Password Boss Review


When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

As a PCMag security analyst, I report on security solutions such as password managers and parental control software, as well as privacy tools such as VPNs. Each week I send out the SecurityWatch newsletter filled with online security news and tips for keeping you and your family safe on the internet.


The Bottom Line

Password Boss handles all basic password management tasks, including secure sharing and password inheritance, but lacks some of the advanced features found in other modern password managers.


Password Boss Specs

Import From Browsers: Yes
Two-Factor Authentication: Yes
Fill Web Forms: Yes
Multiple Form-Filling Identities: Yes
Actionable Password Strength Report: Yes
Digital Legacy: Yes
Secure Password Sharing: Yes

For proper online security, you must use a unique and strong password for every website. Password Boss is a fine password manager, one that takes on the job of remembering and creating all your credentials and then syncs them across all of your devices. In addition to handling all expected password management tasks, Password Boss comes with secure sharing and digital legacy options.

A representative from Password Boss told us the company plans to release an all-new version of the password manager in 2023. The desktop and mobile apps could use a cosmetic refresh, and security features such as enhanced multi-factor authentication options could be added in the future.

How Much Does Password Boss Cost?

Oddly, Password Boss’ pricing information is unavailable on the company’s website. You have to download the password manager, create an account, and then see that Password Boss’ premium edition costs $29.99 per year. Dashlane costs more than Password Boss, at $59.99 per year, and LastPass is $36 per year.

Previously, Password Boss offered a version of the password manager that was free to use on a single device. The company did away with that option, and instead, it now offers a free 30-day premium trial. We reached out to Password Boss for clarification regarding its product offering and what happens when the free trial runs out. We will update this review when the company replies to our correspondence.

Getting Started With Password Boss

After installing Password Boss, enter an email address and a master password to create your account. Like Keeper and some other competitors, Password Boss goes to great lengths to get you started successfully. Its onboarding process starts by asking for simple address information, which feeds into the form-filling system. A series of tips explain features, such as password capture and replay, secure sharing, and inheritance, and help install the browser extension.

The first time you start Password Boss during each session, it displays a list of five important steps: Create an account; Save a password; Save a secure note; Create your identity; and Setup emergency access. You can uncheck a box to get rid of this reminder, but we suggest you get rid of it the better way by accomplishing all five steps.

As part of the syncing process, Password Boss keeps an encrypted cloud backup of your data. In an unusual move, it lets you choose to store that backup in any of eleven server locations: US East, US West, Frankfurt, Ireland, London, Montreal, Singapore, Sydney, Tokyo, Seoul, and Sao Paulo. No matter the location, Password Boss can’t access your encrypted data even if enjoined to do so by the government. However, if you’re paranoid about security, you might consider selecting a server in a country subject to the EU’s General Data Protection Regulation (GDPR).

Getting your passwords safely recorded in a password manager can be a chore, as can switching to a different password manager. LastPass and 1Password support import from more than 30 competing products, for example.

Password Boss doesn’t offer much help to those jumping ship from another product. It can only import from 1Password, Bitwarden, ConnectWise Automate, Dashlane, Keeper, LastPass, MyGlue, PassPortal, RoboForm, SplashID, and Sticky Password. Password Boss can also import passwords from Chrome, Edge, Firefox, Internet Explorer, and Opera (but not Safari) browsers.

During the initial onboarding process, Password Boss helps you install its browser extension in your default browser. If you launch a browser that lacks the extension, Password Boss offers to install it. You can also click Browser Buttons from the menu and install it for all your browsers. Password Boss supports Chrome, Internet Explorer, Firefox, Edge, Opera, Safari (on Mac), and Vivaldi.

Capturing and Filling Passwords

When you log in to a secure site, Password Boss offers to save your credentials. At this time, you can give the entry a friendly name or assign it to an existing folder. Like LastPass and RoboForm, Password Boss lets you nest folders. It also rates the strength of the captured password.

If you have any trouble with the password capture process, Password Boss offers another way to get your credentials recorded. When you click the Password Boss owl icon in a username or password field, it offers to save your login data or create a new password. After you submit your credentials, it saves them and logs you in.

When you revisit a site for which you’ve saved credentials, Password Boss automatically fills in those credentials and logs you in. Clicking the browser extension’s toolbar button brings up a display of all your saved logins. It’s like a miniature version of the main window. You can switch to folder view if you like or type in the search box.

