Quick answer: The password manager with the highest usability and security score was Dashlane, but it is also the most expensive. Great and safe alternatives are LastPass and 1Password (better on Mac/iOS). For open-source (but less features such as no auto-fill), check out the newcomer BitWarden.
Table of Contents
The importance of password managers
These days it’s almost inevitable that a website or app will have a password leak or security breach. Online data is simply too valuable for hackers. What makes it worse is that the vast majority of passwords can be guessed through social engineering or dictionary attacks. The mental burden of dealing with more and more accounts and passwords causes people to reuse passwords or create simple ones. This has created an ever-growing need for password managers to create and store unique, complex passwords for each account and each website. Practicing smart security is easier with reliable tools and taking advantage of a password manager is the best and safest compromise. It may sound a bit flawed to have one location that stores all your passwords, but password managers come with multiple layers of complicated encryption and security. Writing your password on a sticky note does not. Putting faith in a password manager to help you log in both more conveniently and more securely will save you a lot of headaches and stress during the next big password leak.
The issue is that there are many password managers out there with similar layers of encryption and security. That is, most use AES encrypted databases for your passwords, PBKDF2 Master Password hashing and syncing via the cloud. But there is a widening technological and feature gap between the most popular password managers — LastPass, 1Password, Dashlane, KeePass — and the rest. The reason we recommend these four are because they have all had security audits and have strong security-oriented reputations, which we cannot say about all other password managers.1 Third-party security audits allow for independent assessment of security vulnerabilities, proper encryption, and susceptibility to outside attacks. This is is important because there are “significant differences … among password managers. Several autofill policies can lead to disastrous consequences where a remote network attacker can extract multiple passwords from the user’s password manager without any interaction with the user.2 This is why it is extremely important to go with a password manager that undergoes regular security audits and always keeps up to date with the latest security measures and precautions.
What password managers can do
It’s extremely important to have unique, complex passwords for each account and each website. Password managers will generate and store unique passwords for each of your accounts. If there is ever a password leak on a website where you had an account, it won’t effect any of your other accounts and you can simply change the password for the one website. Its also highly recommended to use two factor authentication in your password manager so you don’t have to worry about someone gaining access to your password manager even if they somehow obtained the password. Autofill is also really useful. With most current password managers, when you visit a website or app it can autofill the login and password information for you. No need to copy and paste or type in anything.
- Secure passwords — Secure passwords are unique and much harder to guess or use dictionary attacks against. They should not have whole words or terms related to you or the account. Password managers will generate unique randomized strings of numbers, letters and symbols up to 128 characters and save them for each website or app.
- Too many passwords — Humans are naturally very bad at creating and remembering secure and unique passwords. Complex passwords are already difficult to remember, but add in dozens to hundreds of websites and apps and you’ll easily be overwhelmed and lose track of which password goes where.
- Unique passwords — You should never use the same password twice. If a website is hacked, the password should be unique to that website only so you can quickly change it. Using duplicate passwords allows hackers to access your other accounts without you knowing and results in a lot of headaches. A good password manager will alert you when a website has had a password leak and offer to quickly change it for you. Some password managers can even automatically change the password with a single click.
- Encryption — A password manager will heavily encrypt all your passwords and any other data you have stored in it (like credit cards or ids). There have been a few notable hacks where encrypted data has been stolen from a password manager, but properly encrypted data will take hundreds of years to decrypt without the keys. The way password managers work is that only you have the key/password to unlock your encrypted data. Even if the company were compelled to give up your password manager data by a three letter agency, it would be virtually impossible to decrypt the passwords and data inside.
- Latest security — Password management companies take security and their reputation extremely seriously. Their entire business model depends upon this and they are constantly taking the latest precautions, responding to new threats and vulnerabilities and improving their service.
- Auto-fill and auto-login — once you have logged into your password manager, whenever you visit a website or open an app on your phone it should popup and offer to fill in your login credentials with a single click or tap. You can even set it to automatically login for you.
- Secure sharing — You can securely share passwords between different accounts without compromising the data through an email or message.
- Cross-platform — Password managers should be universally accessible across all your devices. They should work across Windows, Mac, iOS, Android and even linux.
- Bio-metric login — Allows you to use your fingerprint to unlock your account.
- Digital wallet — Store credit card data for faster online shopping.
- Security health checks — Check and rate your password strengths and identify duplicate, weak or old passwords. Some password managers will offer 1 click password changes and let you know if a website you have an account with is hacked.
