The Ultimate Password Manager: 1Password vs LastPass vs KeePass vs RoboForm

Staying safe and secure online has always been important but now more and more people are waking up to the fact that we need to take extra steps to protect our various accounts.

Banking online. Shopping online. Communicating online. Running a business online.

These have all rapidly become standard in today’s world. Given how embedded the internet is in our lives we need to take the necessary steps to stop people taking advantage of our online presence.

I recently put out a post explaining how to enable two factor authentication (2FA) across your accounts, including this handy checklist for enabling 2FA with Google and Slack.

Today, we’re going to look at password managers. 1Password vs LastPass vs all the rest!

In this Process Street article, we’ll look at:

• Why you should use a password manager
• The Challenge: Can third party password managers be better than your inbuilt systems?
• What do the 6 leading password managers offer and which one is right for you?

Why you should use a password manager

A password manager is obviously a security measure which you should consider implementing.

There are multiple reasons why this is a good idea. First off, between 50 and 80% of people use the same password for different sites. This makes people’s behavior predictable and therefore vulnerable.

If you have a password manager which also generates super hard to crack passwords then you avoid this issue entirely. Having one of your accounts hacked doesn’t have to result in any of your other accounts being compromised, depending on what’s been hacked.

Moreover, even if you have a really solid password strategy, what about your partner or your kids or your employees or whoever happens to occupy the same digital spaces you do?

Perhaps they don’t have effective measures in place? How do we work with such imperfect humans? With a decent password manager, you can get a family or business plan whereby everyone’s accounts are protected and passwords can be shared between people securely.

This enforces good security measures on other people, meaning your personal methods are unlikely to be scuppered by someone else’s mistakes.

Of course, a password manager alone won’t simply solve all security concerns. If you forget your master password then, in the words of autocorrect, you’re “ducked”. Though, biometric access could help in these scenarios.

There’s also a bit of a debate between cloud vs local for password storage. Basically, cloud is good because it can autofill your browser with your password for an easy user experience. Plus, it’s convenient to access your passwords from anywhere on any device safe in the knowledge that losing your laptop won’t result in losing all of your access to everything.

On the other hand, local storage is much more secure. Hackers would have to want to target you personally and get keystroke tracking malware on to your device in order to gain access. Nevermind the difficulties of this, it just seems unlikely someone is going to go to all that effort. If you have a local setup but multiple devices subscribed to the service then you can send your passwords from one device to another – so they’re stored locally in more than one location.

It depends on your needs really. A tech startup or a company with an IT guy/gal could probably operate with local storage and a master user. But cloud is so convenient.

Either solution, let’s be honest, is probably secure enough for the vast majority of us. Those of you who work for presidential campaigns should seek further guidance from a security consultant.

In this Process Street article we’re going to look at 8 password management options in total. Here are your quicklinks for the ones we’ll cover:

• iCloud Keychain
• Google Smart Lock
• 1Password
• LastPass
• Dashlane
• Keeper
• RoboForm
• KeePass

The Challenge: Can third party password managers be better than your inbuilt systems?

I find that on a day to day basis I end up using password manager systems which are already built into my existing systems.

I use Chrome as my go to browser, and this comes with Google Smart Lock. I spoke to other colleagues and some of them make use of Apple’s iCloud Keychain.

These rank among the most popular password managers out there simply because people already have them. So if they’re already in use, why should we opt for new software instead of sticking with these free options we already have?

I’m not going to make the decisions for you – you can make your own mind up about which software is best for you.

Below I’m going to list the key parameters upon which I’ll be judging the password managers and then dive into Smart Lock and Keychain to see what we’re comparing 3rd party tools to.

Check it.

The key parameters we’ll judge on:

• Can it be used on multiple devices?
• Does it include browser extensions for autofill?
• Is it for individuals or is it business friendly?
• Can you securely share passwords?
• Does it have a built in password generator?
• Does it feature multi-factor authentication?
• Are there biometric options available?
• Has the password manager got a strong security history?
• How much does it cost?

Google Smart Lock

Definitely a convenient password manager for anyone whose work or digital activity is based around Google’s systems.

Your Chrome browser is able to sync up across devices, with Chromebooks and Android devices neatly fitting into its services. The Chrome app on iOS can service iPhone users too. This makes it pretty effective as a cross device option.

It doesn’t have a password generator but it will remember your password when you create one for a site provided you tap to allow it to. It’s lack of a password generator is offset by the options for multi-factor authentication and single sign on. On top of this, there are also biometrics like fingerprints which can be done via the app.

If you’re a business utilizing Google Apps for Work Unlimited then you can access an admin panel which allows you to revoke devices or accounts if you think they’ve been tampered with, like with Gmail. The business side of Smart Lock is rapidly increasing and includes features like forcing users to have a lock or passcode on their phone.