When you’re signing up for a new account or updating a weak password to a new, stronger one, Password Boss automatically offers its built-in random password generator. Password Boss generates 20-character passwords by default, using all character types. If your password manager defaults to anything shorter than 16 characters, crank up the length. You don’t have to remember them, so they might as well be long.

Multi-Factor Authentication Option

Without multi-factor authentication, anybody who got hold of your master password could get full access to your account, and you don’t want that. With multi-factor authentication enabled, logging in requires both something you know (the master password) and, in this case, something you have (a mobile authenticator app).

Like many competing products, Password Boss relies on Google Authenticator for multi-factor authentication. You can also use a Google Authenticator work-alike, such as Duo Mobile or Authy. Install the app on your smartphone, snap the QR code displayed by Password Boss, and you’re ready to go. Well, almost. To keep you from getting locked out if you lose your mobile device, Password Boss prompts for an alternate phone number to receive an emergency key. It also presents you with a one-time unlock code to disable multi-factor; keep that code safe!

After entering your master password, you’ll also enter a six-digit code generated by the authenticator. If you like, you can configure it to only require this second factor every 30 days on trusted devices. Even if you don’t choose multi-factor authentication, adding a new device requires the entry of a code sent to your email account.

Dashlane and Keeper, among others, support hardware security keys from Yubico and other vendors. There are many options for multi-factor authentication; any of them significantly increases your account’s security.

Password Hygiene

At the bottom of the password list, a prominent panel displays your security score. If every password is strong and unique, you’ll score 100 percent. Any weak or duplicate passwords drag down that score, as will passwords that Password Boss considers old, meaning they haven’t been changed for three months. You cannot turn off the warning for old passwords, which is not ideal since we recommend not changing your strong, unique passwords often.

Clicking the security score generates a full report, including duplicate, weak, old, and compromised passwords. Dashlane, Keeper, LastPass, and a few others give you a full-scale actionable security report showing all passwords ordered by strength. We prefer that to the Password Boss report, which only flags the weakest passwords.

Dashlane and LastPass automate the process of changing a site’s password. Keeper eschews this capability because it’s not Zero Knowledge but does make the manual update process smooth. With Password Boss, when you click Update it simply displays instructions and offers assurance that it will record the update.

Password Boss keeps a history of all of your passwords and notes. You can access these records by visiting the Tools dropdown menu in the app and selecting the history you want to see. You can delete passwords and notes from your history, too.

Password Boss includes a full Security Dashboard in the left-rail menu. This page summarizes the security score report and displays a pie chart identifying the types of data you’ve stored with Password Boss. More importantly, it includes buttons to scan the Dark Web for possible compromises.

Clicking for a password scan runs your passwords through the Have I Been Pwned website to see if any of them have turned up in Dark Web data dumps. Seeing bad passwords like 123456 flagged isn’t meaningful, but if something like yo#edEQSY5KYrYx6 shows up, you’ve got trouble.

Password Boss can also scan the Dark Web to see if your email address turns up. Note that any site, anywhere, might have a list that contains your email address, even if you never visited. If you have an account at the compromised site, that’s a bigger worry.

Hit or Miss Form Filling

Like many other password managers, Password Boss can fill in personal and financial data on web forms, saving you the aggravation of typing your details over and over. This form-filling ability manifests as four items on the menu: Digital Wallet, Secure Notes, Personal Info, and Identities. It’s important to understand how these categories interact.

You can add any credit cards or bank accounts to the Digital Wallet. In addition to credit card details, you can choose a color and a card type. If the card is American Express, Discover, JCB, Mastercard, or Visa, the card’s icon will get the appropriate logo. It’s not quite as detailed as Dashlane’s equivalent feature, which also displays the cardholder name and the logo of the issuing bank, but it’s helpful.

Personal Info comes in five types: Address, Company, Email, Name, and Phone. You can add as many items as you want of each type, just as you can with Dashlane and RoboForm. With LastPass, 1Password, and others, you create one or more full-scale identities containing the full collection of personal data, plus one or more credit card entries.

Password Boss creates a default identity using data you enter during installation. You can edit this identity or create new identities. Each identity can contain exactly one instance for each of the seven kinds of data (two financial and five personal). Multiple identities can connect to the same item—for example, two identities might share an address.

In testing, we found that this feature was hit-or-miss. It filled in the same phone number in fields for home, work, cell, and fax numbers; other products distinguish these. You will have to type in a few entries by hand, but having most of the data entry automated is a help.

