Password manager security: Which is the right option for me?

The first guide of our two-part series helps consumers choose the best way to manage their login credentials

PortSwigger

While we continue to wait for the password-less future to arrive, individuals and enterprises are still stuck with the problem of managing their countless, proliferating login credentials.

Whether they allow browsers to save passwords, rely on Apple’s Keychain or another operating system utility, or trust a dedicated app, most people and organizations now use some form of password management utility.

A password manager creates an encrypted vault that securely stores credentials. These are protected by a master password.

Most consumer-focused apps can also create unique, random passwords and support safe credential sharing between friends and family members.

Some also contain extra perks such as detecting reused passwords and monitoring your accounts for possible data breaches.

Given the differences in functionality and pricing tiers, The Daily Swig is offering a comparative, two-part guide to some of the most popular password management utilities available for consumers and businesses.

This article, part one of our series, looks at consumer password manager options, while part two will showcase some of the best choices for enterprises. Stay tuned for the forthcoming second guide.

1Password

1Password offers an easy sign-up process and printable digital key for recovering your account in case you forget your master password.

1Password has apps for macOS, Windows, Linux, Android, and iOS, as well as a Chrome extension that lets users auto-fill login information on websites and store new credentials in their vault.

The tool allows you to create multiple vaults to organize your data for various purposes (personal, work, etc). In addition to login information, you can use 1Password to store credit card information, API tokens, crypto wallet recovery seeds, and other sensitive documents or data.

The password manager also allows you to share passwords with other users. You can tweak the sharing feature by setting expiry dates, a maximum number of views, and specific email addresses that can access a password.

1Password’s Watchtower feature monitors your account for reused passwords, vulnerable passwords, and potentially compromised accounts.

The application also has a Travel Mode for special circumstances where your devices might fall into unwanted hands. Vaults that you mark as safe for travel will disappear from your devices when you turn on Travel Mode and reappear when you turn it off.

The password manager offers no free-of-charge plan and instead offers personal ($2.99 per month) and family ($4.99 per month) subscriptions. With the family subscription, you get five premium accounts and the ability to create shared vaults that you can use together.

  • Pros: Flexible password sharing, Watchtower feature for monitoring password reuse and website breaches, strong MFA (multi-factor authentication) support
  • Cons: No free plan, limited import options

1Password offers a password vault that provides a more convenient way to manage login credentials

Bitwarden

Bitwarden offers a full range of standard features, including the ability to import data from other password managers, create multiple vaults, share passwords with other users, and sync vaults across multiple devices. It has apps for all major operating systems, extensions for nine different browsers, and a command-line interface for writing scripts.

One feature that sets Bitwarden apart is its strong free-tier option, which provides features that most users typically need. The premium subscription ($10 per year) also adds security reports, stronger 2FA (two-factor authentication) options, 1GB of encrypted storage, an OTP (one-time password) generator, and emergency access to your vault by other (nominated) Bitwarden users.

Bitwarden also has a family plan ($40 per year) with six accounts, shared password collections, and shared encrypted storage.

Bitwarden is an open source program, which means you can host it on your own servers if company or industry regulations prevent you from storing your credentials in the public cloud. However, to get the full range of features, you’ll need to purchase a premium license.

  • Pros: Strong free plan, competitive price for premium and family plans, open source, self-hosting support, strong MFA support, command-line interface
  • Cons: Limited storage, limited MFA on free plan

Dashlane

Dashlane is another online password manager that provides basic features to store and secure your passwords, including creating vaults, generating passwords, filling online forms, and importing data from other managers.

The tool provides a very limited free plan that only works on one device. The advanced tier ($2.75 per month) removes the device limit and adds a service that monitors the dark web for breached passwords and compromised accounts.

The premium plan ($4.99 per month) adds VPN support, and the family plan ($7.49 per month) provides 10 premium accounts plus a dashboard to manage accounts and shared resources.

Unlike other password managers, Dashlane doesn’t have a desktop application – PC users must do everything through the web portal and browser extensions. But it does have mobile apps for Android and iOS.

Dashlane allows you to share passwords with other Dashlane users and set limits to what kind of access they will have to your credentials.

Dashlane’s emergency access feature also allows you to specify a contact who can assume ownership of your account in case you lose access, and you can specify a waiting period to accept or reject the user’s request to access your vault.

  • Pros: Password history, VPN support, dark web monitoring, no desktop application, strong emergency access options
  • Cons: Free plan limited to one device, expensive premium plan

LastPass

LastPass offers a variety of 2FA options

LastPass had by far the biggest market share as of 2022, but a recent breach that exposed users’ encrypted data has degraded confidence in its password manager service.

It is nonetheless worth knowing what the company has to offer, considering that it could apply the lessons from its security incident to harden its product.

Like Bitwarden, LastPass offers a very limited free plan that is restricted to one device. It includes standard features such as password strength evaluation, auto-filling and password generation, basic MFA, and one-on-one password sharing.

The premium plan ($36 per year) adds advanced MFA, emergency access, more granular password sharing, 1GB of encrypted storage, and dark web monitoring for account and password breaches.

The family plan ($48 per year) bundles six premium accounts and a dashboard to manage accounts and shared resources.

Aside from its web portal, LastPass has apps for Mac, Windows, Linux, Android, and iOS alongside extensions for all major browsers. Password-less authentication through a separate LastPass Authenticator app is another notable feature.

  • Pros: Passwordless login support, dark web monitoring, password strength report
  • Cons: History of poor security practices, limited free plan

KeePass

For users who don’t trust online services with their passwords – a legitimate concern after the LastPass debacle – KeePass is a convenient alternative.

KeePass is a standalone application that provides many of the functions you would expect from a professional password manager, but with some notable exceptions. Absent features include the ability to auto-capture new passwords, syncing across multiple devices, password sharing, and scanning the web for breached accounts.

KeePass also fails to offer a web interface, browser extensions, or support for multiple platforms. The package comes as a Windows application, although being an open-source project means developers have ported it to other platforms. You’ll find links to these software packages on the KeePass website.

In KeePass, you can create password databases to store passwords, notes, and documents. These password databases can be copied to other devices, but you’ll have to sync them manually.

By default, KeePass lacks support for many types of data, such as credit card info and API tokens, but you can customize the utility to support different data types. Instead of autofill, KeePass has an auto-type feature that emulates typing your credentials on the keyboard, a feature that can require a bit of getting used to.

While this is not the most convenient password manager, it is a decent option for advanced users who want full control of their data and the ability to tinker with the software.

  • Pros: Free, open source, full control of your data, highly customizable
  • Cons: No automatic password capture, inconvenient auto-fill feature, clunky multi-platform support

Operating system password managers

Alternatively, you can use a tool that comes bundled with your operating system. Most popular among them is Apple’s Keychain, which encrypts and stores your passwords in a secure vault on your device.

The main advantage of Keychain is its deep integration with the Apple ecosystem. It automatically detects and fills passwords for websites, applications, WiFi networks, and more. It can also be synced to your iCloud account and made available across all your Apple devices, including Mac, iPhone, iPad, and Apple Watch.

So Keychain is convenient if you only use Apple devices. But if you have other operating systems in the mix (Android, Windows, Linux), then you’ll need a separate password manager. You also won’t be able to use it if you want to log into one of your accounts from a friend’s device or a public computer.

  • Pros: Free, easy to use, deep integration with operating system
  • Cons: No cross-platform support

Stay tuned for part two of this series showcasing the features of enterprise-focused password manager utilities.
