I recently thought about good solutions for passwords in general. I have found one with which I was ok for a while, but more and more services get compromised. Try haveibeenpwned.com or Firefox Monitor to see if you are affected. One easy way to keep the damage small is not to re-use passwords. It is impractical to have strong passwords for every web service I use. I have to either use a password service or note things down.
A good way of creating a single strong password is diceware. Once you have this, you should create a new password for every single service and keep it in your password manager.
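An added example (not part of the original post) of how a diceware passphrase is produced: five dice rolls select one word out of 7776, and each word contributes about 12.9 bits of entropy. The function names are this example's own, and the word list is a constructed placeholder so the code runs offline; a real list pairs each five-digit key with a dictionary word.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5                      # classic diceware: five d6 rolls per word
LIST_SIZE = 6 ** DICE_PER_WORD         # 7776 possible roll sequences


def roll_key(rng=secrets):
    """Return one word key such as '41635' from five unbiased d6 rolls."""
    return "".join(str(rng.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def load_wordlist(lines):
    """Parse 'KEY<whitespace>WORD' lines; refuse incomplete or duplicate lists."""
    words = {}
    for line in lines:
        if not line.strip():
            continue
        key, word = line.split()
        if len(key) != DICE_PER_WORD or set(key) - set("123456"):
            raise ValueError(f"bad dice key: {key!r}")
        if key in words:
            raise ValueError(f"duplicate dice key: {key!r}")
        words[key] = word
    # A short or repetitive list silently lowers the entropy per word.
    if len(words) != LIST_SIZE or len(set(words.values())) != LIST_SIZE:
        raise ValueError("word list must hold 7776 unique entries")
    return words


def passphrase(words, n_words=6):
    """Pick n_words independently and uniformly; join with spaces."""
    return " ".join(words[roll_key()] for _ in range(n_words))


def entropy_bits(n_words):
    """Entropy when the attacker knows the list and the number of words."""
    return n_words * math.log2(LIST_SIZE)


# Constructed stand-in list (word = 'w' + key), not a real diceware list.
SAMPLE_LINES = [
    "{0}\tw{0}".format("".join(k))
    for k in itertools.product("123456", repeat=DICE_PER_WORD)
]

if __name__ == "__main__":
    wl = load_wordlist(SAMPLE_LINES)
    print(passphrase(wl))
    print(f"{entropy_bits(6):.1f} bits")
```

The randomness comes from `secrets` (the operating system's CSPRNG) rather than `random`, which is not meant for generating secrets.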
This article focuses on what a good password manager is. I will judge them in three categories:
- Security: Is the local encryption of the passwords strong enough? How many incidents have happened so far? Does it support 2FA / MFA?
- Usability: Is it convenient to use? Is it available on Linux and Android? Can I use it outside of the browser (e.g. if the password field is not detected)? Does it have a UI for generating strong random passwords when creating a new account?
- Long-Term Support: Is this backed by a (bigger) company / a team of developers? Is there vendor lock-in?
Google Smart Lock
Google Smart Lock is another password manager. If you use Google Chrome, chances are high that you are already using it.
LastPass
LastPass has been developed by LogMeIn since 2015. The initial release was in 2008.
Security
The Wikipedia page lists four security incidents and one security breach:
- 2011: Network anomaly; unclear if anything actually happened.
- 2015: LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised; however, encrypted user vault data had not been affected.
- 2016: Detectify and Google Security found an issue in URL parsing
- 2016: Hardcoded Master Key in LastPass Password Manager (SIK-2016-022)
- 2016: Privacy, Data leakage in LastPass Browser Search (SIK-2016-023)
- 2016: Read Private Data (Stored Masterpassword) from LastPass Password Manager (SIK-2016-024)
- 2017: Tavis Ormandy (Google Security / Project Zero) found another issue in the browser extension
- 2019: Password-exposing bug purged from LastPass extensions, Tweet
KeePass
KeePass is developed by Dominik Reichl. It is free and open source.
KeePassX
KeePassX started in 2016 as a port of KeePass to Linux. The code is on GitHub and it has 4063 stars and 591 forks. It's mostly C++.
The last version was released in 2016, so about 3 years ago. KeePassX is not maintained.[1]
KeePassXC
KeePassXC is a fork of KeePassX.
Dashlane
Dashlane was initially released in 2012.
Dashlane supports secure file storage.
Security
- SIK-2016-028: Read Private Data From App Folder in Dashlane Password Manager
- SIK-2016-029: Google Search Information Leakage in Dashlane Password Manager Browser
- SIK-2016-030: Residue Attack Extracting Masterpassword From Dashlane Password Manager
- SIK-2016-031: Subdomain Password Leakage in Internal Dashlane Password Manager Browser
1Password
1Password was initially released in 2006 by AgileBits Inc.
Security
- SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
- SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
- SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
- SIK-2016-041: Read Private Data From App Folder in 1Password Manager
- SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager
Comparison
Functionality
| | LastPass | Dashlane | 1Password | KeePass | KeePassXC |
---|---|---|---|---|---|
Online | ✓ | ✓ | ✓ | ✗ | ? |
Offline | ✗ | ✓ | ✓ | ✓ | ? |
2FA | ✓ | ✓ | ✓ | ✓ | ✓ |
Password Capture | ? | ? | ✓ | ✗ | |
Password Changes | ? | ? | ✓ | ✗ | |
Security Alerts | ✓ | ✓ | ✓ | ~ | ✗ |
Password Generator | ? | ? | ✓ | ✓ | |
Insecure Password warnings | ✓ | ✓ | ✓ | ✗ | |
Import | ✓ | ✓ | ✓ | ✓ | ✓ |
Export | ✓ | ✓ | ✓ | ✓ | ✓ |
Secure File Storage | ✓ | ✓ |
Usability
| | LastPass | Dashlane | 1Password | KeePass | KeePassXC |
---|---|---|---|---|---|
Chrome Integration | 4.6 🟊, * | 3.6 🟊 | 3.5 🟊 | ✗ | 3.5 🟊 |
Firefox Integration | ? | ? | 4.2 🟊 | ? | ? |
Android Application | 4.4 🟊 | 4.6 🟊 | 4.1 🟊 | ? | ? |
iOS Application | 4.4 🟊 | 4.6 🟊 | 4.3 🟊 | ✗ | ✗ |
Windows | ✓ | ✓ | ✓ | ✓ | ✓ |
Linux | ✓ | ✓ | ✓ | ✓ | ✓ |
Mac | ✓ | ? | ✓ | ? | ✓ |
Long-Term Support
| | LastPass | Dashlane | 1Password | KeePass | KeePassXC |
---|---|---|---|---|---|
Users | 16.8 million | 11 million | millions | ? | ? |
Companies | 58000 | ? | ? | ? | ? |
Developer(s) | LogMeIn | Dashlane | AgileBits, Inc. | Dominik Reichl | KeePassXC |
Employees | 2778 | 181 | 155 | 1 | 6 / 190 |
Price | 2.67 EUR/month | 3.33 EUR/month | 2.72 EUR/month | free | free |
Revenue | $1024M | $21M1 | $30M | - | - |
TL;DR
- Google Chrome's internal password manager + Firefox Monitor + passwordsgenerator.net works quite fine.
- LastPass and 1Password look ok. A colleague used both on Mac and preferred 1Password.
- KeePass is free software, but the design doesn't look good and the integrations might make it hard to use.
See also
- Keeper: Security incident
- Martin Monperrus: What's the difference between KeePass and KeePassX?, February 2017.
- Wikipedia: List of password managers
- KeeWeb
- Thomas Claburn: Security slip-ups in 1Password and other password managers 'extremely worrying', 2017.
- Mac: MacPass and Keychain
- pass
Footnotes
1. Reddit: KeePass vs KeePassX, 2017.