Many password managers let you store and sync secure notes in the form of simple or formatted text snippets. Password Boss supports simple notes, and it also lets you save a dozen types of formatted data, among them Driver’s License, Insurance, and Passport. Dashlane takes this concept a step beyond, for example, displaying your passport using the colors and style of the selected country.

Secure Password Sharing

The whole point of passwords is to ensure that nobody but you can log in to your secure accounts. Even so, there are occasions when people need to share an account. You can use Password Boss to share passwords, other saved items, and even whole folders.

Open the Sharing Center, click the plus icon, and choose what you want to share. Name the share and start adding recipients. For each recipient, you can assign one of three access levels. The default is read-only access, with the password visible. You can let the recipient use the password without being able to see it or go the other way and offer full editing rights to the shared item.

You can revoke access to a shared item at any time. If you do so over trust issues, change the password for the shared item. You can also set a share to expire automatically on a given date and time.

A recipient with Password Boss gets a notification within the program that a new share is available. When the recipient accepts, you get a notification of that event. In case the recipient isn’t already a user, Password Boss sends an email with a link to download the software. The recipient can either sign up for a free trial or pay to use the software, which is not ideal. Offering a permanent free version of Password Boss would solve this problem.

Password Inheritance

To give full access to your account’s data, enter the recipient’s email address, add a personal message, and set a waiting period of up to 30 days. At any time, the recipient can request access, but this request generates a notification in your Password Boss account. If you’re still living above ground, you can cancel the access request any time during the waiting period (and start looking for a more trustworthy emergency recipient). If not, when the time elapses, the recipient inherits your account data. LastPass and Dashlane work in much the same way.

Password Boss doesn’t just hand your master password to the recipient. That wouldn’t even be possible; only you know your master password. Instead, when the recipient accepts, Password Boss creates a data package on the server encrypted with the recipient’s master password and releases that data when the waiting period finishes.

By clicking the Advanced button, you can fine-tune emergency access. Perhaps you want your heir to receive just passwords, not your digital wallet or other items. You could also split up your passwords, sending some to one heir, and some to another. For most people, though, the simple, complete account inheritance is easiest.

Zoho Vault emphasizes a distinction between work and personal passwords. You can designate an heir for either, but there’s no waiting period. And in a business environment, the administrator can force the release of the work-related bunch.

Password Boss Mobile Apps

Download Password Boss from the appropriate store and log in to your account. You now have full access to all your saved data items. You get all the features of the desktop edition, plus a few platform-specific ones.

On Android devices, Password Boss can handle passwords for all apps and in all browsers. Tap the owl icon to fill in a saved password or capture a new one. Password Boss is smart enough to offer, for example, your password for logging in to the Facebook app.

Password Boss for iOS lets you define a four-digit PIN for access or use Touch ID or FaceID if available. When you tap a saved password in the iOS app, Password Boss opens it in its internal browser, which is not as slick as other password managers, such as 1Password, which integrates with the new iOS AutoFill setting.

A Reliable Password Manager

Password Boss performs the basic functions of a password manager quite well. The app’s features include password inheritance, secure sharing, and a security dashboard. Password Boss also runs on many platforms and browsers.

Unfortunately, Password Boss lacks a free option and does not support authentication with hardware security keys. We also think its credential import options should be improved, and in testing, form filling was unreliable.

If you’re thinking about trying Password Boss, consider our Editors’ Choice picks for paid password managers. Dashlane packs many advanced features yet remains one of the easiest offerings to use. Keeper Password Manager & Digital Vault costs the same as Password Boss but supports more advanced features and puts security front and center. A LastPass subscription includes security features such as password strength reports and dark web monitoring. Zoho Vault offers a robust free plan for individuals and flexible business plans for teams.

In the free category, the Editors’ Choice winner is Bitwarden, a powerful password manager with surprisingly few limitations. Its paid tier adds security and storage tools at an extremely low price for the category.

The Best Authenticator Apps for 2022

Mobile authenticator apps make logging in to online accounts and websites more secure with multi-factor authentication. These are the top MFA apps we’ve tested.

PC hardware is nice, but it’s not much use without innovative software. I’ve been reviewing software for PCMag since 2008, and I still get a kick out of seeing what’s new in video and photo editing software, and how operating systems change over time. I was privileged to byline the cover story of the last print issue of PC Magazine, the Windows 7 review, and I’ve witnessed every Microsoft win and misstep up to the latest Windows 11.