Smart Lock is cloud storage of your passwords so you can access it anywhere, and so far Google’s security systems don’t seem to have caused too much trouble.

It’s free for anyone with a Google account to use and the premium business version comes as standard for purchasers of Google Apps for Work.

iCloud Keychain

This one’s Apple’s baby and she syncs beautifully across Apple devices.

There are two slight advantages of Keychain against smart lock for me:

• The ability to generate passwords
• It doesn’t just run in browsers

Now, I know Smart Lock doesn’t just run in browsers in the context of Android phones, but for work things laptops and desktops are more important and Apple’s products more well represented. It’s systems like Keychain which mean that once you connect your MacBook to a WiFi network you’re iPhone will automatically be able to connect too.

Convenient stuff.

The major downside compared to Smart Lock is that Keychain is very much a personal system. There doesn’t currently seem to be a setup for it to be used as a business tool. This is where Smart Lock adds extra value.

Other than those bits, the two systems offer pretty similar services capably providing the necessary core elements of an effective password manager.

Like Smart Lock, Keychain is free and in-built for Apple users.

What do the 6 leading password managers offer and which one is right for you?

Now let’s look at the competition.

Some of these have been around for a while. We have paid, free, and open source options below.

But will any of them still be able to prove their worth against the rapidly improving offerings of our tech giant manoeuvres?

1Password

1Password can be installed on Windows, Mac, iOS, Android, and used via the cloud.

It has password generators, optional autofill with the browser extension, multi-factor authentication, SSO, and offers business plans.

It has a strong reputation in the field and will hit you with a notification if they think any of your passwords might have been breached.

The business plan gives user management tools to an admin who can reset and reallocate passwords. Plus, you can share passwords by putting them into a shared vault. This is how you can pass them around family members easily and securely. For family or small team purposes, this puts 1Password in the mix.

Even better, in 2017 1Password released Travel Mode. This allowed you to mark your passwords safe for travel or not. If they’re not safe for travel then they’re removed from local storage and held in the cloud. This prevents border security officials from gaining access to certain sensitive information.

Will I ever need that feature? Unlikely. Will I use it anyway to pretend I’m a secret agent? The bookies are offering excellent odds.

Basic plan costs $2.99 per month with a business plan at $7.99. You can get a family plan at $4.99 per month which covers your family up to 5 people.

LastPass

LastPass has many of the same features as 1Password: Windows, Mac, iOS, Android, and cloud storage are all enabled.

Password generator and password sharer are included as standard. Multi-factor authentication and a GB of secure storage come with the basic personal plan.

The Family, Team, and Enterprise plans all add on extra features in regards to user management, added security, and technical add ons like API access.

However, LastPass has had a number of security issues in 2011, 2015, 2016 and 2017.

You can get the extension for free, the Premium plan for $2 a month, Family (of 6) for $4 a month, and Team and Enterprise plans for $2.42 and $4 a month respectively.

Dashlane

Dashlane is available on all the major platforms much like the other systems. It stores your passwords locally with a cloud backup and offers a password generator and autofill.

The business version allows you to share passwords and includes a central administration dashboard to manage all the users.

It has multi-factor authentication along with password reset functions and the other features we would expect. Dashlane were actually the first password manager to implement password reset back in 2014, beating LastPass to the punch by only a couple of hours. This system makes it easier to control against breaches in other sites – something Dashlane notify you about as it happens.

If you’re really into this kind of thing, you can check out this 2016 paper from MIT titled Security Analysis of Dashlane. The researchers found minor vulnerabilities and recommended certain changes to fix the flaws.

You can get Dashlane for free for one device, which is a very good option. The premium level starts at $3.33 per month to use across devices with business plans at $4 per user.

Keeper

Keeper offers the same kinds of features as the other tools, but really emphasise the company’s security credentials.

It uses multi-factor authentication along with biometric scans and something called Keeper DNA which can use your smartwatch to verify who you are. To me, Keeper DNA just looks like regular 2FA but with a watch. But it sure as hell does sound good.

Keeper’s hard sell on security is summed up in this quote from its website:

Information that is stored and accessed in Keeper is only accessible by the customer because it is instantly encrypted and decrypted on-the-fly on the device that is being used – even when using the Keeper Web App. The method of encryption that Keeper uses is a well-known, trusted algorithm called AES (Advanced Encryption Standard) with a 256-bit key length. Per the Committee on National Security Systems publication CNSSP-15, AES with 256-bit key-length is sufficiently secure to encrypt classified data up to TOP SECRET classification for the U.S. Government.

