Review: 13 Password managers.

Updated 06 June 2021.

Copyright: European Union Public License, version 1.2 (EUPL-1.2).

One of our biggest security measures involves the management and encryption of passwords. When setting a password, remember that the combination of length and complexity is what makes a password strong. A big reason passwords are compromised is that short, easy-to-remember passwords are used. You want the passwords you set to be easy for you to access but difficult for attackers to break. How passwords are encrypted depends on the application you are using; the most important thing is to make sure they are stored safely. Remember the layered security approach when setting and managing passwords. In an interconnected world you are vulnerable to attacks coming from multiple sources, so you need multiple defences to protect yourself.

By taking the initiative and protecting yourself, you are protecting the organization from threat actors. With cyberattacks becoming more common every day, it is important to set safeguards to prevent the worst. We suggest using one of the password management tools listed below; these are safe, easy-to-use tools to help you protect your passwords. The goal of teaching you is to avoid and mitigate the risk of an attack. I hope that this helps you understand the work style and flow here at Ubinodes.

Our specifications sheet:

Security:

  • Resistance to state-sponsored criminals (note 1)(note 2).
  • Open-source (note 3).
  • Administration of users.
  • Access and activity logs: To know when and by whom passwords are accessed.
  • IP restrictions: To restrict access of our vaults to only pre-approved IP addresses.

Accessibility:

  • Multi-platform (note 4).
  • Intuitive: Anyone and everyone can use it from a teenager to a 70-year-old.

1Password (01/13)

1Password is a password manager for individuals, families and businesses with lots of classic features and a few unique ones.

1.1 1Password-Pros:

  • Secure password and document sharing.
  • User activity reporting.
  • Group permissions administration.
  • Personalized access url; an access url that is difficult for third parties to find.
  • Travel mode: removes sensitive information from your phone when you travel.
  • Use of secret key for user authentication.

1.2 1Password-Cons:

  • Complicated login procedure.
  • No user restricted access.
  • Price: $3 per user per month. They also offer a families plan at $5 per user/month.
  • Offline access, which is sensitive to device theft (note 1).

1.3 1Password-Screenshots:

Bitwarden (02/13)

This product stores your network users’ passwords in an encrypted vault where they can be managed easily and safely. The Bitwarden software is available on both mobile and PC and supports the Linux, MacOS, Windows and Android operating systems. The software is open source and free for a single user, but for larger organizations the price rises slightly to $5 a month per user. Passwords are encrypted with AES-256, and the software supports the SHA-256 hashing algorithm.

2.1 Bitwarden-Pros:

  • Password sharing.
  • Login page encryption.
  • Cloud solution.
  • Open-source.
  • Auto-fill login credentials can be disabled.
  • Two factor authentication (2FA) and TOTP.
  • 1 GB encrypted file storage.

2.2 Bitwarden-Cons:

  • No recovery in case of main password loss.
  • No activity log to monitor users.
  • No IP address restricting/whitelisting.
  • No reporting.
  • Price: $3/user/month for very basic features. They also offer a personal premium plan at $10/year, and a teams plan at $5/user/month.

2.3 Bitwarden-Screenshots:

Dashlane (03/13)

Unlike the last product, Dashlane is a subscription-based password manager. Dashlane supports the normal everyday operating systems such as MacOS, Windows, iOS and Android. The software performs the task of a password manager as well as a digital wallet. Its value is rooted in the algorithm it uses, which is SHA-256. With 12 supported languages, two-factor authentication and a built-in VPN, this product can support the needs of an organization of any size.

According to the Wall Street Journal, “Neither Dashlane nor a hacker (or government agency) … could access your data without knowing your master password”. This is NOT true (note 1).

3.1 Dashlane-Pros:

  • Login Reporting.
  • Secure password sharing: 5 per free account and unlimited for business plans.
  • Auto-login and autofill can be disabled.
  • Free option is available and business plan costs $4/user/month.
  • Two factor authentication.
  • Use of 2FA to secure the connection to a new device.
  • Secure data sharing between users using asymmetric encryption.
  • User data is protected even if Dashlane servers are compromised.

3.2 Dashlane-Cons:

  • Password management must be done from locally installed app which increases the risk of unauthorized access from a stolen or lost device (note 1).
  • Manual logout is required each time.

3.3 Dashlane-Screenshots:

Encryptr (04/13)

Discontinued: https://spideroak.support/hc/en-us/articles/115003945666-Encryptr-End-of-Life

Keeper (05/13)

Keeper is a great tool for storing website passwords and financial information. Keeper is considered to be a Software as a Service (SaaS). This means that Keeper is a cloud computing vendor that offers all services from its servers in the cloud. Currently, the product is available on desktop and mobile and supports the Linux, MacOS, Windows and Android operating systems. The price range is based on the needs of the customer and encompasses student, family, personal, business and enterprise necessities.

5.1 Keeper-Pros:

  • Encrypted access.
  • Access and activity tracking.
  • Secure password sharing.
  • Recovery account for emergency access.
  • Main password vaults are not stored locally.
  • Cloud solution.
  • Two factor authentication including Yubikey.

5.2 Keeper-Cons:

  • No reporting.
  • No IP address restricting/whitelisting.
  • Very basic console features.
  • Price: $30 per user per year for basic features.

5.3 Keeper-Screenshots:

Lastpass (06/13)

Lastpass is a user-friendly password manager with free and extremely affordable pricing options. The company boasts strong encryption algorithms and a password manager that is accessible through all the major browsers, and via apps from all the major app stores.

6.1 Lastpass-Pros:

  • Two factor authentication available.
  • Password sharing.
  • Form filler option.
  • Note storage.
  • All options at a very affordable price. $24/user/year for premium plan while team plan is $29/user/year.
  • 1Gb encrypted file storage.

6.2 Lastpass-Cons:

  • Offline mode: Vulnerable to physical theft as passwords can be stored on devices for access in offline mode. However, this can be turned off in the settings (note 1).
  • Potentially vulnerable to brute force attacks: All data is stored in user browsers which is a vulnerability that can be capitalized on by brute force attacks from hackers.

6.3 Lastpass-Screenshots:

Myki (07/13)

A relatively new password manager with lots of advanced features but some basic vulnerabilities.

7.1 Myki-Pros:

  • Very affordable for teams: $48 per 100 users per year.
  • Provisional accounts.
  • Management and restrictions of access for multiple members at once.
  • Geographical access restrictions: Draw a map to geographically restrict where your team members access their accounts.
  • IP address restricting/whitelisting.
  • Time based access control.
  • Browser Activity Monitoring (BAM) allows real time view of your users’ interaction down to their keystrokes; for detection of malicious activity.
  • Account sharing: allow access to accounts without actually sharing credentials.
  • Two factor authentication.

7.2 Myki-Cons:

  • Offers only mobile app access, which makes it vulnerable to device theft.
  • Passwords are stored locally on phones, which are vulnerable to device theft.
  • Web interface is still in development.
  • UI not very polished.
  • Digital wallet auto-fill, which is also vulnerable to theft.

7.3 Myki-Screenshots:

PassworkMe (08/13)

PassworkMe is a password manager designed specifically for teams in companies and startups. It is hosted in the Netherlands.

8.1 PassworkMe-Pros:

  • RSA Encrypted access.
  • Price: $18/user/year.
  • Flexible vaults are not stored locally.
  • Password vaults are not stored locally.
  • IP address restricting/whitelisting.
  • Secure password sharing.

8.2 PassworkMe-Cons:

  • Limited to 50 users.
  • No emergency access.
  • No user restrictions.

8.3 PassworkMe-Screenshots:

Roboform (09/13)

Roboform claims to be the world’s top password manager, and it was the second choice for our organization. Here’s why:

9.1 Roboform-Pros:

  • Strong user policies.
  • User friendly interfaces.
  • IP Address whitelisting.
  • A web session timeout feature.
  • A one-time password authentication option.
  • Administrators can restrict the number of password changes.
  • User log in reports.
  • End to end encryption for password sharing.
  • Import browser’s bookmarks.
  • Competitive price of $25/user/year for a business account.

9.2 Roboform-Cons:

  • Password sharing is restricted to paid accounts.
  • Most actions must be done from an installed software.
  • Data is stored locally.
  • Not easy for users to manage.

9.3 Roboform-Screenshots:

Safe in Cloud (10/13)

Safe in Cloud is another top password manager that is simple, user-friendly and available on the major platforms and devices.

10.1 SafeInCloud-Pros:

  • It is free.
  • Password sharing.
  • Password generator and strength indicator.
  • Cloud synchronization.
  • Strong AES-256 encryption.
  • Fingerprint authentication.

10.2 SafeInCloud-Cons:

  • Standalone solution: it has to be installed locally in devices.
  • No access or activity tracking.
  • Automatically deletes database if wrong passwords are entered 5 times.

10.3 SafeInCloud-Screenshots:

Sticky Password (11/13)

Sticky Password is a good password management solution for personal use. We would not recommend it for teams, especially those working in high-risk countries. Sticky Password is designed for personal usage; however, in several months they plan to introduce a new sharing feature that will allow sharing selected accounts with other Sticky Password users. This feature will also make the app suitable for working teams.

11.1 StickyPassword-Pros:

  • Strong AES-256 encryption.
  • Fingerprint authentication.
  • Two factor authentication.
  • Cloud synchronization across devices with paid package.
  • Paid version is $150 for lifetime access.
  • Device whitelisting.
  • Form filling.

11.2 StickyPassword-Cons:

  • Standalone solution: it has to be installed locally in devices.
  • Offline data synchronization which can make it vulnerable to data theft.
  • No password sharing.
  • No access or activity tracking.
  • Vulnerable to access from hacked emails.
  • No recovery if main password is lost.
  • Application doesn’t request master password when closed and opened.

11.3 StickyPassword-Screenshots:

SuperGenPass (12/13)

SuperGenPass is a different kind of password solution. Instead of storing your passwords locally or online — where they are vulnerable to theft and data loss — SuperGenPass uses a hash algorithm to transform a master password into unique, complex passwords for the Web sites you visit.
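The stateless scheme described above, as an added illustration that is not SuperGenPass’s own algorithm (the page does not specify it): a per-site password is derived from the master password and the site’s host with PBKDF2-HMAC-SHA256, so nothing is stored anywhere. The host normalisation (keeping the last two labels) is a constructed simplification, and the example also shows the trade-off of such schemes: a leaked site password cannot be rotated without changing the master password.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to its registrable host so that http://www.example.com/login
    and https://example.com/ yield the same password.
    Constructed simplification: keeps the last two labels (no public-suffix list)."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive_password(master: str, url: str, length: int = 16, rounds: int = 100_000) -> str:
    """Stateless per-site password: slow hash of the master password, salted with
    the site key, then base64-encoded and truncated to the requested length.
    base64 output is ~6 bits per character, so 16 characters gives ~96 bits."""
    if not 8 <= length <= 43:  # 32 bytes -> 43 base64 chars without padding
        raise ValueError("length must be between 8 and 43 characters")
    salt = ("site:" + site_key(url)).encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, rounds)
    return base64.b64encode(raw).decode().rstrip("=")[:length]


def rotate_after_leak(master: str, url: str) -> bool:
    """The inherent limitation of a derived-password scheme: with the same master
    password and the same site, the derived password can never change.
    Returns True only if the site password could be rotated without a new master."""
    return derive_password(master, url) != derive_password(master, url)


if __name__ == "__main__":
    m = "correct horse battery staple"  # constructed master password
    print(derive_password(m, "https://www.example.com/login"))
    print(derive_password(m, "example.com"))       # same site -> same password
    print(derive_password(m, "examp1e.com"))       # lookalike host -> different password
    print("rotatable without new master:", rotate_after_leak(m, "example.com"))
```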

12.1 SuperGenPass-Pros:

  • It’s free.
  • Passwords are not stored online or offline.

12.2 SuperGenPass-Cons:

  • No password sharing.
  • No access or activity tracking.
  • No reporting.
  • No IP address restricting/whitelisting.
  • Very basic console feature.
  • For personal use only.

12.3 SuperGenPass-Screenshots:

ZOHO (13/13)

ZOHO is a website that offers a variety of services that cater to the online needs of businesses, but we haven’t tried all of them. What we did try is their password manager, and it was ultimately the one we chose; one of the key reasons being that ZOHO Vault does not store passwords locally on devices or browsers, which makes passwords stored in ZOHO’s password manager invulnerable to theft as well as to brute force attacks.

13.1 Zoho-Pros:

  • Web encrypted access.
  • Tracks password access and activities.
  • Secure password sharing.
  • Passwords are not stored locally on devices (note 6).
  • Access can be restricted to specific IP addresses.
  • Strong users access restriction policies.
  • Detailed reporting on every user activity including password sharing.
  • Break glass account for emergency access.
  • Also, a free option is available; but without certain features.
  • Transfer/Acquire ownership of passwords.
  • One-click auto logon.
  • Two factor authentication.

13.2 Zoho-Cons:

  • Price of the professional package: €4/user/month.

13.3 Zoho-Screenshots:

14. Notes

(1) There is specific software designed to crack these password managers, for example Elcomsoft: https://blog.elcomsoft.com/2017/08/one-password-to-rule-them-all-breaking-into-1password-keepass-lastpass-and-dashlane/ From there, only the following providers are secured: Bitwarden, Keeper, PassworkMe, Supergenpass, Zoho.

(2) Police, prosecutors etc. Their crimes are “legal” since they’ve corrupted state institutions. They are the most dangerous sort of criminals, to an individual or to a country. If they’ve done something illegal, they can cover it up any way they like. They can steal your devices under false suspicion charges. They can have access to your SMS and emails, meaning a recovery option is often an easy attack possibility for them. That’s why you should always use encryption software, encrypt your devices, and buy hardware outside the country you operate in.

(3) Open source doesn’t guarantee someone has actually taken the time to audit the code for backdoors or weaknesses, but it shows a will to be transparent.

(4) Access to passwords on a variety of devices, and provisions to allow the sharing of specific passwords with agents irrespective of their locations. Must be accessible from iOS, Android, Windows, Linux and Mac desktops. We don’t do Windows phones or Blackberry because it would restrict the list so much that it’s almost impossible to find a solution.

(5) Zero knowledge encryption means the key must be stored on the user’s device, otherwise it’s not protected against state-sponsored criminals. Of course, this doesn’t mean they couldn’t give the government plain text messages — just that it would require them to actively attack the user in order to steal the required password.

(6) When you log in to the Zoho Vault extension, all the secrets are temporarily stored in encrypted form within the browser extension itself. When you click a secret to view its details, edit it, or click the “Show” button to view the password, the secret details are decrypted using the extension’s passphrase and revealed in plain text. The temporarily stored (encrypted) secrets in the extension are cleared when you log out from Zoho Vault and when the passphrase is cleared after timeout. The Zoho Vault browser extension also has an offline access feature, which also uses the passphrase to decrypt. In offline mode the data is not deleted even when the passphrase is cleared, because there is no two-way connection to the Zoho Vault servers to fetch the secrets. Offline mode can be managed by the administrator in the fine-grained controls.

All these products were tested and reviewed by Florjan Llapi, Certified Ethical Hacker and System administrator.