Leaks and hacks from recent years make it clear that passwords alone don’t provide enough security to protect your online bank account, social media accounts, or even accounts for websites where you shop. Multi-factor authentication (MFA, also known as two-factor authentication or 2FA) adds another layer of protection. The security team at PCMag frequently exhorts readers to use it. Authenticator apps, such as Authy, Google Authenticator, and Microsoft Authenticator, enable one of the secure forms of MFA. Using one of these apps can even help protect you against stealthy attacks like stalkerware.

Our summaries of the best authenticator apps, listed alphabetically, will help you decide which one to use so you can start setting up your accounts to be more secure. If you’re looking for the best free authenticator app, you’re in luck. They’re all free. Below our recommendations, you’ll find more background information on just how these apps work to keep you safe, as well as criteria you should consider when choosing one.

2FAS

This simple but fully functional app does everything you want in an authenticator. It lets you add online accounts either manually or with a QR code. Unlike Google Authenticator, it can create cloud backups of your registered accounts, either in iCloud for Apple devices or Google Drive for Androids, which is key for when you lose your phone or get a new one. The backup is encrypted and only accessible from the 2FAS app.

Unlike Authy, 2FAS doesn’t need to know your phone number or even require you to create an online account, so it’s not susceptible to SIM-swapping fraud. You can set a PIN to access the app, and on iPhone it can use FaceID or TouchID, and you can add it as a home-screen widget, but there’s no Apple Watch app. The company also offers a test page you can use to check any authenticator app.

Duo Mobile

Duo Mobile is geared toward corporate apps, especially now that it’s part of Cisco’s portfolio. The app offers enterprise features, such as multi-user deployment options and provisioning, and one-tap push authentication, in addition to one-time passcodes. You can back up Duo Mobile using Google Drive for Android, and using iCloud KeyChain on iPhone.

Google Authenticator

Google’s authenticator app is basic and offers no extra frills. Unlike Microsoft Authenticator, Google Authenticator doesn’t add any special options for its own services. Google Authenticator lacks online backup for your account codes, but you can import them from an old phone to a new one if you have the former on hand. There’s no Apple Watch app for Google Authenticator.

LastPass Authenticator (for iPhone)

LastPass Authenticator is separate from the LastPass password manager app, though it offers some synergy with the password manager. Installing LastPass Authenticator is a snap, and if you already have a LastPass account with MFA enabled, you can easily authorize LastPass by tapping a push notification. Also, once the app is set up with your LastPass account, it’s easy to create a backup of your authenticator accounts in your LastPass vault, which alleviates some pain when you have to transfer your data to a new phone.

Microsoft Authenticator

Microsoft Authenticator includes secure password generation and lets you log in to Microsoft accounts with a button press. The app also lets schools and workplaces register users’ devices. Account recovery is an important feature that you should turn on if you use this app. That way, when you get a new phone, you’ll see an option to recover by signing into your Microsoft account and providing more verifications. Like the 2FAS app, Microsoft Authenticator offers another layer of security: You can require unlocking your phone with PIN or biometric verification in order to see the codes.

Password management options are in a separate tab along the bottom. You can sync with the Microsoft account you associated with the authenticator, and after that, you’ll see the logins you’ve saved and synced from the Edge browser. In addition, Authenticator can operate as a password filler/saver utility on your phone.

One problem (and it’s an Apple lock-in issue) is that you can’t transfer your saved MFA accounts to an Android device if you’ve backed up to iCloud, since the iPhone version requires using iCloud. This is the case for most authenticators that offer cloud backup.

Twilio Authy

One of Twilio Authy’s big advantages is encrypted cloud backup. However, it’s somewhat concerning that you can add the account to a new phone using “a PIN code sent via a call or an SMS,” according to Authy’s support pages. There’s also an option to enter a private password or passphrase which Authy uses to encrypt login info for your accounts to the cloud. The password is only known to you, so if you forget it, Authy won’t be able to recover the account. It also means that authorities cannot force Authy to unlock your accounts.

Unlike the other apps listed here, Authy requires your phone number when you first set it up. We’re not fans of this requirement, since we’d rather have the app consider our phones to be anonymous pieces of hardware; and some have suggested that requiring a phone number opens the app up to SIM-card-swap fraud. Authy’s Help Center offers a workaround, but we’d prefer it just worked more like other authenticator apps. At least there’s an Apple Watch app for those who want it.

What Is Multi-Factor Authentication?