- Two-factor authentication — Personally, this is mandatory for me. Its the only way to know that you’re the only person accessing your passwords. It essentially requires you to enter a code that is generated by an app like Google Authenticator when you login to the password manager. This is generally only required for new devices or every 30 days.
- Master Password — This is the key that gives you access to your encrypted data. Make sure your master password is unique, secure and something you can remember. The longer it is the better. Password manager companies do not have access to your Master Password and will not be able to decrypt your data if you forget your master password. Some offer one time emergency kits that you can print out and store in a safe place in case you forget your Master Password.
- Zero-knowledge proof — Password management companies have zero-knowledge of your key (Master Password) and cannot decrypt your information because encryption happens client-side. If a company is served with a warrant, they are required to hand over the data but it will still be encrypted and virtually impossible to crack unless they can guess your Master Password. This is no different from storing your KeePass database in the cloud and the cloud provider being served a warrant for the encrypted database.
Usability analysis
Password managers need to be secure but they also need to be easy to use. If they are too cumbersome or cause too much frustration people will not bother using them. To evaluate the usability of each password manager, five criteria described below were evaluated in a study. Participants were asked to complete specific tasks in each password manager and then filled out a questionnaire afterwards.
- Efficiency: The speed and accuracy of how quickly tasks are completed.
- Effectiveness: Whether users are able to successfully complete the task.
- Engaging: Visual design, interface interactions and how satisfying it is to use.
- Ease of learning: How easy it is for users to learn the program without deliberate effort.
- Error tolerance: How well a program reduces and recovers from errors caused by the user.
Dashlane | LastPass | 1Password | KeePass | |
---|---|---|---|---|
Efficiency | 4.93 | 4.50 | 4.50 | 4.79 |
Effectiveness | 5.00 | 4.71 | 4.50 | 4.64 |
Engaging | 5.36 | 4.93 | 5.00 | 3.21 |
Ease of learning | 5.21 | 5.07 | 4.36 | 3.07 |
Error tolerance | 4.86 | 4.36 | 4.07 | 4.64 |
Average | 5.07 | 4.71 | 4.49 | 4.07 |
Security evaluation
A security analysis was conducted based upon guidelines set by the US National Institute of Standards and Technology (NIST). Criteria was created by evaluating password manager software architecture and common security vulnerabilities.
- Security of the Master Password (SM): Must be complex enough to resist leaks and attacks. Whether there is a required minimum length and strength for the Master Password and whether it is encrypted securely.
- Security of the credentials database (SDDBB): Strength of the password database encryption algorithm and whether the password manager provides feedback regarding the uniqueness and complexity of the passwords. Also considered is the automatic generation of strong passwords, two-factor authentication and the scheduling of automatic new password creation (validity periods).
- Security of communications (SC): The strength of the syncing security between password managers, browser plugins, external cloud servers and devices.
Security goal | Criterion | Dashlane | LastPass | 1Password | KeePass |
---|---|---|---|---|---|
Security of the Master Password (SM) | SM#1: minimum mandatory length | Yes | No | No | No |
SM#2: user must apply policy for strong Master Password | Yes | No | No | No | |
SM#3: Master Password securely stored | Yes | Yes | Yes | Yes | |
Security of the credentials database (SDDBB) | SBBDD#1: algorithm used for database encryption | AeS-256 | AeS-256 | AeS-256 | AeS/Twofish, 256-bit key |
SBBDD#2: the PM gives feedback on the security level of the stored passwords | Yes | Yes | Yes | Yes | |
SBBDD#3: automatic generation of strong passwords on the users’ behalf | Yes | Yes | Yes | Yes | |
SBBDD#4: two-factor authentication | Yes | Yes | Yes (only Mac and iOS) | Yes | |
SBBDD#5: can schedule password validity periods and generate new passwords upon expiration | No | Yes | No | Yes | |
Security of communications (SC) | SC#1: security of the communication algorithm between the PM and external servers | HTTPS with Transport Layer Security (TLS) v1.2, AeS-128, and ephemeral Diffie-Hellman | HTTPS with TLS v1.2, AeS-128, and ephemeral Diffie Hellman | Not applicable | Not applicable |
SC#2: security of the communication algorithm between the PM and the browser plugin | AeS-256 | Not applicable | Not applicable | Not applicable | |
SM | 1.00 | 0.33 | 0.33 | 0.33 | |
SDDBB | 0.80 | 1.00 | 0.80 | 1.00 | |
Security score (SM + SDDBB) | 1.80 | 1.33 | 1.13 | 1.33 |
Best password manager
The conclusions drawn from both the usability analysis and security evaluation prove that Dashlane is currently the best and most secure password manager. Full disclosure — I have also personally been using Dashlane for about two months and I love it. I used LastPass for over three years and 1Password for one year. The issue with comparing them is that the most popular password managers all have excellent security architecture and are very comparable in terms of features. For example, they all support two-factor authentication, auto-fill, digital wallets, cross-platform, browser integration and so on. Therefore, the best conclusions that can be drawn are based upon usability and security.
