I hate passwords. I hate coming up with them. I hate remembering them. I hate mistyping them four times in a row. And I hate getting locked out of whatever I'm trying to log into in the process.
That said, I hate being hacked only slightly more, so I've done my part to use passwords that aren't "password123" or something equally foolish. The hard part is keeping them straight, which I could do by writing them down -- but isn't that a security hole all over again? Heck, I've known that since I was a kid. I saw "WarGames."
Password vaults, aka password safes or password managers, help solve this problem. They give you a central spot to store all your passwords, encrypted and protected by a passphrase or token you provide. This way, you have to memorize a single password: the one for your password vault. All the other passwords you use can be as long and complex as possible, even randomly generated, and you don't have to worry about remembering them.
If having your passwords in a single encrypted store were all you needed, then a password-protected Microsoft Word document would do the trick. There has to be an easier way. One of the reasons I looked at these password vaults was to see how easy it was to work with them over an extended period of time. If they didn't provide much more convenience over simply copying and pasting passwords from a text file, they'd hardly be worth using.
So here are eight of the leading password managers available, ranging from services designed to be used mainly on the Web to client-side apps with a slew of incarnations. With each, we tested the Web incarnation (where applicable), the Windows client and the Android version, the latter a Samsung Galaxy Note 6 running Android 5.1.1 with fingerprint reader support.
In the long run, passwords are on the way out -- theoretically, anyway. For the foreseeable future, passwords are here to stay. As long as we’re stuck with them, we should use strong ones that aren’t likely to be hacked and protect them as best we can. The applications reviewed here make those objectives far easier to meet and can spare you a huge amount of typing tedium.
1Password feels in many ways like a commercial version of KeePass. Many of 1Password’s behaviors and UI choices will remind you of KeePass, but 1Password has been packaged and presented with more polish.
The similarities extend to the way data is organized. Like KeePass, 1Password lets you store username/password pairs in user-defined folders (Banking, Online Shopping, and so on), and it allows entries to contain custom text fields, attachments, or other metadata. The username/password pairs can be autotyped into an application or used to autofill a Web form. All passwords are protected in a single vault file, secured by a master password of your choice.
Where 1Password improves on KeePass is by making all of this functionality more straightforward. KeePass doesn’t natively support automatic form filling in a Web browser, so you must add plug-ins to both KeePass and your Web browser if you want to do that. By contrast, 1Password automatically detects browsers in use, installs the necessary form-filling plug-ins, and even lets you manage these plug-ins from a central UI within 1Password. It’s also easier in 1Password, when manually editing a password entry, to specify which items go in which form fields. With KeePass, that process is less straightforward.
A number of features in 1Password have been polished significantly. With KeePass, autotype can be directed only to the window that last had focus or to a window with a title manually specified in a given password entry. 1Password lets you choose the currently open window to which to send an autotype sequence, with the previous window as the default.
Another good 1Password feature not found natively in KeePass is auditing of duplicate and weak passwords. In the View menu, select Duplicate Passwords or Weak Passwords, and you’ll see lists of passwords that don’t pass muster. The mobile app handily supports auto form-filling. Unlocking by way of a fingerprint is supported on Android, but only on devices running Marshmallow.
Most password managers now offer ways to store structured forms of sensitive personal information. In 1Password you’ll find preformatted templates not only for credit cards, but for bank accounts, loyalty programs, passports, driver’s licenses, software licenses, common types of online accounts, and so on. (The Secure Notes features in 1Password, akin to the one in LastPass, is a simple text-entry template.) You can also attach arbitrary metadata to such entries, such as images or text fields. One feature the developers might want to add is the ability to take a scanned copy of a document in a common format, such as a driver’s license, and have the application automatically capture the text from the relevant fields without having to type it in.
Price: $49.99 per user; the full-featured trial version of 1Password is free to use for 30 days. Platforms: Windows, Mac OS X, iOS, Android.
Dashlane comes outfitted with features common to many other commercial password managers. Aside from keeping username/password pairs, Dashlane can store freeform text notes (and optionally secure them with your master password), keep copies of personal information such as credit cards and bank accounts, and save pertinent details for personal documents such as passports or driver’s licenses.
Dashlane scores major points for making it easy to get started with the program. That applies whether you’re coming from another password manager or using a password manager for the first time. LastPass users, for instance, are invited to export their existing passwords to a CSV and import them into Dashlane. (You can likewise import from other common password managers, many of which are listed here.)
Other nice features in Dashlane are reminiscent of features in LastPass, such as the ability to share passwords in a controlled fashion with a few trustees. Sharing allows you to grant either limited rights (read, use) or full rights (read, use, edit) to the recipient. Another LastPass-like feature is the ability to automatically grant emergency access to your password database. The mechanism is the same, too. If the trustee places a request for emergency access, you have a predefined period of time (typically two days) to decline it; otherwise, it’s automatically approved.
Another good feature, the Security Dashboard, is reminiscent of 1Password. At a glance, you can see high-level statistics about your password usage -- how many are weak or reused, how many are old or potentially compromised -- along with specific steps you can take to up your score. You still have to change problematic passwords on your own, though.
