Commercial Password Manager Test: 4 out of 9 recommendable - gHacks Tech News

Commercial Password Manager Test: 4 out of 9 recommendable

German testing authority Stiftung Warentest looked closely at nine commercial password managers in its most recent print issue.

The password managers that it reviewed and looked were: Dashlane Premium, McAfee True Key Premium, Keeper Security, LastPass Premium, 1Password, SafeInCloud, F-Secure Key Premium, Kaspersky Password Manager, and Enpass.

Only the first four mentioned password managers received a recommendation by the testers. All password managers were graded based on security, usability and extra features. Here is a list of things the testers put much of the focus on:

  • Master password rules, and rules for passwords that are generated and/or stored in the application, for instance the minimum and maximum length of passwords, and complexity.
  • Security features such as support for two-factor authentication, protection against third-party access, or security auditing features.
  • Documentation, and how comfortable and easy setup and daily use is.
  • Extra features such as support for saving other data, use of profiles, saving of critical data such as credit card numbers.

The testers analyzed the data sending behavior of each application furthermore by tunneling all traffic through a proxy server.

commercial password managers

The test reveals little unfortunately when it comes to the actual ratings. Only one program, F-Secure's Key Premium, received the best rating in the password requirements group, while better rated programs such as Dashlane Premium or LastPass Premium only the second best rating. It is unclear why that is the case as it is not revealed in the test.

The testers put a lot of focus on usability, as it made up 40% of the overall rating, and the application's data sending behavior was not taken into account at all.

Stiftung Warentest criticized the sending behavior of the Android application in all programs that ended on its recommendation listing. Some password managers sent data, for instance a device's ID to third parties according to Stiftung Warentest.

Keeper Security and LastPass Premium got the best overall ratings in the security group, Dashlane Premium in the usability group.

The testers looked at the password managers of web browsers as well in the test, but don't recommend using them. The two reasons given are that they don't come with password generation options, and that browsers are connected all the time to the Internet which increases the attack surface. Lastly, only some support the optional setting of a master password.

Closing Words

Only four of the nine password managing solutions received a recommendation, but those that are recommended are not necessarily the programs that are the most secure to use.

Security made up only 40% of the overall rating, with extra features making up another 20% (which could include extra security features). Usability is without doubt important, but the 40% that it contributed to a program's overall rating seems a bit high in a field where security is of utmost importance.

I would have liked a stronger focus on security features, for instance whether you may save the password databases offline only, can sync between network devices, where the data is stored, how the company reacted to security incidents in the past, whether security solutions were audited by third-parties and so on.

Last but not least, I would have liked to see a comparison to free tools like KeePass as well (which would have done well in security, not so well in usability based on test criteria).

Now You: Which password manager do you use and why? (via Deskmodder)

Summary
Commercial Password Manager Test: 4 out of 9 recommendable
Article Name
Commercial Password Manager Test: 4 out of 9 recommendable
Description
German testing authority Stiftung Warentest looked closely at nine commercial password managers in its most recent print issue.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. chesscanoe said on October 2, 2017 at 2:33 pm
    Reply

    Security is my primary requirement, and to date I have little trust in any password manager.

    1. Peter said on October 3, 2017 at 1:28 pm
      Reply

      >> I have little trust in any password manager.
      Then what is your secure alternative?

  2. Lucas S. said on October 2, 2017 at 3:07 pm
    Reply

    I’d rather use an offline password manager like PasswordSafe or Keepass and synchronize the database with self-hosted version of Seafile. I think the only way to be sure your database is actually encrypted is if you do it yourself, so even if someone gets access to your Dropbox/Seafile/ownCloud server, unless you’re a whistle blower chances are no one is gonna have access to your password and they probably won’t even try to brute force decrypt it. But I think it’s interesting to know people are more interested at how secure these online services are.

  3. someone said on October 2, 2017 at 3:51 pm
    Reply

    I use KeePass because anything-cloud is unreliable and untrustworthy.

  4. Belga said on October 2, 2017 at 4:14 pm
    Reply

    I’ll NEVER use whatever online too.
    I never had the least problem with Keepass & Roboform (desktop version).

  5. kalmly said on October 2, 2017 at 4:15 pm
    Reply

    I use KeePass exclusively and for the same reasons as Lucas S. and someone. I avoid online apps of any kind as much as possible, and I don’t find copy-paste much of an inconvenience.

    Quite a long time ago, I tried Roboform. I managed to get myself locked out of three sites. Yes, I know it was me and not the app, just the same, not a pleasant experience. Only now can I laugh about it.

  6. goldendays said on October 2, 2017 at 6:41 pm
    Reply

    “I would have liked a stronger focus on security features, for instance whether you may save the password databases offline only, can sync between network devices, where the data is stored, how the company reacted to security incidents in the past, whether security solutions were audited by third-parties and so on.

    Last but not least, I would have liked to see a comparison to free tools like KeePass as well (which would have done well in security, not so well in usability based on test criteria).”

