Best password managers

Cybercrime cost the global economy $600 billion (£454.66 billion) in 2017, according to a report from McAfee. The impact of cybercrime is ongoing and affects almost every country in the world.

One of the best ways you can protect yourself against online fraud is still by using a strong password and a different one for every site and service that you use. It's true that you won't be protected against a data breach that exposes emails and passwords that are not encrypted, but using a complex password for each site will protect you against those credentials being replicated elsewhere.

Plus it makes brute-force spoofing of the user - where software automatically churns through typical dictionary word and letter combinations - much more difficult.

Of course, remembering all of these is not a trivial matter, especially less so when the passwords are a mixture of non-dictionary word letters uppercase and lower, mixed in with numbers and symbols. That's where a password manager comes in.

Most password managers work the same way: you will setup an account with a (preferably strong) master password and it will then store credentials for the sites you tend to visit, either manually or through an automated function in the app.

So what makes a good password manager? A strong commitment to security, easy user experience, functionality and price are all factors.

There are a range of different password managers out there today, some proprietary, some open source - some that have received multiple extensive security audits and some that are offline. Depending on your needs and technical ability, you might want to be able to sync across your cloud services, self-host on your own servers, or use one as a digital wallet. Here we run through some of the best options.

Additional reporting by Hannah Williams.

Keeper
© Keeper

Keeper

Keeperis a propriety password manager and digital wallet, which enables users to sync and backup files and passwords in the cloud.

Every file that is added is encrypted and stored with a unique encryption key, so users can ensure that sensitive documents like financial information are fully protected using AES encryption and two-factor authentication.

It also provides a multi-tenant password management feature for enterprises. This includes file sharing, user provisioning, auditing, reporting and active directory integration features.

The pricing starts from £1.75 a month for individual use, £2.08 per user, per month for business and £3.33 per user, per month for the enterprise package.

Keeper is available on Windows, MacOS, Linux, Android, iOS, Windows Phone and Blackberry OS.

TrueKey
© YouTube

TrueKey

McAfee-owned password manager, TrueKey, provides secure multi-factor authentication with the inclusion of face, fingerprint or master password recognition.

It is a customisable password protector, enabling users to add up to six different factors to ensure better security.

All the passwords are protected with AES-256 encryption.

TrueKey is available on PC, Mac, iOS and Android but only available on Chrome, Firefox, Microsoft Edge (as an extension) and Safari browsers.

It is completely free for up to 15 passwords, with the premium package available for £19.99 a year for unlimited password management.

1Password

1Password

This password manager from Canada does what it says on the tin: allows you to have one master password to access any online service you use regularly.

1Passwordhas some really attractive user functionality. You can use Touch ID on your iPhone and Nexus Imprint to authorise 1password with your fingerprint for even quicker access. It stores all kinds of account details, from passwords to bank details and loyalty schemes and will autofill web forms for you once these are stored. There is an audit function for weeding out weak passwords and a password generator to replace them with.

Master passwords are end-to-end encrypted and aren't stored anywhere, so 1Password can't see it even if they wanted to and you are in control of where your data is stored, either offline, with 1Password or with a third party like Dropbox or iCloud. 1Password even open sources its encryption design so that it can be peer reviewed.

Pricing: For individuals it is $2.99 (£2.35) a month and there are family (£3.95) and work versions (starting at £3.15 per person) also available.

1Password is developed by AgileBits and runs on Windows, MacOS, and Android, and also supports browsers including Brave, Chrome, Firefox, Opera, Safari and Edge. There is a sort of 2FA available, called Duo authentication and limited to Teams accounts for now.

AgileBits makes its security audits available by various vendors here.

EnPass

EnPass

EnPass will be familiar to Lastpass users, with similar features and UI. It's a freemium model built by the New Delhi, India-based Sinew Software Systems and supports Windows 7 and later, MacOS, Linux, iOS, Android, and Windows 10 Mobile.

The desktop application is available for free but the mobile app is only available for free on a trial basis – afterwards you’ll have to pay a $9.99 licence fee per platform.

The free version includes browser support for Safari, Chrome, Opera, Firefox, and Edge, with autofill functions including in all of these. EnPass has offline functions but also supports optional cloud sync on Microsoft OneDrive, Google Drive, Dropbox and Box.

Again, though, EnPass is closed source/proprietary and a security audit has not been made available publicly.

LastPass
© LastPass

LastPass

This is one of the better known password managers, and for good reason. LastPass is cross platform, working on Mac, Windows, Linux, all of the major browsers and in the Apple, Google and Windows app stores.

Security concerns were raised in 2015, when hackers compromised account email addresses, password reminders, server per user salts, and authentication hashes.

After the breach LastPass CEO Joe Siegrist published a note to calm fears, saying: "We are confident that our encryption measures are sufficient to protect the vast majority of users."

Read next: Using a Chromebook with LastPass and two-factor authentication

LastPass says master passwords are never sent to its servers and aren't accessible by the company. Everything is end-to-end encrypted at device level, so that LastPass can't see passwords even if it wants to.

