Commercial Password Manager Test: 4 out of 9 recommendable
German testing authority Stiftung Warentest looked closely at nine commercial password managers in its most recent print issue.
The password managers it reviewed were: Dashlane Premium, McAfee True Key Premium, Keeper Security, LastPass Premium, 1Password, SafeInCloud, F-Secure Key Premium, Kaspersky Password Manager, and Enpass.
Only the first four password managers in that list received a recommendation from the testers. All password managers were graded on security, usability and extra features. Here is a list of the things the testers focused on:
- Master password rules, and rules for passwords that are generated and/or stored in the application, for instance the minimum and maximum length of passwords, and complexity.
- Security features such as support for two-factor authentication, protection against third-party access, or security auditing features.
- Documentation, and how comfortable and easy setup and daily use is.
- Extra features such as support for saving other data, use of profiles, saving of critical data such as credit card numbers.
The testers also analyzed the data sending behavior of each application by tunneling all of its traffic through a proxy server.
Unfortunately, the test reveals little about how the actual ratings came about. Only one program, F-Secure's Key Premium, received the best rating in the password requirements group, while higher rated programs such as Dashlane Premium or LastPass Premium received only the second best rating. Why that is the case is unclear, as the test does not reveal it.
The testers put a lot of focus on usability, which made up 40% of the overall rating, while the applications' data sending behavior was not taken into account at all.
Stiftung Warentest criticized the data sending behavior of the Android applications of all programs that ended up on its recommendation list. Some password managers sent data, for instance a device's ID, to third parties according to Stiftung Warentest.
Keeper Security and LastPass Premium got the best overall ratings in the security group, Dashlane Premium in the usability group.
The testers looked at the password managers built into web browsers as well, but don't recommend using them. The two reasons given are that they don't offer password generation options, and that browsers are connected to the Internet all the time, which increases the attack surface. Lastly, only some of them support the optional setting of a master password.
Only four of the nine password managing solutions received a recommendation, but those that are recommended are not necessarily the programs that are the most secure to use.
Security made up only 40% of the overall rating, with extra features making up another 20% (which could include extra security features). Usability is without doubt important, but the 40% that it contributed to a program's overall rating seems a bit high in a field where security is of utmost importance.
I would have liked a stronger focus on security features, for instance whether you may save the password databases offline only, can sync between network devices, where the data is stored, how the company reacted to security incidents in the past, whether security solutions were audited by third parties and so on.
Last but not least, I would have liked to see a comparison to free tools like KeePass as well (which would have done well in security, not so well in usability based on test criteria).
Now You: Which password manager do you use and why? (via Deskmodder)
Security is my primary requirement, and to date I have little trust in any password manager.
>> I have little trust in any password manager.
Then what is your secure alternative?
I’d rather use an offline password manager like PasswordSafe or Keepass and synchronize the database with a self-hosted version of Seafile. I think the only way to be sure your database is actually encrypted is if you do it yourself, so even if someone gets access to your Dropbox/Seafile/ownCloud server, unless you’re a whistleblower chances are no one is gonna have access to your password and they probably won’t even try to brute force decrypt it. But I think it’s interesting to know people are more interested in how secure these online services are.
I use KeePass because anything-cloud is unreliable and untrustworthy.
I’ll NEVER use whatever online too.
I never had the least problem with Keepass & Roboform (desktop version).
I use KeePass exclusively and for the same reasons as Lucas S. and someone. I avoid online apps of any kind as much as possible, and I don’t find copy-paste much of an inconvenience.
Quite a long time ago, I tried Roboform. I managed to get myself locked out of three sites. Yes, I know it was me and not the app, just the same, not a pleasant experience. Only now can I laugh about it.
“I would have liked a stronger focus on security features, for instance whether you may save the password databases offline only, can sync between network devices, where the data is stored, how the company reacted to security incidents in the past, whether security solutions were audited by third-parties and so on.
Last but not least, I would have liked to see a comparison to free tools like KeePass as well (which would have done well in security, not so well in usability based on test criteria).”
Then, why don’t you do your own research and testing, Martin? Rather than complain about a mode of testing, create one to your own liking that covers the coveted features.
Don’t even go there if you don’t have something better to offer.
That’s called freedom of speech and criticism. It’s not only a right, it’s a need for us readers.
Saying you don’t have the right to criticise it because you wouldn’t be able to build it is stupid, offensive and disingenuous. I do realise it’s a cookie-cutter trolling put-down that’s quite commonplace nowadays. It doesn’t mean it’s legitimate.
Wouldn’t that logic mean no one can criticise this article who doesn’t run a site reporting on technology news? Can’t see that line of reasoning getting us anywhere useful.
And I’m sure a quick search of this site will offer you something better. I started using Keepass2Android after reading about it here for example.
What about “Password Safe” from Bruce Schneier?
discovered it 2 months ago. Best of both worlds.
I won’t say anything else.
Robert, thanks for your suggestion. Didn’t know of myki.
Looks interesting, but maybe I don’t understand it, but it seems that having your pw database on your phone leaves you in the lurch when it has no power, let alone if you lose/misplace your phone.
Not sure that it is (“net net” of all security exposures) “more” secure than other solutions.
With all pw tools it seems it is a matter of picking your exposure / vulnerability.
Ease of use is an important factor (40% in this report), and that looks to be one of myki’s strengths.
Like Martin, would like to see greater analysis on the security side, as that is the bottom line for these tools.
Unfortunately, I read that:
“On iOS Myki can log you into websites in Safari via the Myki safari extension.”
So, no Chrome, FireFox or Edge. Looks like a serious drawback to me.
There are other browser extensions as well. I’m experimenting with the Chrome one.
I pinged the devs of Myki.
Firefox and Opera will be added next week.
Safari within the next month.
I like their customer service. Extremely responsive.
Password Safe is up to version 3.43.
I have used Password Safe for more years than I can remember. I first started using it back when PC Magazine was giving away all their software free. Back when they had a magazine and were first on the internet.
In all of these years I still trust and use it. I tried a few others, but always went back to it.
LAST PASS FREE
I don’t see any mention of Sticky Password. I’ve noticed they have Lifetime License sales periodically. You can keep all your data offline and sync only among your devices.
I must admit that their interface on the desktop and Android could do with some work though.
I used to use Dashlane but I’ve recently been trying this one: https://www.passwordstore.org/
It’s been recommended by lots of people so I figured, why not give it a go!
I use Dashlane Premium. Their encryption is very good and you have the ability to import/export the database easily for offline backup. Syncing across multiple devices is quick and painless. They are also very quick to respond to any issues/bugs that come up.
I use BLUR which suits my preferences: It is offered as a privacy tool and appears to do a fairly decent job. I started with the free version and eventually went with the paid version [about $50 /yr.] because it will sync between my apple and my windows hardware. I especially like that its data is kept encrypted and can be exported and imported between external storage and your computer/phone hardware. I have my backup software that loads from a linux usb drive for backing up and restoring my win7 pc for full disk images with verification both after creation and before restoration. It takes a bit of time to do this but seems to be consistently reliable. The only exception is when signing into sites that ask varying personal questions [that vary between logins], it doesn’t handle that as well as it could — but I am too lazy to try and modify it just to keep track of the questions and answers [that I expect could be done]. Still, the inclusion of masked emails and several others features [including really good support] makes it a winner for me.
LastPass free user for a very long time. Will have to test Dashlane.
Why is that?
Because usability is more important than security for a password manager?
I wish they had looked at Roboform, they have been around for many years.