Regarding the security level of the credentials database, all the password managers provide comparable solutions, supporting the Advanced Encryption Standard (AES) with a 256-bit key as the cipher which are the algorithm and key size currently recommended for the highest security.3
For the purposes of this review, I copied my password database to each service and tested them each again for one week. Of all the password managers, Dashlane is the best looking and incredibly seamless. The program runs silently and minimally in the background and we have found it the easiest to use which is why we consider it the best password manager. Another important note is that Dashlane is the only password manager to provide public documentation regarding their AES-256 communication between the browser plugin and software.
There is a free version of Dashlane, but the premium allows for cloud backup and syncing across devices. It is $39.99 USD a year.
Our runner-up is terms of security and usability is LastPass which you can get 1 free month of premium by clicking that link for our referral. Try it out, and if you like it you can purchase the premium version for only $12 USD per year. The price is more reasonable than Dashlane but we found the vault interface a bit slow and cumbersome at times. The browser and app integration works similar to Dashlane. It is also important to point out that LastPass is the most popular of all the password managers but it is also the most heavily targeted for hackers. LastPass has had two security breaches and a few incidents where vulnerabilities have been discovered4, but they have always been honest and transparent about everything. On July 27th 20165 they posted about two vulnerabilities that were discovered and patched and in 20156. However, because the databases are encrypted, even though there was a data breach, hackers would not be able to decrypt your data as long as your Master Password was strong. There has also been a security audit here.7
Like other password managers, LastPass offers a useful Security Challenge rated on a scale of 100 and will alert you when one of the websites or apps you have an account with has been compromised.
https://youtu.be/VUBRgJ4-zgM
1Password
Creating a Master Password
The weakest point of security in a password manager is the Master Password. With it, a hacker can gain access to all your passwords and all your accounts. It is extremely important to never reuse your Master Password on any other websites and that it is unique and complex.
This is the key that gives you access to your encrypted data. Make sure your master password is unique, secure and something you can remember. The longer it is the better. Password manager companies do not have access to your Master Password and will not be able to decrypt your data if you forget your master password. Some offer one time emergency kits that you can print out and store in a safe place in case you forget your Master Password.
The importance of the Master Password and the layers of security involved, best explained by the LastPass team:8
“Am I at risk if I have a weak master password?
An attacker could try to guess your master password, then use your per-user-salt and authentication hash to determine if their guess was correct. Typically, an attacker would try a list of commonly-used passwords or dictionary words (such as 12345678, password1, mustang, robert42, iloveyou). They would have to do this for you specifically, since your “per-user” salt is unique to your account . Because your password is hashed thousands of times locally, and this hashed value is again hashed 100,000 times before being stored server-side, guesses will be very slow. If your master password is weak or if your password reminder makes it easy-to-guess, then the attacker could significantly reduce the number of attempts needed to guess it correctly. Then the attacker would have your master password, but not your data, since your data vault was not exposed. If the attacker attempted to get access to your data by using these credentials to log into your LastPass account, they’d be stopped by a notification asking them to first verify their email address. We require this security measure for any attempt to access your vault from a new device/location, unless you have multifactor authentication enabled.
Was my master password exposed?
No, LastPass never has access to your master password. We use encryption and hashing algorithms of the highest standard to protect user data. We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database. In layman’s terms: Cracking our algorithms is extremely difficult, even for the strongest of computers.”
- The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers
- Password Managers: Attacks and Defenses
- Comparing Password Management Software: Toward Usable and Secure Enterprise Authentication
- https://en.wikipedia.org/wiki/LastPass#Security_issues
- https://blog.lastpass.com/2016/07/lastpass-security-updates.html
- https://blog.lastpass.com/2015/06/lastpass-security-notice.html
- http://tinisles.blogspot.co.id/2010/01/should-you-trust-lastpasscom.html
- https://blog.lastpass.com/2015/06/lastpass-security-notice.html