1Password and KeePass lead the field in features, flexibility, browser integration, and ease-of-use
I hate passwords. I hate coming up with them. I hate remembering them. I hate mistyping them four times in a row. And I hate getting locked out of whatever I'm trying to log into in the process.
That said, I hate being hacked only slightly more, so I've done my part to use passwords that aren't "password123" or something equally foolish. The hard part is keeping them straight, which I could do by writing them down -- but isn't that a security hole all over again? Heck, I've known that since I was a kid. I saw "WarGames."
Password vaults, aka password safes or password managers, help solve this problem. They give you a central place to store all your passwords, encrypted and protected by a passphrase or token that you provide. This way, you have to memorize a single password -- the one for your password vault. All the other passwords you use can be as long and complex as possible, even randomly generated, and you don't have to worry about remembering them.
If having your passwords in a single encrypted store were all you needed, then a password-protected Microsoft Word document would do the trick. There has to be an easier way. One of the reasons I looked at these password vaults -- a total of seven -- was to see how easy it was to work with them over an extended period of time. If they didn't provide much more convenience over simply copying and pasting passwords from a text file, they'd hardly be worth using.
Here's what I found. To keep the list manageable, I've focused on programs that have both a desktop and a mobile version available, with the desktop taking precedence.
KeePass and 1Password stood out as the best of the bunch for slightly different reasons. KeePass is free open source software with a large community of users and add-ons behind it. But most important, KeePass has been written with a good sense for how people need to interact with the program every single day. 1Password, priced at $49.99, is even better in that respect. It's polished, powerful, closely integrated with your browser, and easy to keep in sync with your mobile devices.
RoboForm, a longtime presence in this field, is a close contender for the top choice as well, thanks to many of its unique features, such as an intelligent form-filling function (for name/address forms) and the ability to work with other kinds of applications apart from Web browsers.
LastPass, available in a free version or a premium version that costs $12 per year, is a close runner-up, falling behind KeePass and 1Password only because using any mobile version of the product requires the paid account. That said, what it provides even in the free version is hugely useful, as long as you don't mind working directly in a browser to manage your passwords (I imagine most people won't).
The other password managers reviewed here are less compelling. Password Safe isn't bad, but it falls short in a lot of little ways compared to KeePass and especially 1Password. SplashID and Keeper are the weakest of the bunch; SplashID is only slightly more useful thanks to its Internet Explorer plug-in.
1Password
The big appeal of 1Password lies in its excellent browser-integration features and its ability to store more than just password data. A 1Password repository can hold wallet items (credit cards, bank accounts), software licenses, user-identity credentials (vCards), and so on. While KeePass has a vaguely similar feature that allows you to attach arbitrary string values to a given database entry, 1Password implements this sort of safe-storage function a lot more effectively out of the box.
1Password's database can be populated either by inputting entries by hand or by having 1Password's browser plug-in add them automatically whenever you log into a site. This last mechanism most closely resembles the automatic password-saving feature that already exists in Firefox and Chrome; if you're familiar with how that works, then using 1Password will be a snap.
When you want to automatically supply a username and password for a given website, you press a special global command key. It's normally Ctrl-\, but you can change that to most anything. If there's no direct match for the site in question, 1Password lets you pick an existing username/password pair or create one.
Browser plug-ins are available for Internet Explorer 7 and up, Chrome "stable" versions, Firefox 3 and up, and Safari 5.1 and up. When the plug-in's icon is clicked or when it's summoned with 1Password's master keystroke, you can automatically paste the username/password pair for the site you're browsing or perform a number of other management tasks. The plug-in for Chrome is by far the snazziest of the bunch, while the Firefox and IE versions appear to be ancillary pop-ups from 1Password's main program window. Best of all, the plug-in installation process is handled entirely from within 1Password itself; it's totally painless.
1Password has some intriguing password-generation functions. The Chrome plug-in, for instance, lets you generate pronounceable passwords if you want to make the generated passwords a little easier to memorize. (KeePass has a plug-in that provides this function.)
The only drawback to 1Password is the small number of mobile clients: iOS and Android only. If those are enough for you, the program is solid gold.
Cost: Free trial; $49.99 single user. Platforms: Windows, Mac OS X, iOS, Android.
KeePass
KeePass comes in two variants: the classic edition (version 1.21) and the professional edition (version 2.18). The differences between the two mainly revolve around compatibility with different versions of Windows and the breadth of available features. You should use the 2.x branch whenever possible (I've used both and I prefer 2.x), but the 1.x branch works fine and will be kept up-to-date for the sake of cross-compatibility.
When you create a new database in KeePass, it comes preloaded with a number of possible categories for passwords: Internet, email, home banking, and more. These categories are user-editable, and you can do without them entirely if you want, but I found them useful. Aside from the master password, you can also set the number of encryption rounds. More rounds make every attempt to unlock the database cost more CPU time, whether it is you entering the master password or an attacker guessing at it, so the setting is a trade-off between brute-force resistance and unlock speed.
Each new password entry comes with a randomly generated password, and the rules for password generation are user-editable. You can use that password as-is or replace it with one you already have, and you can set an expiration date so that you're reminded to replace it periodically. The estimated strength of a password is indicated by a color meter, where red means weak and green means strong. If you change a password, the previous version is kept in a backup directory (in 1.x) or in a history tab for the password entry itself (in 2.x).
If you assign a URL to a given password, you can have the accompanying username and password automatically filled in whenever you visit that site with a Web browser and press a customizable key combination. The exact sequences of keystrokes sent can be customized for each website -- for instance, if you're dealing with a site that has a log-in box where the Tab key doesn't take you from the username to the password field. Other keystrokes let you copy just the username or password to the clipboard as needed. You can also use a number of plug-ins to allow tighter browser integration, but the program's default behavior was more than good enough for me.
KeePass also has security features that extend outside the program. When a password is placed in the clipboard, KeePass automatically blanks the clipboard several seconds later (you can set the interval). The program can be set to accept its master password via the same secure desktop environment that Windows itself uses for UAC, which makes it harder for a third-party program to hijack input.
The best part about KeePass, apart from it being free: It's available for just about every commonly used computing platform. I keep a copy on both my desktop and Android phone, and I find it at least as useful on my phone as on my PC.
Cost: Free open source. Platforms: Windows, Mac OS X, Linux, iOS, Android, J2ME, BlackBerry, PalmOS.
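The two knobs described above, the encryption-round count that stretches the master password and the user-editable rules behind the generated passwords with their red/yellow/green strength meter, are easy to see in code. The following Python is an added illustration written for this article, not code from KeePass or any of the products reviewed; it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for KeePass's own key transformation, and the entropy thresholds for the color meter and the verifier construction are my own assumptions, not the program's.

```python
import hashlib
import hmac
import math
import secrets
import string
import time
from typing import Optional

# ---- Master password stretching: the "encryption rounds" trade-off ----

def derive_master_key(master_password: str, salt: bytes, rounds: int) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256.
    Every additional round adds CPU work to each unlock attempt, which slows an
    attacker guessing the master password as much as it slows the legitimate user."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, rounds, dklen=32)

def measure_unlock_seconds(master_password: str, rounds: int) -> float:
    """Time one key derivation at the given round count (constructed fixed salt)."""
    salt = b"\x00" * 16  # fine for timing only; a real vault stores a random salt
    start = time.perf_counter()
    derive_master_key(master_password, salt, rounds)
    return time.perf_counter() - start

def make_vault_header(master_password: str, rounds: int) -> dict:
    """Build the unencrypted header a vault would keep: random salt, round count and
    an HMAC verifier so a wrong master password can be rejected (assumed layout)."""
    salt = secrets.token_bytes(16)
    key = derive_master_key(master_password, salt, rounds)
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return {"salt": salt, "rounds": rounds, "verifier": verifier}

def unlock(header: dict, master_password: str) -> Optional[bytes]:
    """Return the master key if the password matches the header's verifier, else None."""
    key = derive_master_key(master_password, header["salt"], header["rounds"])
    expected = hmac.new(key, b"vault-verifier", "sha256").digest()
    if hmac.compare_digest(expected, header["verifier"]):  # constant-time compare
        return key
    return None

# ---- Password generation with editable rules, plus a strength meter ----

def alphabet_for(upper: bool, lower: bool, digits: bool, symbols: bool) -> str:
    alphabet = ""
    if upper:
        alphabet += string.ascii_uppercase
    if lower:
        alphabet += string.ascii_lowercase
    if digits:
        alphabet += string.digits
    if symbols:
        alphabet += string.punctuation  # 32 characters
    if not alphabet:
        raise ValueError("at least one character class must be enabled")
    return alphabet

def alphabet_size(upper=True, lower=True, digits=True, symbols=True) -> int:
    return len(alphabet_for(upper, lower, digits, symbols))

def generate_password(length=20, upper=True, lower=True, digits=True, symbols=True) -> str:
    """Draw each character with the CSPRNG in `secrets`, never `random`."""
    alphabet = alphabet_for(upper, lower, digits, symbols)
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length: int, alphabet_size_: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size_)

def strength_color(bits: float) -> str:
    """Map entropy to a red/yellow/green meter. Thresholds are assumed for this
    example; they are not the ones KeePass uses."""
    if bits < 40:
        return "red"
    if bits < 80:
        return "yellow"
    return "green"

if __name__ == "__main__":
    for rounds in (1_000, 100_000, 1_000_000):
        print(f"{rounds:>9} rounds: {measure_unlock_seconds('master', rounds):.3f} s per unlock")
    header = make_vault_header("correct horse battery staple", rounds=100_000)
    print("right password unlocks:", unlock(header, "correct horse battery staple") is not None)
    print("wrong password unlocks:", unlock(header, "Password123") is not None)
    pw = generate_password(length=16)
    bits = entropy_bits(len(pw), alphabet_size())
    print(f"generated {pw!r}: {bits:.1f} bits -> {strength_color(bits)}")
```

The timing loop makes the round-count trade-off concrete: the cost grows linearly, and whatever delay you accept at unlock time is the same delay imposed on every guess an attacker makes against a stolen database file.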
Unlike 1Password, which keeps credit card info and other kinds of data, Keeper stores only username/password combos, which can be entered manually or imported from a file. Passwords can be stored in subfolders and searched for with a keyword. New passwords can be generated randomly, but you can't set the parameters for the password generator, a useful feature many other programs provide.
Browser integration with Keeper is stilted at best. On Android, you can copy and paste usernames and passwords into your website's log-in form, but it's clumsy. KeePass handles the same process much more elegantly. What's more, if you launch a URL from within a Keeper record (such as your bank's home page), it's opened only within Keeper's internal browser. You have to cut and paste to open the URL with any other browser. On Windows, there is no real integration with browsers. There also don't appear to be any provisions for a plug-in or add-on system, so the functionality you see is all you get.
One Keeper feature I didn't see elsewhere is the self-destruct function. If enabled, the program destroys the password vault if you enter the wrong master password five times in a row.
If you have Keeper on more than one device, you can buy a Keeper account and use that to synchronize your passwords across all your devices -- not bad, but not unique either. While Keeper costs only $10 per device per year, 1Password ($50 single-user flat fee) and KeePass (free) offer far more functionality.
Keeper strikes me as an example of a program where the mobile version was created first and the desktop edition was an afterthought. Usually it's the other way around, but with mobile apps being all the rage, I suspect we'll see a great deal more of this sort of thing.
Cost: Free; backup subscription, $9.99 per year. Platforms: Windows, Mac OS X, Linux, iOS, Android, BlackBerry, Windows Phone 7, Amazon Kindle Fire.
LastPass
Some of the other programs reviewed here suffer from weak browser integration, but that's an accusation you'll never be able to levy at LastPass. The program lives almost entirely within your browser, and it supports just about every browser out there: IE, Firefox, Chrome, Safari, and Opera.
When installed, LastPass places an icon in your browser's toolbar that, when clicked, opens the program's main menu in the browser window. In addition to passwords, LastPass can store secure notes (for instance, credit card and bank account information) and synchronize the contents of the vault with LastPass's servers whenever a network connection is available. You can even set up multiple user identities, so you can keep your own clutch of passwords safe from whomever else might be using your system.
As far as in-browser password management goes, LastPass works by replacing the native password management system in the browser you're using. When first installed, LastPass will attempt to copy any passwords stored in your browser to its own vault. And when you provide a username and password on a given Web page, LastPass will prompt you to save it, in much the same way Chrome and Firefox do. LastPass not only saves you the step of having to import anything by hand, it keeps you from having to modify the way you use passwords in the browser.
LastPass's clutch of tools includes a secure password generator and a "security challenge" that analyzes your passwords and makes suggestions for improvement. There's no systemwide hotkey to launch LastPass, but there is one to go directly to the program within the browser (Ctrl-Alt-H, by default; it's editable).
The premium version of LastPass ($1 per month) adds support for mobile clients, removes ads, grants you access to paid support from the company, and allows multifactor authentication with hardware devices. Note that mobile clients cannot be used without the premium version, so bear that in mind if you plan on trying out the program with a phone. An enterprise version of the service allows you to deploy LastPass throughout an organization. That sounds like a handy way to address the annoyances of dealing with multiple passwords in the workplace, though I'd be loath to set it up without proper management protocols in place.
Cost: Free; premium version $12 per year. Platforms: Windows, Mac OS X, Linux, iOS, Android, BlackBerry, Windows Phone 7, Windows Mobile, WebOS, Symbian.