10 local and cloud-based contenders make passwords stronger and online life
easier for Windows, OS X, iOS, Android, BlackBerry, and Windows Phone users
Thanks to a continuous barrage of high-profile computer security scares and
reports of cloud-scale government snooping, more Internet users are wising up
about the security of their information. One of the smarter moves we can make
to protect ourselves is to use a password manager. It's one of the easiest too.
A password manager won't shield you against Heartbleed or the NSA, but it's an
excellent first step in securing your identity. Because it remembers your
passwords for you, it lets you use a different, much stronger password for
every online account. A password manager will even generate long random
passwords, without requiring you to memorize or write down these random
strings of characters. Such passwords defeat dictionary and rainbow-table
attacks outright, since they appear in no word list or precomputed table, and
they push brute-force guessing beyond what an attacker can afford.
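The kind of generator the paragraph refers to, as an added example written for this article rather than code taken from any of the products reviewed. It draws from the operating system's cryptographic random source (never Python's `random` module), uses rejection sampling when a site insists on every character class, and turns the alphabet size and length into a brute-force cost. The alphabet, the default length and the guess rate are assumptions.

```python
# Added example (not from any product reviewed here): generate a random
# password with the cryptographic RNG and estimate the attacker's work.
import math
import secrets
import string

# Character classes a site might require; this particular symbol set is an assumption.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 20, require_all_classes: bool = True) -> str:
    """Return a uniformly random password drawn from ALPHABET.

    secrets.choice reads os.urandom underneath. The random module must not be
    used here: its Mersenne Twister state can be recovered from observed output.
    When require_all_classes is set, rejection sampling keeps the draw uniform
    over the accepted strings instead of forcing fixed positions to fixed classes.
    """
    if require_all_classes and length < 4:
        raise ValueError("need at least 4 characters to cover all four classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not require_all_classes or all(
            any(c in charset for c in pw) for charset in (LOWER, UPPER, DIGITS, SYMBOLS)
        ):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).

    Class-coverage rejection removes only a tiny fraction of the space at
    realistic lengths, so this figure is accurate to a small fraction of a bit.
    """
    return length * math.log2(alphabet_size)


def brute_force_years(bits: float, guesses_per_second: float = 1e11) -> float:
    """Expected time for exhaustive search at the given guess rate.

    1e11 guesses/s is an assumed ballpark for a GPU rig against a fast,
    unsalted hash, not a benchmark. Expected work is half the key space.
    """
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(len(pw))
    print(pw, f"{bits:.1f} bits", f"~{brute_force_years(bits):.3g} years to brute-force")
    # An 8-character password from the same alphabet is a different story:
    short = entropy_bits(8)
    print(f"8 chars: {short:.1f} bits, ~{brute_force_years(short) * 365.25:.3g} days")
```

Run it a few times and note that the 20-character output sits above 128 bits, which is why the manager's generated strings can be left unmemorized and unpronounceable: nobody is going to guess them, and nothing in a word list resembles them.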
Many password managers allow you to automatically populate your password vault
by capturing your Web logins using a browser plug-in and allowing you to store
these credentials. Other options for populating your password database include
importing an Excel spreadsheet or manually entering your login information.
Further, using these stored credentials is typically automated using a browser
plug-in, which recognizes the website's username and password fields, then
populates these fields with the appropriate login information.
Although several browsers offer similar functionality out of the box, many
password managers offer several benefits over the built-in browser functionality
-- including encryption, cross-platform and cross-browser synchronization,
mobile device support, secure sharing of credentials, and support for
multifactor authentication. In some cases, usernames and passwords must be
copied from the password manager into the browser, reducing the ease of use but
increasing the level of security by requiring entry of the master password
before accessing stored login information.
Some password managers store your credentials locally, others rely on cloud
services for storage and synchronization, and still others take a hybrid
approach. Some of the options using local storage (such as KeePass and
1Password) still support synchronization through Dropbox or other storage
services. Deciding which password manager is best for you will come down to
features and ease of use, as well as to whether you're comfortable storing your
passwords on the Internet.
If having your critical data stored in a cloud service worries you, then KeePass,
1Password, or SplashID Safe (sans SplashID's cloud service) offer the top
options. If you trust cloud-based services with your passwords and believe they
will protect your data using good security practices and encryption, then
LastPass, Dashlane, or PasswordBox are your best bets.
In my judgment, KeePass is the best of the options using local storage. The fact
that it's open source, free, and complemented by countless plug-ins adds up to a
very flexible option. With the right combination of plug-ins, KeePass can be
made to do almost anything you could require of a password manager. My favorite
cloud option is LastPass, primarily due to its low cost and the consistent
implementation of features across all of the clients. Each LastPass client I
tested was easy to work with, stable, and remarkably uniform from a usability
perspective. Additionally, the fact that a LastPass Premium account is all of $1
per month makes it an extremely compelling option.
But one of these other options might suit you better. Really, you can't go wrong
with any of these password managers.
1Password
1Password is the brainchild of AgileBits, maker of the popular Knox encryption
tool for OS X. Unlike Knox, 1Password offers support for multiple platforms,
including Mac, Windows, iOS, and Android.
Like KeePass, 1Password uses a local file to store encrypted passwords.
AgileBits does not provide a cloud service for synchronization with mobile
devices, but 1Password does support synchronization of the password vault using
Dropbox (all platforms) or iCloud (Mac and iOS only). 1Password also supports
synchronization over Wi-Fi between Windows, Mac, and iOS clients. Because the
1Password vault is contained in a single file, you gain the convenience of a
portable password vault without having to store your passwords on the Internet.
1Password clients allow you to create and maintain multiple password vaults.
Multiple vaults can be used to share some of your passwords with another family
member or co-worker. Secure sharing between 1Password clients is supported,
giving you a method to transmit a login (or any sensitive information, such as a
credit card number or the answer to a website's security question) to another
licensed 1Password user over an encrypted channel. Emailing login information in
plain text is also supported, but this information is only as secure as your
email traffic.
[Screenshot: 1Password favorites] 1Password stores your passwords in a local
file, but supports synchronization across devices using Dropbox and iCloud.
1Password now provides a number of different tools that analyze your passwords
and the services they secure in order to identify potential vulnerabilities.
Though many websites have patched the Heartbleed vulnerability by now, 1Password
takes the precaution of comparing your last password change for a site against
the date the site’s server was patched. If your password hasn’t been changed
since the patch, 1Password will encourage you to protect yourself through a
password change. Potential areas of concern such as duplicate or weak passwords
are also identified.
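What an audit of this kind does, as an added example rather than 1Password's own code: for each entry it compares the date of the last password change against the date the site reported patching, and it also flags reused and weak passwords. The vault entries, the patch dates, the entropy heuristic and the thresholds are all constructed assumptions.

```python
# Added example (not 1Password's Watchtower): audit a vault for passwords that
# predate a site's Heartbleed patch, passwords reused across sites, and weak ones.
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Entry:
    site: str
    username: str
    password: str
    last_changed: date


# Constructed: the day each site said it patched Heartbleed (assumed values).
PATCH_DATES = {
    "mail.example.com": date(2014, 4, 9),
    "shop.example.net": date(2014, 4, 12),
}

# Constructed sample vault.
VAULT = [
    Entry("mail.example.com", "alice", "correct-horse-battery-staple", date(2014, 4, 10)),
    Entry("shop.example.net", "alice", "Summer2013", date(2013, 7, 1)),
    Entry("forum.example.org", "alice", "Summer2013", date(2014, 1, 15)),
    Entry("bank.example.com", "alice", "g7$Kq!9vLp#2xZ@bR4wE", date(2014, 5, 2)),
]


def entropy_estimate(pw: str) -> float:
    """Crude upper bound: length * log2(size of the character classes used).

    It overestimates for dictionary words and patterns, which is why weak()
    also applies a length floor rather than trusting this number alone.
    """
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def stale_since_patch(vault, patch_dates):
    """Entries whose password was last changed on or before the site's patch.

    Such a password may have been read out of server memory while the site
    was vulnerable, so it should be rotated even though the site is now fixed.
    """
    return [e for e in vault
            if e.site in patch_dates and e.last_changed <= patch_dates[e.site]]


def duplicates(vault):
    """Passwords reused across sites: one breach unlocks every site in the list."""
    by_pw = defaultdict(list)
    for e in vault:
        by_pw[e.password].append(e.site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


def weak(vault, min_len: int = 12, min_bits: float = 60.0):
    """Entries failing either the length floor or the entropy threshold (assumed values)."""
    return [e for e in vault
            if len(e.password) < min_len or entropy_estimate(e.password) < min_bits]


def audit(vault, patch_dates):
    return {
        "stale": [e.site for e in stale_since_patch(vault, patch_dates)],
        "reused": sorted(duplicates(vault).values()),
        "weak": [e.site for e in weak(vault)],
    }


if __name__ == "__main__":
    for category, hits in audit(VAULT, PATCH_DATES).items():
        print(f"{category}: {hits}")
```

Against the sample vault the audit flags shop.example.net as stale (changed in 2013, patched in April 2014), reports the shop and forum entries as sharing a password, and marks both as weak; the mail entry survives because it was changed the day after the patch. A real importer would read the vault file and a published patch-date feed instead of the constructed lists.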
The cost of using 1Password is markedly different from that of cloud-based
password lockers. Users must purchase clients for each platform they intend to
use, costing more up front than a subscription service, but potentially saving
money in the long term. 1Password for PC or Mac costs $49.99; the Mac-plus-PC
bundle runs $69.99. Both the iOS and Android apps are free with an in-app
upgrade to the Pro feature set for $9.99.
My biggest concern with 1Password has to do with feature parity between the Mac
and PC versions. Currently both platforms offer similar features, largely due to
a massive update to the Windows version mere days before publication of this
article. Previously, features such as secure sharing or Wi-Fi sync were nowhere
to be found. AgileBits has made good on promises to bring these features to all
platforms, but if you're primarily a PC user, the lag may be cause for concern.
Regardless, 1Password is a strong password manager. With AgileBits' strong ties
to the Apple community, this is particularly true for Mac and iOS users.
Dashlane
Dashlane straddles the line between cloud service and local password manager in
an attempt to answer every security concern. You can store your password
database on Dashlane's servers and take advantage of synchronization across
devices, or you can store your password vault locally and forgo
synchronization. It's your choice.
If you store your password database in Dashlane's cloud, your master password
remains with you only. Rather than storing a hash of the master password on its
servers, Dashlane claims to use your password merely to encrypt and decrypt the
data locally. For this reason your password database on the Web is read-only,
and changes can be made only from a client.
Authentication is performed against devices that are registered with Dashlane
through a two-step process, incorporating your master password and a device
registration code sent via email. Two pricing tiers are offered for Dashlane
users. A free account allows access to your passwords through a single device of
your choice. Premium accounts, which cost $39.99 per year, let you synchronize
your passwords across multiple devices, perform account backups, share more than
five items, give you access to the read-only Web app, and entitle you to
Dashlane's customer support.
[Screenshot: Dashlane score] Dashlane will store your password database in the
cloud, but your master password remains with you only. (Don't lose it!) Like
other password managers, Dashlane will assess the strength of your password as
you create it.
With Dashlane, retention of your master password is critical. The company states
that it is unable to perform password recovery in the event of loss, a necessary
side effect of its decision to not store a copy of your password in any form.
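The pattern behind "the master password never leaves you", as an added illustration rather than Dashlane's actual implementation (the company's whitepaper is the authority on what it really does). The client derives two keys from the master password: one that protects the vault and never leaves the device, and a separate authentication key that the server stores only as a salted hash. Because the server holds neither the master password nor the vault key, it can verify a login but cannot decrypt the vault, and a forgotten password cannot be reset into working data. Names, iteration counts and the per-user salt are assumptions, and the vault is integrity-tagged with an HMAC as a stand-in for encryption so that the example runs on the standard library alone.

```python
# Added example (not Dashlane's code): split the master password into a vault
# key the client keeps and an auth key the server verifies, so the server is
# never able to recover either the password or the vault contents.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption; real products tune this per platform


def derive_keys(master_password: str, email: str) -> tuple:
    """Return (vault_key, auth_key). The lower-cased email is the per-user salt.

    auth_key is a one-way function of vault_key (a second PBKDF2 pass under a
    different salt), so the value the server receives does not reveal the
    value that protects the data.
    """
    salt = email.lower().encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    auth_key = hashlib.pbkdf2_hmac("sha256", vault_key, b"auth:" + salt, 1)
    return vault_key, auth_key


class Server:
    """Holds, per user, a salted hash of auth_key and the opaque vault blob.

    Nothing stored here is a function that can be inverted to the vault key,
    which is exactly why "reset my master password" cannot recover a vault.
    """

    def __init__(self):
        self.users = {}

    def register(self, email: str, auth_key: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", auth_key, salt, 10_000)
        self.users[email] = {"salt": salt, "verifier": verifier, "blob": blob}

    def login(self, email: str, auth_key: bytes):
        """Return the blob on success, None otherwise (constant-time compare)."""
        rec = self.users.get(email)
        if rec is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", auth_key, rec["salt"], 10_000)
        return rec["blob"] if hmac.compare_digest(candidate, rec["verifier"]) else None


def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for authenticated encryption: HMAC tag prepended to the data."""
    return hmac.new(vault_key, plaintext, hashlib.sha256).digest() + plaintext


def open_vault(vault_key: bytes, blob: bytes) -> bytes:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(vault_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong master password or tampered vault")
    return body


def demo():
    server = Server()
    vk, ak = derive_keys("correct horse battery staple", "alice@example.com")
    server.register("alice@example.com", ak, seal(vk, b"site=example.com;user=alice;pw=hunter2"))
    # Normal login: the server returns the blob, and only the client can open it.
    opened = open_vault(vk, server.login("alice@example.com", ak))
    # Wrong password: the auth key differs, so the server refuses before releasing anything.
    _, bad_ak = derive_keys("wrong password", "alice@example.com")
    denied = server.login("alice@example.com", bad_ak)
    return opened, denied


if __name__ == "__main__":
    print(demo())
```

The read-only Web view the article mentions falls out of this design: a browser page that does not hold the vault key can display what a client uploaded in the clear for it, but it cannot produce a valid new blob.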
Two-factor authentication is also supported through the use of Google
Authenticator. Support for two-factor authentication must be enabled through the
Windows or Mac client and can only be used on Internet-connected clients.
Dashlane’s team features allow you to securely share login information with
other Dashlane users, providing them with an appropriate level of access to the
information. Shared items can be provided with limited rights, which restrict
the ability to change permissions or reshare an item, or with full rights to the
data. Dashlane also offers the ability to designate emergency contacts, making
it easy to allow family or co-workers access to critical accounts or information
in the event of an emergency. The data shared with an emergency contact can be
fine-tuned in order to only provide certain information to specific contacts.
Because Dashlane attempts to be a hybrid of a cloud-based and local password
manager, it isn't as full featured as other cloud offerings, and it may not win
over customers fearful of cloud services. However, Dashlane has been able to
accomplish something truly remarkable through no small amount of ingenuity and
attention to security precautions. Before you dismiss Dashlane because it's a
cloud-based service, take a look at the company's security whitepaper, which
details the concepts and security practices it has implemented.
KeePass
A mature open source project (GNU GPL version 2), KeePass is a free password
management solution for Windows, OS X, or Linux, running natively on Windows and
requiring Mono for the other platforms. Many of the benefits of open source
software are evident in KeePass, including ports to other client operating
systems and a robust plug-in ecosystem. With the extensibility offered by
plug-ins for KeePass, you can change the encryption algorithm, automate logins
through your browser, integrate an on-screen keyboard, or even create scripts
you can run against KeePass.
KeePass was designed to store a local copy of the password vault. Cloud backup
and support for synchronization across multiple devices are obtained through
plug-ins that work with the likes of Dropbox, Google Docs, and Microsoft
OneDrive. A side benefit of a local password database such as KeePass is the
ability for multiple users to share a database or for one user to keep multiple
databases, sharing some and keeping others private.
[Screenshot: KeePass master key] With KeePass, you can lock your password vault
using a combination of password, key file, and Windows authentication.
Mobile support for KeePass is a little less polished than some of the commercial
options. Ports are available for iOS, Android, and Windows Phone, but the big
question becomes synchronization support. Not all mobile ports support cloud
synchronization, and those that do support only a subset of the cloud options.
Some mobile KeePass clients carry a cost, though most are in the $1 to $2 range.
If you're more concerned about the security of your password vault than mobile
clients and device synchronization, you'll be pleased to know that KeePass
supports multiple authentication methods by default. KeePass database files can
be locked by a combination of password, key file, and Windows user account. With
a key file stored on removable media such as a USB thumb drive, two-factor
authentication can be used to secure access to your critical passwords.
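How a password and a key file combine into a single vault key, as an added example modeled loosely on KeePass's composite key (each factor hashed on its own, the hashes concatenated and hashed again, then the result stretched with a slow KDF). It is not KeePass's code: the real KDBX format fixes the exact hashing, key-file encodings, KDF and header layout, and the Windows-account factor that KeePass also offers is omitted here, so treat the structure as an assumption. The vault is represented by a header whose HMAC is checked on unlock, as a stand-in for decrypting the database.

```python
# Added example (not KeePass's code): derive one vault key from two factors so
# that the password alone, or the wrong key file, cannot open the vault.
import hashlib
import hmac
import os
import secrets

KDF_ROUNDS = 200_000  # assumption; KeePass lets you set the work factor per database


def hash_password(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_key_file(data: bytes) -> bytes:
    """A key file holding exactly 32 bytes is used as-is; anything else is hashed to 32 bytes."""
    return data if len(data) == 32 else hashlib.sha256(data).digest()


def composite_key(password: str = None, key_file: bytes = None) -> bytes:
    """Hash each factor, concatenate in a fixed order, hash once more.

    Leaving out a factor changes the input, so a vault created with a key file
    cannot be opened by someone who only knows (or only cracked) the password.
    """
    if password is None and key_file is None:
        raise ValueError("at least one factor is required")
    parts = b""
    if password is not None:
        parts += hash_password(password)
    if key_file is not None:
        parts += hash_key_file(key_file)
    return hashlib.sha256(parts).digest()


def stretch(composite: bytes, salt: bytes, rounds: int = KDF_ROUNDS) -> bytes:
    """Slow the key down so a stolen vault file cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds)


def create_vault(password, key_file) -> dict:
    """Return the vault 'header': a random salt plus an HMAC over it under the final key.

    An unlock attempt recomputes the HMAC and compares before touching any data,
    which is how a wrong factor is detected without decrypting garbage.
    """
    salt = os.urandom(32)
    key = stretch(composite_key(password, key_file), salt)
    return {"salt": salt, "check": hmac.new(key, salt, hashlib.sha256).digest()}


def unlock(vault: dict, password, key_file) -> bool:
    key = stretch(composite_key(password, key_file), vault["salt"])
    expected = hmac.new(key, vault["salt"], hashlib.sha256).digest()
    return hmac.compare_digest(vault["check"], expected)


def demo() -> dict:
    key_file = secrets.token_bytes(32)  # the file you would carry on a USB stick
    vault = create_vault("master password", key_file)
    return {
        "both factors": unlock(vault, "master password", key_file),
        "password only": unlock(vault, "master password", None),
        "wrong key file": unlock(vault, "master password", secrets.token_bytes(32)),
        "wrong password": unlock(vault, "wrong", key_file),
    }


if __name__ == "__main__":
    print(demo())
```

The practical caveat is in the last three lines of `demo()`: the key file is a second factor only while it stays off the machine that holds the vault. A key file that lives next to the .kdbx on the same disk adds nothing against someone who copies the disk.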
The biggest downside to KeePass is complexity. Getting all of the advanced
functionality offered by the competition will require quite a bit of research,
setup, and maintenance. While KeePass is a great solution for fans of open
source, maximum flexibility, and free software, it is certainly not as
straightforward as some of the cloud-based services listed here.
LastPass
LastPass may be the most popular password manager in this review, due to a rich
set of features, support for a wide range of mobile platforms, and
straightforward licensing, not to mention aggressive marketing. Unlike KeePass,
LastPass is decidedly cloud-centric, using its own cloud service to store user
information and synchronize data.
A recent LastPass security notice underscores one drawback of a cloud-based
password manager: It makes a tempting target for hackers. Although no user
accounts were accessed and no vault data was taken, attackers did make away with
account email addresses and other data that could be used in targeted attacks.
Bottom line: LastPass users should change their master passwords. Brian Krebs'
post on the LastPass breach provides a concise explanation of the risks.
LastPass offers a free and premium pricing tier for consumers, with the premium
service costing $1 per month. Users of the free edition get many of the basics
you'd expect from a cloud-based service, including plug-in support for multiple
browsers, anywhere access, and even support for multifactor authentication using
Google Authenticator on an Android or iOS device or Microsoft Authenticator on
Windows Phone. Mobile device support requires a premium account but includes
support for iOS, Android, BlackBerry, and Windows Phone. Even some mobile
browsers such as Dolphin and Firefox Mobile work with LastPass Premium to
automate username and password entry. Finally, premium users get access to the
LastPass support team, rather than being relegated to the user forums.
LastPass offers handy functionality for sharing accounts with friends and
family. The free service allows you to selectively share account login
information with other LastPass users, allowing them to authenticate to
individual Web applications using your information, without giving them direct
access to your passwords. Premium account subscribers get access to a Family
Folder, a feature that lets you specify exactly which login information to share
with up to five other LastPass users.
Desktop support for LastPass is somewhat confusing. Downloading the basic
installer for Windows provides browser plug-ins, an import tool (for migrating
from another password vault or spreadsheet), and a shortcut to the LastPass Web
app. Premium subscribers also have access to LastPass for applications, which
provides increased utility by allowing you to automatically log into desktop
applications such as Skype or a corporate VPN client.
LastPass supports several forms of two-factor authentication. I've already
mentioned that both Microsoft Authenticator and Google Authenticator are
supported with free accounts, providing simple integration using a mobile
device. Premium accounts gain support for YubiKey, a USB hardware authentication
device, and Sesame, a software authentication tool run from a USB storage
device.
If you need simple password management in a Web app, you can't go wrong with a
free LastPass account. For more granular credential sharing and mobile device
support, LastPass premium will be the best $1 you spend each month.
PasswordBox
PasswordBox bears a number of similarities to Dashlane. Master passwords are
neither stored nor transmitted, meaning that password data is secured throughout
the process, and password resets are technically impossible. PasswordBox even
takes extra steps to ensure the security of your information in other ways, such
as PCI-compliant data centers and providing the ability to send the company
encrypted email using the PGP key published on its website.
PasswordBox is currently missing some of the features available in Dashlane,
such as two-factor authentication, but both two-factor and fingerprint-based
authentication are reportedly coming soon. You can read about the security
measures PasswordBox uses to safeguard password data in the company's security
whitepaper.
PasswordBox does not use stand-alone client programs on Windows and Mac, opting
instead for browser plug-ins (Chrome, Firefox, and Internet Explorer), but
mobile apps are available for both iOS and Android. Another minor oddity:
PasswordBox doesn't offer a Web app to view or edit passwords or manage your
account -- everything is handled via mobile app or browser plug-in.
[Screenshot: PasswordBox] PasswordBox stores your passwords on its servers, but
they're never decrypted there. Passwords can only be viewed and edited using the
browser plug-in or mobile client.
PasswordBox is priced competitively with the other cloud-based password
managers. Free accounts support up to 25 stored passwords, including
synchronization and full sharing capabilities. Premium accounts cost $12 per
year and give you unlimited password storage. Referring five friends nets you a
premium account for life.
PasswordBox allows users (free or premium) to share saved login information
seamlessly between accounts, even without the passwords being visible. Shared
log-ins persist even through password changes, and they can be revoked at any
time. An interesting and unique feature of PasswordBox is the Legacy Locker,
which allows you to designate one or more responsible parties who get access to
your account information in the event of your death. Account transfers using
Legacy Locker are not performed until a death certificate is provided and
validated.
PasswordBox is now part of the Intel Security Family, meaning its future is in a
state of flux. For now Intel Security is offering free premium subscriptions to
both new and existing users.
SplashID Safe
SplashID has been in the password manager business for years. Its product,
SplashID Safe, has been particularly popular on mobile devices. Currently
SplashID Safe supports access through the Web and client apps for Windows, Mac,
iOS, Android, BlackBerry 10, and Windows Phone.
Where other password managers are either local or cloud-based, SplashID Safe
supports either option. SplashID has simplified its licensing structure somewhat
in version 8. A basic SplashID account is free, but limits you to one device and
doesn't allow sharing or backup. A SplashID Pro account allows you to synchronize
your password vault for $1.99 per month or $19.99 per year. SplashID Pro
supports unlimited devices, synchronization over the Internet or Wi-Fi, sharing,
and automated backup. It also comes with customer support.
For an additional $5 per user per month, families or businesses can leverage
SplashID Safe Teams edition, which adds an admin panel that allows you to
control who has access to each record, either by assigning a record to an
individual user or a group of users.
SplashID Safe has at least one feature we wish all the cloud-based services
would implement: the ability to configure a login as local only, giving you the
ability to prevent your most sensitive data from being stored on the Internet.
The idea is that if you have certain login information or other sensitive data
you don't trust to the Internet, you can prevent this information from being
uploaded to SplashID's servers.
SplashID Safe supports two methods of sharing login information. When sharing
with a user who has a SplashID cloud account, the login information is imported
directly into their account. Users without a SplashID cloud account will receive
an email containing a link to securely retrieve the information. Links to shared
information are secured with a password (which can be included in the email or
shared using another method), are valid for only 24 hours, and expire after the
first use.
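The three properties of SplashID's share links for non-subscribers (a separate password, a 24-hour lifetime, and expiry on first use) are worth seeing as a state machine, so here is an added example of such a store. It is not SplashID's code; the token format, the in-memory storage, the PBKDF2 parameters and the five-attempt lockout are assumptions, and a real service would also encrypt the shared record at rest rather than hold it in plain memory.

```python
# Added example (not SplashID's code): one-time, password-protected share links
# that expire after 24 hours or after the first successful retrieval.
import hashlib
import hmac
import os
import secrets
import time

TTL_SECONDS = 24 * 3600
MAX_WRONG_PASSWORDS = 5  # assumption: burn the link rather than allow guessing
KDF_ROUNDS = 100_000     # assumption


class ShareStore:
    def __init__(self):
        self._records = {}

    def create(self, item: str, link_password: str, now: float = None) -> str:
        """Store the item and return an unguessable token to embed in the emailed link.

        The link password is kept only as a salted PBKDF2 verifier, so the
        store itself cannot reveal it; it travels out of band, as the text says.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        salt = os.urandom(16)
        self._records[token] = {
            "item": item,
            "salt": salt,
            "verifier": hashlib.pbkdf2_hmac("sha256", link_password.encode(), salt, KDF_ROUNDS),
            "expires": now + TTL_SECONDS,
            "wrong": 0,
        }
        return token

    def redeem(self, token: str, link_password: str, now: float = None):
        """Return the item on success, None otherwise.

        Expired links and links past the guess limit are deleted on sight; a
        successful retrieval deletes the record too, so a second click fails.
        """
        now = time.time() if now is None else now
        rec = self._records.get(token)
        if rec is None:
            return None
        if now >= rec["expires"]:
            del self._records[token]
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", link_password.encode(), rec["salt"], KDF_ROUNDS)
        if not hmac.compare_digest(candidate, rec["verifier"]):
            rec["wrong"] += 1
            if rec["wrong"] >= MAX_WRONG_PASSWORDS:
                del self._records[token]
            return None
        del self._records[token]  # first successful use burns the link
        return rec["item"]

    def pending(self) -> int:
        return len(self._records)


def demo() -> dict:
    store = ShareStore()
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is deterministic
    token = store.create("user=alice pw=hunter2", "s3cret", now=t0)
    stale = store.create("x", "p", now=t0)
    return {
        "wrong password": store.redeem(token, "nope", now=t0 + 60),
        "first use": store.redeem(token, "s3cret", now=t0 + 60),
        "second use": store.redeem(token, "s3cret", now=t0 + 120),
        "expired": store.redeem(stale, "p", now=t0 + TTL_SECONDS + 1),
        "left in store": store.pending(),
    }


if __name__ == "__main__":
    print(demo())
```

Note the ordering inside `redeem`: expiry is checked before the password, so an attacker who holds an old link learns nothing about the password from the response, and the record is removed on every terminal path rather than flagged, so there is no "used" state left behind to be resurrected by a bug elsewhere.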
Two-factor support in SplashID only provides an extra layer of security when
registering a new device (not on each login), requiring you to enter a six-digit
code sent via email. While a registered device paired with a password
technically meets the definition of two-factor authentication (something you
have and something you know), it's not quite up to par with services offering
support for Google Authenticator or other two-factor methods. SplashID Safe
offers a pattern unlock feature as an alternative to a master password, but I
found this feature to be somewhat inconsistent.
Other contenders
It's always nice when a security product is backed by a brand synonymous with
computer security, and Symantec's Norton Identity Safe certainly has that factor
in its favor. Identity Safe has another plus: It's completely free. You can
choose from a number of free password managers, but none are cloud services
operated by a software vendor with a level of trust built up over decades.
Norton Identity Safe used to be part of a Norton security suite, but it's now a
stand-alone service with a Web front end and clients for Windows, iOS, and
Android.
RoboForm is a popular password manager and form filler, but it falls short of
the leading contenders on a few counts. Though it offers synchronization across
multiple platforms, there is no Web app, two-factor authentication, or sharing
capability. Individual RoboForm desktop licenses can be purchased outright for
Mac or PC at a price of $29.95, and a Windows portable version for USB storage
is available for $39.95. RoboForm also offers subscription-based licensing for
$19.95 per year, which provides synchronization and access through mobile apps
on iOS, Android, Windows 8, and Windows Phone.
KeePass isn't the only open source password manager. There's also Password Safe,
currently available for Windows in both installable and portable versions, and
for Linux in a beta version. Password Safe is not nearly as feature-rich or
mature as KeePass, and I'd be hard-pressed to give you a reason to use it over
its big brother. That said, Password Safe is a viable alternative, and if all
you need is a local password manager, the decision may come down to which
program you find easier to use; for some, that will be Password Safe.
My1Login has both a free version, supported through advertisements and affiliate
links to partner sites, and a pro version, which eliminates the ads and
affiliate links for $2 per month. My1Login offers features commonly found in the
other contenders such as secure sharing and strong password generation. The
problem with My1Login is that the entire service is Web-based, with mobile
support coming through the mobile Web app only. While My1Login is enthusiastic
about the minimal setup requirements due to the lack of client applications, I
find this method to be more difficult to use in the long term.
Keeper Backup is a full-featured password manager supporting multiple client
platforms, including Mac, Windows, iOS, Android, and Windows Phone. Security
features offered by Keeper Backup include two-factor authentication and secure
sharing. Keeper offers three pricing tiers, starting with a free edition that
supports one device, no sharing, and a limited amount of data. Keeper Backup
provides unlimited storage, access to the Keeper Web app, secure sharing, and
access to the support team for $9.99 per year. Backup Unlimited adds support for
synchronization across devices for a heftier $29.99 per year.
Trend Micro's DirectPass has a free option that supports only five passwords.
Trend Micro's subscription service, which costs $14.95 for one year or $24.95
for two years, supports an unlimited number of passwords and devices. Desktop
clients are available for both PC and Mac, and mobile clients are available for
iOS and Android. While there's nothing wrong with DirectPass, it doesn't match
other competitors in features or polish.