Staying safe and secure online has always been important but now more and more people are waking up to the fact that we need to take extra steps to protect our various accounts.
Banking online. Shopping online. Communicating online. Running a business online.
These have all rapidly become standard in today’s world. Given how embedded the internet is in our lives we need to take the necessary steps to stop people taking advantage of our online presence.
I recently put out a post explaining how to enable two factor authentication (2FA) across your accounts, including this handy checklist for enabling 2FA with Google and Slack.
Today, we’re going to look at password managers. 1Password vs LastPass vs all the rest!
In this Process Street article, we’ll look at:
- Why you should use a password manager
- The Challenge: Can third party password managers be better than your inbuilt systems?
- What do the 6 leading password managers offer and which one is right for you?
Why you should use a password manager
A password manager is obviously a security measure which you should consider implementing.
There are multiple reasons why this is a good idea. First off, between 50 and 80% of people use the same password for different sites. This makes people’s behavior predictable and therefore vulnerable: one breached site exposes every other account sharing that password.
If you have a password manager which also generates super hard to crack passwords then you avoid this issue entirely. Having one of your accounts hacked doesn’t have to result in any of your other accounts being compromised, depending on what’s been hacked.
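To make the two points above concrete, here is a small added example (not code from the article or from any of the products it reviews): a generator that draws passwords from the operating system’s cryptographic random source, an entropy estimate for the result, and a reuse audit run over a constructed sample vault. The site names and passwords in `SAMPLE_VAULT` are made up for the demonstration, and the assumption that every site accepts all printable ASCII symbols is a simplification.

```python
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Character set for generated passwords: letters, digits and punctuation.
# Assumption: the sites in the vault accept all printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password built from a CSPRNG, one independent draw per symbol.

    `secrets.choice` is used rather than `random.choice`: the latter is a
    predictable generator and must never be used for secrets.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def find_reused(credentials: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password that appears more than once to the sites sharing it.

    `credentials` maps site -> password, the shape a vault export might take.
    """
    by_password: Dict[str, List[str]] = defaultdict(list)
    for site, password in credentials.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample vault (not real credentials) illustrating the reuse problem.
SAMPLE_VAULT = {
    "bank.example": "Summer2018!",
    "shop.example": "Summer2018!",
    "mail.example": "Summer2018!",
    "forum.example": "x7#Qp]2vL!m9Rt&Kz",
}

if __name__ == "__main__":
    for pw, sites in find_reused(SAMPLE_VAULT).items():
        print(f"one password shared by {len(sites)} sites: {', '.join(sites)}")
    print("fresh password:", generate_password(20))
    print(f"entropy of a 20-symbol password over {len(ALPHABET)} symbols: "
          f"{entropy_bits(20):.1f} bits")
```

A 20-symbol password over the 94 printable ASCII characters carries about 131 bits of entropy, far beyond what any online or offline guessing attack can cover, which is why a manager that generates passwords for you removes the reuse problem rather than merely discouraging it.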
Moreover, even if you have a really solid password strategy, what about your partner or your kids or your employees or whoever happens to occupy the same digital spaces you do?
Perhaps they don’t have effective measures in place? How do we work with such imperfect humans? With a decent password manager, you can get a family or business plan whereby everyone’s accounts are protected and passwords can be shared between people securely.
This enforces good security measures on other people, meaning your personal methods are unlikely to be scuppered by someone else’s mistakes.
Of course, a password manager alone won’t simply solve all security concerns. If you forget your master password then, in the words of autocorrect, you’re “ducked”. Though, biometric access could help in these scenarios.
There’s also a bit of a debate between cloud vs local for password storage. Basically, cloud is good because it can autofill your browser with your password for an easy user experience. Plus, it’s convenient to access your passwords from anywhere on any device safe in the knowledge that losing your laptop won’t result in losing all of your access to everything.
On the other hand, local storage is much more secure. Hackers would have to target you personally and get keystroke-tracking malware onto your device in order to gain access. Never mind the difficulty of this; it just seems unlikely someone would go to all that effort. If you have a local setup but multiple devices subscribed to the service, you can send your passwords from one device to another, so they’re stored locally in more than one location.
It depends on your needs really. A tech startup or a company with an IT guy/gal could probably operate with local storage and a master user. But cloud is so convenient.
Either solution, let’s be honest, is probably secure enough for the vast majority of us. Those of you who work for presidential campaigns should seek further guidance from a security consultant.
In this Process Street article we’re going to look at 8 password management options in total. Here are the ones we’ll cover:
- Google Smart Lock
- iCloud Keychain
- 1Password
- LastPass
- Dashlane
- Keeper
- RoboForm
- KeePass
The Challenge: Can third party password managers be better than your inbuilt systems?
I find that on a day to day basis I end up using password manager systems which are already built into my existing systems.
I use Chrome as my go to browser, and this comes with Google Smart Lock. I spoke to other colleagues and some of them make use of Apple’s iCloud Keychain.
These rank among the most popular password managers out there simply because people already have them. So if they’re already in use, why should we opt for new software instead of sticking with these free options we already have?
I’m not going to make the decisions for you – you can make your own mind up about which software is best for you.
Below I’m going to list the key parameters upon which I’ll be judging the password managers and then dive into Smart Lock and Keychain to see what we’re comparing third-party tools to.
The key parameters we’ll judge on:
- Can it be used on multiple devices?
- Does it include browser extensions for autofill?
- Is it for individuals or is it business friendly?
- Can you securely share passwords?
- Does it have a built in password generator?
- Does it feature multi-factor authentication?
- Are there biometric options available?
- Has the password manager got a strong security history?
- How much does it cost?
Google Smart Lock
Definitely a convenient password manager for anyone whose work or digital activity is based around Google’s systems.
Your Chrome browser is able to sync up across devices, with Chromebooks and Android devices neatly fitting into its services. The Chrome app on iOS can service iPhone users too. This makes it pretty effective as a cross device option.
It doesn’t have a password generator, but it will remember your password when you create one for a site, provided you tap to allow it to. Its lack of a password generator is offset by the options for multi-factor authentication and single sign-on. On top of this, there are also biometrics like fingerprints, which can be done via the app.
If you’re a business utilizing Google Apps for Work Unlimited then you can access an admin panel which allows you to revoke devices or accounts if you think they’ve been tampered with, like with Gmail. The business side of Smart Lock is rapidly increasing and includes features like forcing users to have a lock or passcode on their phone.
Smart Lock is cloud storage of your passwords so you can access it anywhere, and so far Google’s security systems don’t seem to have caused too much trouble.
It’s free for anyone with a Google account to use and the premium business version comes as standard for purchasers of Google Apps for Work.
iCloud Keychain
This one’s Apple’s baby and she syncs beautifully across Apple devices.
There are two slight advantages of Keychain over Smart Lock for me:
- The ability to generate passwords
- It doesn’t just run in browsers
Now, I know Smart Lock doesn’t just run in browsers on Android phones, but for work, laptops and desktops matter more, and Apple’s products are better represented there. It’s systems like Keychain that mean once you connect your MacBook to a WiFi network, your iPhone will automatically be able to connect too.
The major downside compared to Smart Lock is that Keychain is very much a personal system. There doesn’t currently seem to be a setup for it to be used as a business tool. This is where Smart Lock adds extra value.
Other than those bits, the two systems offer pretty similar services capably providing the necessary core elements of an effective password manager.
Like Smart Lock, Keychain is free and in-built for Apple users.
What do the 6 leading password managers offer and which one is right for you?
Now let’s look at the competition.
Some of these have been around for a while. We have paid, free, and open source options below.
But will any of them still be able to prove their worth against the rapidly improving offerings of the tech giants?
1Password
1Password can be installed on Windows, Mac, iOS, Android, and used via the cloud.
It has password generators, optional autofill with the browser extension, multi-factor authentication, SSO, and offers business plans.
It has a strong reputation in the field and will hit you with a notification if they think any of your passwords might have been breached.
The business plan gives user management tools to an admin who can reset and reallocate passwords. Plus, you can share passwords by putting them into a shared vault. This is how you can pass them around family members easily and securely. For family or small team purposes, this puts 1Password in the mix.
Even better, in 2017 1Password released Travel Mode. This allowed you to mark your passwords safe for travel or not. If they’re not safe for travel then they’re removed from local storage and held in the cloud. This prevents border security officials from gaining access to certain sensitive information.
Will I ever need that feature? Unlikely. Will I use it anyway to pretend I’m a secret agent? The bookies are offering excellent odds.
Basic plan costs $2.99 per month with a business plan at $7.99. You can get a family plan at $4.99 per month which covers your family up to 5 people.
LastPass
LastPass has many of the same features as 1Password: Windows, Mac, iOS, Android, and cloud storage are all enabled.
Password generator and password sharer are included as standard. Multi-factor authentication and a GB of secure storage come with the basic personal plan.
The Family, Team, and Enterprise plans all add extra features in regards to user management, added security, and technical add-ons like API access.
However, LastPass has had a number of security issues in 2011, 2015, 2016 and 2017.
You can get the extension for free, the Premium plan for $2 a month, Family (of 6) for $4 a month, and Team and Enterprise plans for $2.42 and $4 a month respectively.
Dashlane
Dashlane is available on all the major platforms much like the other systems. It stores your passwords locally with a cloud backup and offers a password generator and autofill.
The business version allows you to share passwords and includes a central administration dashboard to manage all the users.
It has multi-factor authentication along with password reset functions and the other features we would expect. Dashlane was actually the first password manager to implement password reset back in 2014, beating LastPass to the punch by only a couple of hours. This makes it easier to respond to breaches at other sites, something Dashlane notifies you about as they happen.
If you’re really into this kind of thing, you can check out this 2016 paper from MIT titled Security Analysis of Dashlane. The researchers found minor vulnerabilities and recommended certain changes to fix the flaws.
You can get Dashlane for free for one device, which is a very good option. The premium level starts at $3.33 per month to use across devices with business plans at $4 per user.
Keeper
Keeper offers the same kinds of features as the other tools, but really emphasizes the company’s security credentials.
It uses multi-factor authentication along with biometric scans and something called Keeper DNA which can use your smartwatch to verify who you are. To me, Keeper DNA just looks like regular 2FA but with a watch. But it sure as hell does sound good.
Keeper’s hard sell on security is summed up in this quote from its website:
Information that is stored and accessed in Keeper is only accessible by the customer because it is instantly encrypted and decrypted on-the-fly on the device that is being used – even when using the Keeper Web App. The method of encryption that Keeper uses is a well-known, trusted algorithm called AES (Advanced Encryption Standard) with a 256-bit key length. Per the Committee on National Security Systems publication CNSSP-15, AES with 256-bit key-length is sufficiently secure to encrypt classified data up to TOP SECRET classification for the U.S. Government.
In this vein, the business offerings of Keeper include encrypted file storage and file sharing to secure not just logins and access, but files and ongoing work.
Despite all of this, it has had some security issues. Keeper was bundled with Windows 10 in 2017 by Microsoft but required a browser add on which had vulnerabilities. The issue was quickly fixed once exposed by Tavis Ormandy of Google. However, Keeper went on to sue Ars Technica for their reporting of the issue. While the lawsuit was ongoing, in May 2018, Keeper experienced what ZDNet described as a “security snafu” as one of Keeper’s servers was left exposed without password protection.
Pricing for personal use starts at £1.75 per month with families at £3.75. Business starts at £2.08 per month per user while enterprise comes in at £3.33. If you have over 100 people in your business, contact the sales team.
RoboForm
RoboForm has been around forever. Yet, apparently, it doesn’t have an English-language Wikipedia page. Spanish Wikipedia tells me:
RoboForm is an established password manager and form-filling application.
Started in 1999, we’re now on RoboForm 8 which has taken on a nicer user experience and design than previous versions.
RoboForm does pretty much everything you want your password manager to do: it saves passwords, offers 1-click fill, data can be hosted in the cloud or locally, passwords can be generated, two-factor authentication is there, the same encryption standards as Keeper are adhered to, files and passwords can be securely shared, and you can have family or business accounts.
You can also store notes, passwords for program applications, credit cards, form info, contacts, and bookmarks.
RoboForm has a bit of everything yet rarely gets any hype.
Well, in 2015 Paul Moore posted this article talking about a vulnerability he found in RoboForm and the company’s unwillingness to attempt to fix it claiming it couldn’t be replicated. Moore also criticized their claims of offering multi-factor authentication.
As far as I know, RoboForm 8 is a wholly different product to what existed in 2015 and I haven’t seen any mentions of vulnerability yet. But as often happens with security, trust is king.
RoboForm is free on a single device, with multiple devices available on the Everywhere plan for $1.99 a month, and family plans at $3.98 for 5 users.
The business product is priced in a confusing way where you can pay 1 year, 3 years, or 5 years up front. The most expensive is a 1-10 people company buying a year’s subscription at $29.95 per user per year. Discounts are then applied on both more users and longer upfront subscriptions.
This makes RoboForm 8 quite affordable for the business plan, it’s just hard to figure that out from how it’s presented on the pricing screen.
KeePass
KeePass is one I’m excited about simply because it’s open source and absolutely zero effort has been made to make it look sexy.
And passwords aren’t sexy. So I’m fine with that.
The following is 50% of the company’s entire marketing copy:
Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website’s FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem… A serious problem. The thief would have access to your e-mail account, website, etc. Unimaginable.
That’s it. Quickly outlining the problem. Then giving the solution. Straight to the point. Good lads.
Let’s go for the negatives first.
If you’re not a tech person then it will likely appear to be a little intimidating. It doesn’t hold your hand and walk you through the process. It isn’t here to make life easy for you.
This is particularly true when it comes to syncing devices, which you can do with the Professional edition but not the Classic edition. Classic only runs on Windows Vista through 10; the Professional edition is what you’ll need if you’re using Mac or Linux. Did I mention you need to have .NET? Because you need to be running the .NET Framework, or Mono, an open source implementation of it. It also doesn’t have a mobile app, but some third parties have pieced ones together. You could try those.
All simple so far.
The main downside from a user perspective though is that it doesn’t autosave your passwords as you create them when you’re signing up for accounts. But I suppose that isn’t the biggest deal in the world.
The upsides are that it is very powerful, can link up with browsers or applications, can be put onto a USB drive, and you can customize it all. You can also create a key file to store on a USB drive, giving yourself multi-factor authentication too.
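The key-file idea above, and the earlier warning that forgetting your master password leaves you locked out, both come down to the same mechanism: the vault key is derived from the factors you supply and is never stored anywhere. The following added example (not KeePass’s own code, and a simplification of its composite-key scheme) shows that derivation with the Python standard library: the master password and the key file are each hashed, folded into one composite secret, stretched with PBKDF2, and checked against a stored key-check value so a wrong or missing factor is detected before any decryption is attempted. The PBKDF2 round count and the `vault-key-check` label are assumptions for the demonstration, and `SAMPLE_KEY_FILE` is constructed, not a real key file.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Work factor for PBKDF2. Assumption: tune upwards for real use; kept modest here.
PBKDF2_ROUNDS = 100_000


def composite_key(master_password: str, key_file: Optional[bytes]) -> bytes:
    """Fold the master password and an optional key file into one 32-byte secret.

    Simplified from the KeePass approach: hash each factor on its own, then hash
    the concatenation. Either factor alone yields a different (useless) result.
    """
    parts = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    return hashlib.sha256(parts).digest()


def derive_vault_key(composite: bytes, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Stretch the composite secret into the 256-bit key that would encrypt the vault."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=32)


def create_vault_header(master_password: str, key_file: Optional[bytes]) -> Dict[str, bytes]:
    """Return what a vault would persist: a random salt and an HMAC key-check value.

    The key itself is not written anywhere, which is exactly why losing the
    master password (or the key file) is unrecoverable.
    """
    salt = secrets.token_bytes(16)
    key = derive_vault_key(composite_key(master_password, key_file), salt)
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def unlock(header: Dict[str, bytes], master_password: str,
           key_file: Optional[bytes]) -> Optional[bytes]:
    """Re-derive the key from the supplied factors; return it only if the check matches."""
    key = derive_vault_key(composite_key(master_password, key_file), header["salt"])
    expected = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    # Constant-time comparison so a wrong guess leaks nothing through timing.
    return key if hmac.compare_digest(expected, header["check"]) else None


# Constructed sample key file, standing in for 32 random bytes kept on a USB stick.
SAMPLE_KEY_FILE = bytes(range(32))

if __name__ == "__main__":
    header = create_vault_header("correct horse battery", SAMPLE_KEY_FILE)
    print("both factors:      ", unlock(header, "correct horse battery", SAMPLE_KEY_FILE) is not None)
    print("password only:     ", unlock(header, "correct horse battery", None) is not None)
    print("key file only:     ", unlock(header, "", SAMPLE_KEY_FILE) is not None)
    print("wrong password:    ", unlock(header, "wrong", SAMPLE_KEY_FILE) is not None)
```

Two things to notice when running it: the stored header holds nothing from which the key can be rebuilt without both factors, and the salt means two vaults protected by the same password still derive different keys, so a key-check value leaked from one vault says nothing about another.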
Many of you reading might think I’m writing a hit piece on KeePass right now, but its target audience is loving every word. KeePass is for techies, and it’s good.
The German Federal Office for Information Security, amongst others, recommends KeePass. The others include the French Network and Information Security Agency and the European Commission’s Free and Open Source Software Auditing (EU-FOSSA) project.
KeePass isn’t fancy. It does the basics and it does them well. Highly recommended for techies.
Oh, and it’s free. Always and forever free. Enjoy.
Too long; didn’t read?
I’m gonna stick with Google Smart Lock for my day to day activity and have KeePass on my device as my local backup.
1Password would be my recommendation for families given the ease of use.
For businesses, it depends on your needs. Keeper seems to offer good enterprise software but if you’re a small business running on Google products you could try Smart Lock’s business offerings.
And for you techies out there, KeePass is only a click away.
You know my favorites. What about yours? Which ones have you tried? Which did you like? Which did you hate? Let me know in the comments below!
Great Article Adam!
I thought of a scenario where you might not want to store passwords locally: if you are hit by ransomware. I have witnessed it several times where I work.
To be honest I store locally everything myself but will probably use the same strategy as you eventually.
I currently use a hodgepodge of Lastpass + Google passwords + iCloud. I have a MacBook + Android phone and also need access to PWs on Library computers or the “semi-shared” computer at work. I’ve used KeePass in the past but the cross platform integration is not as seamless as Lastpass. Did I mention I also used iCloud to generate a secure password for a site that apparently wasn’t captured by ANY of these and now I’m locked out (also not getting pw reset email for unknown reasons).
Password managers are a must these days, and I agree with the article, but please also make a review for Cyclonis password manager.
I’m using LastPass, but since you mentioned the vulnerability, this makes me a little bit worried.
“However, LastPass has had a number of security issues in 2011, 2015, 2016 and 2017.”
Adam, it is disingenuous of you to put a statement like that into your review, as it implies that LastPass is less secure. In actuality, any detailed look at the vulnerabilities you listed shows extreme competence in the response and security practices of LastPass. Does 1Password do the same level of byte-by-byte accounting of network traffic? Also, the fact that people like Project Zero are looking into vulnerabilities is overall a good thing, as the other password managers haven’t all had that level of scrutiny. Companies are encouraged not to disclose their mistakes to avoid exactly the kind of reporting you’re doing here. In reality, disclosure makes everyone safer (which is why LastPass does it) and non-disclosure makes people less safe.
Hi Neal, everything you’ve said is correct and their disclosures represent a high standard of transparency. However, it would have been remiss of me not to mention security issues in this article. Thanks for your comment!
Great article! I’m using (and loving) LastPass. I’m still in the Premium Trial period and I’m willing to buy it once the trial is over. I used to store my password at Google Chrome and iCloud, but never bothered to use iCloud’s password generator. Now I’ve changed every important password and I’m feeling much safer.
But how secure is Smart Lock from Google really? Can they see your information if they want? Those two questions alone are why I use LastPass, and why I recommend anyone to stay away from Google’s or others that don’t do the same. And unless I am wrong about Google Smart Lock’s encryption, I find it disturbing that anyone recommends it, or anything without client-side encryption.
Good article. Thanks for the feature breakdown of each PM and their pros and cons. I have been considering passing up LastPass for Google’s Smart Lock. My family had multiple bank problems. Money was transferred from my savings account to my checking account at my bank, then a charge was made against my checking account. My wife’s account was also charged, and then my father-in-law’s account had the same issue. The only common thread was my LastPass account.
I’m sorry, but I have to make a case here against Google Smart Lock. Not against the service itself…it would be great if it worked. I have Google Pixelbook and Google Pixel 3XL phone, both only three months old. You’d think if there were two devices on which Smart Lock would work…it would be these. It. Does. Not. Work.
In fact, Googling Smart Lock and all its problems will provide you with enough reading for the next six months! I’ve searched for three months for a solution to make Smart Lock work properly, but it just doesn’t. In the Google discussion forums, the threads are abundant about this topic…and the only good things I can find are about what it’s supposed to do.
Seriously, I can’t even get past having my Google Pixel phone (their latest and greatest) unlock my Google Pixelbook (also their latest and greatest). I’ve tried the stable Chrome OS channel, the beta channel, and even the developer channel…it ain’t happening. In a zillion places you can find words written about how it will eventually all work with Google’s “Better Together” program, but until Google actually launches that…it’s not better together at all.
Maybe if I just had a non-Google Android phone and a non-Google Chromebook this would work. But for now, with Google’s own devices, it’s a nice idea that can’t materialize.
Good article! Thank you for sharing
Very good article!
Thank you for telling us about the best password management apps