As the name implies, MFA means you use more than one type of authentication to unlock an online account or app. Usually, the first way is your password. MFA means you add another factor in addition to that password. Experts classify authentication factors in three groups:

something you know (a password, for example)

something you have (a physical object)

and something you are (a fingerprint or other biometric trait).

When you use an authenticator app, you bolster the password you know with the token, smartphone, or smartwatch that you have.

What’s the Best Kind of Multi-Factor Authentication?

Using an authenticator app is one of the better types of MFA. There’s another common way to do it that’s not so good, however: authentication code by text message.

Yes, you can implement MFA by having your bank send you a text message with a code that you enter into the site to gain access. But getting codes by phone turns out to be not very secure at all. A vulnerability in SMS messaging is that crooks can reroute text messages. An authenticator app on your smartphone generates codes that never travel through your mobile network, so there’s less potential for exposure and compromise. Plus, if your text messages are visible on your lock screen, anyone with your phone can get the code.

To set up MFA by app instead of text message, go to your banking site’s security settings and look for the multi-factor or two-factor authentication section. Nearly every financial site offers it. Most sites list the simple SMS code option first, but go past that and look for authenticator app support.

Setting up MFA usually involves scanning a QR code on the site with your phone’s authenticator app. Note that you can scan the code to more than one phone, if you want a backup. Financial sites usually give you account recovery codes as an additional backup. They’re usually long strings of letters and numbers. Save those account recovery codes somewhere safe, such as in a password manager. These codes work in place of an MFA code on your phone, which means they let you still log in to the site if your phone is lost, stolen, or busted.

How Authenticator Apps Work

Authenticator apps generate time-based, one-time passcodes (TOTP or OTP), which are usually six digits that refresh every 30 seconds. Once you set up MFA, every time you want to log in to a site, you open the app and copy the code into the secured login page. Voilà, you’re in. The time limit means that if a malefactor manages to get your one-time passcode, it won’t work for them after that 30 seconds.

The codes are generated by doing some math on a long code transmitted by that QR scan and the current time, using a standard HMAC-based one-time password (HOTP) algorithm, sanctioned by the Internet Engineering Task Force. Authenticator apps don’t have any access to your accounts, and after the initial code transfer, they don’t communicate with the site; they simply and dumbly generate codes. You don’t even need phone service for them to work.

Since the protocol used by these products is usually based on the same standard, you can mix and match brands, for example, using Microsoft Authenticator to get into your Google Account or vice versa.

What to Look for in an Authenticator App

Backups of account info. Something to look for when choosing an authenticator app is whether it backs up the account info (encrypted) in case you no longer have the same phone where you originally set it up. Authy, Duo Mobile, LastPass Authenticator, and Microsoft Authenticator offer this, while Google Authenticator does not.

Watch apps. Authy and Microsoft Authenticator offer Apple Watch apps, which makes using an authenticator app even more convenient. Google Authenticator and LastPass don’t have Apple Watch apps. With about 100 million of these WatchOS devices in use, it’s a convenience that quite a few folks can take advantage of.

No SMS codes. As mentioned, we prefer that authenticator apps do not use codes sent by SMS during setup to authenticate you or your device. Most authenticator apps don’t. Twilio is the only app on this list that does it, and as mentioned, there’s a workaround.

Is There an Alternative to MFA Apps and Code by Text?

If you want an authentication method that’s even more thoroughly secure than an app or authentication code by text message, you can buy a dedicated key-type MFA device—our favorite at the moment is the YubiKey 5C NFC. These keys produce codes that are transmitted via NFC, Bluetooth, or when you plug them directly into a USB port. Unlike smartphones, they have the advantage of being single-purpose and security-hardened devices. Why are they more secure? Though it’s unlikely, a malware-infested app running on your phone could intercept the authentication codes produced by a phone’s authenticator app. Security keys have no batteries, no moving parts, and are extremely durable—but they’re not as convenient to use as your phone.

What’s the Safest Third-Party Authenticator App?

The safety of these apps stems from the underlying principles and protocols rather than any implementation by the individual software makers. That said, all those listed here are extremely safe, with a minor point off for Authy; as mentioned in the summary above, it’s the only one that requires your phone number and that can be set up using SMS verification—which is what these apps are supposed to be an improvement over. Safest of all are hardware security keys, like the YubiKey mentioned above.

Be sure not to install an unknown, unrecommended authenticator app that may look good: Malicious impersonators have shown up on app stores. Stick with the recommended ones here from well-known companies.
