Review: 7 password managers for Windows, Mac OS X, iOS, and Android
1Password and KeePass lead the field in features, flexibility, browser integration, and ease-of-use
I hate passwords. I hate coming up with them. I hate remembering them. I hate mistyping them four times in a row. And I hate getting locked out of whatever I'm trying to log into in the process.
That said, I hate being hacked only slightly more, so I've done my part to use passwords that aren't "password123" or something equally foolish. The hard part is keeping them straight, which I could do by writing them down -- but isn't that a security hole all over again? Heck, I've known that since I was a kid. I saw "WarGames."
[ Also on InfoWorld: 5 very cool (but kinda creepy) mobile technologies | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. | Get a dose of daily computer security news by following InfoWorld's Roger Grimes on Twitter. ]
Password vaults, aka password safes or password managers, help solve this problem. They give you a central place to store all your passwords, encrypted and protected by a passphrase or token that you provide. This way, you have to memorize a single password -- the one for your password vault. All the other passwords you use can be as long and complex as possible, even randomly generated, and you don't have to worry about remembering them.
If having your passwords in a single encrypted store were all you needed, then a password-protected Microsoft Word document would do the trick. There has to be an easier way. One of the reasons I looked at these password vaults -- a total of seven -- was to see how easy it was to work with them over an extended period of time. If they didn't provide much more convenience over simply copying and pasting passwords from a text file, they'd hardly be worth using.
Here's what I found. To keep the list manageable, I've focused on programs that have both a desktop and a mobile version available, with the desktop taking precedence.
KeePass and 1Password stood out as the best of the bunch for slightly different reasons. KeePass is free open source software with a large community of users and add-ons behind it. But most important, KeePass has been written with a good sense for how people need to interact with the program every single day. 1Password, priced at $49.99, is even better in that respect. It's polished, powerful, closely integrated with your browser, and easy to keep in sync with your mobile devices.
RoboForm, a longtime presence in this field, is a close contender for the top choice as well, thanks to many of its unique features, such as an intelligent form-filling function (for name/address forms) and the ability to work with other kinds of applications apart from Web browsers.
LastPass, available in a free version or a premium version that costs $12 per year, is a close runner-up, falling behind KeePass and 1Password only because using any mobile version of the product requires the paid account. That said, what it provides even in the free version is hugely useful, as long as you don't mind working directly in a browser to manage your passwords (I imagine most people won't).
The other password managers reviewed here are less compelling. Password Safe isn't bad, but it falls short in a lot of little ways compared to KeePass and especially 1Password. SplashID and Keeper are the weakest of the bunch; SplashID is only slightly more useful thanks to its Internet Explorer plug-in.
1PasswordThe big appeal of 1Password lies in its excellent browser-integration features and its ability to store more than just password data. A 1Password repository can hold wallet items (credit cards, bank accounts), software licenses, user-identity credentials (vCards), and so on. While KeePass has a vaguely similar feature that allows you to attach arbitrary string values to a given database entry, 1Password implements this sort of safe-storage function a lot more effectively out of the box.
1Password's database can be populated either by inputting entries by hand or by having 1Password's browser plug-in add them automatically whenever you log into a site. This last mechanism most closely resembles the automatic password-saving feature that already exists in Firefox and Chrome; if you're familiar with how that works, then using 1Password will be a snap.
When you want to automatically supply a username and password for a given website, you press a special global command key. It's normally Ctrl-\, but you can change that to most anything. If there's no direct match for the site in question, 1Password lets you pick an existing username/password pair or create one.
Browser plug-ins are available for Internet Explorer 7 and up, Chrome "stable" versions, Firefox 3 and up, and Safari 5.1 and up. When the plug-in's icon is clicked or when it's summoned with 1Password's master keystroke, you can automatically paste the username/password pair for the site you're browsing or perform a number of other management tasks. The plug-in for Chrome is by far the snazziest of the bunch, while the Firefox and IE versions appear to be ancillary pop-ups from 1Password's main program window. Best of all, the plug-in installation process is handled entirely from within 1Password itself; it's totally painless.
1Password has some intriguing password-generation functions. The Chrome plug-in, for instance, lets you generate pronounceable passwords if you want to make the generated passwords a little easier to memorize. (KeePass has a plug-in that provides this function.)
The only drawback to 1Password is the small number of mobile clients: iOS and Android only. If those are enough for you, the program is solid gold.
