Password Managers

Anyone using online services in this day and age needs to remember lots of passwords. As is stated quite commonly, you should use a different high-quality password on each site or service. I'm sure most people have noticed by now that memorizing 150+ passwords is quite impossible. You can use different schemes to make the whole thing more feasible, like memorizing 3-5 unique passwords for high-value services, sharing one for less valuable ones, and using one throw-away password for everything else. But eventually your throw-away passwords will become common knowledge, and then you need to change them on potentially hundreds of sites.

With the number of sites that get hacked more or less every day, chances are that your username / password combination from at least a few sites exists in a lot of leaked password databases, and there's a big business in finding other sites where those passwords work. So if you are re-using passwords, it's only a matter of time before your accounts get hacked.

This is why you should really use a password manager to manage all your passwords, and use unique ones for every service. I will look at some different password managers in this post and go through how they work. Ideally you can have unique, very strong, 10+ character, randomly generated passwords on all of your sites and services. This is still far from ideal, because there is a definite inconvenience factor in any such system: you still need to enter passwords manually from time to time, and it can be quite inconvenient not to be able to log in when you don't have access to your password manager at the moment. But it's the best that can be done for now.
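As an added example (not code from the original post), here is how a password manager typically generates the "10+ character randomly generated passwords" mentioned above, and how to put a number on their strength. The 94-symbol alphabet and the default length of 16 are assumptions for this example; the point is that the characters must come from the operating system's cryptographic random source (`secrets`), never from a general-purpose PRNG like `random`, and that strength is measured as entropy in bits.

```python
import math
import secrets
import string

# Alphabet assumed for this example: letters, digits and printable
# punctuation, 94 symbols in total.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Return a password of `length` symbols drawn uniformly from `alphabet`.

    `secrets.choice` reads from the OS CSPRNG.  The `random` module is not
    suitable here: its Mersenne Twister output can be reconstructed from a
    few hundred observed values, which would let an attacker predict every
    password the generator produces.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols.

    Each symbol contributes log2(alphabet_size) bits, so a 16-character
    password over 94 symbols has about 105 bits, far beyond what any
    online or offline guessing attack can cover.
    """
    return length * math.log2(alphabet_size)


def minimum_length_for(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose uniform-random entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"{entropy_bits(16, len(ALPHABET)):.1f} bits")
    # How long must a digits-only PIN be to match 16 mixed characters?
    print(minimum_length_for(entropy_bits(16, len(ALPHABET)), 10), "digits")
```

Running the script prints a fresh password and its entropy; the last line shows why shorter alphabets (digits only, lowercase only) need far longer strings to reach the same strength.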

Online Password Managers

This is the most convenient type of manager, but it comes with some loss of control and is also arguably the least secure. One should be aware, though, that all of the solutions listed in this post are vastly more secure than the alternative of not using them. I will be focusing on two of the "best" ones; there are others like Dashlane and 1Password, but I haven't used them, so I can't say much about them. I have done feature / price comparisons, and they have come up short in my opinion.

It is important to note that even though most of these managers have web versions, the saved passwords are decrypted in the browser and can't be read by the people running the service. But one should always remember that there is no way to know for sure that they aren't decrypting your data. There will always be a level of trust involved, but everyone knows that if any of the services were caught doing something like that, they would be out of business, and there is almost no reason for them to do so.

Lastpass

Lastpass is probably the best known of all the password managers, and it was one of the first to do security properly. Lastpass is a good choice all around, but since they got bought by LogMeIn, the software support and quality have dropped considerably. They are also quite expensive for teams, and are lacking a lot of features that are useful in team-based development. But for private individuals it is free, and works well enough. They have browser plugins, as well as mobile apps for Android and iOS. Like many others, the full feature set is available in the web version.

Bitwarden

This is the one I'm using at the moment. It is very similar to Lastpass, but completely open-source. It also has a lot of features that Lastpass is lacking, like the ability to enter multiple URLs for one record. I should note that even though Bitwarden is open-source and there is a self-hosted alternative, like Lastpass it is not completely free to use. They sell it as a service, and you need to pay 10€ per year to unlock all the features. It would probably be possible to get around this by building your own version of the client, but I think it's worth the money to support the developers, and it's not very expensive either.

Web Browser Store

I'm not going to go into this very deeply, but if you want you can store passwords in the web browser. At least Firefox and Chrome have secure, online-synced password vaults. But even though you don't need to install anything to use these, there are considerable downsides compared to Lastpass and Bitwarden.

One downside is that there is no cross-browser compatibility: if you have all your passwords saved in Chrome, you can't access them when using Firefox, and vice versa. Most browsers allow you to export the data, but it's better not to lock yourself in in the first place.

Another downside is that you can't share password entries with other people. This can be a useful feature when you want to share a set of up-to-date passwords with your family members or co-workers.

There's also some question about exactly how secure these solutions are. You probably don't need to worry too much about random people hacking your password vault, but there might be situations where your passwords can be read by third parties, for example the browser vendor. The browser stores are not as security-focused as stand-alone solutions.

Local Password Managers

If you're not comfortable with using online services, a local password manager might be a good option. They keep the password database locally on your machine, so you can better check the encryption process and control where the data is located. As it's usually good to be able to access your data from different devices, you might want to sync the database somehow, but in this case you are completely in control over where and how it is synced. There are a lot of different ones to choose from, but I will look at two. One is probably the most popular local password manager, and the other one I find quite interesting and fun, but it is probably way too techy for most users.

Keepass

Keepass is probably the best known and most used local password manager. The crypto used in it is well designed: you can choose things like the encryption algorithm and how many times your master password is hashed before it becomes the vault key. There are also clients for just about every platform, as well as browser plugins and various tools that work with the password vault.

Pass - Password Store

I like the concept of this one, but the practical utility might not be that great. What I like about it is that it's basically only a thin layer of glue between existing technologies. The password manager is command line only, although there are alternative clients that provide different GUIs. Each password entry is saved as a file and encrypted using PGP. The advantage of this is that it allows password sharing, as you can encrypt the file to multiple keys. Passwords are organised into folders on your system, which you can lay out however you want. Like other local managers you could use almost any file-based sync tool to synchronize the passwords, but Pass also has built-in Git support. Added or changed passwords are automatically committed to the repository, which can then be manually pushed to and pulled from a remote repository if you want. The Git repository is of course also useful for version control even if you don't synchronize remotely. Pass is probably not a realistic option for less techy users, and it doesn't really have that many extra features. But the upside is that there is very little chance you'll ever lose anything from it, and it uses public-key crypto, which allows for safe password sharing. And as it uses existing crypto implementations, there is very little chance of any mistakes in the cryptography itself.

The Master Password

Regardless of what you choose, your passwords should be pretty safe as long as you pick a good master password. And here comes the biggest problem with basically all of the password managers. You need a very strong master password that is hard to brute-force, but you must never forget it. Unlike passwords to different services, there is no way to ever recover a lost master password. If you forget it, all your passwords and data are lost. And obviously it would be a big security problem to write it down on any of the devices you access the database from. I would recommend writing it down on paper and storing the paper somewhere safe, preferably not close to your computer or phone.
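The two points above, Keepass letting you choose "how many times your master password is hashed" and the master password needing to be hard to brute-force, are really the same trade-off, and the added example below (written for this edit, not code from the post or from any of the managers discussed) makes it concrete. It stretches a master password with PBKDF2-HMAC-SHA256, which is one standard key derivation function and stands in here for whatever KDF a given manager uses; the iteration count of 200,000, the salt and the sample password are all constructed for the example. The brute-force estimate assumes an attacker who has stolen the encrypted vault and must run the same derivation for every guess, so each extra iteration costs the attacker per guess what it costs you once per unlock.

```python
import hashlib
import hmac
import secrets
import time

# Iteration count assumed for this example.  Real managers tune this per
# vault; the post notes that Keepass lets the user choose it.
ITERATIONS = 200_000


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte vault key with PBKDF2-HMAC-SHA256.

    The salt is random per vault, so an attacker cannot precompute a table
    of keys that works against every user's database.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def verify_master_password(candidate: str, salt: bytes, stored_key: bytes,
                           iterations: int = ITERATIONS) -> bool:
    """Check a candidate against the stored key in constant time."""
    return hmac.compare_digest(derive_key(candidate, salt, iterations), stored_key)


def unlock_cost_seconds(master_password: str, salt: bytes,
                        iterations: int = ITERATIONS) -> float:
    """Wall-clock time of one derivation on this machine (one unlock, or one guess)."""
    start = time.perf_counter()
    derive_key(master_password, salt, iterations)
    return time.perf_counter() - start


def expected_cracking_seconds(entropy_bits: float, seconds_per_guess: float) -> float:
    """Average brute-force time for a password with the given entropy.

    On average the attacker succeeds after searching half the keyspace,
    i.e. 2**bits / 2 guesses, each costing one key derivation.
    """
    return (2.0 ** entropy_bits / 2.0) * seconds_per_guess


if __name__ == "__main__":
    salt = secrets.token_bytes(16)            # per-vault random salt (constructed)
    master = "correct horse battery staple"   # sample only; never reuse a known phrase
    key = derive_key(master, salt)
    assert verify_master_password(master, salt, key)
    assert not verify_master_password("wrong password", salt, key)

    per_guess = unlock_cost_seconds(master, salt)
    print(f"one unlock/guess at {ITERATIONS} iterations: {per_guess * 1000:.0f} ms")
    year = 365 * 24 * 3600
    for bits in (28, 40, 60):
        years = expected_cracking_seconds(bits, per_guess) / year
        print(f"{bits:>3}-bit master password: ~{years:.2e} years single-threaded")
```

A 28-bit master password (roughly a dictionary word with a digit) falls in hours even with a slow KDF, while 60 bits pushes a single core past any realistic lifetime; the iteration count multiplies the attacker's cost but cannot rescue a weak password, which is why the post's advice to pick a strong master password and write it down on paper stands regardless of which manager you use.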

Conclusion

There exist quite a few solutions that don't use a username and password to identify and authenticate you, but for public services username and password are still used almost exclusively. And as long as that is the case, we're stuck with using them. Where possible you should also use two-factor authentication, but even that is not guaranteed to keep people out, because there are usually ways to recover from lost passwords and two-factor tokens. However, by following these steps, you will stop all but the most extreme hacking attempts on your accounts.

Photo by Matthew Brodeur on Unsplash