Review: Password managers help keep hackers at bay
LastPass, Keeper top the field in test of 10 password managers.
By David Strom
To accomplish this, they have two components for their tool: first is a series of smartphone apps (including Windows Phone along with iOS and Android). Once you install the app, you set up your identity; either by typing this information directly into the app or via a webpage that you can import the details via a QR code scan. You can include all sorts of things in this identity besides your name and address, including credit card numbers and other personal and business details. All of this identity information is tied to an eight-digit ID number in their database that is then displayed on your phone.
The second component of SingleID is a piece of open source PHP code that you place on your website. This turns the typical login dialog into a special form that asks for your SingleID login ID number. Once you type in the number (which looks like a one-time password but doesn’t ever change), SingleID then authenticates you back to your phone, and asks if you want to login to this particular site. There are code snippets for Wordpress blogs and regular web servers to get you started in adding the SingleID protection to these sites.
It is a clever hack, and once you get it setup you avoid a lot of infrastructure to get a secure login. Think of the SingleID login ID number as your username for their service, so you don’t have to worry about keeping it a secret (like a OTP) because no one can do anything with this information. There is no trusted (or even untrusted) third party because all the communication is between your smartphone app and the server that you wish to access. This means that you also don’t have to worry about man-in-the-middle attacks, because there isn’t anything in the “middle.”
The advantage, apart from having to no longer have to manage multiple passwords, is that you retain complete control over your identity information. There is nothing stored on any cloud: your information is stored and encrypted on your smartphone. As the vendor says, “SingleID is a distributed platform and thus no database of sensitive personal data is being built up anywhere.”
Of course, the downside is that you have to instrument all the websites that you want to make use of the SingleID process, which won’t help you when you want to login to Dropbox or American Airlines or the hundreds of other commercial sites that you already have accounts on. But for internal applications, this could be a very useful and inexpensive solution, since it is completely free. The GitHub documentation is very clear, and it should take an average developer just an hour or so to review it and implement its code.
Sticky comes with desktop and mobile and browser extensions. The mobile versions include Blackberry, Kindle Fire, and Nokia X phones, in addition to iOS (7.x and higher) and Android (2.3 and higher) phones. There is a limited SaaS control for certain administrative features, but this is because it doesn’t really have any enterprise management features. Each user has to manage their own account, using the SaaS app.
It has limited browser support: there is no Safari Windows extension and on Macs just Safari and Chrome browsers are supported.
It also has limited second factor authentication where if you change the SaaS settings, it will send an OTP to your email address when you attempt to register a new device. Other tools have more granularity for their MFA feature.
Sticky’s complex password generator is also behind the times of its competitors. The browser extension merely copies the complex password into the clipboard. If you want something more sophisticated, you will have to use the desktop version to incorporate it into the login process. We had problems logging into our Southwest Airlines account using their mobile app.
One nice feature is that Sticky presents you with two browser options on their mobile app: using the phone’s native browser or its own protected version.
Sticky has a free version that doesn’t have password synchronization across all its platforms: to have that feature, you will have to pay for the Premium version. The one-year subscription is available for $19.99, and the lifetime license is available for $99.99.
TeamsID is a very simple password manager that is designed for enterprises. You set up groups of users within your organization that share the same password collections. It is currently available as a pure SaaS app, other versions are in the works for mobile and desktop apps and browser extensions.
By simple we mean that there are none of the other features that most of its competitors offer: there is no support for multifactor authentication and no Active Directory connector. TeamsID stores its vault in the cloud, as you might suspect.
When you save your login information, you are also prompted to save additional information, such as an attached file, tags, or other notes about the login to the record. The software tries to find an appropriate logo for each record, but it was somewhat inconsistent when we tested it. Records can be for individual logins or for groups. You can choose from a number of blank templates to fill in, such as for a bank or an airline frequent flyer account.
Records are shown in alphabetical order on the main dashboard, and the password details are shown in plain text which made us somewhat nervous: most of its competitors hide this information, at least by default. Finally, one large issue is that these records are just for reference only: there is no automation of the login: you will have to copy and paste the URL, login and password from each individual field.
TeamsID has begun to build a solid product but it vastly incomplete, especially when compared to some of the more established tools.
TeamsID has a 30-day free trial and an annual contract of $36 per user.
Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at strominator.com and you can follow him on Twitter @dstrom. He lives in St. Louis.
How we tested password managers
We installed each product on Windows 7 and 10 desktops as a starting point. We also used Android and iOS phones and Mac desktops (if a client was available for these systems). We then set up logins to various Web-based services such as Dropbox, Gmail, different airline accounts and a WordPress blog site to test these logins. We connected to the various websites with at least Firefox and Chrome browsers to try out the associated plug-ins. We looked to see whether our password data was synchronized across to the various clients. We examined any enterprise management-related features if they were available. Finally, we took notes on the relative differences in the clients across different operating systems both in terms of functionality and user interface.
This story, "Review: Password managers help keep hackers at bay" was originally published by Network World.
Copyright © 2015 IDG Communications, Inc.