Thanks to high-profile computer security scares such as the Heartbleed vulnerability and the Target data breach, and to the allegations leveled at the government and cloud providers by Edward Snowden, more of us Internet users are wising up about the security of our information. One of the smarter moves we can make to protect ourselves is to use a password manager. It's one of the easiest too.
A password manager won't shield you against Heartbleed or the NSA, but it's an excellent first step in securing your identity, helping you increase the strength of the passwords that protect your online accounts because it will remember those passwords for you. A password manager will even randomly generate strong passwords, without requiring you to memorize or write down these random strings of characters. These strong passwords help shield against traditional password attacks such as dictionary, rainbow tables, or brute-force attacks.
Many password managers allow you to automatically populate your password vault by capturing your Web log-ins using a browser plug-in and allowing you to store these credentials. Other options for populating your password database include importing an Excel spreadsheet or manually entering your log-in information. Further, using these stored credentials is typically automated using a browser plug-in, which recognizes the website's username and password fields, then populates these fields with the appropriate log-in information.
Although several browsers offer similar functionality out of the box, many password managers offer several benefits over the built-in browser functionality -- including encryption, cross-platform and cross-browser synchronization, mobile device support, secure sharing of credentials, and support for multifactor authentication. In some cases, usernames and passwords must be copied from the password manager into the browser, reducing the ease-of-use but increasing the level of security by requiring entry of the master password before accessing stored log-in information.
Some password managers store your credentials locally, others rely on cloud services for storage and synchronization, and still others take a hybrid approach. Some of the options using local storage (such as KeePass and 1Password) still support synchronization through Dropbox or other storage services. Deciding which password manager is best for you will come down to features and ease-of-use, as well as to whether you're comfortable storing your passwords on the Internet.
If having your critical data stored in a cloud service worries you, then KeePass, 1Password, or SplashID Safe (sans SplashID's cloud service) offer the best options. If you trust cloud-based services with your passwords and believe they will really protect your data using good security practices and encryption, then LastPass, Dashlane, or PasswordBox are your best bets.
In my judgment, KeePass is the best of the options using local storage. The fact that it's open source, free, and complemented by countless plug-ins adds up to a very flexible option. With the right combination of plug-ins, KeePass can be made to do just about anything you could require of a password manager. My favorite cloud option is LastPass, primarily due to its low cost and the consistent implementation of features across all of the clients. Each LastPass client I tested was easy to work with, stable, and remarkably uniform from a usability perspective. Additionally, the fact that a LastPass Premium account is all of $1 per month makes it an extremely compelling option.
But one of these other options might suit you better. Really, you can't go wrong with any of these password managers.
Like KeePass, 1Password uses a local file to store encrypted passwords. AgileBits does not provide a cloud service for synchronization with mobile devices, but 1Password does support synchronization of the password vault using Dropbox (all platforms) or iCloud (Mac and iOS only). 1Password also supports synchronization over Wi-Fi between Windows, Mac, and iOS clients. Because the 1Password vault is contained in a single file, you gain the convenience of a portable password vault without having to store your passwords on the Internet.
1Password clients allow you to create and maintain multiple password vaults. Multiple vaults can be used to share some of your passwords with another family member or coworker. Secure sharing between 1Password clients is supported, giving you a method to transmit a login (or any sensitive information, such as a credit card number or the answer to a website's security question) to another licensed 1Password user over an encrypted channel. Emailing login information in plain text is also supported, but this information is only as secure as your email traffic.
The cost of using 1Password is markedly different from that of cloud-based password lockers. Users must purchase clients for each platform they intend to use, costing more up front than a subscription service, but potentially saving money in the long term. 1Password for PC and Mac cost $49.99, while the universal iOS version runs $17.99. The Android app is free with in-app purchases, providing read-only access to your password vault until you purchase the upgrade. AgileBits also provides bundled options for purchasing 1Password for PC and Mac or a five-user family license.
My biggest concern with 1Password has to do with feature parity between the Mac and PC versions. Currently both platforms offer similar features, largely due to a massive update to the Windows version just days before publication of this article. Previously, features such as secure sharing or Wi-Fi sync were nowhere to be found. AgileBits has made good on promises to bring these features to all platforms, but if you're primarily a PC user, the lag may be cause for concern. Regardless, 1Password is a strong password manager. With AgileBits' strong ties to the Apple community, this is particularly true for Mac and iOS users.
Dashlane toes the line between cloud service and local password manager in an attempt to answer every security concern. You can store your password database on Dashlane's servers and take advantage of synchronization across devices, or you can store your password vault locally and forgo synchronization. It's your choice.
If you store your password database in Dashlane's cloud, your master password remains with you only. Rather than storing a hash of the master password on its servers, Dashlane claims to use your password merely to encrypt and decrypt the data locally. For this reason your password database on the Web is read only, and changes can solely be made on a client.
Authentication is performed against devices that are registered with Dashlane through a two-step process, incorporating your master password and a device registration code sent via email. Two pricing tiers are offered for Dashlane users. A free account allows access to your passwords through a single device of your choice. Premium accounts, which cost $29.99 per year, let you synchronize your passwords across multiple devices, give you access to the read-only Web app, and entitle you to Dashlane's customer support.
With Dashlane, retention of your master password is critical. The company states that it is unable to perform password recovery in the event of loss, a necessary side effect of its decision to not store a copy of your password in any form. Two-factor authentication is also supported through the use of Google Authenticator. Support for two-factor authentication must be enabled through the Windows or Mac client and can only be used on Internet-connected clients. Dashlane's secure sharing process combines an email containing a link and an access code, both of which expire within a short period of time. It's the best approach to secure password sharing I've seen.
Because Dashlane attempts to be a hybrid of a cloud-based and local password manager, it isn't as full featured as other cloud offerings, and it may not win over customers fearful of cloud services. However, Dashlane has been able to accomplish something truly remarkable through no small amount of ingenuity and attention to security precautions. Before you dismiss Dashlane because it's a cloud-based service, take a look at the company's security whitepaper, which details the concepts and security practices it has implemented.
A mature open source project (GNU GPL version 2), KeePass is a free password management solution for Windows, OS X, or Linux, running natively on Windows and requiring Mono for the other platforms. Many of the benefits of open source software are present in KeePass, including ports to other client operating systems and a robust plug-in ecosystem. With the extensibility offered by plug-ins for KeePass, you can change the encryption algorithm, automate logins through your browser, integrate an on-screen keyboard, or even create scripts you can run against KeePass.
KeePass was designed to store a local copy of the password vault. Cloud backup and support for synchronization across multiple devices are obtained through plug-ins that work with the likes of Dropbox, Google Docs, and Microsoft OneDrive. A side benefit of a local password database such as KeePass is the ability for multiple users to share a database or for one user to keep multiple databases, sharing some and keeping others private.
With KeePass, you can lock your password vault using a combination of password, key file, and Windows authentication.
Mobile support for KeePass is a little more obtuse than some of the commercial options. Ports are available for iOS, Android, and Windows Phone, but the big question becomes synchronization support. Not all mobile ports support cloud synchronization, and those that do support only a subset of the cloud options. Some mobile KeePass clients carry a cost, though most are in the $1 to $2 range.
If you're more concerned about the security of your password vault than mobile clients and device synchronization, you'll be pleased to know that KeePass supports multiple authentication methods by default. KeePass database files can be locked by a combination of password, key file, and Windows user account. With a key file stored on removable media such as a USB thumb drive, two-factor authentication can be used to secure access to your critical passwords.
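To show why a key file on removable media acts as a second factor, here is an added example (not KeePass's own code) modelled on the way KeePass combines a password and key file into one composite key before stretching it; the exact hashing details and the use of PBKDF2 in place of KeePass's key transformation are assumptions for illustration. It also shows the point made about Dashlane above: only a salt and a verifier are ever written to disk or a sync service, never the master password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustration modelled on KeePass's composite key: each unlock factor is
# hashed separately, the hashes are concatenated, and the result is hashed
# again. A database file copied from Dropbox without the key file therefore
# derives an entirely different key. Details are assumptions for this example.

def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        # A 32-byte key file is used as-is; anything else is hashed to 32 bytes.
        parts += keyfile if len(keyfile) == 32 else hashlib.sha256(keyfile).digest()
    return hashlib.sha256(parts).digest()

def derive_vault_key(key: bytes, salt: bytes, rounds: int = 100_000) -> bytes:
    # Key stretching (PBKDF2 stands in for KeePass's own transformation here)
    # slows down offline guessing against a stolen database file.
    return hashlib.pbkdf2_hmac("sha256", key, salt, rounds)

def create_vault(password: str, keyfile: Optional[bytes] = None) -> dict:
    # Only the salt and a verifier are stored; the password and key file
    # stay on the client, so a sync service learns nothing it can reverse.
    salt = os.urandom(16)
    vault_key = derive_vault_key(composite_key(password, keyfile), salt)
    verifier = hmac.new(vault_key, b"verify", "sha256").digest()
    return {"salt": salt, "verifier": verifier}

def unlock(vault: dict, password: str, keyfile: Optional[bytes] = None) -> bool:
    vault_key = derive_vault_key(composite_key(password, keyfile), vault["salt"])
    expected = hmac.new(vault_key, b"verify", "sha256").digest()
    return hmac.compare_digest(expected, vault["verifier"])

if __name__ == "__main__":
    usb_keyfile = os.urandom(32)  # constructed stand-in for a key file on a thumb drive
    vault = create_vault("correct horse battery", usb_keyfile)
    print(unlock(vault, "correct horse battery", usb_keyfile))  # True
    print(unlock(vault, "correct horse battery"))               # False: key file missing
```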
The biggest downside to KeePass is complexity. Getting all of the advanced functionality offered by the competition will require quite a bit of research, setup, and maintenance. While KeePass is a great solution for fans of open source, maximum flexibility, and free software, it is certainly not as straightforward as some of the cloud-based services listed here.
LastPass may be the most popular password manager in this review, due to a rich set of features, support for a wide range of mobile platforms, and straightforward licensing, not to mention aggressive marketing. Unlike KeePass, LastPass is decidedly cloud-centric, using its own cloud service to store user information and synchronize data.
LastPass offers free and premium pricing tiers for consumers, with the premium service costing just $1 per month. Users of the free edition get many of the basics you'd expect from a cloud-based service, including plug-in support for multiple browsers, anywhere access, and even support for multifactor authentication using Google Authenticator on an Android or iOS device or Microsoft Authenticator on Windows Phone. Mobile device support requires a premium account but includes support for iOS, Android, BlackBerry, and Windows Phone. Even some mobile browsers such as Dolphin and Firefox Mobile work with LastPass Premium to automate username and password entry. Finally, premium users get access to the LastPass support team, rather than being relegated to the user forums.
LastPass offers handy functionality for sharing accounts with friends and family. The free service allows you to selectively share account login information with other LastPass users, allowing them to authenticate to individual Web applications using your information, without giving them direct access to your passwords. Premium account subscribers get access to a Family Folder, a feature that lets you specify exactly which login information to share with up to five other LastPass users.
Desktop support for LastPass is somewhat confusing. Downloading the basic installer for Windows provides browser plug-ins, an import tool (for migrating from another password vault or spreadsheet), and a shortcut to the LastPass Web app. Premium subscribers also have access to LastPass for applications, which provides increased utility by allowing you to automatically log into desktop applications such as Skype or a corporate VPN client.
LastPass supports several forms of two-factor authentication. I've already mentioned that both Microsoft Authenticator and Google Authenticator are supported with free accounts, providing simple integration using a mobile device. Premium accounts gain support for YubiKey, a USB hardware authentication device, and Sesame, a software authentication tool run from a USB storage device.
If you need simple password management in a Web app, you can't go wrong with a free LastPass account. For more granular credential sharing and mobile device support, LastPass premium will be the best $1 you spend each month.