Top password managers compared

Unless you're living off the grid in a cabin in the woods -- and, if you're reading this, you're probably not -- you have more passwords than you can manage. They're all supposed to be long, complicated, unique, and difficult to guess. Oh, and you're supposed to change them all every three to six months.

The simple answer is to use a password management program. And, as the options below illustrate, there's a password manager out there for you regardless of your level of paranoia.

Plus, the leading options are getting pretty business-friendly, so if your company doesn't have a password management solution in place already, or is too small for one, then one of these password managers could do the job.

Dashlane

The best password manager on the market right now because of its ability to change most of your passwords with a single click, its support for-two factor authentication, and its business-friendly team functionality which allows password sharing with team members.

"Dashlane is a more recent arrival on the scene, but it gets a lot of praise in the SMB community for the user-friendliness of its interface," said Daniel Humphries, researcher at Software Advice, Inc., a Gartner company.

Dashlane costs $40 per year per user, but there's also a free version which works on one device.

"There are lots of options when it comes to password managers, and SMBs can decide whether they want to shell out major bucks for the deluxe versions or keep it free according to their own needs and priorities," said Humphries. "The good news is that you can do a lot with the free versions."

Dashlane's free version, for example, lets you try out its interface, including the password manager and the form auto-fill, and lets you share up to five logins.

Dashlane also has an emergency contact feature, so that someone you trust can step in and access all your accounts if something happens to you, plus a form filler so you don't have to type in your address all the time.

The ability to change all passwords with one click is currently unique to Dashlane, and covers more than 160 of the most popular sites, including Facebook, Twitter, LinkedIn, Pinterest, Amazon, Dropbox, and Evernote -- a useful feature if you think your accounts may have been compromised.

Password sharing allows you to control who has access to shared accounts, and revoke that access when needed. This is useful if there are multiple people with access to your company's social media accounts, for example.

Auto login works even with multi-page websites, such as bank sites. All passwords, auto-fill information, and notes are securely encrypted and saved where you choose -- locally or to the cloud.

The one thing missing is the ability to use Dashlane to log into standalone iPhone and iPad apps, though that is a problem for all password managers.

In fact, Apple only recently allowed third-party extensions to its mobile Safari app to allow password managers to fill in online passwords. Previously, iOS users had to open up their password manager apps, look up their passwords and copy-and-paste them into the form fields.

LastPass 

LastPass used to be my top recommendation, and is the system I currently use.

The company has an enterprise version, with Active Directory sync, configurable management policies, onboarding, offboarding and provisioning, and single sign-on for many popular cloud applications, including Office 365, Google Apps, Salesforce, Wordpress, and others.

It supports both software and hardware multifactor authentication, such as the YubiKey USB keyfob, toopher, and Duo Security.

Plus, LastPass throws in free credit monitoring, will generate one-time passwords for use at untrusted computers or networks, and will change your passwords for you.

LastPass has more than 10,000 corporate customers ranging in size all the way up to the Fortune 500, according to spokeswoman Cid Ferrara.

Prices range from $24 per user per year down to $18 with a volume discount.

Like Dashlane, LastPass offers to save passwords as you log into new sites. This could be an issue if the password management software is provided by the employer, and the employees are logging into personal sites.

"Care must be taken that users do not enter private personal information, such as banking logins as the company may face increased legal liability," said Randy Abrams, research director at Austin, Texas-based NSS Labs, Inc.

LastPass has a solution to this.

It offers a unique feature, the ability for employees to link their personal and company LastPass accounts, allowing easy access to both, but letting the company manage only the corporate ones.

When the employees leave their jobs, the company can wipe all the work logins -- and the personal passwords stay untouched.

I use the personal version, and find the interface clunky and uncomfortable to use and will probably be switching to Dashlane once my annual subscription expires later this spring.

For example, in LastPass, the feature to change your passwords requires that you edit each site's entry, individually, and ask LastPass generate a new password for it. It still saves a little bit of time compared to having to log into each site and navigate around to change its password, but is not as convenient as DashLane's one-click that resets all passwords at once.

For corporate deployments, however, LastPass is the strongest contender.

KeePass 

Many of our readers, however, will probably prefer KeePass for individual use.

"I prefer KeePass because it's free, open source, integrated with Windows User Account Control, and it is not a browser plug-in," said Jason Fossen, an instructor at Bethesda, MD-based SANS Institute. "It's not ideal for security to take many of your most important secrets -- your passwords and credit card numbers -- and incorporate them into the one application most likely to become infected with malware -- the browser."

