I recently thought about good solutions for passwords in general. I found one that I was OK with for a while, but more and more services get compromised. Try haveibeenpwned.com or Firefox Monitor to see if you are affected. One easy way to keep the damage small is not to re-use passwords. It is impractical to have strong passwords for every web service I use. I have to either use a password service or note things down.
A good way of creating a single strong password is diceware. Once you have this, you should create a new password for every single service and keep it in your password manager.
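How diceware turns dice rolls into a passphrase, as an added example that is not part of the original article. The 36-word list and all function names are constructed for illustration; a real diceware list has 7776 words keyed by five rolls each.

```python
import math
import secrets

# Constructed 36-word list (two dice per word) so the example runs offline.
# Real diceware lists hold 6**5 = 7776 words, each keyed by five rolls.
SAMPLE_WORDS = (
    "acid bake cave dune echo fern gift hawk iris jade kelp lamp "
    "mint nest oak pear quay reef sage tide urn vase wren yarn "
    "zinc amber birch coral delta ember flint grove heron ivory jolly knoll"
).split()


def build_table(words, dice_per_word):
    """Key each word by its rolls: '11', '12', ..., '66' for two dice."""
    if len(words) != 6 ** dice_per_word or len(set(words)) != len(words):
        raise ValueError("list must hold 6**dice_per_word unique words")
    table = {}
    for position, word in enumerate(words):
        faces, rest = [], position
        for _ in range(dice_per_word):
            rest, face = divmod(rest, 6)
            faces.append(str(face + 1))
        table["".join(reversed(faces))] = word
    return table


def roll(dice_per_word):
    """Fair dice from the OS CSPRNG; never use the `random` module here."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice_per_word))


def passphrase(table, n_words, rolls=None):
    """One word per roll group; pass `rolls` to use results from physical dice."""
    dice_per_word = len(next(iter(table)))
    if rolls is None:
        rolls = [roll(dice_per_word) for _ in range(n_words)]
    if len(rolls) != n_words:
        raise ValueError("need exactly one roll group per word")
    return " ".join(table[r] for r in rolls)


def entropy_bits(list_size, n_words):
    """Strength comes from the uniform choice, not from the words being secret."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    table = build_table(SAMPLE_WORDS, 2)
    print(passphrase(table, 6), f"({entropy_bits(len(table), 6):.1f} bits)")
    print(f"six words from a 7776-word list: {entropy_bits(7776, 6):.1f} bits")
```

With the constructed two-dice list, six words give only about 31 bits; the same six words drawn from a 7776-word list give about 77.5 bits, which is why the list size matters as much as the word count.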
This article focuses on what a good password manager is. I will judge them in three categories:
- Security: Are the locally stored passwords encrypted strongly enough? How many incidents happened so far? Does it support 2FA / MFA?
- Usability: Is it convenient to use? Is it available on Linux and Android? Can I use it outside of the browser (e.g. if the password field is not detected)? Does it have a UI for generating strong random passwords when creating a new account?
- Long-Term Support: Is this backed by a (bigger) company / a team of developers? Is there vendor lock-in?
Google Smart Lock
Google Smart Lock is another password manager. If you use Google Chrome, chances are high that you are already using it.
LastPass
LastPass has been developed by LogMeIn since 2015. The initial release was in 2008.
Security
The Wikipedia page lists four security incidents and one security breach:
- 2011: Network anomaly; unclear if anything actually happened.
- 2015: LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised; however, encrypted user vault data had not been affected.
- 2016: Detectify and Google Security found an issue in URL parsing
- 2016: Hardcoded Master Key in LastPass Password Manager (SIK-2016-022)
- 2016: Privacy, Data leakage in LastPass Browser Search (SIK-2016-023)
- 2016: Read Private Date (Stored Masterpassword) from LastPass Password Manager (SIK-2016-024)
- 2017: Tavis Ormandy (Google Security / Project Zero) found another issue in the browser extension
- 2019: Password-exposing bug purged from LastPass extensions, Tweet
KeePass
KeePass is developed by Dominik Reichl. It is free and open source.

KeePassX
KeePassX started in 2016 as a port of KeePass to Linux. The code is on GitHub and it has 4063 stars and 591 forks. It's mostly C++.
The last version was released in 2016, so about 3 years ago. KeePassX is not maintained. [1]
KeePassXC
KeePassXC is a fork of KeePassX.
Dashlane
Dashlane was initially released in 2012.
Dashlane supports secure file storage.
Security
- SIK-2016-028: Read Private Data From App Folder in Dashlane Password Manager
- SIK-2016-029: Google Search Information Leakage in Dashlane Password Manager Browser
- SIK-2016-030: Residue Attack Extracting Masterpassword From Dashlane Password Manager
- SIK-2016-031: Subdomain Password Leakage in Internal Dashlane Password Manager Browser
1Password
1Password was initially released in 2006 by AgileBits Inc.
Security
- SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
- SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
- SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
- SIK-2016-041: Read Private Data From App Folder in 1Password Manager
- SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager
Comparison
Functionality
| | LastPass | Dashlane | 1Password | KeePass | KeePassXC |
---|---|---|---|---|---|
Online | ✓ | ✓ | ✓ | ✗ | ? |
Offline | ✗ | ✓ | ✓ | ✓ | ? |
2FA | ✓ | ✓ | ✓ | ✓ | ✓ |
Password Capture | ? | ? | ✓ | ✗ | |
Password Changes | ? | ? | ✓ | ✗ | |
Security Alerts | ✓ | ✓ | ✓ | ~ | ✗ |
Password Generator | ? | ? | ✓ | ✓ | |
Insecure Password warnings | ✓ | ✓ | ✓ | ✗ | |
Import | ✓ | ✓ | ✓ | ✓ | ✓ |
Export | ✓ | ✓ | ✓ | ✓ | ✓ |
Secure File Storage | ✓ | ✓ |
Usability
| | LastPass | Dashlane | 1Password | KeePass | KeePassXC |
---|---|---|---|---|---|
Chrome Integration | 4.6 🟊, * | 3.6 🟊 | 3.5 🟊 | ✗ | 3.5 🟊 |
Firefox Integration | ? | ? | 4.2 🟊 | ? | ? |
Android Application | 4.4 🟊 | 4.6 🟊 | 4.1 🟊 | ? | ? |
iOS Application | 4.4 🟊 | 4.6 🟊 | 4.3 🟊 | ✗ | ✗ |
Windows | ✓ | ✓ | ✓ | ✓ | ✓ |
Linux | ✓ | ✓ | ✓ | ✓ | ✓ |
Mac | ✓ | ? | ✓ | ? | ✓ |
Long-Term Support
| | LastPass | Dashlane | 1Password | KeePass | KeePassXC |
---|---|---|---|---|---|
Users | 16.8 million | 11 million | millions | ? | ? |
Companies | 58000 | ? | ? | ? | ? |
Developer(s) | LogMeIn | Dashlane | AgileBits, Inc. | Dominik Reichl | KeePassXC |
Employees | 2778 | 181 | 155 | 1 | 6 / 190 |
Price | 2.67 EUR/month | 3.33 EUR/month | 2.72 EUR/month | free | free |
Revenue | $1024M | $21M1 | $30M | - | - |
TL;DR
- Google Chrome's internal password manager + Firefox Monitor + passwordsgenerator.net works quite well.
- LastPass and 1Password look ok. A colleague used both on Mac and preferred 1Password.
- KeePass is free software, but the design doesn't look good and the integrations might make it hard to use.
See also
- Keeper: Security incident
- Martin Monperrus: What's the difference between KeePass and KeePassX?, February 2017.
- Wikipedia: List of password managers
- KeeWeb
- Thomas Claburn: Security slip-ups in 1Password and other password managers 'extremely worrying', 2017.
- Mac: MacPass and Keychain
- pass
Footnotes
1. Reddit: KeePass vs KeePassX, 2017.