Skip to Main Content

Which Password Manager Is The Most Secure?


Dear Lifehacker,
I'm looking for a password manager, after you convinced me I really need to use truly random and unique passwords for every site. My browser is always asking if I want to save my logins. Should I just say yes and use that? Or do I need a dedicated password manager? If so, which password manager is most secure? Help!

Signed,
Too Many Logins

Dear TML,
Password managers are all designed to take the pain out of remembering hundreds of unique passwords—a necessity if you want to minimize your security risks. There are many to choose from, though, including your browser's built-in password saving feature. Let's take a look at these tools and how they stack up against each other in terms of security.

Saving Logins in Your Browser

IE, Chrome, Firefox, and other browsers can save your logins and basic information for automatic form-filling. This is convenient, because you don't have to download or set up another app, but it's not the most secure or robust option.

How they work: Browsers store your passwords in encrypted databases or registry entries stored locally on your computer. If the browser has a feature to sync your data between your computers and other devices, the information is saved in its encrypted format to an online account (e.g., Google if you're using Chrome or your Firefox Sync account on Mozilla).

Security weaknesses: The biggest problem with saving your passwords in your browser is that it's not hard for someone who gains access to your computer to also access all your passwords. In Chrome, for example, you (or anyone who hacks into your computer) can just go to the browser's settings and click on the show button in the preferences tab to reveal any saved password. Internet Explorer is more secure because it doesn't let you view saved passwords, and it also doesn't sync your data across computers. Both IE and Chrome, however, use your computer login password as the cipher for the encrypted data. Because of this, it's easy for your passwords to be revealed with tools such as Nirsoft's WebBrowserPassView. If third-party utilities like this can recover the data, malware running under your user account might also be able to access the data.

Most secure option: WebBrowserPassView can't retrieve passwords that are encrypted with a master password, though. That makes Firefox the most secure of these three browsers when it comes to password management, because you can encrypt and password-protect your logins in Firefox with one master password. If you don't set the master password in Firefox (which is not enabled by default), though, you're vulnerable to the same security issues if your computer gets into the wrong hands.

Web-Based Password Managers

Web-based password managers are a big step up from saving your logins in your browser. These webapps offer more robust features such as generating random secure passwords, auditing your passwords, and storing additional confidential information (credit cards, insurance numbers, notes, etc.).

How they work: Online password managers such as LastPass and Roboform Everywhere encrypt your password database and give you the only key—in the form of a master password that only you know. All the encryption and decryption happens locally on your computer. Because these companies don't have the encryption key, even if their servers get hacked, evildoers wouldn't be able to decrypt your data...

Security weaknesses: ...unless your master password isn't a very strong one or you use the same password on other sites (but, hey, isn't that what you're trying to avoid by using a password manager anyway?). Last year, LastPass experienced a possible security issue that may have been a breach, but told users they were protected as long as they were using strong, non-dictionary-based master passwords. Also, while LastPass (and other online password managers companies) are very forthright about security issues and the risk is minimized because you hold the encryption key, you still need to take a leap of faith when your data (even encrypted) is stored on someone else's servers.

Most secure option: LastPass is the leader of the online password managers because it's both easy to use and can be locked down pretty tightly. LastPass security options allow you to add stronger two-factor authentication, restrict logins by country and enable other features, such as a dedicated security email address and restricted mobile access.

Newcomer Dashlane is a possible contender, though. While it doesn't have all the security tweaks and options LastPass does, with Dashlane you can choose to keep your password data stored just locally or selectively sync individual features. That makes it both a web-based manager and a desktop one.

Local (Desktop) Managers

Not comfortable with your passwords stored online? The most secure managers don't store any data on the web but run off of your computer. Doing so, though, you sacrifice some convenience and usability.

How they work: Local password managers work similarly to the online ones. They have the similar password-generating, auto form-filling, and secure notes features. They just save the encrypted password database on your computer, rather than on the web. Popular ones include KeePass, 1Password, SplashID, and the desktop version of Roboform.

Security weaknesses: The biggest weakness for the desktop password managers is lack of accessibility. Without some workarounds, you don't get the convenient syncing and instant access to your logins from any device, which could be a hindrance to people actually using these password managers all the time. It could even mean you wouldn't be able to log in on other devices (since the most secure password is the one you can't remember).

For many of these, you can sync the database across computers using Dropbox, but that brings back that risk of cloud storage. On the other hand, you still have multiple layers of security: a hacker would need to first break into your Dropbox account (hard if you have two-factor authentication set up) and then also hack into your encrypted password database. The chances of this happening are probably less than losing your laptop.

Most secure option: KeyPass wins for not only being the only open source, but also for having a great array of security features and the most in-depth information about its security. The program protects against dictionary attacks against your master password, keeps your passwords encrypted while the program is running, and has security-enhanced password edit controls. You can use a key file instead of a master password for increased security or combine the key file and password methods to really lock your data down. KeePass is also portable and supports a ton of plugins.

The other programs are among the best password managers and also have strong security. You might prefer one of them for their features. SplashID is the least expensive of the bunch and can sync over Wi-Fi between desktop and mobile editions. (SplashID says they're working on a cloud syncing version that doesn't depend on third-party cloud services like Dropbox or iCloud.) 1Password is a bit pricey, but has a great interface and excellent browser integration. It's a lot less clunky and easier to use off the bat than KeePass. Roboform's desktop app is Windows-only but it has all the bells and whistles of a solid password manager, including browser auto-fill, browser integration, and random password generation.

So What Should You Use?

In short, a desktop password manager like KeePass is the most secure but least convenient option. Cloud-based options (e.g., LastPass) are definitely more convenient and secure from local password theft than the browser-based ones, but you don't have control over where the data is stored.

Here's a comparison of pricing and features for your convenience (click to see the whole chart):

Whichever one you choose to go with, most important thing is to have a really secure master password and a strong password protecting your computer account too.

Love,
Lifehacker

Have a question or suggestion for Ask Lifehacker? Send it to [email protected].