Review: The 6 best password managers
- 25 May, 2017 20:00
Thanks to the continuous barrage of high-profile computer security scares and reports of cloud-scale government snooping, more of us Internet users are wising up about the security of our information. One of the smarter moves we can make to protect ourselves is to use a password manager. It’s one of the easiest too.
A password manager is an excellent first step in securing your online identity, helping you increase the strength of the passwords that protect your online accounts because it will remember those passwords for you. A password manager will generate a unique strong password for every account and application, without requiring you to memorize or write down these random strings of characters. These strong passwords help shield against traditional password attacks such as dictionary, rainbow tables, or brute-force attacks.
Many password managers allow you to automatically populate your password vault by capturing your web logins using a browser plug-in and allowing you to store these credentials. Other options for populating your password database include importing an Excel spreadsheet or manually entering your login information. Further, using these stored credentials is typically automated using a browser plug-in, which recognizes the website’s username and password fields, then populates these fields with the appropriate login information.
Although several browsers offer similar functionality out of the box, password managers typically offer several benefits over the built-in browser functionality—including encryption, cross-platform and cross-browser synchronization, mobile device support, secure sharing of credentials, and support for multifactor authentication. In some cases, usernames and passwords must be copied from the password manager into the browser, reducing the ease of use but increasing the level of security by requiring entry of the master password before accessing stored login information.
Some password managers store your credentials locally, while others rely on cloud services for storage and synchronization, and still others take a hybrid approach. Some of the options using local storage (such as KeePass and 1Password) still support synchronization through Dropbox or other storage services. Deciding which password manager is best for you will come down to features and ease of use, as well as to whether you’re comfortable using a cloud-based password manager that stores your passwords on the Internet.
If having your critical data stored in a cloud service worries you, then KeePass, 1Password, and SplashID Safe (sans SplashID’s cloud service) are the best options. If you trust cloud-based services with your passwords and you believe they will protect your data using good security practices and encryption, then Dashlane and LastPass are the top choices.
In my judgment, KeePass is the best of the options using local storage. KeePass is free open source, and with the right combination of plug-ins, it can be made to do almost anything you could require of a password manager. Among the cloud options, I’m split: I like LastPass for its low cost and its consistent implementation of features across all of the clients, but I prefer Dashlane’s approach to securing passwords.
Each LastPass client I tested was easy to work with, stable, and remarkably uniform from a usability perspective. Plus, a LastPass Premium account costs all of $1 per month, making it an extremely compelling option. But Dashlane takes password security a few steps further, most notably by limiting its web app to a read-only version of your password vault, and only decrypting your data within your local browser session, not on the server. In a nutshell, go with LastPass for maximum ease and features at the lowest price; go with Dashlane for maximum password security.
Two products offer a middle path that may appeal to some users. 1Password and SplashID Safe combine the security benefits of offline vault storage with the convenience of full synchronization through an online service. With either of these password managers, you can choose to synchronize most of your credentials using the cloud service while selectively opting to store certain information offline or to synchronize through an alternative such as Dropbox.
Really, you can’t go wrong with any of these password managers. Along with the six full-featured options I focus on below, there are even a few other tools you might consider. Read on for the details.
1Password is the brainchild of AgileBits, a long-time developer on MacOS, though 1Password runs on multiple platforms including Mac, Windows, iOS, and Android.
1Password has long supported the use of a local file to store encrypted passwords, and now offers synchronization, monitoring, and other benefits through an optional cloud service. 1Password also supports synchronization of password vaults using Dropbox (all platforms) or iCloud (MacOS and iOS only). If you would prefer not to use the cloud for password synchronization, 1Password can synchronize password vaults across Windows, MacOS, iOS, and Android clients directly via Wi-Fi.
Because a 1Password vault is contained in a single file, you are able to control how individual vaults, and therefore passwords, are managed. A downside to vault management with a 1Password account is that new vaults can be created only through the web app, which caused some confusion for me in testing.
