Review: 8 password managers for Windows, Mac OS X, iOS, and Android
LastPass, 1Password, and Dashlane edge KeePass and company in features, flexibility, and ease
Keeper Password Manager 8.3
Keeper Password Manager may not be as impressive to look at as others in this roundup, and it doesn’t sport as broad a range of functionality, but it gets the job done. It also has a few smart features I haven’t seen anywhere else, such as the self-destruct function.
The core functionality for Keeper is in line with that of the competition. User/password pairs can be stored in a folder hierarchy, and password entries can include user-specified fields or file attachments. Installing the desktop client automatically sets up browser plug-ins that perform automated sign-ins on websites. The app is basic and straightforward, but not very flexible. For instance, while there’s a random password generator, there doesn’t appear to be a way to customize it to meet your organization’s password length or complexity requirements. Some of this may be by design to deliberately reduce the application’s potential bug count or attack surface.
If you’re importing data from another password manager, Keeper is quite strict about the format you use. A CSV I exported from KeePass was rejected because it had line breaks in the imported notes column. However, a little search-and-replace made all well.
Keeper’s desktop client won’t win prizes for interface design, but it’s functional -- and the mobile client is excellent.
Keeper’s self-destruct feature protects you if your device is lost or stolen. After five unsuccessful password entry attempts, Keeper records will be deleted from the device in question. (The cloud-synced copy is kept safe, though.) A product like KeePass wouldn’t be able to implement this, because one could always swap in an alternate KeePass client that didn’t honor a self-destruct restriction.
The mobile version of Keeper is excellent. It’s so good it makes the desktop client look like an afterthought. For one, the mobile app has a much more elegant and native look and feel; the desktop app is a cross-platform Java concoction, with all the UI clunkiness that implies. The mobile app can use a smartphone’s fingerprint reader for authentication (provided you’re using the for-pay service) or verify identity through an external wearable device. I also liked an optional feature that blocks screenshots of the app, although I suspect that could be defeated on phones with custom ROMs.
Price: Free for one device; Backup Unlimited version (adds multiple device support, cloud sync, fingerprint-based log-ins, sharing, Web app), $29.99 per year; Enterprise plans begin at $750 per year plus $48 per user per year, and include AD/LDAP integrations, auditing/policy management tools, and shared folders. Platforms: Windows, Mac, Linux, iOS, Android, Windows Phone, Kindle Fire, Nook.
LastPass 4.0.0
LastPass is browser-centric. It installs as a Web browser extension on Windows, Mac, and Linux, and users access it through a toolbar button in any or all of their browsers, with all data automatically synchronized to LastPass’s servers. Open a Web page with a sign-in form, and LastPass automatically fills in the username and password fields for you.
If you open a form field on a site that LastPass doesn’t have an entry for, it offers to create a new entry and (optionally) generate a password for it. Form fields that are recognized by LastPass have a distinct asterisk icon next to them. Clicking that asterisk brings up a context menu, allowing you to generate passwords, manually select what to paste, and more.
Click the LastPass toolbar button to bring up a nicely organized drop-down menu with fast access to the app’s most commonly used functions. Best of all is a search box at the top of the menu, allowing keyboard jockeys to bring up a password entry by typing a couple of letters from its name.
LastPass checks the strength of new passwords, and it can audit the strength of existing ones. The Security Challenge function checks all of your stored passwords -- including the master password -- and identifies those that are weak or duplicates. Problematic passwords can be replaced with newly generated ones, although LastPass can’t change the passwords on the sites where they are actually used. You’ll have to do that on your own.
Username/password combinations aren’t the only details LastPass is designed to manage. It also provides form-filling functions to automate the entry of addresses, phone numbers, credit card data, and other personal information commonly typed into a Web form. LastPass attempts to autodetect which data goes into which form fields, and it generally does a pretty good job, although it has a few limitations. For example, I found that LastPass had some trouble automatically selecting the correct expiration date for my credit card from drop-down menus.
LastPass runs mainly in the browser, meaning it is most closely integrated with websites rather than desktop apps. However, the mobile apps autofill passwords for mobile apps as well as websites.
LastPass also provides a way to store Secure Notes, which are essentially free-form texts not associated with a given password entry. Secure Notes can be individually secured by requiring the reader to re-enter the master password, but they can’t be individually password-protected.
The smartest feature by far is Emergency Access, which allows a trusted contact to gain access to the vault. The way it works is ingenious. The trusted user requests emergency access, and if after a predetermined length of time (say, a week) you haven’t explicitly declined them access, they can open your vault as if it were their own.
The mobile app version of LastPass -- available for iOS, Android, and Windows Phone -- is loaded with impressive convenience features. Like KeePass on the desktop, the mobile app can autofill login and password fields not only in Web browsers but in mobile apps generally. Setting up this feature requires some initial fiddling, but once running, it worked reliably. If your phone has a fingerprint reader, LastPass automatically detects it and uses it to authenticate -- no need to type a master password. There’s also support for third-party two-factor authentication products like YubiKey.
Services always look for new kinds of premium functionality to charge for. With LastPass, Premium accounts ($12 per year) come with additional multifactor authentication, a shared-folder system that can support up to five users, and the ability to save passwords for desktop applications. KeePass includes this last feature by default, one of its advantages as a native desktop app.
Finally, LastPass offers an enterprise edition with single-sign-on support, policy and reporting mechanisms, and a central admin console.
Price: Free; Premium version (adds sync across devices, multifactor authentication, shared folders) costs $12 per year; Enterprise version starts at $24 per user per year (100 users). Platforms: Web browsers on Windows, Mac OS X, Linux; mobile apps for iOS, Android, Windows Phone; desktop app for Mac OS X.
Password Safe 3.38
Security expert Bruce Schneier decided to do more than write about password insecurity issues. He designed Password Safe, a simple open source application that allows individuals to store passwords securely, type them automatically when needed, and require only a single password to access them all.
If that description reminds you of KeePass, you’re spot-on: Password Safe is like a bare-bones KeePass. That’s not necessarily a bad thing, since a simpler program is by definition a more easily secured one.
Password Safe’s user interface and behaviors echo KeePass. You browse username/password entries via a hierarchical tree view, and you can use hotkeys to automatically type passwords into any application, not only Web pages. One KeePass feature Password Safe lacks is a systemwide autotype hotkey, where a username/password combo can be selected and typed into a window based on its title.
The design and behaviors of Password Safe are reminiscent of KeePass. Although the feature set is smaller, Password Safe is both useful and well-designed.
Password Safe may not have the breadth of features seen in many of the password managers here, but the included features are smart and useful. A “password policies” function allows you to create rules for how passwords are generated. You can specify how many characters, what kind, whether or not to use characters that can be mistaken for each other (the digit “1” versus the lowercase letter “l”), and so on. Database backups are automatically generated whenever you save new entries, so older versions of the database (and its entries) are retained. Password Safe has built-in support for YubiKey security devices, too.
The biggest downside to Password Safe is that it’s not very flexible. For one, there’s no plug-in architecture, so any expansions to the program’s feature set are entirely up to the developers. For two, Password Safe is missing (albeit perhaps by design) direct integration with Web browsers by way of plug-ins on the browser side.
Price: Free. Platforms: Windows; beta available for Linux; third-party ports available for iOS, Android, BlackBerry, Java, Python, and other platforms.
RoboForm 7.9
RoboForm is one of the longest-lived programs of its kind, originally created as a general form-filling solution for Web browsers and stand-alone applications. Like KeePass and 1Password, it’s useful for more than password storage and management. And like 1Password, it comes outfitted with a bevy of good, smart features that work with minimal tinkering.
On installation, RoboForm autodetects the browsers in use and integrates with them via plug-ins. From then on, password submissions in forms are automatically saved to the database. The password-capture process has some smarts to it: When RoboForm offers to save passwords from a Web page, it makes a few guesses as to how to label the resulting password capture -- by URL, by the page’s title, by the username plus the URL, and so on. Thus, entries for multiple subdomains of the same site are automatically kept separate and aren’t likely to stomp on each other.
Unfortunately, RoboForm doesn’t deal well with detecting the contents of form submissions where the form is automatically obscured upon submission. However, RoboForm isn’t alone in this flaw. This is a common problem with password managers that try to autodetect form submissions on Web pages.
If your PC or notebook has a fingerprint reader or smart card slot, RoboForm can use it as an authentication mechanism instead of a master password. The master password can be kept in “system-protected storage,” so logged-in users automatically have access to the password vault. Note that if you reinstall Windows or delete the user account, this system-protected storage will be erased, but you can still access a backup of the RoboForm vault with your master password. (KeePass has a version of this feature, except that losing the user account also means losing access to the vault, period.)
RoboForm’s interface may be a little less polished than the competition, but its feature set has mostly kept up with the times.
Previous versions of RoboForm used a toolbar that would pop up below or above the browser window. For Chrome, at least, the toolbar has been replaced by a native in-browser plug-in, but the external toolbar is still available if you want it. I found the browser-native plug-ins to be far more elegant. They’re certainly more consistent with the other applications in this vein. RoboForm’s original toolbar and native program interface look a little clunkier than the competition. They’re the most prominent signs of the program’s age.
Aside from username/password pairs for websites, RoboForm also stores browser bookmarks, personal identity data, and free-form text notes (Safenotes) in the same manner as 1Password and LastPass. Custom fields can be added to many kinds of entries in RoboForm’s database, but not all of them. Safenotes, for instance, restrict you to a single freeform text field.
No modern password-management app would be complete without a mobile version, and RoboForm does have such an incarnation. It doesn’t yet support a smartphone’s fingerprint reader -- a major omission in today’s mobile world -- although it allows quick-unlock by way of a four-digit PIN.
RoboForm also comes with a Web-based edition, named RoboForm Anywhere, where the contents of one’s vault can be edited and audited. Security-conscious users will like how RoboForm activity from all devices is logged and can be perused either through the Web interface or downloaded as a CSV file. The cost-plus version of RoboForm, RoboForm Everywhere, allows integrated syncing of one’s password database across all devices for $9.95 a year.
Price: RoboForm Desktop, $29.95; RoboForm2Go, $39.95; RoboForm Everywhere, $9.95 per year. Platforms: Windows, Mac OS X, iOS, Android, Windows Phone.
SplashID Safe 8.0.9
SplashID Safe isn’t a bad program, but it’s limited in frustrating ways, and its competitors offer more at their basic tiers.
SplashID Safe is akin to LastPass in that its free tier is mainly consumed as a Web app. If you want to use the PC and smartphone versions and sync them against your SplashID cloud account, you’ll need to purchase a Pro account starting at $1.99 per month or $20 per year. For those who want to use the desktop app to manage passwords across a variety of applications, this is irksome, especially given the array of competing services with desktop apps that cost nothing.
Some good ideas have been sprinkled through SplashID Safe. When you first create an account, your vault is optionally populated with sample data of various kinds to give you an idea of how to use the service. Another nice touch: A “pattern log-in” function, akin to the kind used in smartphones, can be used to unlock the Web version or the desktop edition. I also liked how devices could be synced peer-to-peer over Wi-Fi rather than through the cloud. SplashID’s mobile app is functionally similar to the desktop app, although it doesn’t support the use of a fingerprint reader to unlock one’s vault on Android, only on iOS.
On the downside, a bevy of little issues kept throwing me off. When I attempted to import a CSV generated by KeePass into SplashID’s Web vault, it misinterpreted which columns mapped to which fields; the title of the field ended up being the password, among other problems. Because I wasn’t allowed to remap the columns on import, I needed to download a sample CSV to determine the proper format and reorganize my CSV file to get it to import correctly.
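The two import problems described in this review (Keeper rejecting a CSV with line breaks in the notes column, and SplashID mapping columns to the wrong fields) can both be handled by one conversion pass before import. The following is an added example, not code from the article or from any vendor; the header names and the target column order are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export; the header names are assumed for illustration.
SAMPLE_EXPORT = (
    '"Title","Username","Password","URL","Notes"\r\n'
    '"Mail","alice","s3cr3t-EXAMPLE","https://mail.example","line one\r\nline two"\r\n'
    '"Bank","alice2","pw, with comma","https://bank.example","PIN hint\nsecond line"\r\n'
)

# Hypothetical column order expected by the importing tool.
TARGET_ORDER = ["URL", "Title", "Username", "Password", "Notes"]


def flatten(value, sep=" / "):
    """Collapse embedded line breaks in one field into a visible separator."""
    if "\n" not in value and "\r" not in value:
        return value  # leave single-line values (passwords included) untouched
    parts = [p.strip() for p in value.splitlines()]
    return sep.join(p for p in parts if p)


def convert_export(text, target_order=TARGET_ORDER):
    """Return CSV text with single-line fields in the target column order."""
    # newline="" keeps quoted multi-line fields intact for the csv parser.
    reader = csv.DictReader(io.StringIO(text, newline=""))
    missing = [c for c in target_order if c not in (reader.fieldnames or [])]
    if missing:
        # Fail loudly rather than let a password land in the wrong column.
        raise ValueError(f"export lacks expected columns: {missing}")
    out = io.StringIO(newline="")
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(target_order)
    for row in reader:
        # Columns are selected by header name, so source order does not matter.
        writer.writerow([flatten(row[c] or "") for c in target_order])
    return out.getvalue()


if __name__ == "__main__":
    print(convert_export(SAMPLE_EXPORT), end="")
```

The conversion works on in-memory strings; an export file on disk holds every password in plaintext and should be deleted once the import is verified.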
SplashID Safe has many features that match the competition, but not always with the same level of polish.
That was only the start of my trouble with SplashID Safe. The desktop app refused to install, due to the installer not being signed properly. SplashData technical support was able to provide me with a fixed copy. And because the advertised browser plug-in for Chrome was not available from the Chrome Web Store, I wasn’t able to test any of its autofill functions. (I was informed this will be corrected.)
The Web interface, used for the free tier of the product, has issues of its own. Its formatting sometimes rendered incorrectly when the browser was resized, with side effects like buttons vanishing behind each other. Finally, I was surprised that the Web app attempted to use a Flash plug-in, given how Adobe Flash has been implicated in countless security issues, although the site seemed to work normally without it.
Price: Free for one device; Pro version (supports multiple devices, sync across devices, backup, sharing), $19.99 per year; Teams version, $5 per user per month. Platforms: Windows, Mac, iOS, Android, Windows Phone, BlackBerry, Web.
One password to rule them all
Which of these password managers should you choose? Clearly, you have a number of great options.
KeePass, despite its occasional complexity, still tops the list of free and open source solutions, thanks to the breadth of plug-ins and its broad platform support. For those who want a free and open source solution, but in an implementation with fewer frills and less fuss, consider Password Safe. (That it comes with the imprimatur of a renowned security expert doesn’t hurt either.)
1Password takes the basic idea behind KeePass and lays on a veneer of commercial polish, making a good thing even better and easier to use, albeit at a cost. Dashlane is even sleeker, with a handy security auditing function, but unlike many competitors its Web version is available only as part of the for-pay package.
RoboForm, an app with a faithful following, has kept pace nicely with the competition over the years (by adding browser plug-ins, fingerprint authentication, and so on), and it offers a lot of functionality in the free version. The best part of Keeper is its mobile incarnation. Keeper is a product aimed mainly at business users, but it nonetheless provides plenty of utility for everyone else.
Finally, for those who want to tame a welter of website passwords, LastPass is an excellent place to start, considering its basic incarnation is a browser plug-in and a well-designed mobile app. SplashID is similarly designed, but much of what it does is executed better elsewhere.
This story, "Review: 8 password managers for Windows, Mac OS X, iOS, and Android" was originally published by InfoWorld.
Copyright © 2016 IDG Communications, Inc.