    Then, why don’t you do your own research and testing, Martin? Rather than complain about a mode of testing, create one to your own liking that covers the coveted features.

    Don’t even go there if you don’t have something better to offer.

    1. Clairvaux said on October 2, 2017 at 7:29 pm
      Reply

      That’s called freedom of speech and criticism. It’s not only a right, it’s a need for us readers.

      Saying you don’t have the right to criticise it because you wouldn’t be able to build it is stupid, offensive and disingenuous. I do realise it’s a cookie-cutter trolling put-down that’s quite commonplace nowadays. It doesn’t mean it’s legitimate.

    2. Rob said on October 2, 2017 at 8:08 pm
      Reply

      Wouldn’t that logic mean no one can criticise this article who doesn’t run a site reporting on technology news? Can’t see that line of reasoning getting us anywhere useful.

      And I’m sure a quick search of this site will offer you something better. I started using Keepass2Android after reading about it here for example.

  7. Rune Rebellion said on October 2, 2017 at 7:12 pm
    Reply

    what about “password safe” from bruce schneier?

  8. Robert Fierce said on October 2, 2017 at 8:27 pm
    Reply

    https://myki.co

    discovered it 2 months ago. Best of both worlds.

    I wont say anything else

    1. BM said on October 2, 2017 at 11:38 pm
      Reply

      Robert, thanks for your suggestion. Didn’t know of myki.

      Looks interesting, but maybe I don’t understand it, but it seems that having your pw database on your phone leaves you in the lurch when it has no power, let alone lose/misplace your phone.

      Not sure that it is (“net net” of all security exposures) “more” secure than other solutions.

      With all pw tools it seems it is a matter of picking your exposure / vulnerability.

      Ease of use is an important factor (40% in this report), and that looks to be one of myki’s strengths.

      Like Martin, would like to see greater analysis on the security side, as that is the bottom line for these tools.

    2. Peter said on October 3, 2017 at 1:34 pm
      Reply

      Unfortunately, I read that:
      “On iOS Myki can log you into websites in Safari via the Myki safari extension.”
      So, no Chrome, FireFox or Edge. Looks like a serious drawback to me.

      1. Jeroen said on October 4, 2017 at 4:06 pm
        Reply

        There are other browser extensions as well. I’m experimenting with the Chrome one..

      2. FrankPinF said on October 6, 2017 at 5:06 pm
        Reply

        I pinged the devs of Myki.
        Firefox and Opera will be added next week.
        Safari within the next month.

        I like their customer service. Extremely responsive.

  9. GiddyUpGo said on October 2, 2017 at 11:32 pm
    Reply

    Password Safe is up to version 3.43.
    I have used Password Safe for more years than I can remember. I first starting using it back when PC Magazine was giving away all their software free. Back when they had a magazine and were first on the internet.
    In all of these years I still trust and use it. I tried a few others, but always went back to it.

  10. Anonymous said on October 3, 2017 at 10:22 am
    Reply

    LAST PASS FREE

  11. Bob said on October 3, 2017 at 2:37 pm
    Reply

    I don’t see any mention of Sticky Password. I’ve noticed they have Lifetime License sales periodically. You can keep all your data offline and sync only among your devices.

    I must admit that their interface on the desktop and Android could do with some work though.

  12. Jilano said on October 3, 2017 at 3:33 pm
    Reply

    I used to use Dashlane but I’ve recently been trying this one: https://www.passwordstore.org/
    It’s been recommended by lots of peope so I figured, why not give it a go!

  13. SilverDragonSys said on October 3, 2017 at 6:14 pm
    Reply

    I use Dashlane Premium. Their encryption is very good and you have the ability to import/export the database easily for offline backup. Syncing across multiple devices is quick and painless. They are also very quick to respond to any issues/bugs that come up.

  14. JKWill said on October 4, 2017 at 1:57 am
    Reply

    I use BLUR which suits my preferences: It is offered as a privacy tool and appears to do a fairly decent job. I started with the free version and eventually went with the paid version [about $50 /yr.] because it will sync between my apple and my windows hardware. I especially like that its data is kept encrypted and can be exported and imported between external storage and your computer/phone hardware. I have my backup software that loads from a linux usb drive for backing up and restoring my win7 pc for full disk images with verification both after creation and before restoration. It takes a bit of time to do this but seems to be consistently reliable. The only exception is when signing into sites that ask varying personal questions [that vary between logins], it doesn’t handle that as well as it could — but I am too lazy to try and modify it just to keep track of the questions and answers [that I expect could be done]. Still, the inclusion of masked emails and several others features [including really good support] makes it a winner for me.

  15. unyk said on October 5, 2017 at 7:01 pm
    Reply

    Lastpass free user for a very long time.. Will have to test dashlane

    1. Peter said on October 9, 2017 at 1:24 pm
      Reply

      Why is that?
      Because usability is more important than security for a password manager?

  16. jordi said on October 8, 2017 at 6:25 am
    Reply

    I wish they had looked at Roboform, they have been around for many years.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.