Which Password Manager?

There are dozens of password managers, including some built into browsers. Many of them do the basic job you need, which is to use a master password and strong encryption to securely store your passwords. More important than selecting the “best” password manager is to use such software wisely. I describe how to use a password manager here (basics and index to password series) and here (tips).

If you’re already using and liking a password manager not mentioned in this post, by all means keep using it so long as it offers master password protection in combination with strong encryption. While most password managers offer password import and export functions, the actual practice of switching password managers and learning a new one is cumbersome.

However, if you’re selecting a password manager for the first time or dissatisfied with your current password manager, you may as well benefit from my efforts to identify the best password managers for individuals. My efforts included extensive use of two password managers and poring through hundreds of reviews, forums, and comments about many others.

Below I describe four password managers with an outstanding combination of features, low cost, ease of use, and well-deserved popularity.

What to look for in a Password Manager

  • Security must be a given (master password, AES).
  • It should be as easy as possible to get started using the password manager, without sacrificing security.
  • It must be easy to securely auto-fill user names and passwords in the more popular browsers.
  • It must be easy to capture new login information and associate it with one specific site.
  • Passwords should be synced and easily available on all the desktop and mobile platforms you use. Keeping your passwords on your phone is more secure than carrying around a printed listing of your passwords, so long as it is protected by a master password.

There are also a few optional features that you may want, such as automatic form filling, secure notes, multiple identities, easy import/export, password generation, USB key support, and additional security features such as virtual keyboards, two-factor authentication, and one-time passwords.

Weaknesses Shared by all Password Managers

So far as I have been able to determine, all password managers will let you choose as weak a master password as you like, some without any warning. Most password managers allow some or all passwords to not be protected by a master password. Furthermore, many password managers ask users to make decisions during setup (or offer options) that require significant knowledge of password security.

By allowing this flexibility, users can be exposed to more danger than if they weren’t using a password manager at all – because all of these unprotected or lightly protected passwords are assembled in one electronic location.

Simon Davis of RoboForm-maker Siber Systems says that users of RoboForm fall into two categories: those who seek convenience and those who seek security. His experience has been that convenience users outnumber security conscious users. Some people do not protect any data with a master password.

I suspect that most users seeking convenience would use a strong master password to protect all passwords if they understood the risks of not doing so. I started out as a RoboForm convenience user but changed my habits to a secure user after educating myself about the risks of unprotected passwords.

It is possible to imagine password manager software which does a better job of both warning and educating users about unsafe password practices. It is also possible to imagine a setup process for password managers that asked the user a simple question at the beginning of setup: Do you want to optimize for security, convenience, or half-way in between? At the very least, I would like to see improved, cooperative efforts by the security industry to promote safe password practices.

Best Cloud-Based Password Manager: LastPass

Cloud computing is the use of web services to create, edit, and store data on servers located elsewhere. A number of cloud-based password services have launched in the past few years. These password services make it easy for you to access your passwords from any desktop or mobile browser. While many people feel instinctively more comfortable storing sensitive information on their own hard drive rather than some far-off server, the developers of such sites explain that they don’t store your master password. It is impossible to view the encrypted passwords stored on their servers without the master password, even for employees of the online password service.

If you’re comfortable with your passwords being encrypted and stored in the cloud, you’ll find that using cloud-based password services is convenient. Your passwords are easily available and synced across all platforms using browser bookmarklets, plugins, or extensions. For people who use multiple operating systems, browsers, and mobile devices on a daily basis, a cloud-based solution is far more convenient than the desktop-based competition, which is generally compatible with fewer systems. Assuming proper security, the only disadvantage is that the service can be partially or fully disrupted when the server storing the passwords goes down.

LastPass is one such cloud-based password service. Though I have not personally tested LastPass, an examination of reviews, forums and the LastPass web site suggests that users are overwhelmingly satisfied with LastPass. This service is the only password manager system for consumers I’ve come across that includes every optional feature offered by any of its competitors. The “one-time passwords” feature provides a secure means to access passwords from public WiFi. The potential disruption caused by temporary server failure can be mitigated by local password caching for those who use a plug-in for Firefox or Internet Explorer. LastPass maintains an extensive and well organized web site and forums.

LastPass is a free service with basic functionality comparable with RoboForm or 1Password, yet available on a wider variety of platforms. For $12/year, LastPass offers mobile clients, two factor authentication, and emergency phone support. And most people who have tested multiple password managers claim that LastPass is one of the easiest to use.

You can learn more from these two reviews:

LastPass Review by PC Magazine

LastPass Review by Tech Herald

And from the LastPass web site:

LastPass.com

Risks of Storing Passwords in the Cloud with LastPass (UPDATE)

Two recent incidents highlight the risks of storing passwords in the cloud, so I felt a need to update this post with this entirely new section.

On May 4, 2011, LastPass notified users of an unexplained transmission of data to and from their services. It is not known whether passwords were stolen. Given that stored passwords are encrypted, this is not likely to cause problems, but LastPass management has taken precautionary steps. Details here.

On February 26, 2011, security researcher Mike Cardwell reported a LastPass vulnerability. A cross-site scripting (XSS) vulnerability made it possible for a logged-in LastPass user who visited a malicious web site to have various account details logged (though not in a way that exposed encrypted passwords). Mike Cardwell believes other XSS LastPass vulnerabilities may be discovered in the future, based on his understanding of the LastPass architecture. LastPass is a top notch company and I expect them to do everything possible to eliminate any remaining vulnerabilities. Details from LastPass are here.

LastPass responded with great speed and openness to both issues, which is a great credit to their integrity. However, these incidents serve as a reminder that web-based software is more difficult to secure than desktop-based software. LastPass is a tempting target for password thieves. I have no doubts about the integrity or ability of the LastPass team. But the more popular they get, the more resources will be used by the bad guys to break in and steal passwords. People with nagging doubts about the security of web-based password managers can now point to these real examples.

Best Windows Password Manager: RoboForm

UPDATE: EasyPass was launched by security software leader avast! in October 2011. It is essentially RoboForm. So this review of RoboForm serves as a review of the Avast EasyPass password manager as well.

For those people who use their passwords primarily on their Windows systems, RoboForm offers fully featured password management and automatic form filling software for a reasonable cost ($29.95 for the first system, $9.95 for subsequent licenses). An online version of RoboForm with fewer features is available for free. For years, RoboForm received top accolades from PC magazine and other publications, though in recent times the competition has greatly improved.

For those who prefer to store their passwords on their own system, RoboForm remains the best option for Windows. Plug-ins for Firefox and Internet Explorer (UPDATE: and in 2011, Chrome and Opera) make RoboForm work very smoothly with browsers. I have used RoboForm for over 5 years and have no plans to switch. Dropbox keeps my 3 Windows systems’ passwords in sync.

While RoboForm has its roots as Windows software, it has versions for most major mobile platforms ranging from the Blackberry (nonsyncing, basic password storage that can be used via copy/paste) to the iPhone (includes sync and 1 click logins). Using an optional, free RoboForm Online service in conjunction with the RoboForm Bookmarklet allows RoboForm to autofill logins on unsupported browsers or unsupported operating systems (OS X, Linux). RoboForm extensions for Firefox and Chrome used in conjunction with RoboForm Online mean that RoboForm can be accessed from either of these two browsers on any operating system.

RoboForm is very flexible – perhaps too flexible – as it allows users many options to reduce security. For example, the security settings can be set so that 5 hours after you close your browser, log out, and put your computer to sleep, someone could waken the computer, log in to the guest account, and start logging in to all your web sites. RoboForm is not set up this way by default, but why even allow the possibility of such an insecure setup?

Once you do set up RoboForm securely, it has all the required and most of the optional features one would want in a password manager. Its superior handling of a wide variety of web site styles for automatic form filling and login field detection makes it very easy to use, and a big time saver. Additional nice touches include tracking password changes, an optional feature to gracefully handle new account setup, and a customizable tool bar.

Version 7 of RoboForm improved the user interface, added fingerprint reader support, and extended functionality beyond browsers into many other Windows programs that require passwords. Also under development are a Mac OS X client (UPDATE: released in February 2012), a Google Chrome plug-in (that does not require the use of RoboForm Online), an Android client, and improved versions of the existing mobile clients.

You can learn more from this review:

RoboForm Review by Tech Herald

And a video demonstration of RoboForm that is helpful for those totally new to password managers:

RoboForm Demonstration Video

And the RoboForm web site:

RoboForm.com

UPDATE: RoboForm 7 was released in December of 2010. See PC Magazine’s RoboForm 7 review for an excellent review.

Best Mac OS X Password Manager: 1Password

1Password is by far the most tightly integrated password manager for Apple’s computers, iPads, iPhones, and iPod touches. It looks, feels, and acts as if it were a part of the Mac OS, while also including most of the features found in other great password managers. It is therefore the obvious choice for people who use only Apple devices. It costs $39.95 for the Mac version, and $14.99 for a mobile version which works on the iPad, iPhone, and iPod touch. Less expensive mobile versions are also available that have fewer features and work on fewer devices.

As with all password managers, setting up 1Password requires some learning. Trying to determine which versions of 1Password work on which operating systems for Macs and iPhones is mildly confusing, as are certain choices during setup.

But once set up, logins are fast and integration with Firefox and Safari is seamless. When you change passwords, 1Password prompts you to replace the prior password so you don’t have to do it manually. The product is very well supported, including an extensive web site with forums. Agile Bits (formerly Agile Solutions) is always very quick to make versions of 1Password available for any new Apple product or operating system (most recently, the iPad).

My wife Karin tested 1Password 2.9.x over the past year with her iMac (Mac OS 10.4.11). Prior to 1Password, Karin had never used a password manager. While Karin expressed reservations both prior to getting 1Password and during the first two weeks of use, it has since become second nature and she has become a fan of the password manager concept in general. So much so, that she recently purchased the 1Password iPod touch version.

Version 3.x was released in November of 2009 and requires Mac OS X 10.5 or higher. It has a number of helpful new features, including an option to make your passwords available to other operating systems and mobile devices, software license management, greater mobile syncing flexibility, and password storage for applications and other services that aren’t used in a browser. Setup has also been simplified as the user is no longer required to make a decision about how to store passwords—the Agile keychain is now the only choice.

A 1Password client for Windows is under development (UPDATE: Windows version available since December, 2010. It was awkward to use when first released but I have not tested more recent, refined versions).

You can learn more from this review:

1Password Review by SmokingApples

And the 1Password web site:

1Password

Best Free Password Manager: KeePass

KeePass is a free, open source password manager first released in 2003. It now has versions available for Windows, Mac OS X, Linux, and a number of mobile devices. An advantage of open source software is that it is open to scrutiny, which greatly increases the chances that it will be secure and free of bugs, as compared with its proprietary counterparts. This is especially advantageous for security software such as a password manager which requires a user to entrust sensitive data to a third party.

KeePass is a fully featured password manager that includes random password generation, support for desktop application passwords, and additional security features such as two-factor authentication. Various plug-ins provide additional functionality.

However, using KeePass requires a certain amount of computer sophistication and tinkering. The lack of browser integration requires the use of global, auto-login keyboard shortcuts (auto-type), which work on some sites but require tinkering to get working on others. The commercial password managers discussed above all take care of automatic logins more gracefully and have superior user interfaces. Therefore, KeePass may not be appropriate for the average Joe, but any article about the best password managers should mention KeePass given its zero cost, its open source scrutiny, and its popularity among more sophisticated computer users. Among the tech savvy Lifehacker crowd, KeePass is most popular, though the others mentioned in this post are also popular.

Here is a review of KeePass:

KeePass review by Tech Herald

And the KeePass web site:

KeePass

Honorable mention goes to Password Safe (also free and open source), which is associated with cryptography expert Bruce Schneier. It has fewer features than the other password managers mentioned in this post, concentrating on password entry alone. But it works, and may be sufficient to meet some people’s needs.

Password Safe

Built-in Browser Password Managers

Many people use password managers that come built-in to their browser or security suite. There are several reasons not to do this:

  • Passwords are not shared everywhere you use them (though Xmarks can partially solve this issue)
  • Browser password security is sometimes inferior or buggy as compared with stand-alone products, as it is not the main focus
  • Several stand-alone password managers have superior user interfaces and flexibility, making single click logins, form filling, and other common functions a breeze

That being said, for users who log on to accounts using only a single browser on a single computer which nobody else shares, a browser’s built-in password manager protected by a master password would be sufficient. Firefox users should be aware of Sxipper, an extension which adds significant functionality such as single click login, automatic form filling, and multiple personas.

So Which One is Best?

The 4 password managers profiled above are all very good and always improving. If forced to choose which is the most convenient for the most users, I’d go with LastPass, because you won’t need to switch to another password manager when changing browsers, operating systems, or mobile devices. Developers for RoboForm, 1Password, and KeePass devote considerable effort to making passwords synced and available on a wide variety of platforms, but the cloud-based roots of LastPass means it will usually be the first to support any new browser or operating system.

As mentioned in the update section, it is possible that cloud-based solutions are inherently less secure than desktop-based password management software. For those who value the (possibly) greater security of desktop software over cloud-based solutions or don’t need multi-platform convenience, great choices are:

  • RoboForm for Windows users
  • 1Password for Mac users
  • KeePass for tech savvy users who would rather tinker than pay

But I can’t say it too many times – more important than which you choose is how you use it. Use unique passwords at least 15 random characters long for all accounts, protecting them all with a strong master password – and your chance of getting multiple accounts compromised will be minimal. And that is something you can do with almost any password manager.
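The advice above, as an added example (not code from this article or from any of the reviewed products): it draws a 15-character password from the operating system's CSPRNG, computes its entropy, and goes one step further by working out how many random dictionary words a passphrase needs to match it. The 94-symbol alphabet, the 7,776-word list size, the tiny demo word list and the guess rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumption: 94 printable ASCII symbols (52 letters, 10 digits, 32 punctuation).
# The article does not name a character set.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumption: size of a Diceware-style word list (6**5 entries).
DICEWARE_SIZE = 7776

# Constructed stand-in list so the example runs offline. A real passphrase
# needs a list of thousands of words; eight words give only 3 bits per pick.
DEMO_WORDS = ["anchor", "birch", "copper", "dune",
              "ember", "fjord", "garnet", "harbor"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=15, alphabet=ALPHABET):
    """Return `length` symbols picked independently with the OS CSPRNG.

    secrets.choice() is used instead of random.choice() because the
    `random` module is predictable and unsuitable for secrets.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words, wordlist=DEMO_WORDS, sep="-"):
    """Return `n_words` words picked independently and uniformly."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(choices, length):
    """Entropy of `length` independent uniform picks from `choices` options.

    Only valid for machine-generated secrets; a human-chosen password
    has far less entropy than this formula suggests.
    """
    return length * math.log2(choices)


def words_to_match(target_bits, wordlist_size=DICEWARE_SIZE):
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def years_to_search(bits, guesses_per_second, fraction=0.5):
    """Years needed to try `fraction` of a 2**bits space (0.5 = average case)."""
    return fraction * 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(length=15, guesses_per_second=1e12):
    """Summarise the 15-random-character rule against alternatives."""
    full = entropy_bits(len(ALPHABET), length)
    lower = entropy_bits(26, length)
    return {
        "random_94_bits": round(full, 1),
        "random_lowercase_bits": round(lower, 1),
        "diceware_words_needed": words_to_match(full),
        "avg_years_at_rate": years_to_search(full, guesses_per_second),
    }


if __name__ == "__main__":
    print("password  :", generate_password())
    print("passphrase:", generate_passphrase(8), "(demo list, low entropy)")
    for key, value in compare().items():
        print(f"{key:24} {value}")
```

The figures hold only when every character or word is chosen by the generator; the guess rate of 10^12 per second is a constructed figure, not a measurement.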

Disclaimers

1)  Passwords are just one form of necessary security. PCs lacking up-to-date browsers, security software, and/or operating system software frequently get infected with malware. Perfect password security doesn’t matter if malware observes everything you do on your computer.

2)  I have not been paid to create this series of articles or recommend these products, and will receive no payments if you click on any links in the main content area or buy one of the reviewed password managers. The only free product accepted as part of writing this series of articles was 1Password for my wife to test on her iMac. I wrote this comprehensive guide because I have developed a passion for the subject over the past year and felt that someone needed to pull all these password-related concepts together into one helpful reference guide. I welcome specific feedback so that I can improve upon this series of posts on passwords, with the hope that helping people to become more “net wise” will help reduce password theft.

Filed in category: Password management.

35 Comments

  1. Jim Kloss
    May 15, 2010 at 1:37 AM

    Using KeePass here. I was a slow adopter of pwrd management software but finally did the right thing. Love the random pwrd generator and use it religiously now. Great set of articles BTW.

  2. May 24, 2010 at 7:58 AM

    Some readers have recommended password managers that are much less well known than the four I profiled. I encourage you or any reader to describe what you think is great about your favorite password manager. That would be helpful for other readers.

    The four password managers I have profiled have all been around for at least a couple years, have been used by many, and have therefore been scrutinized (especially key parts of the code of KeePass and 1password). I’ve seen many debates about their respective strengths and weaknesses and feel confident I’ve chosen 4 terrific password managers to profile. However, feel free to discuss pros and cons of these four password managers or any others.

  3. May 30, 2010 at 11:11 PM

    I totally agree that how you use a password manager is much more important than which one you use. Great articles, thank you. I personally use Handy Password, as it has all the necessary features providing both convenience and security. Random password generator is included and there’s no option to leave a password without protection.

  4. Thomas McColl
    September 19, 2010 at 11:00 AM

    First of all many thanks for the very useful and informative website!

    After reading your articles, and because I have a Mac, I downloaded 1password and have just started learning how to use it. It seems like neat software and I will probably keep it, but mostly for the record-keeping aspects of the secure notes and wallet. Not sure about usefulness of the password functions, but maybe I am missing something? Anyway, this is my reasoning: I need to be able to access my mail sometimes when travelling, but do not have a smartphone, so I have to have a password for my email that I can remember. The same goes for banks, and they have several layers of security questions and some require randomly generated pins for various transactions, so they seem safer. Probably I should start using better passwords for these sites, similar to the master password of 1password. Magazine and newspaper subscriptions do not seem so important, and I guess I could use the 1pass random passwords for them, however I would not buy the software just to protect those sites.

  5. September 19, 2010 at 2:41 PM

    Thomas – Thanks for your comment. It is always interesting to hear different use cases for software. You are taking great advantage of some of the secondary features of 1password, but in my mind the most important feature is password management. As I mention in other posts, you can easily generate random, 15 character passwords for all of your accounts to replace your old passwords. 1Password not only remembers them for you, but also you can use 1Password to automatically open a web site that requires a login. You only need to type in your master password once at the beginning of your computer session and then 1Password takes care of the rest.

    To use these passwords while you are not at one of your own devices, there are several methods you can use, as described here:

    http://help.agile.ws/1Password3/1passwordanywhere.html

    If none of those methods work for you, then perhaps you have the right idea to make up your own easier-to-remember passwords for the few accounts you really need to access from elsewhere such as e-mail. Or perhaps LastPass might be a more appropriate password manager for your use case, as it is purely cloud-based and can easily be accessed from any device. The paid version of LastPass even includes one time passwords (OTP) which makes it possible to securely access LastPass from untrustworthy devices such as public computers.

  6. Thomas McColl
    September 20, 2010 at 2:59 AM

    Thank you for the helpful suggestions. Did purchase 1password and have started using the password generator–v. sharp program. Will have to do some thinking about the email problem, and choose the best solution…I am pretty stupid with computers and can just see myself getting locked out by my own security system! Quite often computers in business centers etc. only have Internet Explorer on which Mobile.me does not work well either for that matter. I had to download Firefox in Bangalore once which I thought was funny because you would expect that to be a most progressive place as far as software goes.

  7. May 5, 2011 at 4:25 PM

    Hi, Joe :)

    First off: thanks for this: I came here looking for information relating to inbuilt browser password management and… you answered my question :)

    LastPass seems to be having problems currently.

    Perhaps it’s just as well that I decided to evaluate KeePass instead. (Initial thoughts: blimey, what a palaver! I seem to be spending half my life updating password information at present. The One Ring is much easier to manage — I know, I know, security/ convenience tradeoff… do I want to risk it?)

    Best, Colin

  8. May 5, 2011 at 4:46 PM

    Thanks for your comment, Colin. I do know it takes a few hours to change all your passwords but you’ll make up all that time and more over the next few years with automatic logins. Also, since you already have a unique password for each account, perhaps you only need to update all the critical ones (email, financial, social, etc.).

  9. May 16, 2011 at 7:58 PM

    Good write-up. I’ll give +1 for Opera.

    There’s also a Chrome extension that integrates KeePass with Chrome, but I’m not sure how secure it is: ChromeIPass

  10. George Williamson
    September 23, 2011 at 5:59 PM

    I have been using Billeo for several years and am satisfied. Any comments/thoughts about Billeo? It used to work with Firefox but no longer with newer versions. Still works with IE9 and never with Chrome. I am now looking for a new system. Thank you so much for your helpful post! LastPass seems best for me.
    George

  11. September 23, 2011 at 6:25 PM

    I’m not familiar with Billeo. Do you have a Mac or Windows system? Do you need to access passwords from many places or just one system? The answers to these questions will lead you to the best password manager for you.

  12. September 27, 2011 at 10:54 AM

    What about a password manager that can be used in a business?
    Looking for a program that stores URLs and users can click on it, and will be automatically logged in, without being able to see the login/passwords?
    (We’ll have an admin that will maintain the password list)

    Any suggestions on this?

  13. September 27, 2011 at 11:16 AM

    Business-oriented password managers are not something I’ve researched, though do note that RoboForm has enterprise versions of its password manager which includes some administrative features. So that is an option to look into.

    The IT departments at most large companies are resistant to password managers in the workplace. I’m not sure why. The trend is more towards smart card solutions – that is, you issue a card or some other type of token to your employee and that is used to authenticate – though not sure how (or if) that works for services outside of the corporate intranet.

    For small companies without IT departments I would think password managers (and training on how to best use them) would be a good option. Certainly it’s better than doing nothing at all, which risks the kinds of break-in that happened with Twitter a couple years ago.

  14. Eric Williams
    November 4, 2011 at 10:51 AM

    I’ve been using SplashID for many years. It started as a Palm password manager, but now has a desktop app that can be used by itself. I’ve been syncing it through Dropbox, but have run into occasional problems when the database is open by multiple machines at the same time. I’ve been looking for an alternative, but one that can handle other information other than passwords like SplashID can.

    Chrome can also sync browser passwords through the cloud. Go to options->personal stuff->sync to turn it on. Passwords can be encrypted under your Google account password, or under a separate password — your choice.

  15. November 4, 2011 at 11:15 AM

    Eric – Have you tried RoboForm or 1Password? They both can be used the way you’re describing, with both Dropbox sync and handling information other than passwords. If you’ve tried either one, I’d be curious to know what you thought of them compared with SplashID.

  16. December 4, 2011 at 6:19 AM

    I use Lastpass with Yubikey, a strong combination!

  17. Alex
    January 9, 2012 at 9:29 AM

    I’d add netwrix password manager (www.netwrix.com) to this list as well. It’s really easy for users to set up, and allows my end users to reset forgotten passwords without calling the helpdesk. I know the tool is also available in a freeware version for up to 40 or 50 end users.

  18. Peter
    April 5, 2012 at 3:56 AM

    Thanks for your review.
    I’ve been using PassMaster on a WM6.5 smartphone and a Windows desktop version syncing b/n both using Active Sync. This has worked really well for me but I’m about to get an android phone for work so wanting to migrate my data, approx 300 entries, over to something which runs on both android and windows PCs. I don’t like the idea of the ‘cloud’ to store my passwords. Passmaster can output a csv file so hoping I can load it into an android application easily. Passmaster also had a very simple folder structure with a good search if required. Will keep reading these reviews before making a decision.

  19. Thrawn
    May 15, 2012 at 11:28 PM

    Long random passwords are all very well, but passphrases may be just as good while being much easier to remember & type. A string of random dictionary words has very high entropy (you can do the math), but can usually be remembered easily with a mnemonic.

  20. May 20, 2012 at 8:37 AM

    Pass phrases are great and I would totally recommend them if you only need a single password. The problem is that most people have dozens of accounts. Having a single password for all accounts is risky. So if you want to have a different pass phrase for each account it gets hard to remember. I do suggest a way to combine a pass phrase with a slight difference for each service but I think most people would find the approach somewhat cumbersome.

  21. Curt
    June 15, 2012 at 7:27 PM

    Great article…the best one I’ve read yet….I guess for me it comes down to whether I want to use a cloud based system or the Windows based Robo-Form…Your article helped me narrow it down….thanks.

  22. rmark
    July 15, 2012 at 7:15 AM

    I’ve been using mars password manager. Easy to use,
    easy to manage your passwords and logins through Mars password IE toolbar, and can keep all your passwords on a USB flash drive and use them on any computer you happen to work at the time.

    the mars password web site:
    marstool.com

  23. rj
    July 28, 2012 at 5:20 PM

    Did anybody notice that 1Password now supports Windows?

  24. July 29, 2012 at 7:49 AM

    rj – 1Password has supported Windows for a couple years. I tested it once a few months after it came out and was not impressed. It was much less refined than the Mac version and much less convenient on Windows than Roboform. I’ve also read comments by people over the past year suggesting that the Windows version is still far behind the Mac version and several competitors. However, if you primarily use Mac and iOS devices and Windows systems only occasionally, it’s good enough to get by as you’ll at least have your passwords available.

    Roboform also has a Mac version, but from what I’ve read it trails the convenience of 1Password for Mac systems. So my advice stands: 1Password is great for (primarily) Mac/iOS users, Roboform for (primarily) Windows users, and LastPass for those who use a wide variety of systems.

  25. Carl
    August 14, 2012 at 7:02 AM

    Thanks for the clear overview you have provided. I started out with SplashId many years ago and for a few years now I’ve been using http://mitto.com, which is a free cloud service. Having everything in the cloud, and only in the cloud, was a must for me. I keep around 200 logins, IDs and other stuff for me and others (users etc).
    Mitto is a bit cumbersome in some ways, and maybe a bit secretive, but it does have a terrific sharing functionality which I just can’t do without. Do these other services have a sharing function? In that case, I will first give LastPass a good look.

  26. Jeff Marble
    October 15, 2012 at 9:12 PM

    I’m looking for a PW manager for Chrome. I have used RoboForm for years but now they force you to use their RoboForm Anywhere… even in the Chrome Lite plug-in. I don’t want my passwords in the cloud. I’d also like a manager that can import my current RoboForm passwords. Any suggestions?

    Jeff

  27. October 16, 2012 at 7:36 AM

    Jeff – RoboForm does not force use of RoboForm Everywhere. When you upgrade (or install for first time), you have a choice during installation. I continue to use RoboForm without the Everywhere service.

    I do sync, but I’m using Dropbox. I figure that RoboForm and Dropbox are both juicy targets for hackers, but the likelihood of both Dropbox and RoboForm being compromised at the same time is negligible.

  28. ek
    December 11, 2012 at 7:16 PM

    Don’t trust any password managers. Who knows which update will sneak in code to steal them. Good old spreadsheet with disk encryption and password protected file on my Mac. Nothing else.

  29. Andrew
    December 20, 2012 at 7:57 PM

    I run a KeePass database, and use a combination of KeePass for my personal Windows devices, KeePass Portable on a USB stick, KeePassX on OS X and KyPass on iPhone and iPad. My database lives in Dropbox, and it does the syncing between all the devices. It all works seamlessly. When I update an entry on one device, it is automatically there on all others. It is all for FREE, apart from KyPass which is a one-off ~$3 purchase. I don’t want automatic form filling in my browser … too risky for me thanks very much. I don’t want to use cloud based password management products … the threat base is too high. Even if someone manages to get access to my Dropbox, the database file itself is AES 256-bit encrypted. If they manage to decrypt that (if they had a trillion machines, each testing a billion keys per second, it would take more than two billion years to recover an AES-128 key) then they can have my passwords.

  30. Gary
    May 17, 2013 at 6:37 AM

    I use Intuitive Password. It is a new Australian company that provides a “rock solid” cloud-based password management system. It supports all major browsers and mobile devices, you don’t need to manually sync your data, the system does it automatically. The user interface is very nice too. Your data is securely stored in the data center. Worth a try: https://www.intuitivepassword.com

  31. Dave
    July 4, 2013 at 8:40 AM

    I’ve used 1Password for Mac for the past 3 years and loved it! I have had to use Windows recently and have tried the free trial of 1Password for Windows, and it is not well integrated into your browsers, and is very awkward to enter in passwords manually.

    I’m about to give Avast EasyPass a shot.

  32. July 4, 2013 at 9:41 AM

    My experience has been the same. I use Roboform on Windows and 1Password for iOS. If I had a Mac, I would definitely use 1Password.

  33. Ken Lee
    August 15, 2013 at 5:26 PM

    I am just an old late 82 yo blow-in re computers but have tried for months to find an explanation of what password managers DO not HOW they work or whether I NEED one – been trying to help Avast sell me one if only someone somewhere would reply – in plain English please explain?

  34. August 16, 2013 at 8:40 AM

    Ken – what password managers do can be found by searching for the keywords “how passwords are encrypted.” This article seems pretty good:

    http://www.jasypt.org/howtoencryptuserpasswords.html

    Also, one of the better password managers, 1Password, has a blog where sometimes Jeff discusses some of the technical details. For example:

    http://blog.agilebits.com/2011/05/05/defending-against-crackers-peanut-butter-keeps-dogs-friendly-too/

    Most of the articles you’ll find are written by and for programmers or mathematicians who specialize at least to some extent in cryptography. So if you don’t have much of a math or programming background, you may find some of the articles tough going.

  35. Ken Voak
    December 6, 2013 at 12:36 PM

    Appreciate all the information. Now I need to check the best ones out to make a decision.