It’s proprietary software/closed source so you don’t know exactly what’s in it, and was acquired by enterprise connectivity business LogMeIn in 2015. And the developers do say automatic nightly security reviews are conducted and LastPass has also engaged third-party security firms for regular audits.

LastPass is very user-friendly software that works as an extension to the most popular web browsers – Chrome, Firefox, Safari, Edge, and Opera – with support for smart devices like Android, iOS and Windows Phone.

Price: Free for unlimited devices, with a premium tier priced at $12 (£9.50) a year

Dashlane
© Dashlane

Dashlane

Similar to LastPass, Dashlane is a slick commercial password manager. It is cross-platform in the same way as LastPass and has a clean user experience. It automates a lot of the process for you, meaning Dashlane creates and saves passwords and bank details for you and then autofills forms. If you suffer a breach you can reset all of your passwords in one go.

Dashlane stores data in the cloud with AWS but you can choose for data to stay local on your devices, which sacrifices some cross-platform functionality. It also doesn't store master passwords on its servers and even has a handy blog post for the password manager sceptics who may see a password managers as a huge draw for hackers.

The post reads: "Password managers are very similar to a bank. You trust your bank to store, manage, and protect your hard-earned money, instead of carrying thousands of dollars in a gym bag everywhere you go. Instead of writing your passwords on sticky notes or reusing the same password for all of your accounts, password managers provide a safe place for you to store, manager, and protect your passwords and other private information."

Dashlane also includes a digital wallet with receipt capture and an appealing UI on desktop and mobile, plus an in-built instant security alert function if an account is compromised or at risk.

The premium tier allows you to manage passwords across unlimited devices, and business users get secure password sharing with group management and improved account administration and 2FA options.

Price: Free for a single device, $40 (£31.50) a year after that.

KeePass/KeePassX/KeePassXC
© KeePass

KeePass/KeePassX/KeePassXC

This is one of the best and oldest open-source password managers, which means you don't have to entrust your passwords to a single, often independent, company. Being open source doesn't automatically make KeePassX the best on the market, but knowing the code is open for peer review should bring peace of mind.

You’ll find the usual features like a strong password generator and clipboard management. Auto-Type functionality means the user can define a sequence of key presses that can then be entered automatically by KeePass and sent to any open window, for example your browser or other login dialogues.

The password manager has received a security audit from the European Commission’s Free and Open Source Software Auditing project.

Note that there was a security flaw found in Chrome KeePass (CKP) that might have been saving a copy of your master key to disk due to the 'remember' feature – technical details here – an alternative called Tusk is available here.

Although KeePass is now officially supported on Windows, Linux and MacOS, other flavours also exist including for mobile.

Addtionally, KeePassX began life as a Linux port for KeePass when it was only available on Windows. A cross-platform community project called KeePassXC also exists, developed in response to the KeePassX community desiring faster releases and better maintenance. These can be run on Linux, Windows and MacOS.

Price: Free

Bitwarden

Bitwarden

Bitwardenis a totally free and open source (FOSS) password manager that was built with usability and transparency in mind. Aside from being a nice-looking piece of software with features you’d expect in 2018 – sync, unlimited storage, logins, cards, identities, and secure notes, plus a password generator and two-factor authentication (2FA) options, if you’re so inclined it can be self-hosted on one of your servers.

It's available on Windows, MacOS and Linux, Android and iOS, plus Chrome, Safari, Firefox, Vivaldi, Opera, Brave, Edge, and even Tor Browser.

However, the product hasn’t received a formal full security audit to iron out any bugs that might be hiding in the code – so that might put you off compared to solutions that have had them.

The developer has said however that there are plans for a formal audit at some point, but because it’s still heavily in development mode, now is not the time.

A premium option for $10 a year is available which give you 1GB encrypted file storage plus 2FA with the open authentication standard FIDO U2F plus Duo and YubiKey.

Norton Identity Safe
© Symnatec

Norton Identity Safe

The positive with Norton Identity Safe is that it comes from a very well respected name in the security space: Symantec. Identity Safe will store and synchronise passwords across devices and supported browsers (Firefox, Chrome, IE and Safari) and via the iOS and Android apps. There is a separate password generator that can be downloaded.

Passwords are stored in the cloud and data is encrypted prior to being stored. Your master password isn't stored anywhere.

Pricing: Free mobile app once registered with a Norton account

Mooltipass

Mooltipass

If you want a truly offline password manager you might be interested in products by Mooltipass – a small device that emulates a USB keyboard to type in passwords for you on Windows, Linux, Mac, and "most" Apple and Android devices without requiring any special drivers.

The makers of Mooltipass say the tool is designed to be as easy to use for people of all technical backgrounds and ages – you just plug and play, insert your smartcode, and unlock it with your PIN. When you visit a website that needs a login the Mooltipass then sends the credentials through, either with a browser plugin or via the hardware itself.

The device contains internal flash, which holds the encrypted credentials, and the PIN-locked smartcard has the AES 256bits key required for decryption. Three false trials will permanently kill the Mooltipass card, and credentials are sent over HID.

Copyright © 2018 IDG Communications, Inc.