Password Managers: What Are the Benefits, Drawbacks and Best Options Available?
There is no doubt that a long, unique and randomly created password is far superior to a single word or phrase shared between multiple accounts. The problem with these strong passwords is that they are nearly impossible to remember, especially if you use different passwords for each accounts (which you should).
If you fear you’ll forget these passwords, you might be tempted to write them down somewhere conveniently accessible, list them in a text file or save them to less secure browser software; thus, your efforts to better secure yourself potentially leaves your accounts more vulnerable.
Password management software, such as KeePass, LastPass and 1Password, addresses this issue. In everyday situations, password management software itself doesn’t directly improve security as much as they support good security practices. These practices ultimately protect your accounts.
Because these management programs can store a virtually unlimited number of passwords and automatically log you in to accounts, you never again have to remember or physically type account passwords. This convenience avails you to maximize the length and complexity of each account’s password. This means you could potentially have 128 characters with mixed capitalization, numbers and symbols, provided the account supports such.
Furthermore, you need not manually create these passwords, because each management solution contains a password generator with user-configurable criteria, including length and inclusion of capitalization, numbers and symbols. These generators ensure your passwords are truly random and impossible for a hacker to guess.
Each of the password management solutions protects your passwords behind a single master password, so you only need to remember the one. That means you can devote your mental faculties to create and retain a single, memorable and complex password that can foil would-be thieves. If you use local management software without employing cloud-based syncing, the password database resides only on your computer, so a thief would need physical access to your computer to even attempt brute-forcing the database.
For added security, you could solely or additionally employ key files with the master password. Doing so makes the password impossible to guess, because no password alone would grant access to the database. The downside to key files is you need to keep the files with you anytime you require account access.
The single master password approach, however, has one potential flaw. If that password is breached, a thief has access to all your passwords and their respective account URLs. You can minimize this risk using cloud-based syncing only when necessary, choosing a long and complex password and employing key files for an additional layer of authentication. Some software, such as KeePass, optionally locks to a Windows account, so only the creating account can access the database, even with the correct password and key files. All three of the big password management utilities offer protection against brute-force attacks, such as by limiting the number of attempts that can be made per second.
The previously mentioned solutions all offer some type of sync support, which means you don’t need to configure the software manually on all your computers or mobile devices. If you configure one and have it set to sync, the data automatically appears in other devices linked to the account. Aside from convenience, this automation means your passwords are not exposed during transfer between computers.
How the programs sync, however, differs. KeePass and 1Password maintain a local database, which many prefer to prevent their passwords residing “in the cloud,” but they both optionally sync through third-party accounts, such as Dropbox. LastPass, however, requires an online account that houses your password database; this makes syncing easier to configure, but the database is always in the cloud, which makes some people uneasy even though the database remains encrypted.
Secure Password Transfer
Without some kind of management solution, you need to manually type in your account credentials. This potentially exposes your passwords to keyloggers that intercept keyboard entries and submits them to third parties. All three solutions avoid this scenario by securely copying login details manually or automatically to a login form. Furthermore, the optional portability of KeePass and LastPass lets you enter passwords without typing on any computer, including public computers that are at higher risk of keyloggers. That said, you should ideally never log in to an important account on a risky computer, but when traveling, you sometimes have little choice.
Each solution employs 256-bit encryption on the local or online database, which means your passwords are impossible to decipher without the appropriate credentials. However, 1Password leaves some information, such as account names or URLs, unencrypted, which might provide a thief more information that you like. Conversely, KeePass keeps all data encrypted, including individual notes entered for an account.
Only KeePass is open-source, which means people are freely allowed to view the source code. Although some skeptics fear this accessibility allow hackers to discover weaknesses, it’s exactly that possibility that makes the program strong and reliable, i.e., holes are quickly discovered and subsequently closed. In contrast, the closed-source nature of LastPass and 1Password means you have to trust that the company has taken sufficient steps to find and close any potential exploits.
The last qualifier is hardly a security concern, but it is nice to know you don’t have to shell out a lot of hard-earned money for password management. KeePass’ open-source nature means it’s entirely free, including a wealth of feature-adding plugins that are available online. LastPass is also freely available for the computer, but if you want to sync to mobile apps, you will need to pay to see that happen. 1Password, however, requires a one-time payment for computer use and an additional payment for mobile extensions.