In this vein, the business offerings of Keeper include encrypted file storage and file sharing to secure not just logins and access, but files and ongoing work.

Despite all of this, it has had some security issues. Keeper was bundled with Windows 10 in 2017 by Microsoft but required a browser add on which had vulnerabilities. The issue was quickly fixed once exposed by Tavis Ormandy of Google. However, Keeper went on to sue Ars Technica for their reporting of the issue. While the lawsuit was ongoing, in May 2018, Keeper experienced what ZDNet described as a “security snafu” as one of Keeper’s servers was left exposed without password protection.

Pricing for personal use starts at £1.75 per month with families at £3.75. Business starts at £2.08 per month per user while enterprise comes in at £3.33. If you have over 100 people in your business, contact the sales team.

RoboForm

RoboForm has been around forever. Yet, apparently doesn’t have an English language Wikipedia page. Spanish Wikipedia tells me:

RoboForm es un establecido gerente de contraseñas y aplicación de llena formularios.

Started in 1999, we’re now on RoboForm 8 which has taken on a nicer user experience and design than previous versions.

RoboForm does pretty much everything you want your password manager to do: saves passwords, 1-click fill, data can be hosted in the cloud or locally, passwords can be generated, 2 factor authentication is there, the same encryption standards as Keeper are adhered to, files and passwords can be securely shared, and you can have family or business accounts.

You can also store notes, passwords for program applications, credit cards, form info, contacts, and bookmarks.

RoboForm has a bit of everything yet rarely gets any hype.

Why?

Well, in 2015 Paul Moore posted this article talking about a vulnerability he found in RoboForm and the company’s unwillingness to attempt to fix it claiming it couldn’t be replicated. Moore also criticized their claims of offering multi-factor authentication.

As far as I know, RoboForm 8 is a wholly different product to what existed in 2015 and I haven’t seen any mentions of vulnerability yet. But as often happens with security, trust is king.

RoboForm is free on a single device, with multiple devices available on the Everywhere plan for $1.99 a month, and family plans at $3.98 for 5 users.

The business product is priced in a confusing way where you can pay 1 year, 3 years, or 5 years up front. The most expensive is a 1-10 people company buying a year’s subscription at $29.95 per user per year. Discounts are then applied on both more users and longer upfront subscriptions.

This makes RoboForm 8 quite affordable for the business plan, it’s just hard to figure that out from how it’s presented on the pricing screen.

KeePass

KeePass is one I’m excited about simply because it’s open source and absolutely zero effort has been made to make it look sexy.

And passwords aren’t sexy. So I’m fine with that.

The following is 50% of the company’s entire marketing copy:

Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website’s FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem… A serious problem. The thief would have access to your e-mail account, website, etc. Unimaginable.

That’s it. Quickly outlining the problem. Then giving the solution. Straight to the point. Good lads.

Let’s go for the negatives first.

If you’re not a tech person then it will likely appear to be a little intimidating. It doesn’t hold your hand and walk you through the process. It isn’t here to make life easy for you.

This is particularly true when it comes to syncing devices. Which you can do with the Professional edition not the Classic edition. Classic only runs on Windows Vista through 10. The Professional one is what you’ll need if you’re using Mac or Linux. Did I mention you need to have .NET? Because you need to be running the .NET framework. Or Mono, an open source version. It also doesn’t have a mobile app. But some third parties have pieced ones together. You could try those.

All simple so far.

The main downside from a user perspective though is that it doesn’t autosave your passwords as you create them when you’re signing up for accounts. But I suppose that isn’t the biggest deal in the world.

The upsides are that it is very powerful, can link up with browsers or applications, can be put onto a USB drive, and you can customize it all. You can create a Keypass to store on a USB to give yourself multi-factor authentication too.

Many of you reading might think I’m writing a hit piece on KeePass right now, but its target audience is loving every word. KeePass is for techies and its good.

The German Federal Office for Information Security, amongst others, recommend KeePass. The others include the French Network and Information Security Agency and the European Commission’s Free and Open Source Software Auditing (EU-FOSSA) project.

KeePass isn’t fancy. It does the basics and it does them well. Highly recommend for techies.

Oh, and it’s free. Always and forever free. Enjoy.

Too long; didn’t read?

I’m gonna stick with Google Smart Lock for my day to day activity and have KeePass on my device as my local backup.

1Password would be my recommendation for families given the ease of use.

For businesses, it depends on your needs. Keeper seems to offer good enterprise software but if you’re a small business running on Google products you could try Smart Lock’s business offerings.

And for you techies out there, KeePass is only a click away.

You know my favorites. What about yours? Which ones have you tried? Which did you like? Which did you hate? Let me know in the comments below!