Which Password Manager?

There are dozens of password managers, including some built into browsers. Many of them do the basic job you need, which is to use a master password and strong encryption to securely store your passwords. More important than selecting the “best” password manager is to use such software wisely. I describe how to use a password manager here (basics and index to password series) and here (tips).

If you’re already using and liking a password manager not mentioned in this post, by all means keep using it so long as it offers master password protection in combination with strong encryption. While most password managers offer password import and export functions, the actual practice of switching password managers and learning a new one is cumbersome.

However, if you’re selecting a password manager for the first time or dissatisfied with your current password manager, you may as well benefit from my efforts to identify the best password managers for individuals. My efforts included extensive use of two password managers and poring through hundreds of reviews, forums, and comments about many others.

Below I describe four password managers with an outstanding combination of features, low cost, ease of use, and well-deserved popularity.

What to look for in a Password Manager

  • Security must be a given (master password, AES).
  • It should be as easy as possible to get started using the password manager, without sacrificing security.
  • It must be easy to securely auto-fill user name and passwords in the more popular browsers.
  • It must be easy to capture new login information and associate with one specific site.
  • Passwords should be synced and easily available on all the desktop and mobile platforms you use. Keeping your passwords on your phone is more secure than carrying around a printed listing of your passwords, so long as it is protected by a master password.

There are also a few optional features that you may want, such as automatic form filling, secure notes, multiple identities, easy import/export, password generation, USB key support, and additional security features such as virtual keyboards, two-factor authentication, and one-time passwords.

Weaknesses Shared by all Password Managers

So far as I have been able to determine, all password managers will let you choose as weak a master password as you like, some without any warning. Most password managers allow some or all passwords to not be protected by a master password. Furthermore, many password managers ask users to make decisions during setup (or offer options) that require significant knowledge of password security.

By allowing this flexibility, users can be exposed to more danger than if they weren’t using a password manager at all – because all of these unprotected or lightly protected passwords are assembled in one electronic location.

Simon Davis of RoboForm-maker Siber Systems says that users of RoboForm fall into two categories: those who seek convenience and those who seek security. His experience has been that convenience users outnumber security conscious users. Some people do not protect any data with a master password.

I suspect that most users seeking convenience would use a strong master password to protect all passwords if they understood the risks involved of not doing so. I started out as a RoboForm convenience user but changed my habits to a secure user after educating myself about the risks of unprotected passwords.

It is possible to imagine password manager software which does a better job of both warning and educating users about unsafe password practices. It is also possible to imagine a setup process for password managers that asked the user a simple question at the beginning of setup: Do you want to optimize for security, convenience, or half-way in between? At the very least, I would like to see improved, cooperative efforts by the security industry to promote safe password practices.
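As an added illustration of the kind of setup-time warning described above (this is example code written for this post's argument, not code from any of the password managers reviewed here), the following Node.js sketch estimates the entropy of a user-chosen master password from its length and character classes and refuses or warns below a threshold. The 60-bit minimum and the short common-password list are assumptions chosen for the example, not any product's real policy.

```javascript
// Added example: a setup-time master password check of the sort the post wishes
// password managers would perform. Not from any reviewed product.

// Size of the alphabet the password appears to draw from.
function charsetSize(password) {
  let size = 0;
  if (/[a-z]/.test(password)) size += 26;
  if (/[A-Z]/.test(password)) size += 26;
  if (/[0-9]/.test(password)) size += 10;
  if (/[^a-zA-Z0-9]/.test(password)) size += 33; // printable ASCII symbols and space
  return size;
}

// Upper bound on entropy in bits, assuming every character was chosen uniformly.
// Human-chosen passwords are usually weaker than this ceiling, so it is a generous estimate.
function estimateEntropyBits(password) {
  const size = charsetSize(password);
  if (size === 0 || password.length === 0) return 0;
  return password.length * Math.log2(size);
}

// Constructed list standing in for a real common-password dictionary.
const COMMON_PASSWORDS = new Set(['password', '123456', 'qwerty', 'letmein', 'iloveyou']);

// Returns { ok, bits, reason }; minBits is an assumed policy threshold.
function assessMasterPassword(password, minBits = 60) {
  if (COMMON_PASSWORDS.has(password.toLowerCase())) {
    return { ok: false, bits: 0, reason: 'appears in a common-password list' };
  }
  const bits = estimateEntropyBits(password);
  if (bits < minBits) {
    return { ok: false, bits, reason: `estimated ${bits.toFixed(1)} bits, below the ${minBits}-bit minimum` };
  }
  return { ok: true, bits, reason: 'acceptable' };
}

// Usage: console.log(assessMasterPassword('correct horse battery staple'));
```

The estimate is deliberately an upper bound; a check like this should refuse obviously weak choices rather than certify strong ones, which is why the dictionary test runs before the arithmetic.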

Best Cloud-Based Password Manager: LastPass

Cloud Computing is the use of web services to create, edit, and store data on servers located elsewhere. A number of cloud-based password services have launched in the past few years. These password services make it easy for you to access your passwords from any desktop or mobile browser. While many people feel instinctively more comfortable storing sensitive information on their own hard drive rather than on some far-off server, the developers of such sites explain that they don’t store your master password. It is impossible to view the encrypted passwords stored on their servers without the master password, even for employees of the online password service.

If you’re comfortable with your passwords being encrypted and stored in the cloud, you’ll find that using a cloud-based password service is convenient. Your passwords are easily available and synced across all platforms using browser bookmarklets, plugins, or extensions. For people who use multiple operating systems, browsers, and mobile devices on a daily basis, a cloud-based solution is far more convenient than the desktop-based competition, which is generally compatible with fewer systems. Assuming proper security, the only disadvantage is that the service can be partially or fully disrupted when the server storing the passwords goes down.

LastPass is one such cloud-based password service. Though I have not personally tested LastPass, an examination of reviews, forums and the LastPass web site suggests that users are overwhelmingly satisfied with LastPass. This service is the only password manager system for consumers I’ve come across that includes every optional feature offered by any of its competitors. The “one-time passwords” feature provides a secure means to access passwords from public WiFi. The potential disruption caused by temporary server failure can be mitigated by local password caching for those who use a plug-in for Firefox or Internet Explorer. LastPass maintains an extensive and well organized web site and forums.

LastPass is a free service with basic functionality comparable with RoboForm or 1Password, yet available on a wider variety of platforms. For $12/year, LastPass offers mobile clients, two-factor authentication, and emergency phone support. And most people who have tested multiple password managers claim that LastPass is one of the easiest to use.

You can learn more from these two reviews:

LastPass Review by PC Magazine

LastPass Review by Tech Herald

And from the LastPass web site:

LastPass.com

Risks of Storing Passwords in the Cloud with LastPass (UPDATE)

Two recent incidents highlight the risks of storing passwords in the cloud, so I felt a need to update this post with this entirely new section.

On May 4, 2011, LastPass notified users of an unexplained transmission of data to and from their services. It is not known whether passwords were stolen. Given that stored passwords are encrypted, this is not likely to cause problems, but LastPass management has taken precautionary steps. Details here.

On February 26, 2011, security researcher Mike Cardwell reported a LastPass vulnerability. A cross-site scripting (XSS) vulnerability allowed the possibility of any logged-in LastPass user visiting a malicious web site to have various account details logged (though not in a way that exposed encrypted passwords). Mike Cardwell believes other XSS LastPass vulnerabilities may be discovered in the future, based on his understanding of the LastPass architecture. LastPass is a top-notch company and I expect them to do everything possible to eliminate any remaining vulnerabilities. Details from LastPass are here.

LastPass responded with great speed and openness to both issues, which is a great credit to their integrity. However, these incidents serve as a reminder that web-based software is more difficult to secure than desktop-based software. LastPass is a tempting target for password thieves. I have no doubts about the integrity or ability of the LastPass team. But the more popular they get, the more resources will be used by the bad guys to break in and steal passwords. People with nagging doubts about the security of web-based password managers can now point to these real examples.

Best Windows Password Manager: RoboForm

UPDATE: EasyPass was launched by security software leader avast! in October 2011. It is essentially RoboForm. So this review of RoboForm serves as a review of the Avast EasyPass password manager as well.

For those people who use their passwords primarily on their Windows systems, RoboForm offers fully featured password management and automatic form filling software for a reasonable cost ($29.95 for the first system, $9.95 for subsequent licenses). An online version of RoboForm with fewer features is available for free. For years, RoboForm received top accolades from PC magazine and other publications, though in recent times the competition has greatly improved.

For those who prefer to store their passwords on their own system, RoboForm remains the best option for Windows. Plug-ins for Firefox and Internet Explorer (UPDATE: and in 2011, Chrome and Opera) make RoboForm work very smoothly with browsers. I have used RoboForm for over 5 years and have no plans to switch. Dropbox keeps my 3 Windows systems’ passwords in sync.

While RoboForm has its roots as Windows software, it has versions for most major mobile platforms ranging from the Blackberry (non-syncing, basic password storage that can be used via copy/paste) to the iPhone (includes sync and 1-click logins). Using the optional, free RoboForm Online service in conjunction with the RoboForm Bookmarklet allows RoboForm to autofill logins on unsupported browsers or unsupported operating systems (OS X, Linux). RoboForm extensions for Firefox and Chrome used in conjunction with RoboForm Online mean that RoboForm can be accessed from either of these two browsers on any operating system.

RoboForm is very flexible – perhaps too flexible – as it allows users many options to reduce security. For example, the security settings can be set so that 5 hours after you close your browser, log out, and put your computer to sleep, someone could waken the computer, log in to the guest account, and start logging in to all your web sites. RoboForm is not set up this way by default, but why even allow the possibility of such an insecure setup?

Once you do set up RoboForm securely, it has all the required and most of the optional features one would want in a password manager. Its superior handling of a wide variety of web site styles for automatic form filling and login field detection makes it very easy to use, and a big time saver. Additional nice touches include tracking password changes, an optional feature to gracefully handle new account setup, and a customizable tool bar.

Version 7 of RoboForm improved the user interface, added fingerprint reader support, and extended functionality beyond browsers into many other Windows programs that require passwords. Also under development is a Mac OS X client (UPDATE: released in February 2012), a Google Chrome plug-in (that does not require the use of RoboForm Online), an Android client, and improved versions of the existing mobile clients.

You can learn more from this review:

RoboForm Review by Tech Herald

And a video demonstration of RoboForm that is helpful for those totally new to password managers:

RoboForm Demonstration Video

And the RoboForm web site:

RoboForm.com

UPDATE: RoboForm 7 was released in December of 2010. See PC Magazine’s RoboForm 7 review for an excellent review.

Best Mac OS X Password Manager: 1Password

1Password is by far the most tightly integrated password manager for Apple’s computers, iPads, iPhones, and iPod touches. It looks, feels, and acts as if it were a part of the Mac OS, while also including most of the features found in other great password managers. It is therefore the obvious choice for people who use only Apple devices. It costs $39.95 for the Mac version, and $14.99 for a mobile version which works on the iPad, iPhone, and iPod touch. Less expensive mobile versions are also available that have fewer features and work on fewer devices.

Like all password managers, setting up 1Password requires some learning. Trying to determine which versions of 1Password work on which operating systems for Macs and iPhones is mildly confusing, as are certain choices during setup.

But once set up, logins are fast and integration with Firefox and Safari is seamless. When you change passwords, 1Password prompts you to replace the prior password so you don’t have to do it manually. The product is very well supported, including an extensive web site with forums. Agile Bits (formerly Agile Solutions) is always very quick to make versions of 1Password available for any new Apple product or operating system (most recently, the iPad).

My wife Karin tested 1Password 2.9.x over the past year with her iMac (Mac OS 10.4.11). Prior to 1Password, Karin had never used a password manager. While Karin expressed reservations both prior to getting 1Password and during the first two weeks of use, it has since become second nature and she has become a fan of the password manager concept in general. So much so, that she recently purchased the 1Password iPod touch version.

Version 3.x was released in November of 2009 and requires Mac OS X 10.5 or higher. It has a number of helpful new features, including an option to make your passwords available to other operating systems and mobile devices, software license management, greater mobile syncing flexibility, and password storage for applications and other services that aren’t used in a browser. Setup has also been simplified as the user is no longer required to make a decision about how to store passwords—the Agile keychain is now the only choice.

A 1Password client for Windows is under development (UPDATE: Windows version available since December, 2010. It was awkward to use when first released but I have not tested more recent, refined versions).

You can learn more from this review:

1Password Review by SmokingApples

And the 1Password web site:

1Password

Best Free Password Manager: KeePass

KeePass is a free, open source password manager first released in 2003. It now has versions available for Windows, Mac OS X, Linux, and a number of mobile devices. An advantage of open-source software is that it is open to scrutiny, which greatly increases the chances that it will be secure and free of bugs, as compared with its proprietary counterparts. This is especially advantageous for security software such as a password manager, which requires a user to entrust sensitive data to a third party.

KeePass is a fully featured password manager that includes random password generation, support for desktop application passwords, and additional security features such as two-factor authentication. Various plug-ins provide additional functionality.

However, using KeePass requires a certain amount of computer sophistication and tinkering. The lack of browser integration requires the use of global, auto-login keyboard shortcuts (auto-type), which work on some sites but require tinkering to get working on others. The commercial password managers discussed above all take care of automatic logins more gracefully and have superior user interfaces. Therefore, KeePass may not be appropriate for the average Joe, but any article about the best password managers should mention KeePass given its zero cost, its open source scrutiny, and its popularity among more sophisticated computer users. Among the tech-savvy Lifehacker crowd, KeePass is most popular, though the others mentioned in this post are also popular.

Here is a review of KeePass:

KeePass review by Tech Herald

And the KeePass web site:

KeePass

Honorable mention goes to Password Safe (also free and open source), which is associated with cryptography expert Bruce Schneier. It has fewer features than the other password managers mentioned in this post, concentrating on password entry alone. But it works, and may be sufficient to meet some people’s needs.

Password Safe

Built-in Browser Password Managers

Many people use password managers that come built into their browser or security suite. There are several reasons not to do this:

  • Passwords are not shared everywhere you use them (though Xmarks can partially solve this issue)
  • Browser password security is sometimes inferior or buggy as compared with stand-alone products, as it is not the main focus
  • Several stand-alone password managers have superior user interfaces and flexibility, making single click logins, form filling, and other common functions a breeze

That being said, for users who log on to accounts using only a single browser on a single computer which nobody else shares, a browser’s built-in password manager protected by a master password would be sufficient. Firefox users should be aware of Sxipper, an extension which adds significant functionality such as single click login, automatic form filling, and multiple personas.

So Which One is Best?

The 4 password managers profiled above are all very good and always improving. If forced to choose which is the most convenient for the most users, I’d go with LastPass, because you won’t need to switch to another password manager when changing browsers, operating systems, or mobile devices. Developers for RoboForm, 1Password, and KeePass devote considerable effort to making passwords synced and available on a wide variety of platforms, but the cloud-based roots of LastPass mean it will usually be the first to support any new browser or operating system.

As mentioned in the update section, it is possible that cloud-based solutions are inherently less secure than desktop-based password management software. For those who value the (possibly) greater security of desktop software over cloud-based solutions or don’t need multi-platform convenience, great choices are:

  • RoboForm for Windows users
  • 1Password for Mac users
  • KeePass for tech savvy users who would rather tinker than pay

But I can’t say it too many times – more important than which you choose is how you use it. Use unique passwords at least 15 random characters long for all accounts, protecting them all with a strong master password – and your chance of getting multiple accounts compromised will be minimal. And that is something you can do with almost any password manager.

Disclaimers

1)  Passwords are just one form of necessary security. PCs lacking up-to-date browsers, security software, and/or operating system software frequently get infected with malware. Perfect password security doesn’t matter if malware observes everything you do on your computer.

2)  I have not been paid to create this series of articles or recommend these products, and will receive no payments if you click on any links in the main content area or buy one of the reviewed password managers. The only free product accepted as part of writing this series of articles was 1Password for my wife to test on her iMac. I wrote this comprehensive guide because I have developed a passion for the subject over the past year and felt that someone needed to pull all these password-related concepts together into one helpful reference guide. I welcome specific feedback so that I can improve upon this series of posts on passwords, with the hope that helping people to become more “net wise” will help reduce password theft.

Author: Joe Golton

I’m a dad with a son who loves baseball. Professionally, I’ve been a software developer, investor, controller, and logistics manager. I now make my living from this blog, supplemented with occasional consulting gigs.