KeePass is a separate utility, not a browser plug-in, he said.

"KeePass also supports PowerShell scripting for custom solutions," he added.

This is a minimalist option for those willing to give up convenience and functionality for extra security.

1Password

Another password management system that allows credential sharing is 1Password.

One user is Steve Hultquist, chief evangelist at Sunnyvale, Cal.-based RedSeal, Inc.

"I strongly recommend password generation applications that provide a secure vault for all your passwords," he said. "They allow you to automatically generate completely random strings of characters and to use unique passwords for every site, while the application allows you to automatically fill in those passwords when you visit the sites on your computer, mobile device, and apps."

Like Dashlane and LastPass, 1Password supports all major browsers, auto-fills forms, and has apps for both iOS and Android devices.

Blur

Blur's unique feature is that it doesn't just generate a long, completely random password -- it will also generate disposable email addresses for you that mask your real address.

Like the other commercial password managers, the basic version is free and the company makes money selling a premium version. With Blur, the $40 premium version also generates one-time credit card numbers with built-in spending limits to protect users against hidden charges or data breaches, and masked phone numbers for even more privacy.

"Everyone that uses the Internet should also use a password manager," said Abine CEO Rob Shavell. "Password managers are more convenient so you are guaranteed to save time each week and they help consumers be far more secure. Businesses both small and large need to start encouraging or mandating password manager use."

In addition to his own product, Blur, Shavell also recommends LastPass, 1Password and Dashlane, as well as PasswordBox, listed below.

"The top password managers now work well enough everywhere -- on your browser and on your phone and on almost all web sites -- that there is no longer any excuse not to use them, unless you want to be hacked," he said.

PasswordBox 

Recently acquired by Intel, the PasswordBox premium version is temporarily free for all customers.

Plus, the service plans to roll out something they call "True Key" functionality later on this year, which will replace the master password with biometrics such as facial recognition.

Most password managers rely on a master password -- a single password which unlocks access to the entire vault. The idea is that it's easier to remember one password, and make it a super-long, super-secure passphrase, than to try to memorize dozens, or hundreds, of individual passwords.

But a super-long passphrase is also inconvenient to type in, especially if you have your password manager set up to lock you out whenever you step away from your computer or shut down your mobile device. Which, of course, you should.

Plus, any application that relies solely on a user name and password combination is vulnerable to keystroke loggers. This is where biometrics and other multifactor authentication methods come in.

"Multifactor support is critical," said Andre Boysen, chief identity officer at North York, ON-based SecureKey Technologies Inc. "Password managers are a target because of the honeypot of access credentials."

PasswordBox claims to be the most trusted password manager, with more than 14 million downloads. By comparison, LastPass claims to have about 6 million individual users.

PasswordBox also offers the option to name an emergency contact who is allowed to use the app if something happens to you, and to securely share logins with co-workers or family members.

RoboForm 

The oldest of all the password managers on this list, RoboForm was first released at the end of 1999.

One unique feature is that it allows users to log into several sites at once -- useful for people who log into the same set of services every day. It also has a portable version, called RoboForm2Go, that you can install on a USB key.

Like other password managers, it supports all major browsers and devices and offers a choice of cloud storage for syncing across all devices, or desktop mode for storing all data locally on a single computer. But, again, you give up the convenience of being able to access your password on mobile devices and other computers.

It made this list because it has an enterprise version, with group policies, active directory integration, master password recovery, shared logins with multiple users, automatically created credentials for user or groups, and the ability to create limited-time logins.

StickyPassword

StickyPassword's unique feature is that you can avoid the cloud, yet still sync across all your devices, by using your local Wi-Fi network to keep everything up to date.

It also works from a portable USB device, supports biometrics, fills in forms, and works on all major platforms, browsers, and devices.

The premium version is the one that supports Wi-Fi sync, is just $20 a year, making this one of the less expensive commercial products on this list.

The company currently claims to have 2 million users. In addition, StickyPassword is the technology behind VIPRE Password Vault from ThreatTrack Security and powers the Kaspersky Password Manager.

The lack of an enterprise version might make it less suitable for business use.

"If a company is going to use a password manager they need to make sure they have the level of remote manageability that is appropriate for their environment," said Randy Abrams, research director at Austin, Texas-based NSS Labs, Inc.

Tags GartnerAccess control and authenticationIdentity & Accesspassword managersDashlane

Show Comments