Cost: Free trial; $49.99 single user. Platforms: Windows, Mac OS X, iOS, Android.
The excellent 1Password stores more than just passwords. It has prebuilt templates for keeping other kinds of sensitive information as well.
KeePassKeePass comes in two variants: the classic edition (version 1.21) and the professional edition (version 2.18). The differences between the two mainly revolve around compatibility with different versions of Windows and the breadth of available features. You should use the 2.x branch whenever possible (I've used both and I prefer 2.x), but the 1.x branch works fine and will be kept up-to-date for the sake of cross-compatibility.
When you create a new database in KeePass, it comes preloaded with a number of possible categories for passwords: Internet, email, home banking, and more. These categories are user-editable, and you can do without them entirely if you want, but I found them useful. Aside from the master password, you can also set the number of encryption rounds to use. The more rounds you set, the more secure the encryption, but the higher the CPU cost when you unlock the database.
Each new password entry comes with a randomly generated password, and the rules for password generation are user-editable. You can either opt for that password as-is, replace it with an existing one, and even set an expiration date for it so that you're reminded to replace it periodically. The cryptographic strength of a password is indicated by a color meter, in which red means weak, green means strong. If you change a password, the previous version is kept in a backup directory (in 1.x) or in a history tab for the password entry itself (2.x).
If you assign a URL to a given password, you can have the accompanying username and password automatically filled in whenever you visit that site with a Web browser and press a customizable key combination. The exact sequences of keystrokes sent can be customized for each website -- for instance, if you're dealing with a site that has a log-in box where the Tab key doesn't take you from the username to the password field. Other keystrokes let you copy just the username or password to the clipboard as needed. You can also use a number of plug-ins to allow tighter browser integration, but the program's default behavior was more than good enough for me.
KeePass also has security features that extend outside the program. When a password is placed in the clipboard, KeePass automatically blanks the clipboard several seconds later (you can set the interval). The program can be set to accept its master password via the same secure desktop environment that Windows itself uses for UAC, which makes it harder for a third-party program to hijack input.
The best part about KeePass, apart from it being free: It's available for just about every commonly used computing platform. I keep a copy on both my desktop and Android phone, and I find it at least as useful on my phone as on my PC.
Cost: Free open source. Platforms: Windows, Mac OS X, Linux, iOS, Android, J2ME, BlackBerry, PalmOS.
KeePass is a free open source password vault with a great collection of add-ons. It stores most everything you would want to keep protected.
KeeperA few years ago, Keeper would've been great. Now it feels dated and clunky, with a few good ideas that don't justify the whole package.
Unlike 1Password, which keeps credit card info and other kinds of data, Keeper stores only username/password combos, which can be entered manually or imported from a file. Passwords can be stored in subfolders and searched for with a keyword. New passwords can be generated randomly, but you can't set the parameters for the password generator, a useful feature many other programs provide.
Browser integration with Keeper is stilted at best. On Android, you can copy and paste usernames and passwords into your website's log-in form, but it's clumsy. KeePass handles the same process much more elegantly. What's more, if you launch a URL from within a Keeper record (such as your bank's home page), it's opened only within Keeper's internal browser. You have to cut and paste to open the URL with any other browser. On Windows, there is no real integration with browsers. There also doesn't appear to be any provisions for a plug-in or add-on system, so the functionality you see is all you get.
One Keeper feature I didn't see elsewhere is the self-destruct function. If enabled, the program destroys the password vault if you enter the wrong master password five times in a row.
If you have Keeper on more than one device, you can buy a Keeper account and use that to synchronize your passwords across all your devices -- not bad, but not unique either. While Keeper costs only $10 per device per year, 1Password ($50 single-user flat fee) and KeePass (free) offer far more functionality.
Keeper strikes me as an example of a program where the mobile version was created first and the desktop edition was an afterthought. Usually it's the other way around, but with mobile apps being all the rage, I suspect we'll see a great deal more of this sort of thing.
Cost: Free; backup subscription, $9.99 per year. Platforms: Windows, Mac OS X, Linux, iOS, Android, BlackBerry, Windows Phone 7, Amazon Kindle Fire.
Keeper stores a limited range of information in each entry and doesn't have much in the way of systemwide integration.
LastPassSome of the other programs reviewed here suffer from weak browser integration, but that's an accusation you'll never be able to levy at LastPass. The program lives almost entirely within your browser, and it supports just about every browser out there: IE, Firefox, Chrome, Safari, and Opera.
