Popular password managers at a glance
Creating secure credentials is relatively simple. A password that is as long as possible, contains special characters and umlauts, and is only used once requires a bit of brainpower but is still relatively easy to come up with. It becomes more problematic when more and more accounts are added and you have to remember more and more passwords.
This is where password managers come into play. In simple terms, these programs are databases that store all access data in encrypted form. When a password is requested, the password safe is decrypted and the access data can be copied or even pasted automatically.
Most managers even generate secure passwords automatically if desired, and the password length is usually unlimited. Since the passwords are saved automatically, users do not have to remember the access data at all. They only need to remember a master password or (depending on the software) hold a key file to decrypt the digital safe.
For special management requirements of companies, there are also business and enterprise versions of many of the password managers presented here (and from other manufacturers).
Locally installed solutions
If you use only a few devices but want to manage a large number of credentials, you should look at a locally installed solution. Most browsers today already include password management, but then you are tied to that browser.
Locally installed password managers, on the other hand, are independent of the browser and can also store access data for other programs, such as SSH or FTP clients. The well-known clients include:
The open-source KeePass is one of the best-known password managers for desktops. The software is actively developed and can be extended almost at will via plug-ins. In addition to the official Windows version, there are ports for almost all operating systems. KeePass is free of charge.
Password Safe was originally developed by crypto luminary Bruce Schneier, who has since handed the program over to the community. In addition to Windows, there is also a direct Linux port. Password Safe is also free of charge.
Intel Security brings its own password management with TrueKey. In addition to the standard functions, TrueKey shines especially when it comes to multi-factor authentication. The data can be unlocked via face, fingerprint, or confirmation on a second device – even direct integration with Windows Hello from Windows 10 is available.
The solution works on Windows, Mac OS, iOS, and Android and integrates the most popular browsers directly. 15 passwords can be stored in the system for free, after which TrueKey costs 19.95 euros per year.
Secrets is an alternative to 1Password on Mac and iOS. The application uses iCloud Sync to keep credentials in sync between different systems. It offers auto-fill, two-factor authentication, and Touch ID support. Ten records can be used for free, after which Secrets costs $9.99 on iOS and $19.99 on Mac.
Cloud-based password managers
Cloud-based password management solutions offer the major advantage of synchronization over their locally installed alternatives. Whether multiple PCs, a combination of desktop and notebook, or in conjunction with mobile devices, passwords are available on all devices and synchronize across a wide variety of systems.
The cloud approach has its critics. Above all, the security of these systems is constantly up for debate, because a vulnerability seems incomparably more dangerous when all users' data sits with one provider. Well-known representatives in the cloud are:
A particularly popular password management system is LastPass. The solution relies on a plug-in system and integrates into almost every current browser. There are also app versions for mobile operating systems. LastPass can be used free of charge; alternatively, there is a paid Pro version.
Mac users in particular are familiar with 1Password, which has now switched to a monthly subscription model for its financing. In return, it has evolved from a pure client application into a cloud-based system that can also cover entire families if desired.
This software uses the network of the Swiss provider SpiderOak to synchronize access data. The philosophy behind it is zero-knowledge synchronization, i.e., not even the provider knows what data passes over the network.
The data is synchronized via the Crypton network, a secure framework that SpiderOak develops itself. In addition to desktop systems, the free password manager also supports mobile systems.
Dashlane is reminiscent of the rival product LastPass, not only in terms of its functions but also its layout. However, the application is anything but a tired copy; it has all the important functions that a password manager has to have nowadays.
Dashlane can be used on Windows, Mac, iOS, and Android and is free of charge in its basic function. Those who want to use the premium version with more features have to pay just under $40 per year. For companies, there is also a corporate version called Dashlane Business.
Regenerating passwords instead of storing them
Regardless of whether they are cloud-based or installed locally, password managers have one disadvantage: anyone who cracks them receives the access data in plain text. Three new solutions aim to tackle this problem in an innovative way: They do not store passwords but generate them when they are needed. This sounds like magic at first, but it is a very tempting alternative to classic password management systems.
In very simplified terms, these solutions combine the metadata of an account (such as the site and the user name) with a unique, constant secret (the master password) to generate a password once.
That password is then set on the respective account. If you need it again, you simply repeat the same procedure and the password manager derives exactly the same password.
Forgiva uses the user’s master key, a certificate, the metadata of the respective page, and a visual pattern to create a unique password and regenerate it. The pattern is primarily intended to protect against malware: entering it requires a keyboard and a monitor, so it cannot be completed through command-line-only access. Forgiva creates passwords in three levels of complexity and provides an overview of passwords that need to be renewed regularly. The software works on Windows, Mac OS, and Linux and costs just under $30. Alternatively, there is an open-source version on GitHub.
The name is similar to LastPass, but that is where the similarities end. LessPass does not use synchronization or cloud storage. The application generates the password from the website address, username, and master password. LessPass can be run as a Google Chrome plugin or Firefox extension, as well as on the command line or self-hosted as a Docker instance. The solution is free of charge. Again, the source code can be found on GitHub.
The third password manager that stores no passwords is completely at home on the command line. Visionary is a pure Python application (supporting both Python 2 and Python 3). During installation, a string is created that can be used to set up Visionary on other systems under the same conditions. Visionary generates three different passwords from the master password and a keyword (such as the name of the site): a “Normal”, a “Complex” and a “Readable” one. The selected variant is automatically copied to the clipboard if desired and can be pasted on the website. Visionary is free and available as an open-source program on GitHub.
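To make the regeneration scheme described above concrete, here is an added illustration in Python (not the code of LessPass, Forgiva or Visionary, and not their actual algorithms): it derives a password from the site address, user name and master password, as LessPass does, and offers "normal", "complex" and "readable" variants in the spirit of Visionary. The counter, the iteration count and the character sets are assumptions; a key-stretching function such as PBKDF2 is used so that an attacker who knows the site, login and algorithm still has to spend real effort on every offline guess of the master password.

```python
import hashlib
import hmac
import string

# Constructed character sets (assumption, not any product's real sets).
CHARSETS = {
    "normal": string.ascii_letters + string.digits,
    "complex": string.ascii_letters + string.digits + "!#$%&*+-=?@^_",
    # "readable": no l/1/I/O/0 lookalikes, so it survives being read aloud
    "readable": "abcdefghjkmnpqrstuvwxyz23456789",
}


def derive_password(master, site, login, counter=1, kind="complex",
                    length=16, iterations=100_000):
    """Deterministically derive a password from master secret + account metadata.

    Nothing is stored: the same (master, site, login, counter) always yields
    the same password. Bump `counter` to rotate a password without changing
    the master secret (the rotation count is the only state you must remember).
    """
    salt = f"{site}\x00{login}\x00{counter}".encode()
    # Slow key derivation: this is what makes offline guessing of the master
    # password expensive once the algorithm and metadata are public.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=64)
    alphabet = CHARSETS[kind]
    # Rejection sampling keeps each character uniformly distributed (no modulo bias).
    limit = 256 - (256 % len(alphabet))
    chars, stream, block = [], key, 0
    while len(chars) < length:
        for b in stream:
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
                if len(chars) == length:
                    break
        else:
            # Ran out of bytes (possible after many rejections): extend the stream
            # with an HMAC counter mode keyed on the derived key.
            block += 1
            stream = hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for kind in CHARSETS:
        print(kind, derive_password("correct horse battery", "example.com", "alice", kind=kind))
```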
Decision support for the selection
Anyone deciding on a password manager should consider various points when making their selection:
- Who is behind the offering and how trustworthy is the company or developer? The software has complete access to the most important digital assets, so the creators must be correspondingly trustworthy.
- Is the product actively maintained? Even the best software has vulnerabilities – it is important that the provider reacts quickly and transparently to newly discovered vulnerabilities, closes them, and rolls out the new program version.
- Has the offering been checked by third parties? Ideally, external specialists should check the program code for vulnerabilities. This does not have to be done publicly, but the provider must respond to problems and fix them.
- Does the program use proven technology? When it comes to encryption, in particular, new doesn’t always have to be better. A tried-and-tested approach that has been examined for vulnerabilities over a long period of time and has proven itself against attackers can offer significantly higher security than a new, untested algorithm.
Anyone who has to keep track of more than three passwords – and that is probably the majority of IT professionals – should definitely get a password manager. After a short familiarization phase, you usually don’t want to do without the application; password management programs integrate too conveniently into everyday life.
The new passwordless managers in particular are an interesting alternative to the existing solutions. However, they are still at an early stage and in some cases less thoroughly tested than the established programs.
In any case, it is important to follow the news around the chosen solution. If the password manager is cracked or has a critical security hole, the access data is at risk.