Little Tech: It’s Time to Move to a Third-Party Password Manager (Premium)

Microsoft Authenticator is losing its password management capabilities, but there’s no need to be outraged by this change. Instead, view this as an opportunity to make a positive change you should have made years ago and adopt a more capable third-party password manager that isn’t tied to a Big Tech platform and the whims of its maker.

I wrote about password management basics in mid-2024, and I recommend (re)reading that now, especially if you’re impacted by the changes to Microsoft Authenticator. But here are a few key high-level points:

  • Password managers don’t just manage passwords, so the name undercuts these products’ capabilities and, sadly, their importance. They should be called identity managers, and in addition to managing passwords, they also manage passkeys, payment methods, personal information, and more. The best password managers allow you to go completely passwordless.
  • While each of the key Big Tech platform makers–Apple, Google, and Microsoft–offers a password manager that integrates with its platform and offers some degree of cross-platform support, third-party password managers are the better option for all kinds of reasons. But key among them is that you’re not tied to–stuck with–product decisions that are in many cases driven by what’s better for that company than for its customers. Yes, this is enshittification, and this is the real reason behind the changes to Microsoft Authenticator. Microsoft is driving users to Microsoft Edge, its web browser, which can also be used for autofill capabilities on desktop and mobile.
  • The biggest problem moving to a new password manager is not well understood by many: Most people never think to remove the passwords from their previous password managers, and if you’re using a Big Tech product for that, the process for doing so is often tedious and time-consuming. Exacerbating the problem, most of us have used multiple apps and services that act as password managers over the years, and there are likely multiple copies of your passwords, most incomplete and at least partially out of date, all over the Internet. Think about how many web browsers you’ve tried over the years. It’s important to delete passwords from apps/services you no longer use, at least for that purpose.

I use and recommend Proton Pass for password/identity management, but I have also used and can recommend Bitwarden, Dashlane, and 1Password. Speaking generally, Bitwarden is free and perhaps best for technical users. Dashlane is arguably the best truly passwordless solution. And 1Password is perhaps the simplest, with the cleanest user interface. Proton Pass is, to me, the perfect “Goldilocks” middle ground between these other options, and what I prefer. But you can’t really go wrong with any of these choices. In each case, you will want the mobile app version on Android or iPhone (and on whatever tablet you may use) and the extension in whatever browser you use on desktop.

Most people simply use the password manager that’s built into the web browser they use. I get that, but with the possible exception of Chrome, assuming you trust Google, that’s not a good idea. Apple Passwords, in particular, is functionally lacking and will never work seamlessly or at all on Windows or Android. And I wouldn’t trust Edge with anything, let alone my identity.

Tied to this, you need at least one two-factor authentication (2FA) solution for verifying your identity when you sign in to online accounts that don’t have passkeys (and even some that do, if only for convenience). You will not use your password manager for that. I strongly recommend using Microsoft Authenticator to verify your Microsoft consumer (Microsoft account/Microsoft 365 consumer) and commercial (Entra ID/Microsoft 365 commercial) accounts, but Google Authenticator is the better choice for all other online accounts because the accounts are all backed up to your Google account and are immediately available when you sign in to the app, no backup/restore required.

If you are using Microsoft Authenticator for password management today, you can and should export your passwords now–indeed, you must do so before August 1, 2025. The exported file is supported by all password managers, but it only includes account/password pairs, not payment information or other personal information. From there, you could back up that file–I use OneDrive’s Personal Vault for this sort of thing–or just delete it. But again, remember to delete all the passwords stored by Microsoft. After Authenticator loses this functionality in August, those passwords will still be out there on the Internet and accessible from Edge on desktop or mobile.

Of course, deleting your passwords from Microsoft is tedious and time-consuming, as noted. There’s no “select all” feature in Authenticator or Microsoft Edge, so you have to select each account, one at a time, and delete them manually.

After installing a third-party password manager on mobile and/or as a password manager extension in your web browser on desktop, you should also disable the features in your web browser that offer to save passwords, autofill passwords and passkeys, save and fill personal information in forms, and the like. This varies by browser, but in Microsoft Edge on desktop, you can find these options in Microsoft Wallet in settings.

I understand the frustration with Microsoft’s decision to remove password management from Authenticator. But I also stopped using Microsoft for identity management long ago. You should too. It will require a little work, but it’s a one-time thing, and well worth the effort.
