The picture for this article is from 1Password, an excellent piece of software from an excellent company. My endorsement is not paid; “I paint what I see”.
You need a password manager – if you don’t already have one, you need one. If you keep a spreadsheet on the home computer and that meets your needs, great, but if you have a smartphone, laptop, work and home computer, or you’re standing in line at the ATM and need your four-digit PIN before the guy in front is done so you don’t hold up the line… then you need something else.
Password managers have three distinct abilities, each with benefits and drawbacks, and it is from that point of view I will present them in this article. I’ve tested 18 different password managers and here I’ll present the top four – 1Password, Dashlane, LastPass and PasswordSafe.
The three key features are:
- Synchronizing your data to multiple computers instantly,
- Autofilling web forms, and
- Multifactor and other not-just-passwords features, such as opening your password database with your fingerprint.
- Synchronization to other computers requires copying your password database to “the cloud” (their servers), then copying it back down to each of your devices. Update a password on your iPhone and by the time your coffee creamer is stirred in it’s on your desktop/laptop computer too. Very convenient.
- Autofill for web forms means a LOT less typing and going back because of syntax errors or a forgotten field. First name, last name, middle initial, last four of your social security number, address, phone number… done as soon as you hit the web page.
- One program can provide multifactor, generating the code you might need to log into Evernote, or it can store for you not just a word but a whole file you need to secure, such as an Amazon Web Services public key certificate. Opening the password manager with a fingerprint is COOL and very fast.
- Synchronization through someone else’s servers isn’t as secure. Even if it’s encrypted, even if their servers are certified and cross-checked and only special people with special background checks can access the file, it doesn’t matter. If it leaves your computer, by definition, it’s not as secure as if it had never left. You’re trusting the password management software to have implemented encryption correctly – one flaw and it’s game over, you’re changing your password for every single site you know right now, which will take a lot of time.
- The most egregious flaws found in all password management software are in its autofill capability. Even at best, it’ll autofill a phisher’s fake website just as easily as the real one.
- If all your factors are in one place and anything happens to that credentials database, you’re out of luck on every factor. Law enforcement can’t take your passwords from your head, but they can wrestle you to the floor and put your fingerprint on your smartphone, unlocking it and / or all your passwords. This is deplorable and yet perfectly legal in the US.
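The autofill caveat above, illustrated with an added example that is not from the article or from any of the products it reviews: the strict origin check a password manager should apply before filling a login, so a lookalike phishing page never matches the site the credential was saved on. The vault contents and hostnames are constructed for the example.

```javascript
// Constructed sample vault: exact origin (scheme + host + port) -> saved logins.
// Keying by origin, not by "host contains" or "host ends with", is what stops
// https://login.example.com.evil.test from receiving the login for
// https://login.example.com.
const VAULT = {
  "https://login.example.com": [{ username: "alice", password: "correct-horse" }],
  "https://bank.example.net:8443": [{ username: "alice", password: "battery-staple" }],
};

// Reduce a page URL to its origin, or return null if it cannot be parsed or is
// not served over https (filling a password into a plain-http page hands it to
// anyone on the network path).
function originOf(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "https:") return null;
  return u.origin; // scheme://host[:port], host lowercased, default port dropped
}

// Logins eligible for autofill on pageUrl. Exact origin equality only: no
// suffix matching, no ignoring the port, no scheme downgrade.
function candidatesFor(pageUrl, vault = VAULT) {
  const origin = originOf(pageUrl);
  if (origin === null) return [];
  return vault[origin] || [];
}

// Demonstration: the real site matches on any path, the lookalikes do not.
const checks = [
  "https://login.example.com/auth?next=/inbox",  // real site -> autofill
  "https://LOGIN.EXAMPLE.COM/",                  // host case differs -> autofill
  "https://login.example.com.evil.test/auth",    // suffix lookalike -> no autofill
  "https://login-example.com/auth",              // typo-squat -> no autofill
  "http://login.example.com/auth",               // scheme downgrade -> no autofill
  "https://bank.example.net/",                   // port differs from saved entry -> no autofill
];
for (const url of checks) {
  console.log(url, "=>", candidatesFor(url).length ? "autofill" : "no autofill");
}
```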
- Do I have multiple devices? If yes, and my passwords aren’t for Top Secret projects, and I trust the companies to sync my data more than I trust myself to do it by hand without messing something up, it might be worth it. Trust me – manual sync CAN be a real PITA.
- How much typing will web form autofill save me? Do I do it every day or only once every couple of weeks? If the former, I just need to be careful and apply every patch as it becomes available; if the latter, don’t bother and be that much more secure.
- Am I adept at multifactor authentication (MFA)? Is this even an issue? MFA is here to stay, it’s a great technology and everyone should be using it. Is what I’m already using compatible, or will this make my life easier? What about other people – will my wife put my finger on my phone while I’m sleeping to get my email account password? (This has happened.)
- If “cloud” sync is good for you, I recommend 1Password, Dashlane or LastPass. If you want to keep your database local, nothing beats Bruce Schneier’s PasswordSafe. 1Password can also be made to work in both local and “cloud” modes and can manually sync between desktop and smartphone.
- If autofill is important for you, LastPass and Dashlane do that very well. If autofill isn’t that much of an issue, 1Password.
- 1Password and Dashlane are excellent at securing files as well as just passwords. 1Password, Dashlane and LastPass can all be accessed via fingerprint, a feature you can readily disable.