Most password managers support form-filling for online purchases, but Dashlane will also capture receipts of transactions with many common online retailers. Once a purchase is complete, a modal dialog pops up in the Web page where you performed the transaction, and you’re invited to save a copy of the receipt to your vault. I tried this with an Amazon.com purchase and found it to be relatively painless.
Dashlane’s mobile app is nicely designed, too. It offers nearly all the functionality of the main app, and it makes use of fingerprint readers on Android and iOS. Devices without a fingerprint reader can use a four-digit PIN instead.
The most significant benefits you get with Dashlane Premium, for $39.99 a year, are expanded versions of features included in the free version. You can access your password vault through a Web interface, as opposed to the desktop app or a browser plug-in. You can share more than five items at a time from your vault with other users. And you can sync Dashlane across an unlimited number of devices. An enterprise-level offering, Dashlane for Teams, essentially lets you buy Premium-level accounts in bulk at a discount.
Price: Free; Premium version (adds sync across devices, sharing, backup, and Web access) costs $39.99 per year; Enterprise version starts at $24 per user per year (100 users). Platforms: Windows, Mac, iOS, Android.
It’s not hard to see why Dominik Reich’s open source, cross-platform password manager remains in wide use after 13 years. KeePass is dependable, it gets the job done, and it (or one of its many ports) can run almost any platform you could name. Plus, KeePass has been outfitted with more add-ons than you can shake the mouse cursor at. Its main drawback: Its best features require some work to figure out. Novices won’t enjoy pawing through all the plug-ins and configuration options.
KeePass stores username/password combinations for websites or applications, all protected by a master password that can be changed at any time. Instead of your copying and pasting the data from KeePass, the app can automatically type username/password combos into form fields via system-wide hotkeys. The actual typing process is obfuscated, so keyloggers will not be able to intercept the results.
By default, KeePass uses heuristics -- such as by inspecting the title of the window currently in focus -- to figure out which password to paste. You can override autodetection for individual entries or whole classes of entries.
The database, or “vault,” used by KeePass is a single file, so it can be stored anywhere and easily synchronized between computers, by way of a Dropbox folder or BitTorrent Sync share, for example. The basic unit of storage in a vault is a user/password combination, but you can add any number of pieces of metadata (such as a recovery passphrase) to a given entry.
To make password databases harder to crack by brute force, KeePass lets you designate a minimum time delay with each unlock attempt, by requiring that the master key be transformed a number of times before being used. A handy tool built into KeePass calculates how many rounds to apply for a one-second delay, although that calculation only applies to the platform you’re currently running on. Note that a one-second delay on a desktop machine may translate to several seconds on your phone, so be sure to pick a delay that’s acceptable for all platforms.
When you create a new password entry or edit an existing one, you’ll see an assessment of the password’s strength -- the longer, the better. KeePass can generate passwords automatically, using a rule set you can define. This is useful for passwords that require, for instance, a letter and a number and a symbol. Third-party plug-ins can also be used to generate passwords for KeePass. For example, the Readable Passphrase Generator plug-in assembles random phrases into memorable combinations.
Plug-ins are also used to integrate KeePass with third-party programs, such as the Google Chrome Web browser. The quality and manner of those integrations depend on the plug-in in question. Hooking up Chrome and KeePass, for instance, requires two plug-ins: one for KeePass, one for Chrome. In this case, setup requires several steps, so some may find it a chore.
Making use of the most powerful features of KeePass requires reading the manual, but it’s worth the effort. The Triggers feature lets you automate actions when certain conditions come true, such as uploading a copy of the password database to your Dropbox or OneDrive whenever it has been saved. Even more powerful, albeit harder to implement for most people, is the XML Replace feature, which allows the database’s contents to be modified programmatically -- say, to automatically update entries according to certain rules.
Other editions of KeePass, both official and unofficial, have sprung up on nearly every computing platform, so it's easy to use the same KeePass database across different devices. Many ports have platform-specific features. Keepass2Android, for instance, can paste passwords by way of a custom keyboard.
Price: Free. Platforms: Windows 98 through Windows 10; Mono (Linux, Mac OS X, BSD); iOS, Android, BlackBerry, Windows Phone, and other mobile platforms supported through unofficial ports.
Ease of use (25%)
Platform support (20%)
Overall Score (100%)
|Keeper Password Manager 8.3||8||8||9||7||8||8.1|
|Password Safe 3.38||8||8||9||8||9||8.3|
China said it plans to develop a prototype of an exascale supercomputer by the end of this year,...
The U.S. Federal Communications Commission has voted to roll back some net neutrality regulations that...
President Donald Trump is considering a new way of distributing the H-1B visa to ensure they go to the...
Samsung's new Galaxy S8 and S8+ smartphones look beautiful, and are loaded with new features that could...
They’re an example of big tech companies’ failure to take security seriously.
Samsung has a lot riding on its next smartphone, the Galaxy S8, which debuts on Wednesday at an event...
Our survey of 2,700 tech pros shows steady pay increases. But with predictions for IT spending and...