For those who want to share passwords securely, 1Password offers team and family accounts that allow you to selectively share password vaults with other members, and even control which members can make changes to passwords. 1Password also allows you to use the team or family account’s secure storage to share sensitive documents among members. Each member has the ability to create and manage their own password vaults and accounts in addition to gaining access to shared vaults. Unfortunately, sharing vaults is limited to family or team accounts. You can’t simply share with another individual with a 1Password account.
1Password provides a number of different tools that analyze your passwords and the services they secure in order to identify potential vulnerabilities. The 1Password Watchtower service keeps track of compromised websites and services that could impact your personal security, and alerts you to change your passwords or to be on the lookout for potential problems. Tools like Security Audit can help you identify weak passwords in order to strengthen your critical accounts.
The security features behind 1Password include the use of a secret key, which is a random string of characters generated when you initially create your 1Password account. This security key, which is not recoverable by 1Password, is used to secure your account and each client. 1Password does offer the ability to easily authenticate a new client using a QR code. Unfortunately, 1Password does not support multifactor authentication other than the use of registered devices. Both the iOS and Android clients support authentication using the fingerprint reader on your device.
You have several different options for getting started using 1Password. Each of the 1Password clients for Windows, MacOS, iOS, and Android are free. An account is required only if you are going to use the 1Password service for synchronization. For business users, 1Password Standard and 1Password Pro cost $3.99 and $11.99 per user per month respectively. 1Password and 1Password Families cost $2.99 and $4.99 per user per month.
Dashlane is another password manager that toes the line between cloud service and local password manager in an attempt to answer every security concern. You can store your password database on Dashlane’s servers and take advantage of synchronization across devices, or you can store your password vault locally and forgo synchronization. It’s your choice.
If you store your password database in Dashlane’s cloud, your master password remains with you only (much like 1Password, only Dashlane was doing it first). Rather than storing a hash of the master password on its servers, Dashlane only uses your password to encrypt and decrypt the data on your local device.
Authentication is performed against devices that are registered with Dashlane through a two-step process, incorporating your master password and a device registration code sent via email. Two pricing tiers are offered for Dashlane users. A free account allows access to your passwords through a single device of your choice. Premium accounts, which cost $39.99 per year, let you synchronize your passwords across multiple devices, perform account backups, share more than five items, give you access to the web app, and entitle you to Dashlane’s customer support.
With Dashlane, your retention of your master password is an absolute must. The company states that it is unable to perform password recovery in the event of loss, a necessary side effect of its decision not to store a copy of your password in any form. Two-factor authentication is supported through the use of U2F (Universal 2nd Factor), such as a Yubico Yubikey. Support for two-factor authentication must be enabled through the Windows or Mac client and can only be used on clients with a live Internet connection.
Dashlane’s team features allow you to securely share login information with other Dashlane users. Shared items can be provided with limited rights, which restrict the ability to change permissions or reshare an item, or with full rights to the data. Dashlane also offers the ability to designate emergency contacts, making it easy to allow family or co-workers access to critical accounts or information in the event of an emergency. The data shared with an emergency contact can be fine-tuned in order to provide only certain information to specific contacts.
Dashlane’s architecture makes it an excellent option for users who want the convenience of a cloud-based solution without the fear of potential service breaches. Of course, while the precautions Dashlane takes to safeguard your data eliminate the risk involved with storing information online, they may not protect you from other attack vectors.
A mature open source project (GNU GPL version 2), KeePass is a free password management solution for Windows, MacOS, and Linux, running natively on Windows and requiring Mono or Wine for the other platforms. Many of the benefits of open source software are prevalent in KeePass, including ports to other client operating systems, comprehensive language support, and a robust plug-in ecosystem. With the extensibility offered by plug-ins for KeePass, you can change the encryption algorithm, automate logins through your browser, integrate an on-screen keyboard, and even create scripts you can run against the password manager.
KeePass was designed to store a local copy of the password vault. Cloud backup and support for synchronization across multiple devices are obtained through plug-ins that work with the likes of Dropbox, Google Docs, Microsoft OneDrive, or even your own FTP server. A side benefit of a local password database such as KeyPass is the ability for multiple users to share a database or for one user to keep multiple databases, sharing some and keeping others private.
