a business information security officer.