When installed, LastPass places an icon in your browser's toolbar that, when clicked, opens the program's main menu in the browser window. In addition to passwords, LastPass can store secure notes (for instance, credit card and bank account information) and synchronize the contents of the vault with LastPass's servers whenever a network connection is available. You can even set up multiple user identities, so you can keep your own clutch of passwords safe from whomever else might be using your system.
As far as in-browser password management goes, LastPass works by replacing the native password management system in the browser you're using. When first installed, LastPass will attempt to copy any passwords stored in your browser to its own vault. And when you provide a username and password on a given Web page, LastPass will prompt you to save it, in much the same way Chrome and Firefox do. LastPass not only saves you the step of having to import anything by hand, it keeps you from having to modify the way you use passwords in the browser.
LastPass's clutch of tools includes a secure password generator and a "security challenge" that analyzes your passwords and makes suggestions for improvement. There's no systemwide hotkey to launch LastPass, but there is one to go directly to the program within the browser (Ctrl-Alt-H, by default; it's editable).
The premium version of LastPass ($1 per month) adds support for mobile clients, removes ads, grants you access to paid support from the company, and allows multifactor authentication with hardware devices. Note that mobile clients cannot be used without the premium version, so bear that in mind if you plan on trying out the program with a phone. An enterprise version of the service allows you to deploy LastPass throughout an organization. That sounds like a handy way to address the annoyances of dealing with multiple passwords in the workplace, though I'd be loath to set it up without proper management protocols in place.
Cost: Free; premium version $12 per year. Platforms: Windows, Mac OS X, Linux, iOS, Android, BlackBerry, Windows Phone 7, Windows Mobile, WebOS, Symbian.
LastPass works entirely in your browser, syncing your passwords to a cloud-based service. Note that the paid version is required to use the LastPass mobile apps.
Password SafeAn open source program that feels like a stripped-down KeePass, Password Safe has many of the same functions but they don't feel as complete. Working with Password Safe requires a bit more manual effort to get the same results.
Password Safe's core feature set should be familiar by now. Passwords are stored in an encrypted, password-protected file, and they can be arranged in categories and searched for by keyword. A selected password entry can have its username and password autotyped into another window by pressing a user-defined hotkey. The import function is designed to accept files exported from KeePass, but I was only able to get files exported from the 1.x version of KeePass to import properly.
Drag-and-drop is also supported, in an intriguing way. Drag and drop one of a set of icons (username, password, URL) into a target window, and the text for the selected entry will be pasted to the target. This is a handy way to deal with Web pages where autotype doesn't work correctly. You can also create custom rule handlers for specific Web pages. (KeePass has a similar feature.)
Password Safe has an assignable global hotkey system, but it falls a little short of its counterpart in KeePass and 1Password. With those programs, a single master hotkey activates those programs and performs autotype for a password for the current domain. With Password Safe, you can define a global hotkey to bring up the main program menu (it's not assigned by default), but from there you have to select the appropriate entry and perform autotype yourself.
It's a minor drawback, but it becomes annoying after a while. To use autotype reliably with this feature, you need to store the log-in URL with the username/password entry, and not just the general domain name as you can with KeePass.
Cost: Free open source. Platforms: Windows, Linux, Java.
Password Safe is reminiscent of KeePass, but doesn't integrate as tightly with the rest of your system as KeePass does.
RoboFormRoboForm has been around since 1999, growing from a general Web-form-filling program to a full-blown password and credential manager. It stores not just log-ins, but also browser bookmarks, user identities, personal contacts, and sundry notes and comments. It's broadly useful outside of just browser log-ins.
RoboForm comes with plug-ins for close integration with most common Web browsers -- Firefox, Chrome, Opera, and IE -- which you have the option to install when you first set up the program. You can always change which plug-ins you use, should you happen to switch browsers later.
Once set up, browsers that use RoboForm integration sport a toolbar. Passwords and other form information you submit to a website are automatically captured by RoboForm and saved into the program's database. You can also add arbitrary fields to each record, such as another password field or a comments line. RoboForm integrates with regular Windows applications, not just Web browsers, but if you're leery of doing that, you can always resort to copy and paste to get data out of RoboForm.