Mobile support for KeePass is more obtuse than for the commercial options. Ports are available for iOS, Android, and Windows Phone, but the big question becomes synchronization support. Not all mobile ports support cloud synchronization, and those that do support only a subset of the cloud options. Some mobile KeePass clients carry a cost, though most are in the $1 to $2 range.
Note that a couple of web-based KeePass clients allow you to work with a key database stored on your local hard drive or a cloud storage account. KeeWeb is particularly sleek, and it’s available in native Windows, MacOS, and Linux versions as well. Like KeePass, KeeWeb is itself open source.
If you’re more concerned about the security of your password vault than mobile clients and device synchronization, you’ll be pleased to know that KeePass supports multiple authentication methods by default. KeePass database files can be locked by a combination of password, key file, and Windows user account. With a key file stored on removable media such as a USB thumb drive, two-factor authentication can be used to secure access to your critical passwords.
The biggest downside to KeePass is complexity. Getting all of the advanced functionality offered by the competition will require quite a bit of research, setup, and maintenance. Heck, you even have several options for multifactor authentication, but you’re largely on your own to get it working. While KeePass is a great solution for fans of free open source and maximum flexibility, it is certainly not as straightforward as some of the cloud-based services and hybrid solutions listed here.
LastPass may be the most popular password manager in this review, due to a rich set of features, support for a wide range of mobile platforms, and straightforward licensing, not to mention aggressive marketing. Unlike KeePass, LastPass is decidedly cloud-centric, using its own cloud service to store user information and synchronize data.
The sheer popularity of LastPass makes it a tempting target for people with malicious intent and the skill set to match. Over the last three years LastPass has acknowledged multiple security incidents, including compromised user emails and password reminders, though its encrypted user vaults were not compromised. The more recent security issues were due to a vulnerability in the LastPass browser plugin.
It’s important to keep these vulnerabilities in perspective. All software has bugs, and security software is no exception. The most important consideration when choosing which software to use is whether vulnerabilities are patched soon after they’re discovered. LastPass has passed this test.
LastPass offers a free and Premium pricing tier for consumers, with the Premium service costing $1 per month. Users of the free edition get many of the basics you’d expect from a cloud-based service including plugins for multiple browsers and anywhere access. But the free version even supports multifactor authentication, using a variety of options including LastPass Authenticator and Google Authenticator. And while mobile device support used to be limited to Premium subscribers, LastPass users can now synchronize with their mobile apps using the free service.
Premium users gain the ability to share credentials with family members. The Shared Family Folder feature allows a single user to share with up to five other users, including users with free accounts. The downside is that Premium subscribers are limited to a single shared folder, and permissions are managed at the folder level, which isn’t as fine-grained as some of the competition. Users wanting more control over sharing will need to look into LastPass Teams or LastPass Enterprise.
LastPass has a somewhat confusing array of pieces. Downloading the basic installer for Windows provides browser plug-ins, an import tool (for migrating from another password vault or spreadsheet), and a shortcut to the LastPass web app, all in addition to the desktop client. Premium subscribers also have access to LastPass for applications, which provides increased utility by allowing you to automatically log into desktop applications such as Skype or a corporate VPN client.
LastPass supports several forms of two-factor authentication. I’ve already mentioned that both LastPass Authenticator and Google Authenticator are supported with free accounts, providing simple integration using a mobile device. LastPass Authenticator can be used to receive push notifications in the event of an authentication attempt, allowing you to confirm the authentication request from your mobile device. Premium accounts gain support for Yubikey, a USB hardware authentication device, and Sesame, a software authentication tool run from a USB storage device, as well as support for desktop fingerprint readers in Windows.
If you need simple password management, you can’t go wrong with a free LastPass account. For more granular credential sharing and mobile device support, LastPass premium will be the best $1 you spend each month.
RoboForm is a popular password manager and form filler. It falls short of the leading password managers on a few counts, but has been closing the gap. RoboForm Everywhere, the premium tier, offers synchronization across multiple platforms, a web app, two-factor authentication, and sharing capability. RoboForm Everywhere is licensed annually for $19.95, though licenses can be purchased for longer time periods at a discount.
