Best Password Manager?

Hey all…

Looking for a password manager. Essentially all I want is something secure, that allows me to store website account information, credit card info, bank account info, etc. The ability to sync from Mac to iPhone would also be ideal.

I've done some quick minor research…and my thoughts are that 1password looks way too expensive to get Mac and iOS, KeePass looks quite confusing, especially as a Mac user, and I don't know much about LastPass. Dashlane looks good, but still $30 a month for syncing I believe?

Let me know what you use, why you use it, and why you recommend it. Some info on it would be ideal as well, i.e. what you pay for it, and what you use it for.

Cheers!

Comments

  • Suggested 1Password

    I know you've said 1Password is too expensive when separate iOS and Mac OS X licences come into the equation and can't disagree. I've got a Mac OS X licence only and have been very happy with it over the years, but never found the need to shell out for the iOS app too.

    Depending on what you mean by "sync" it might be an option still. If you mean two way transfer you're out of luck unless you shell out for the app. If you merely mean read access to passwords while on the go, you should check out the 1PasswordAnywhere feature that the desktop version comes with. It essentially stores all of the passwords in a secure HTML file that you can open and unlock in a modern browser. I find it's sufficient for the occasions I need to get a password on the go, even though typing my lengthy master password on a phone is a real pain.

    • I should also add that 1Password's Mac OS X client is well designed, good at what it does and apparently well received from a security perspective. I use it to store randomly generated single-use passwords for a range of sites, to store product licences, and to keep secure notes that I used to entrust to keychain manager.

      I've only ever dealt with their customer support once to sort a licence for a pre-Mac App Store machine and they were very helpful in securing a complimentary legacy license. A downside is that the Android app is read-only, but you've said you are iOS and as my point above notes, I've never needed two-way sync on Android or iOS.

      • +1

        "I should also add that 1Password's Mac OS X client is well designed"

        I bought 1Password because it looks good, but both it and Lastpass get great reviews. I wouldn't buy it again especially since you have to buy it for each platform.

    • I agree with tplen1. 1Password is an excellent product made by people who seem to really give a damn about its quality AND (as you'd hope) really know a thing or two about strong security. There are frequent updates, and its support channels and community are active and responsive in my experience. However, I also appreciate it is not the cheapest, so IF you are able to wait, agilebits (the company) puts it on 50% sale probably 2-3 times a year. In my experience it always goes on sale every American Thanksgiving. Most recently it had a 50% off Heartbleed sale. I have not experienced LastPass, it may well be a good product also, but going with what I know, 1Password is an excellent, well-backed product.

      • I should have added that I bought it during a 50% off sale from the Mac App Store. They then gave me a complimentary license for a machine that was pre-AppStore.

    • As everyone else said, I'm using it and it's great.

  • +2
    Suggested LastPass

    I've been using LastPass for the last few years after a major security breach that I actually had an account with occurred.
    Works extremely well, never had any login issues and it's cross platform (Mac, Windows, Linux, Android, iOS, Windows Phone, Blackberry, Symbian) so works on pretty much everything.

    The free standard version is great but it's only $12/year to
    a) support the ongoing development and maintenance of an excellent service
    b) get mobile OS support.

    • LastPass also offers hardware 2FA with a Yubikey, which is something I'd like for 1Password but the developers have indicated won't occur.

      • +1

        Not just YubiKey, there's a few 2FA options.

      • +1

        Yes I'm using Google Authenticator with my LastPass account.

  • +11

    Personally I recommend LastPass.

    • You can try it out for free. Yes some features are not included (most importantly mobile device sync), but a lot of people use LastPass free edition on their browsers as it does most of what they need.

    • If you are a uni student, you can try LastPass Premium for free for 6 months. Use the referral link there so someone (and you) will get an extra month of premium.

    • Functionality wise it has almost everything I needed as a password manager. Sync across different browsers (IE, Chrome, Firefox), different computers (Windows, Mac, Linux), different devices (Android, iOS, Windows Phone). Secure notes. Everything encrypted locally using your password (and optional 2-factor authentication) and LastPass.com only gets encrypted blob. Actually they've added so many features that I've not yet checked (been using LastPass Premium for almost 5 years now).

    I'm fine paying USD$12/year for something that I use multiple times a day on multiple devices. YMMV.

    Edit: Argh someone already made that suggestion when I typed up my reasons.

    • +9

      You had me at "personally", Scotty.

      • Simply because since switching to LastPass 5-6 years ago I haven't tried anything else :) Yes it's quite good, but unfortunately I cannot give comparison with other products.

      • +3

        Make sure you remember your email password though, don't use Lastpass for that.

        I think it was a year or two ago Lastpass wanted everyone to reset their password and sent everyone emails. Problem was a lot of people use Lastpass to store their email password.

        If you can't access Lastpass, you can't access your email. If you can't access your email, you can't access Lastpass.

        They also can't restore your data for you either. If you lose your password and can't access a PC you signed into previously all your usernames/passwords are gone. That's another reason why it's a good idea to manually remember your email password, that way you can do password resets.

        • Lastpass passwords are stored locally in each machine that it is installed. If you want to know any password managed by lastpass, you just have to login locally and retrieve the password.
          No need to store email passwords separately.

    • "I'm fine paying USD$12/year"

      Just did that thru my Telstra linked play account the other day

      (was one of the $10 sims I had stocked up on :)

      edit: came to 13.77 AUD

      • Wow, didn't know you could do that! Nice tip.

        Might have to give LastPass a try.

    • How are you paying $12/year? When I click Go Premium it shows 'Just $2 /month, billed annually.'

  • I guess I was also looking for something that I could store bank account info, etc. in as well for reference on phone calls and customer service. Last Pass does not incorporate this, does it?

    • Not sure if it's what you're after, but Lastpass has a Secure Notes feature

    • Try "Identities" in the LastPass Vault feature.

    • There is a notes section under each site stored where you can enter whatever you want in relation to that site.
      It is what I do.

  • +9
    Suggested KeePass

    I use Keepass with the kdb file stored on my dropbox. Version of the program available for pretty much any OS, open source and free.
    Not sure what about it you think is confusing, I found it only took a few minutes to set up.

  • I've been using DataVault Password Manager for 5-6 years (only one-off fee but need licence for each OS)
    http://www.ascendo.co/DataVault.html

  • I use LastPass and pay for premium option across all my devices. Quite happy with the results so far and trying to get the wife to switch to make her passwords more unique.

  • I think you'll find the Dashlane pricing is USD$30 a year, not a month. I use that now, although I used to use LastPass as well. Reason I stopped using lastpass was due to some annoying bugs I was getting with the autofilling function. Haven't gone back for a while so those bugs may be gone now.

    I find both Dashlane and LP to be pretty much on par in terms of service offerings - multi browsers, sync with devices (premium), secure notes, etc.
    One gripe I have with Dashlane is that it has no linux support (there's supposedly a way to get it to work in browsers but I haven't bothered looking into it). Also, Dashlane runs as a stand-alone program outside the browser so there might be a bit more computer resources used, but I've never noticed any effect on my laptop.

    You might be able to get dashlane at a discount by trialling a premium account. I'm pretty sure they offered me a discount via the app when I got toward the end of the 30 day trial.

  • +1

    I would recommend you to watch for a sale of 1Password via appshopper or a similar website. 1Password is overpriced, but it is still a very good software.

  • I use the android app called Pocket, which syncs with dropbox.

    I find I have my phone wherever I go so don't worry about multiplatform.

    • Much nicer to just have the password autofill though than have to copy it from your phone screen!

    • I also love that app. Simple to use and data is saved on phone not on cloud. There is desktop version also.
      Wish there was similar iOS app also.

  • I've tried them all but keep coming back to Roboform.

    They've never been hacked either.

    • Famous last words?

    • Been using Roboform for years but started to get problems about a year ago in that it won't let me log onto one of the banks I use nor Centrelink.
      When I save the password it saves a changed password so it doesn't work.
      I emailed the bank and asked them if they had changed something to cause it but they hadn't so I'm confused why Roboform has problems with these 2 (higher security) websites

  • +1
    Suggested mSecure

    I know 1password is expensive but it's worth every cent. I've tried a lot of different apps but none really compare. The browser plugins are especially handy.
    I should also add that mSecure is a close second and well worth a look

  • +1

    1Password is worth every penny.

    Buy both Mac OSX and iOS versions - occasionally on special or part of bundles.

    Sync via Dropbox, iCloud or local.
    Windows version if you're stuck using that OS at work or wherever.
    Identities and auto-complete for online shopping sites.
    And they keep developing it.

    (Posted from within the 1Password browser on my iPad!)

    RB

  • I have a mate who writes them all down and hides the paper 'carefully'. He changes them frequently and does not duplicate. He says if they can hack everything else in the world they can hack a p/w manager. Please discuss ….

    • Yep.. he's right
      But you lose all the convenience of autofill and true random generation..
      And what happens when he loses the piece of paper?

    • +1

      Most "managers" are there for convenience, without sacrificing too much on security. The real paranoid would not trust a proprietary software solution, but most people are happy with a good enough solution.

      @grovesy15 - if your last name happens to be Snowden or intend to do something similar, maybe none of the suggestions here would satisfy you.

    • That's really, really inconvenient aka a waste of time - why does he not just use Keepass? He's probably more insecure doing it that way owing to the possibility of keyloggers.

  • Suggested Norton ID SAFE

    I have been using Norton ID SAFE for over 6 months now. Been using it on my iphone, windows 7 and android tablet and it works flawlessly. It's free and has online and offline access for tablet and iphone. Worth a try to see if it works for you. No ads either.

  • www.passpack.com is my personal preference.

  • +2

    I use Lastpass. For me it strikes the right balance between security and convenience particularly on mobile devices.

    Storing passwords remotely is theoretically less secure than a purely local solution like Keepass but just like music quality for a lot of people convenience trumps going the extra distance for marginal gains. Provided you use Lastpass correctly it is leaps and bounds ahead of not using a password manager both in time and security gained.

    I do however not use it for anything that may lead to me losing money eg PayPal, credit card numbers and banking. There is nothing to indicate that Lastpass has ever been compromised thus far however … I'm still cautious.

  • -8

    Use your memory? You can remember things with a little bit of work.

    I remember my bank login account number, credit card details, all of my passwords and PINs (around about 5 - 6 in total) and which sites I use…etc.

    It's not that hard.

    • Do you have unique and truly random passwords with Symbols, Digits, Upper and Lower Case and at least 16 characters for each site, or do you reuse passwords or have a "system"?

      • For things that matter, yes, I have unique passwords.

        For things that don't, i.e. for things such as OzBargain, other forums…etc. where there isn't any risk if my account is compromised, then no, I don't have unique passwords for them.

        But why waste the effort and time.

        I just find it ridiculous. Imagine if the password manager you use goes under or their database goes corrupt, you'll be left clueless as to what your passwords are.

        • Lastpass caches locally so you can export if necessary.

        • Firstly, I'd rather not compromise everything with the compromising of one password. With the system I have, you find one of my passwords, fine, I'll change that one. None of my passwords will give you access to anything else that's of importance.

          These systems are like having a number of keys for your house, but storing them in a safe with one master key, when that key's loose, guess what…you're done for.

          If you're using one password to keep all your other passwords secure, what happens when that password is compromised?

          What if it's an emergency and you really need access to a single password immediately?

          What if you're at a friend's place and you want to log on somewhere and you're using their computer?

          When we get technology to "remember" things for us, we're way too reliant on technology.

          It's sad how many people can't even remember their own phone number, nor the numbers of the top 3 people they call.

          Ridiculous.

        • +1

          I similarly don't use a Password Manager for directly financial related stuff for that exact reason.

          "If you're using one password to keep all your other passwords secure, what happens when that password is compromised?"
          Ask yourself that question? You're actually the one who is more vulnerable to this situation cause you use the same password for everything you deem "unimportant". The problem is the information that can be compiled from those unimportant sites could well provide sufficient info to "backdoor" one of your important sites.
          With 2FA on Lastpass, having my password compromised is only half of the required key.

          If I'm at a friend's place/emergency, I can pull out my USB key and load up Portable Firefox (with Lastpass) or get out my phone and hand type the stored password.

    • 5-6 passwords? Try 49 passwords (complex variations of characters with length of 18+ chars) not to mention the ability to store private notes securely.

  • +2

    Call me paranoid, but with all the confirmations about the NSA making vendors put back doors into their security products, I am very wary of closed-source and online-based products. Then there's the seemingly weekly reports of site hackings and issues like the Heartbleed Bug that can let evil-doers bypass all that lovely security.

    So for me, it's KeePass.

    • +1

      Lastpass uses your password locally to encrypt your DB file before sending it to them. They do not have your password and therefore can't access your data.

      That's also the reason why Heartbleed didn't really matter to Lastpass. Yes people could've accessed Lastpass' data, but because it's encrypted with a key only you know, the data would've been worthless.

      • Well Heartbleed is still an issue…
        Just cause the password is encrypted before sending to Lastpass doesn't mean it isn't retrievable from the memory of your Heartbleed vulnerable Service provider.
        But no matter what password system you use, Heartbleed was an issue for everyone!

        • I don't use Lastpass nor am I trying to defend them but if I understand correctly, your DB is encrypted locally and then sent to LP's servers, your password has no opportunity to be compromised on LP's servers and thus isn't affected by heartbleed.

      • "They do not have your password and therefore can't access your data"

        If you could guarantee that was true now and into the future, then I'd happily use LastPass, but as I said, there are just too many examples of where the NSA and the like have backdoors.

        http://www.google.com/search?q=nsa+backdoor

        But if you're going to use LastPass, make sure you have a damn strong master password. Unfortunately, most people are ignorant of what is a good password. As Ars Technica showed, 90% of passwords can be cracked in a few hours.

        https://www.schneier.com/blog/archives/2013/06/a_really_good…

        Granted, the average LastPass user is probably more knowledgeable, but I wouldn't be surprised if the majority of users' DB passwords could still be cracked.

        Most people are also ignorant of just how fast their password can be brute forced. If in doubt, test it here:

        https://howsecureismypassword.net/

        And even if you have a strong master password now, they've got your DB. And all that lovely faster computing power and things like quantum computing coming in the future is another concern - albeit for another day.

        As for vulnerabilities like Heartbleed, SQL injections, phishing, etc., yes they won't decrypt your DB, but as you say they're the sort of thing that will help get access to your raw DB file in the first place.

        In the end, it's an issue of control versus risk. For me, putting my DB in someone else's hands is just a higher level of risk than I'm willing to take at the moment, but as I said, I'm cautiously paranoid ;)
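
Added example, not part of the thread and not any vendor's code: a sketch of the point argued above, that a vault encrypted locally under a key derived from the master password is only as hard to open offline as that password is to guess. The PBKDF2 iteration count and the attacker's raw hash rate are assumed values chosen for illustration, and the entropy figures hold only for passwords picked uniformly at random.

```python
import hashlib
import math
import secrets
import string

CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]
ALPHABET = "".join(CLASSES)  # 26 + 26 + 10 + 32 = 94 symbols

# Assumptions for illustration only, not measurements of any real product.
ASSUMED_ITERATIONS = 100_000
ASSUMED_RAW_HASHES_PER_SECOND = 1e10


def generate_password(length=16):
    """Random password that contains all four character classes."""
    if length < len(CLASSES):
        raise ValueError("length too short to hold every character class")
    while True:
        # secrets draws from the OS CSPRNG, unlike the random module.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Reject and redraw instead of patching characters in, so every
        # accepted password stays equally likely.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length, alphabet_size):
    """Entropy of a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password, salt, iterations=ASSUMED_ITERATIONS):
    """Stretch the master password into a 256-bit key on the client.
    Only data encrypted under this key would leave the machine."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def offline_guess_rate(raw_hashes_per_second, iterations):
    """Each master-password guess costs `iterations` hash computations."""
    return raw_hashes_per_second / iterations


def years_to_search_half(bits, guesses_per_second):
    """Expected time to hit the password: half the keyspace on average."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_policies():
    """Years of offline guessing for two policies mentioned in the thread."""
    rate = offline_guess_rate(ASSUMED_RAW_HASHES_PER_SECOND, ASSUMED_ITERATIONS)
    policies = {
        "6 random lowercase letters": entropy_bits(6, 26),
        "16 random chars, 94-symbol alphabet": entropy_bits(16, len(ALPHABET)),
    }
    return {name: years_to_search_half(bits, rate)
            for name, bits in policies.items()}


if __name__ == "__main__":
    salt = secrets.token_bytes(16)          # stored next to the encrypted vault
    master = generate_password(16)
    print("vault key:", derive_vault_key(master, salt).hex())
    for name, years in compare_policies().items():
        print(f"{name}: about {years:.3g} years")
```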

  • -3

    Your brain.

  • Has anyone used last pass and msecure? I have been using msecure but would like to know if I am missing something. I read last pass do auto fill on chrome / android which could be nice.

  • Personally, I'd rely on none of them.

    Use either your brain/memory or some personal form of cryptography in a list. Also all passwords to be non-dictionary, so that it can withstand bruteforce attacks.

  • "Use your memory? You can remember things with a little bit of work."

    I'm simply not interested in doing "a little bit of work" to remember hundreds of logins of which a majority are 64 random characters. I'm not even interested in doing that for passwords that are six random characters which are an easy target for an attacker. Not to mention that I'll simply forget many of them leading to tedious password resetting.

    I also recommend generating another password and using that as the security question answer where applicable given that some are susceptible to brute forcing methods (as well as the more determined attacker that may use social media to discover information) such as names or cities for example.

  • +1

    Keepass, because it's open source, and thus security issues tend to be exposed and patched more quickly.

    • I appreciate the sentiment, and I tend to agree in principle. However, we recently saw a dramatic anti-demonstration of this: veteran encryption software TrueCrypt — I'm a long-time, once-happy user, now not so sure. http://steve.grc.com/2014/05/28/whither-truecrypt/

      • +1

        OMG - I didn't know that. That is so depressing :(

  • Dashlane for me…I pay nothing, so not sure why people are saying it is $$.

    • When did you start using it? Are you still in the premium trial?

  • I don't really understand how all the different encryption systems work or how they can be hacked, so could someone tell me which one is the most secure? Convenience is not a top priority for me.

  • I am trying out dashlane at the moment, I tried last pass but it's just not cutting it for me.

    Shameless plug: Get 6 months free premium dashlane using this referral (disclaimer: I get 6 months free as well)
    https://www.dashlane.com/en/cs/3bb8c77c

    Premium gets you syncing between devices, the annual fee of $30 is a bit much, and the ram usage is a little high, but so far it's my favorite.

    • Have you tried 1password?

      • Yep, got it on my iphone (bought v3 then v4 like a month later) but I just don't like it, they are too mac centric as well.

    • I did notice though the fees via In App Purchases on iOS are 30% higher than on their website, when only 10% can be attributed to currency exchange.

  • Suggested Safe in Cloud

    I've found Safe In Cloud to be a great companion for me. Nice GUI and works for Android, iOS, Windows and MAC (beta at this stage). The good thing I liked about it is that you store your credentials database to your favorite cloud service (eg. dropbox, google drive, skydrive), so you don't have to worry about your data being stored on the developer's servers.

    • It's got potential but from the screenshot its chrome addin design isn't as nice as dashlane or last pass.

      No recurring fees and potentially no dependence on one potential fly by night host is a positive though.

  • Lastpass with two factor authentication.

  • +1

    I use Lastpass. Probably the best password manager out there, I highly recommend it!

  • Suggested Dashlane

    Recommend Dashlane. You don't need to pay to sync between devices. You can store all your details such as your passport number, credit card number, drivers license number and of course passwords are synced and stored in one place. You can install the "helper" app on safari, chrome and firefox on mac and windows which will automatically fill in and remember passwords for you.

    • How do you sync without paying?

      • I am not paying and mine syncs fine….

    • Here's the difference between free and premium (premium being USD$29.99/year). Free accounts don't have:

      • No backup to the cloud
      • No sync across devices
      • No web access
      • No priority support

      Yeah would like to know how you can sync without paying. Do you need to put your password file on another cloud storage like Dropbox?

      • My guess is he either constantly refers people to get 6 months free access (like my shameless attempt above), or he doesn't actually sync.

  • +1

    For me it's 1password as I can sync to my own local network (via local file sync feature) and am not forced to use any NSA-approved cloud services. I also love Safe in Cloud and would stick with that if it wasn't forced to use a 3rd party cloud service.

  • Has anyone tried STRIP?

  • Dashlane for me. Somehow I have free syncing…must have been on a trial or something.
