Password Managers: A Review
Why You Should Read This
Why would you want to read a review about password managers? I was thinking about all the scams out there and how hackers want to steal our money, get into our computers and bank accounts. Like many of you, I have done some things to protect myself, but I know that’s just not good enough. My brother has been in computers since – well a LONG time. I saw a post he wrote on FB recently and asked him to write a guest blog. While he’s retired now, he still volunteers to help others in his community with their electronic devices. He is very knowledgeable. So without any further chit-chat, here’s what he wrote:
Password Managers
What is a Password Manager?
Password managers for your computers store your login information for all the websites you use and help you log into them automatically. They encrypt your password database with a master password – the master password is the only one you need to remember.
Passwords – What Most People Do
Now, a word about the passwords you use. Password reuse is a serious problem because of the many password leaks that occur each year, even on large websites. When your password is leaked (or compromised), malicious individuals have access to some or all of your data, to include your login information and anything else you’ve chosen to put into accounts.
Make Them Unique
To prevent password leaks from being so damaging, you should use unique passwords on every website you have a login with. These should also be strong passwords – long, unpredictable passwords that contain numbers and symbols.
But How Do I Remember Them?
Web geeks can have hundreds of accounts to keep track of, while even the average person is likely to have dozens of different passwords. Remembering such strong passwords is nearly impossible without resorting to some sort of trick – or having a photographic memory. The ideal trick is a password manager that generates secure, random passwords for you and remembers them so you don’t have to.
How does a password manager work?
Once you’ve chosen the application and registered your account with them, you will have created a master password. This should be the only password you need to actually remember because to gain access to your password manager – you’ll need to log into it. Still, you should try using a long and strong password that you can remember.
“Strong Password”
Wait – you keep saying “strong” for a password – what does strong mean? Strong is referring to a password that is very secure and would be quite difficult, if not impossible to crack. A strong password is long in length, has gibberish for the content, and uses a combination of upper and lower case letters, numbers and special characters. So, think about using a password with 24 characters that would be nearly impossible to remember – and certainly not one you could pronounce. Did you know (and you can do an Internet search on this very topic) that the most popular passwords used include ‘123456’, ‘password’, ‘qwerty’ and others? These can be hacked in seconds with a password cracker program (these are easily found on the Internet by the way).
A Random Password Generator
Most good password managers provide a random password generator in their application. You should be able to choose the length and content of that password before generating it. If you’re not seeing the options to do these things with the password generator provided – consider using another one that can be found online (just search for ‘password generator’ and you’ll get quite a few choices). I use one that is named ‘Secure Password Generator’ and can be found at this URL: https://passwordsgenerator.net/
With this password generator, I can choose the password length and decide if I want to include symbols, numbers, upper case, lower case, and to exclude similar characters (these are the ones that can be confusing – is it the letter ‘O’ or a zero ‘0’….is it the small letter ‘l’ or the number ‘1’….and so forth). Once I choose my criteria, I click Generate Password. The new password is displayed; highlight it, copy it, and then go back to your password manager application and paste it accordingly.
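What a generator does with the options described above, shown as an added example (it is not code from the site mentioned or from any password manager). It draws characters from the operating system's secure random source on your own machine. The function names and the exact set of "similar" characters are assumptions of this example.

```python
import math
import secrets
import string

# Characters treated as "similar" (easy to confuse when read or typed).
# The page names O/0 and l/1; the rest of this set is this example's choice.
SIMILAR = set("O0oIl1|")


def build_classes(lower=True, upper=True, digits=True, symbols=True,
                  exclude_similar=True):
    """Return the character classes selected by the caller's options."""
    classes = []
    if lower:
        classes.append(string.ascii_lowercase)
    if upper:
        classes.append(string.ascii_uppercase)
    if digits:
        classes.append(string.digits)
    if symbols:
        classes.append(string.punctuation)
    if exclude_similar:
        classes = ["".join(c for c in cls if c not in SIMILAR)
                   for cls in classes]
    classes = [cls for cls in classes if cls]
    if not classes:
        raise ValueError("select at least one character class")
    return classes


def generate_password(length=24, **options):
    """Generate a random password containing every selected class."""
    classes = build_classes(**options)
    if length < len(classes):
        raise ValueError("length too short to include every selected class")
    alphabet = "".join(classes)
    # Rejection sampling: draw every character uniformly with the CSPRNG and
    # retry until each selected class appears, so no position is predictable.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length, **options):
    """Upper bound on entropy in bits: length * log2(alphabet size).

    The bound only holds for randomly generated passwords; a human-chosen
    string such as '123456' is far weaker than its length suggests.
    """
    alphabet = "".join(build_classes(**options))
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    print(generate_password(24))
    print(f"24 chars, all classes: {entropy_bits(24):.1f} bits")
    print("6 digits: "
          f"{entropy_bits(6, lower=False, upper=False, symbols=False, exclude_similar=False):.1f} bits")
```
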
Using Your Password Generator
Each password manager application, once it’s running, should prompt you to save a login to an account when you log in the first time. You also have the option to create entries in your account by simply creating new entries. Then, once your login information for that account is stored in your account – when you visit the site of your choice and are ready to log in – your password manager should log you in automatically. (Note: some password managers require you to click on a pop-up to a login page instead of logging you in automatically).
Noted Pros and Cons
It should be noted that every application listed here has its pros and cons, and every one of them has fans of that application and then people who want nothing to do with it – for whatever reason. To each their own! You should look at reviews online for any application (password managers or not) and decide if this is the one for you. Use your own judgment too! Many reviews may be from people who work for that company and are putting out positive reviews. Many reviews may be from people who work for competitors to another company’s software and put out negative reviews. You should consider checking different websites for their reviews of a product and not rely on just one site. The more popular review sites for computer software include: PCMag, Software Advice, Capterra, and my favorite – Top Ten Reviews. One that should be highly considered for reviews is the Consumer Affairs website. I think you’ll get the most accurate reviews there, but reviews are limited as this site is not used as much as it should be. Also, there are many webpages that offer wonderful (and biased) reviews in favor of software because they include affiliate links to that software. They are hoping you’ll use that link to access that company’s website and maybe even purchase that product. This review site makes money off you for using that link to click to the company’s website and even more money should you purchase the product. Kinda hard to trust someone if they are bragging up a piece of software with the main intent of putting money in their pocket. My suggestion is to look at many reviews, then go directly to the company’s website on your own – don’t use links within websites.
Password Managers I Don’t Recommend
It should also be noted that one should not even consider using a password manager that comes along with your web browser – Chrome, Edge, Firefox, Safari, and others. All of these have integrated password managers and shouldn’t be a problem, right? Wrong! Each browser’s built-in password manager cannot compete with dedicated password managers. For one thing, Chrome and Edge store your passwords on your computer in an unencrypted form. Firefox’s password manager isn’t the ideal solution either. The interface doesn’t help you generate random passwords and it lacks various features, such as cross-platform syncing.
Password Files On Your Computer
People could access the password files on your computer and view them, unless of course – you encrypt them on your own. How can someone access your password file? Well, if one knows where to look (easy enough to find), then that file can be accessed should you walk away from your computer for a time and not lock it. For another – and are you ready for this – if you’re using public wi-fi, a hotspot that is not secured properly – then someone who knows how can access your computer if they are using that same hotspot.
For Example: There is a coffee shop in my town with a public wi-fi available and it has been discovered how insecure it is – they simply have not put in the security measures needed to protect people’s computers when they are using that hotspot. A person on one side of the coffee shop can actually gain access to someone else’s computer within that coffee shop. I’ve seen it and it has been brought to the attention of management – and nothing has been changed. They say that putting more secure measures on their wi-fi would cause an inconvenience to their customers in logging into that wi-fi. So, instead they are okay that everyone’s computer is insecure and vulnerable to being accessed. I don’t use my laptop there at all.
How Do I Start?
Before we get started…
…please take note that no computer or software is completely safe. Any computer or software product can be hacked into if someone knows how to do it. Even with the most secure measures, there are people smart enough to find holes in the security and exploit them – for whatever reason. Then too, you have to trust the company you use for your data – any data. Is that data being sold by the company you hope to trust, and to whom, and for what reason? Companies like Facebook and Google have been in the news a lot in recent years because people’s data, their personal information, has been sold to other companies for a profit. Nice, huh? Not! Then there are the people who work at certain companies and have access to people’s data files – then do something not right with that data…again, for whatever reason. At some point you’ll have to trust companies for the various things you use on your computer – to include password managers.
Review of the Popular Password Managers
So, let’s get down to the more popular applications available for password managers. I’m going to list them in alphabetical order and tell you a little about the application, then the pros and cons to it.
Ready?
1Password:
This application offers a number of extras. In addition to managing passwords, it can act as an authentication app, like Google Authenticator. It also adds a secret key to the encryption key it uses, meaning nobody can decrypt your passwords without that key. (The downside is that if you lose this key, no one, not even 1Password, can decrypt your passwords.)
Cost: No free version found, $36.00 per year for one device, $60.00 per year for the families version
Trial period offered: Free for 30 days
Dashlane:
They have extensions for every browser, so no matter which browser you use – Dashlane should work with it. There is a free version and a premium version. Dashlane stores your passwords on your device – not in the cloud. While this may seem more secure, if you use your password manager program on multiple devices – you will have to keep individual files up-to-date…they will not be synced like when using cloud services.
(Personal note: I’ve tried Dashlane and it is a wonderful product; however, if using the premium version (the free one doesn’t offer things I wanted to use), it is one of the more expensive applications around for a password manager. One of the features in the premium version is that a VPN comes with it. A VPN, or Virtual Private Network, is a connection method used to add security and privacy to private and public networks. This helps with that aforementioned coffee shop – to add a layer of security on a public hotspot. I found that when I had the VPN activated, my Microsoft Outlook email wouldn’t work correctly. Dashlane was finding many-to-most of my emails, because of words in a subject line for example, to be insecure – then Dashlane would not only block the emails but actually blocked Outlook entirely. Working with the folks at Dashlane – nothing could be worked out to alleviate this. Dashlane eventually said it’s a Microsoft problem. Microsoft said it was a Dashlane problem. I was still within the 30-day trial period (highly recommend you do this with any software) and asked for my money back. Dashlane did that for me.)
Cost: Free (limited to 50 accounts), $60.00 per year for the premium version, and $120.00 per year for the Premium Plus version (offers credit monitoring, identity restoration support and theft insurance)
Trial period offered: Free for 30 days
KeePass:
This is another application that stores your files on your computer rather than in the cloud. Your choice again – using a cloud-based application or not. KeePass has browser extensions and mobile apps for managing your passwords. With this application, you are the one responsible for your passwords and you’ll likely have to sync them between devices manually.
Cost: Free (this is an open-source program and will always be free as long as it remains open-source)
Trial period offered: Not applicable
Keychain:
https://support.apple.com/en-us/HT204085
This is an Apple product and like most any Apple product – you are extremely limited in functionality and accessibility should you venture away from anything not Apple. So, if you live in the world of Apple computers, this may be a good product for you, but if you venture into syncing with a Windows device or use the Chrome or Firefox browsers – then Keychain comes up way short.
(Personal note: I used Keychain for a time, but found it to be very limiting as it did not work outside of an Apple device. That was my desire so if you’re only using Apple devices, you might be happy with it. I did find that syncing it from the Mac computer I owned at the time to an iPhone (an Apple device) was a problem in that I had to manually sync the two devices whenever I updated the password file. This was a real pain in that I’d sometimes make the change from my iPhone and forget to sync the file once back on my Mac computer. Apple support was useless and I never got this issue resolved.)
Cost: Free (remember it only works on Apple devices)
Trial period offered: Not applicable
LastPass:
This is a cloud-based password manager with extensions, mobile apps, and even desktop apps for all the browsers and operating systems you could want. It offers two-factor authentication (highly recommended) to ensure no one else can log into your password vault.
(Personal note: I used LastPass for years and gave up on it in 2017. Why? I was finding some functionality not working as it was supposed to. One was the feature they brag about – to be able to back up one’s password manager file to a .csv file that can be viewed in Microsoft Excel and can be used to recover the online file – if needed. That function stopped working and I could no longer create backups. LastPass support staff was of no help with this. The bigger issue is that LastPass has been hacked into and had security compromises numerous times over the years. It happens, right? However, the frequency and severity were increasing and I could no longer trust this application. They have also had numerous ‘bugs’ in their software these past few years and that has affected their customers.)
Cost: Free (limited functionality), $36.00 per year for one user, $48.00 per year for up to 6 users
Trial period offered: 30 days
Roboform:
This may be one of the most secure password managers available. This application not only stores your password information, but it can also save information on your credit cards (not ever recommended – not with any password manager), notes, identities, contacts, bookmarks, and non-browser applications. Because this is a cloud-based service, you can log into your password file from any device.
One fault to Roboform is that it is not the most user-friendly. While the interface is up-to-date and there aren’t any egregious design errors, there are too many options that won’t pertain to the majority of users. If you’re looking for a lot of features and are a little more on the tech-savvy side of life – you’ll love this application. Even if you’re not the most tech-savvy….Roboform offers a very secure, maybe the most secure, way to use a password manager program.
Like most other applications listed here, Roboform offers two-factor authentication.
The support from the help center at Roboform is rated the best of any support centers for password manager applications.
One irritant that some users don’t like is that every 14 days, you’ll get a pop-up stating your free trial is over. This is simply a marketing tool by Roboform to get you to consider paying for one of the premium versions. You can just click to shut down the pop-up and wait another 14 days for it to show up again. A small price to pay for such a wonderful free program.
(Personal note: I’ve tried and used maybe ten different password managers over the past decade or more. Some, like LastPass, I was with for years. All have their own pros and cons, but I’ve come to find that Roboform is the best password manager on the market today. Don’t let the geeky offerings scare you off – this application will work for you. There is plenty of help in the documentation you can view or simply contact their support staff to help you get things set up the way you want.)
Cost: Free for a single user, $24.00 per year for unlimited devices for a single user, $48.00 per year for up to five users, and $30.00 per year for the business edition
Trial period offered: 30 days
Sticky Password:
https://www.stickypassword.com/
This program remembers all your passwords and logins, automatically fills out forms, generates super-strong passwords, keeps your credit card information, protects your private notes, syncs and encrypts data across your devices, works on all your devices and supports 16 browsers, and even works on USB and memory cards. Many of these things are offered by the programs listed above.
Cost: Free (with limited functionality), $30.00 per year for one user, or $200.00 for lifetime access
Trial period offered: 30 days
Some final notes
- Do your research by checking reviews of the various applications. Don’t take one review site at its word – not even what I’ve shared here with you today. You should determine what application is best for you – functionality, features, cost, and especially the security of the application.
- Be prepared that some password managers, when certain functions are activated, may cause problems with other programs you have on your computer. As stated above, when the VPN on Dashlane was activated, it caused problems with the email in Microsoft Outlook.
- Some programs require more manual intervention to use. If you’re looking for a password manager to automatically fill in your login information – be sure that it truly does.
- Be aware that some anti-virus or malware programs will actually think that your password manager is a problem.
- Look for a program that allows you to globally change all your passwords every now and again. It is recommended, even with super-strong passwords, that those passwords be changed every so often. If you’re using a super-strong password – consider that task to be included in your New Year’s resolution each year. By the way, many password manager applications don’t offer this feature….one would have to update each logon manually. This can be a pain if you have a lot of accounts (I have more than 200).
- Absolutely, positively back up your password file. If a company doesn’t allow you to do that – then you might want to do one of two things: either choose a company that does afford you to back up that file or keep a separate document on your computer with this information. Redundant – why keep a document and then use a password manager? Because the document is there only as a backup, the password manager allows for the functionality. You don’t have to copy and paste or manually enter login information from your document to the logon screen.
- Consider allowing your password manager login information, the master login, to be shared or stored in a place where a trusted member of your family (or friend) has access to it. Should something happen to you, all those accounts that may have financial information associated with them should be closed out. That family member (or friend) can deal with that if they have access to your password manager. I’m talking about banks, credit cards, retail stores, online shopping, etc. These may be accounts that have your financial information. Some websites, like Facebook, Google and others should be closed out too. Companies that require logins and not associated with something financial (like magazines, news sites, businesses, organizations, etc) can either be closed out too – or just left to expire.
- Don’t get caught up with people who are against using cloud-based services. The cloud has been around for years and is being used in many ways – not just for backups or password manager programs….but in many ways. You should be more concerned as to how each company handles your data. As to companies that use the cloud, here is just a very small listing of them:
  - Adobe
  - Amazon
  - Apple
  - eBay
  - Microsoft
  - Target
  - Walmart
  - Nearly every social media site
  - Nearly every photo-sharing site
  - Every company offering cloud-based backup services
  - and on and on and on….the cloud-based services are here to stay for some time
- Here are just some of the issues found in 2019 with some password managers:
  - 1Password – Less secure than previous versions as they are storing all passwords in plain text in memory while locking and not removing them until the program is shut down. Passwords can be extracted by way of a memory leak.
  - Dashlane – Exposes all securely stored user passwords in plain text whenever a user updates any information through the user interface.
  - KeePass – Scrubs master passwords from memory after use, but has exploitable memory leak errors that expose plain text passwords.
  - LastPass – Fails to scrub plain text database entries from memory when a user unlocks and re-locks their account.
- None of these are issues or problems with the cloud – they are issues and problems with how those companies are handling your data. One would like to think that companies of a larger size and with many customers would take action to fix these problems; however, companies like LastPass have repeatedly failed to fix problems over the past few years. It is no wonder then why the data stored by that company continues to be hacked into.
- For your security to any website or application that stores your personal information – you should consider using two-factor authentication.
Personal Note from the Author
This review of password managers comes from me, having used different password managers for more than a decade. I’m someone who worked in the Information Technology field for 30 years, has owned my own business for five years helping people with their IT tasks, has owned home computers for 35+ years, currently volunteers helping seniors with their IT problems/issues/questions, and has built (and maintains) for free the websites of some organizations worthy of having a website but not able to afford the cost of a webmaster. I don’t profess to be an expert at anything and if anyone tells you they are, especially in the IT field which changes daily, then that should raise a red flag with you.
My sister, who owns and operates The Industrious Homemaker™ business, has asked me to share this information with you.
From Linda: Unlike most review sites, neither of us earns any money if you click on one of the above links. We’re not affiliates. We don’t get kick-backs. This is just an honest review for your benefit and safety.
Be safe always, especially this shopping season.