Users looking for enhanced security can use SMS-based One-Time Passwords (OTP) with RoboForm by enrolling their phone. However, other multifactor authentication options are absent. RoboForm does support sharing credentials, though there are some key limitations. Individual records can be shared, or a single shared folder can be created along with the ability to manage permissions for the users you’re sharing with, but you can’t share from the web app, and users must have a RoboForm account to receive shared credentials.
One feature RoboForm offers that’s on par with LastPass is the ability to handle application-based logins, not just those in your web browser. This has the potential to be a killer feature under the right circumstances, particularly for users who must manage logins to multiple apps for cloud services or corporate tools.
SplashData has been in the password manager business for years. Its product, SplashID, has been particularly popular on mobile devices. Currently SplashID supports access through the web and client apps for Windows desktop, Windows, MacOS, iOS, Android, BlackBerry 10, and Windows Phone.
Where other password managers are either local or cloud-based, SplashID supports either option. SplashID has simplified its licensing structure somewhat in version 8. A basic SplashID account is free, but limits you to one device and doesn’t allow sharing or backup. A SpashID Pro account allows you to synchronize your password vault for $1.99 per month or $19.99 per year. SplashID Pro supports unlimited devices, synchronization over the Internet or Wi-Fi, sharing, and automated backup. It also comes with customer support.
Businesses or families can leverage TeamsID, which offers many of the same features as SplashID, but is geared toward groups. TeamsID adds an admin panel that allows you to control who has access to each record, either by assigning a record to an individual user or a group of users. TeamsID costs $2 monthly per user for the Family Addition, or $3 monthly per user for the Business edition.
SplashID has at least one feature we wish all the cloud-based services would implement: the ability to configure a login as local only, giving you the ability to prevent your most sensitive data from being stored on the Internet. The idea is that if you have certain login information or other sensitive data you don’t trust to the Internet, you can prevent this information from being uploaded to SplashID’s servers.
SplashID Safe supports two methods of sharing login information. When sharing with a user who has a SplashID cloud account, the login information is imported directly into their account. Users without a SplashID cloud account will receive an email containing a link to securely retrieve the information. Links to shared information are secured with a password (which can be included in the email or shared using another method), valid for only 24 hours, and expire after the first use.
Two-factor support in SplashID provides an extra layer of security only when registering a new device (not on each login), requiring you to enter a six-digit code sent via email. While a registered device paired with a password technically meets the definition of two-factor authentication (something you have and something you know), it’s not quite on a level with services offering support for Google Authenticator or other two-factor methods. SplashID Safe offers a pattern unlock feature as an alternative to a master password, which works just fine on mobile devices, but feels a little strange in the web browser.
It’s always nice when a security product is backed by a brand synonymous with computer security, and Symantec’s Norton Identity Safe certainly has that factor in its favor. Identity Safe has another plus: It’s completely free. You can choose from a number of free password managers, but none are cloud services operated by a software vendor with a level of trust built up over decades. Norton Identity Safe used to be part of a Norton security suite, but it’s now a stand-alone service with a web front end and clients for Windows, iOS, and Android.
KeePass isn’t the only open source password manager. There’s also Password Safe, currently available for Windows in both installable and portable versions, and for Linux in a beta version. Password Safe is not nearly as feature-rich or mature as KeePass, and I’d be hard-pressed to give you a reason to use it over its big brother. That said, Password Safe is a viable alternative, and if all you need is a local password manager, the decision may come down to which program you find easier to use. The result may be Password Safe.
Keeper is a full-featured password manager supporting multiple client platforms including Windows, MacOS, iOS, Android, and Windows Phone. Security features include two-factor authentication and secure sharing. Keeper offers two pricing tiers, starting with an Individual account that provides unlimited storage, access to the Keeper web app, secure sharing, and access to the support team for $29.99 per year. Keeper Family supports up to five users, provides 10GB of secure file storage, and offers a streamlined sharing experience.
Trend Micro Password Manager has a free option that supports only five passwords. Trend Micro’s subscription service, which costs $14.95 for one year or $24.95 for two years, supports an unlimited number of passwords and devices. Desktop clients are available for Windows and MacOS, and mobile clients are available for iOS and Android. While there’s nothing wrong with Password Manager, it doesn’t match other competitors in features or polish.