To use the captured form information -- for instance, to log into a given site -- you either click the appropriate button on the toolbar or use a keystroke combination to perform an autofill action. I wasn't crazy about the look of the toolbar, and the in-browser hotkeys for RoboForm work even without it. Thus, I hid it without disabling it and was none the worse for the action.
One of RoboForm's major selling points is the ability to rapidly fill out forms that require a name, address, phone number, and so on. Once you've entered this information into RoboForm via an "identity" entry, it can be automatically filled into any Web form that asks for it. The program's heuristics for figuring out what information to put into which fields is very good; I rarely had to make changes by hand. Another nice feature is a way to automatically log into multiple websites at once -- for instance, as a first-thing-in-the-morning routine.
If you've been using another program to store passwords, RoboForm can probably tap into it. RoboForm imports data from LastPass, KeePass, 1Password, SplashID, Firefox's own password store, and a number of other formats. I ran into a little issue importing data from KeePass, however. KeePass saves previous versions of changed entries, and RoboForm tried to import the old versions of those entries along with the new -- but considered them to be dupes. Fortunately, the importer let me change the names of each duplicated entry to work around this problem.
RoboForm sports a number of professional-grade features I wasn't expecting to see. It works with Windows Biometrics and UPEK-compliant fingerprint readers (like the one in my Toshiba notebook), and it has a dual-password mode to allow employees and supervisors to share credentials without sharing usernames and passwords, although the latter is available only if you use AES, Blowfish, or RC6 encryption on the password database, as opposed to DES or 3DES. You can switch encryption modes easily.
RoboForm comes in a few different editions. RoboForm2Go runs from a flash drive or other portable device. RoboForm Lite for Chrome or Firefox works solely as a browser extension, offering no integration with other Windows apps. The for-pay and professional versions of the program add features like the ability to autofill multiline fields or allow secure credential deployment throughout an organization. There's also the RoboForm Everywhere service, which allows syncing between all installations of RoboForm for $9.95 a year. RoboForm used to have an unlimited lifetime-upgrade policy, but sadly this was phased out after version 7 was introduced.
The biggest reason to choose RoboForm over one of the other password managers listed here, aside from the smart form-filling technology for names and addresses, is if you find yourself submitting a lot of form information into Windows applications other than Web browsers.
Cost: Free version; RoboForm Everywhere, $9.95; RoboForm Desktop for Windows or Mac, $29.95; RoboForm2Go, $39.95. Platforms: Windows, Mac OS X, iOS, Android, BlackBerry, PalmOS, Symbian.
The RoboForm toolbar (here, for Chrome) lets you perform form fills and other RoboForm actions with one click.
Fire up SplashID and the first thing you're likely to notice is the similarity to Microsoft Office 2007. SplashID has the same look, complete with the ribbon and the orb. Records in the database consist of up to nine customizable fields and a free-form notes area, so you aren't limited to mere username/password pairs. Databases come prepopulated with some sample data, including the likes of credit cards and software serial numbers, so you can see for yourself what all the fields are intended to hold. The database can be locked with either a password or a drawn pattern.
The biggest drawback with SplashID is how it focuses more on storing and managing this data than anything else. First problem: the lack of integration with any browser but Internet Explorer. No other browsers are currently supported for direct integration by the program, which seems bizarre given that IE has become an also-ran next to Firefox and Chrome.
Second problem: no global hotkey. There's no way to get the program to autotype a given password entry into anything except Internet Explorer. If you want to use it with any other program -- browser or not -- you have to copy and paste from the program. SplashID does have an option to automatically clear the clipboard after a given number of minutes, but it's not enabled by default.
As with Keeper, the main selling point of SplashID is the synchronization features provided by the vendor. SplashData offers a startling range of mobile clients -- Android, iOS, BlackBerry, WebOS, Palm, Windows, and more -- which is handy if you're using a phone of a rarer make. (The desktop edition of the program syncs natively with BlackBerry phones.) But if you have a mobile device supported by one of the other, better password managers described here, there's little reason to use SplashID.
Cost: $19.95; no trial version available. Platforms: Windows, Mac OS X, iOS, Android, BlackBerry, Windows Mobile, PalmOS.
Snazzy Microsoft Office-style interface aside, SplashID's feature set just isn't that impressive.
This story, "Review: 7 password managers for Windows, Mac OS X, iOS, and Android," was originally published at InfoWorld.com. Keep up on the latest developments in mobile technology and security at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.
Read more about security in InfoWorld's Security Channel.