To be secure on the internet, whether it’s on the web, or apps on your phone, it’s super important to use strong passwords. And it’s just as important to never reuse passwords. This is why everyone needs a password manager.
What Does A Password Manager Do?
In a nutshell, a password manager stores your encrypted passwords in a vault that is protected by a master password and a private key. The passwords can only be decrypted by someone who has the master password (and, for the services that use one, the private key).
These passwords are accessed either through a browser extension or mobile app.
The premise of using a password manager is someone can use long, random passwords for each website or app they use, without having to remember them. They only have to remember the master password.
The LastPass Breach
I started my research on password managers because of the LastPass Breach. I have been a LastPass customer for 13 years, and because of their failure to keep locked up what I pay them to keep locked up, I am moving away from them.
As password managers are a must in today’s internet, I look at 5 of the top ones and evaluate them on security, ease of use, and cost.
The ones we’re going to look at are (in no special order): Dashlane, Keeper, 1Password, KeePass, and Bitwarden.
I left out LastPass even though they are one of the largest password managers. I do not feel good about recommending them at all now. Here’s how I really feel about LastPass.
Each of these password managers offers support for all major operating systems and browsers, plus they have mobile apps. They all have the ability to create random passwords, autofill passwords, and sync among devices (KeePass can be the exception to that). None of them store your master password on their servers, although two of them store your private key on their servers, and one gives you the option of storing it and your passwords there, or not.
Dashlane has been around since 2012, making them the youngest of the 5. On the front page of their website, Dashlane touts “Patented, zero-knowledge security architecture,” “Smart Spaces that keep work & personal data separate,” and “The easiest and safest way to share business passwords.”
Now let’s look at pricing. For the purpose of this article, I’m only looking at personal plans.
Dashlane has 4 tiers: Free, Advanced ($33.00), Premium ($59.88), and Friends & Family ($89.88). Those, and all of the prices I will give here, are yearly prices, which Dashlane says is a 20% discount from paying monthly.
Free gets support for 1 device. Advanced adds unlimited devices plus dark web monitoring. Premium adds a VPN, and Friends & Family includes everything in Premium for up to 10 accounts.
Ease Of Use
I didn’t install any of these myself, so I relied on some YouTube videos to walk me through the process of installing and using the service.
Dashlane appears to be very user friendly. Their interface is clear as to what each function does. Setup seems simple, and the service walks you through each step.
On their website, they say that they’ve “never been breached,” and from what I can gather, that is true. They, like all the others here, say that they don’t store your master password on their servers, and your data is encrypted using AES 256-bit encryption with a 32-byte salt. That is industry standard for encryption. They and the others offer 2 factor authentication (“2FA”) as well. If you don’t know what 2FA is, this article will explain what it is.
A “salt” is extra data that is combined with a secret before it is hashed or encrypted. All of these password managers salt the master password. That means when you first create it, they add additional information, like your email address, to it before it is turned into the key that protects your vault. Because the salt is different for every user, two people who pick the same master password still end up with different keys, and an attacker cannot build one lookup table that cracks everyone at once. This adds an additional layer of protection.
They do, however, store your data, including passwords and the private key, on a third-party server (AWS), so their security is only as good as Amazon’s.
Dashlane seems to be a good option for a password manager, and the price is pretty much in line with the others. I’m not really happy with their data storage option, though.
Keeper has been around since 2011, with the password manager app being created in 2009. Their front page appears to be mostly geared toward enterprise users.
Keeper has only two individual plans: Personal ($35) and Family ($75).
Personal has unlimited passwords and devices, and unlimited sharing. Family adds 5 private vaults, which I assume means 5 accounts, plus 10GB cloud storage. They do have some add-on options that cost extra, such as dark web monitoring, secure file storage, and concierge service.
Ease Of Use
Like Dashlane, Keeper seems very intuitive and easy to set up and use. It has many options right up front where you don’t have to dig for them.
On their website, Keeper makes no claims that I can see about never being breached. However, Wikipedia states that “In December 2017, Keeper was bundled with Windows 10 by Microsoft. Google security researcher Tavis Ormandy disclosed that the software recommended installing a browser addon which contained a vulnerability allowing any malicious website to steal any password. A nearly identical vulnerability was already previously discovered and disclosed to Keeper in 2016. Within 24 hours, the company issued a patch.” And ZDNET reported in 2018 that an AWS server containing some of the company’s software was left exposed. Keeper said that there were “no private keys” on the server.
Like Dashlane, Keeper seems to be a good password manager, although, like Dashlane, using a third-party server to protect your data has its own risks.
1Password has been around since 2006, making it one of the oldest password managers. They say on their website that they’re “The world’s most loved password manager.”
Like Keeper, 1Password has two plans: 1Password ($35.88), and 1Password Family ($59.88).
The less expensive plan has unlimited passwords and devices, and 1GB document storage. Family adds 5 accounts ($1/month for each additional over 5).
Ease Of Use
1Password also walks you through the setup procedure. During setup they require you to fill out a PDF form that includes your private key. They then instruct you to print it out and store it somewhere safe, like a safe deposit box. You will not be able to install 1Password on any device without that key. 1Password does not store your private key on their servers.
In addition, 1Password can intercept some 2FA codes and enter them for you. I’m not sure if this is for mobile only or desktop as well. I’m not so sure that’s a feature I would use on a desktop, though, since it seems to defeat the “something you know and something you have” purpose of 2FA.
1Password does not say anything that I can see about not being breached, and I cannot find any report of any security incidents. Their “security white paper” states that data for team accounts is stored on AWS, but makes no mention of individual plans or their other enterprise plans; I assume those are stored there as well. They use the same AES 256-bit encryption with a 32-bit salt.
They state that even with the master password, no one can gain access to your vault without the private key, which they had you print out and store securely. They do not have access to the private key.
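To make the salt and private-key ideas from the Dashlane and 1Password sections concrete, here is a small worked example. It is written for this review and is not code from any of the products; the email-as-salt, the PBKDF2 iteration count, the sample credentials and the verifier construction are all assumptions chosen to illustrate the model.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample credentials for the demonstration (not real account data).
MASTER_PASSWORD = "correct horse battery staple"
EMAIL = "alice@example.com"   # doubles as the per-user salt, as described above
ITERATIONS = 100_000          # assumed work factor; products tune this or use Argon2


def derive_vault_key(master_password: str, salt: str,
                     secret_key: Optional[bytes] = None,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch a master password into a 256-bit vault key.

    The salt is mixed in before hashing, so two users who pick the same
    master password get different keys and one precomputed table cannot
    crack everyone. If a locally held secret key is given (the second
    secret 1Password has you print out), it is folded in too, so the
    master password alone cannot reproduce the vault key.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    salt.encode("utf-8"), iterations, dklen=32)
    if secret_key is None:
        return stretched
    return hmac.new(secret_key, stretched, "sha256").digest()


def make_verifier(vault_key: bytes) -> bytes:
    """All a zero-knowledge server needs to keep: a hash of the key, never the password."""
    return hmac.new(vault_key, b"vault-unlock-verifier", "sha256").digest()


def can_unlock(verifier: bytes, master_password: str, salt: str,
               secret_key: Optional[bytes] = None) -> bool:
    """Check an unlock attempt against the stored verifier in constant time."""
    candidate = derive_vault_key(master_password, salt, secret_key)
    return hmac.compare_digest(verifier, make_verifier(candidate))


if __name__ == "__main__":
    device_secret = secrets.token_bytes(32)   # generated once and kept offline by the user
    verifier = make_verifier(derive_vault_key(MASTER_PASSWORD, EMAIL, device_secret))
    print("same password, other salt, same key?",
          derive_vault_key(MASTER_PASSWORD, EMAIL) == derive_vault_key(MASTER_PASSWORD, "bob@example.com"))
    print("master password alone unlocks?", can_unlock(verifier, MASTER_PASSWORD, EMAIL))
    print("master password + secret key unlocks?", can_unlock(verifier, MASTER_PASSWORD, EMAIL, device_secret))
```

The real products wrap the vault with AES-256 using the derived key; the point here is only that the server-side verifier reveals neither the master password nor the key, and that losing the printed secret key means the master password by itself is not enough.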
In 2020, researchers from the University of York released a study where they were able to demonstrate how a malicious website could trick both 1Password and LastPass into revealing a password. That vulnerability was patched quickly.
1Password is one of the most experienced password managers around, and their history of no breaches is pretty impressive.
KeePass is a bit different from the previous 3 password managers, as it is open source. This means the source code is open for anybody to view and check for vulnerabilities like back doors. They’ve been around since 2003, making them the oldest of the five I am reviewing. Their website looks like it was built in 1992, but I’m not judging.
Not only is KeePass open source, it is completely free, managed and updated by volunteers.
Ease Of Use
KeePass is primarily a Windows application, but it does support macOS, Linux, Android, and iOS. Setup is not as easy as the others, so this is best for experienced users.
Like all of the password managers I am reviewing, KeePass uses AES 256-bit encryption with a salt. They don’t disclose how long the salt is, though.
The big difference between KeePass and other password managers is that they do not store your passwords on their servers, nor do they store them on any third-party servers. They are all stored on your device. You can, however, choose to store them on any cloud server such as Google Drive or Dropbox so they can be synced between devices. Your private key is also stored locally.
Having local storage means that you are solely responsible for keeping your passwords locked up safe.
KeePass does disclose some issues on their website. Most pertain to the software running on an insecure device. They state that “KeePass nor any other password manager can magically run securely in a spyware-infected, insecure environment.”
KeePass has the advantages of being FOSS (Free Open Source Software), plus one doesn’t have to rely on the company for security, as the user holds everything locally: software, keys, and data.
The disadvantage is that if someone wants to sync across different devices, they have to either manually copy and paste the data, or store it on a cloud server where they have no control over security.
Like KeePass, Bitwarden is an open source password manager. The big difference between them and KeePass is they are able to store your passwords in the cloud so you can sync between devices, but you are also able to host them yourself if you wish.
Bitwarden is the 2nd cheapest of the 5 password managers I am reviewing next to KeePass. They have 3 tiers: Free, Premium ($10), and Family ($40). Yes, those are yearly prices.
Free has unlimited passwords, and unlimited devices. The premium plan adds support for 2FA, emergency access, and security reports. The family plan allows up to 6 premium accounts, and unlimited sharing.
Ease Of Use
Installing Bitwarden isn’t as simple as the others. They have a lot of options during setup, and the novice might not understand all of them. The auto-fill function on a browser seems a bit wonky, but I assume it works.
With Bitwarden, you have the option of storing your passwords on their servers (they use Microsoft Azure instead of AWS), or hosting the passwords on your own private server. Self-hosting requires extensive knowledge of setting up a server, so this option is not for the faint of heart.
As an open-source platform, Bitwarden was audited in 2018 and posts the results of that audit on their website. From what I see, the auditors did not find any issues with their security.
Bitwarden does (if they are hosting your passwords) store your private key in the cloud.
Bitwarden looks to be a good choice for a password manager if you are an experienced user. For someone new, I would not recommend attempting this.
Password manager bottom line
While no password manager is perfect, and although none of the above have ever been breached, that’s not to say that they never will be. Overall, a password manager service is only as good as its employees, and if you have a weak master password, your passwords might be exposed if the data is ever accessed by bad guys.
Don’t rely on just a strong master password. Back that up with 2-Factor Authentication, so if your master password gets compromised, you can still be assured that the thieves cannot access your sensitive services without your permission. However, 2FA doesn’t matter if the crooks gain access to the data vault on the service’s servers, as happened with LastPass.
In this article I talk about a hack that can protect your passwords even if your password manager gets breached.
As always, if you have a question about this or any other post, please leave a comment below, or you can email me at email@example.com.