Testing Password Managers
Nathaniel Shere
Penetration Testing, Cybersecurity Consulting | Making the Internet safer one website at a time | DM me for security questions or inquiries
LastPass messed up. Badly.
So badly in fact that nearly every security researcher has jumped ship. "Move on" is the almost universal drum beat.
If you missed this huge security story, check my high-level summary of the event or for a more technical dive, see Jeremi Gosney's analysis.
But, if you are ready to move on, what should you move on to? What are the options?
Because the worst thing you could do is to swear off all password managers for good because of one bad actor. Using a password manager to generate a unique password for each of your accounts is still one of the best ways to protect your identity online.
There are of course non-cloud based options, such as KeePass or even a password notebook, but it is difficult to compete with the convenience of cloud options that allow you to take your passwords with you on whatever device you may be using.
So, to encourage people to still use password managers, I tried four of the leading names myself: 1Password, Dashlane, Keeper, and Bitwarden.
I then graded them based on two things: security and ease of use.
Please note that this isn't scientific in any way and I was not sponsored for this analysis (although it wasn't from lack of trying). This is a personal analysis after trying each service for a few hours.
First up, 1Password.
I analyzed 1Password first because this is the one that I personally use. In terms of security, 1Password is one of the best. They have a dedicated security page that is easy to find right on their website, with a high-level overview for anyone to read and understand while still providing useful links for the adventurous to learn more. They also participate in Bugcrowd's bug bounty program and currently offer a $1 million reward if somebody finds a serious vulnerability in their system (to date they have paid $103,000 to researchers, with an average of $900 per reward). They also publish all of their previous security assessments for public review. My only complaints are that the bug bounty program and previous security assessments aren't linked directly from their main security page, and it isn't obvious how to contact 1Password about security concerns outside of the bug bounty program.
In terms of usage, 1Password relies on a master password and a random, unique secret key to access your vaults. You need both values to successfully decrypt your vault, and the secret key is more complex than any master password you will ever come up with. However, while this is more secure than the master password alone, it does mean you must keep the key handy if you ever migrate devices or want to access your passwords from a new place (and without access to your vault, that means manually typing the key in). Otherwise, both the browser extensions and mobile apps are very easy to use and automatically populate input and login fields on the sites you visit. That being said, I have used 1Password long enough that there have been websites here and there that broke the extension, for various reasons.
Security Grade: A
Ease of Use Grade: B+
Price: $4.99/month for family plan (up to 5 users); $2.99/month for one user
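To make the two-secret idea above concrete, here is a simplified model I added for this article (it is not 1Password's actual key derivation, and the helper names, the 26-character key format and the 36-symbol alphabet are my own assumptions): the vault key is derived from both the stretched master password and the random secret key, so an attacker who obtains the encrypted vault must guess both, and the guessing cost of the two secrets adds up in bits.

```python
import hashlib
import hmac
import math
import secrets
import string

# Constructed alphabet for the random secret key (assumption: 36 symbols).
ALPHABET = string.ascii_uppercase + string.digits


def make_secret_key(length: int = 26) -> str:
    """Generate a random, high-entropy secret key (hypothetical format)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_vault_key(master_password: str, secret_key: str,
                     salt: bytes, iterations: int = 100_000) -> bytes:
    """Combine the human-chosen password with the device-held secret key.

    The password is stretched with PBKDF2 (slow on purpose, since it is the
    guessable part); the secret key is mixed in with HMAC (no stretching
    needed, since it is random). XOR-ing the two means the vault key cannot
    be recovered from either value alone.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                 salt, iterations)
    sk_key = hmac.new(secret_key.encode(), salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def guess_work_bits(master_password_bits: float,
                    secret_key_length: int = 26) -> tuple:
    """Return (password bits, secret key bits, combined bits) an attacker
    who holds only the encrypted vault must search through."""
    sk_bits = secret_key_length * math.log2(len(ALPHABET))
    return master_password_bits, sk_bits, master_password_bits + sk_bits


if __name__ == "__main__":
    # Constructed sample inputs; a real salt would be random per account.
    salt = b"constructed-demo-salt"
    key = make_secret_key()
    right = derive_vault_key("correct horse battery", key, salt)
    wrong = derive_vault_key("correct horse battery", make_secret_key(), salt)
    print("same password, different secret key, same vault key?", right == wrong)
    print("work factor in bits (40-bit password):", guess_work_bits(40))
```

Even a weak 40-bit master password ends up behind roughly 174 bits of combined search space in this model, which is why losing the secret key also locks the legitimate owner out.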
Next, Dashlane.
I have never used Dashlane, so I downloaded it to give it a whirl. One very nice thing about Dashlane is that there is a free plan. So, if you don't need any fancy bells or whistles and just want better personal password management, Dashlane may be your best bet. They are probably well aware of this fact, by the way, as their website currently holds a big banner talking about how easy it is to migrate from LastPass.
For security, Dashlane's main security page is hard to find (I had to find the "security" link in the page footer, and what average user actually looks in page footers?). Once you find it, though, you will see great, high-level details with various "learn more" options. Moreover, Dashlane also participates in a bug bounty program (HackerOne) and provides detailed instructions to alert them about a security issue (send an email to [email protected]). According to HackerOne, Dashlane has received 258 reported issues and paid an average of $200 per issue. However, Dashlane accounts are only protected by your chosen master password, so better make that extra strong.
For ease of use, Dashlane gets very high marks. When I first signed up and installed the browser extension, I got a very nice little walk-through for adding my first set of credentials. Dashlane also auto-fills and even auto-submits login forms by default (not the most secure option, but definitely the most convenient). I also appreciate how the browser extension feels like the whole service instead of making me go back and forth between the application itself and the extension.
Dashlane's premium plans also include a VPN, which is a nice bonus as well.
Security Grade: B+
Ease of Use Grade: A
Price: Free for single account on one device; $2.75/month for multiple devices and one account
Next, Keeper.
First of all, huge points to Keeper for customer response. After my initial draft of this article, where I discussed issues I had registering for a free account, the CTO and co-founder of Keeper himself, Craig Lurey, reached out to help me troubleshoot and resolve my issue.
With that issue resolved, I was finally able to try Keeper out.
First, security. Keeper has an excellent dive into their security controls on a dedicated security page. While the page is fairly technical and would likely be too much for the average user, it was a very interesting read for me at least. Also, Keeper has a bug bounty program (maximum reward of $10,000, with 182 rewards given to date) and a [email protected] email address for security questions or issues. If you are looking for even more details on their security controls, Keeper also maintains a very impressive collection of documentation at docs.keeper.io, which goes into more detail than I saw with the other vendors in this article. Finally, Keeper also provides a detailed list of user login activity under the Account page that I didn't see with the other vendors. This is a great feature for personally reviewing where and when your account is being accessed. Nevertheless, like Dashlane, Keeper's protection of user password vaults rests on just the master password (unless the user enables two-factor authentication).
I must note, though, the amusing footer in the main application that indicates encryption is on; that made me feel a lot better.
In terms of usability, Keeper also has an interactive walk-through when you sign in for the first time. Their settings page is extremely intuitive and provides great pop-up help for some of the more complicated settings, and they have clearly put in some effort to make settings as close to an On/Off decision as possible. In addition, Keeper allows you to organize your passwords and vault items into folders, and they auto-complete website URLs for known applications when you create a login entry.
Security: A-
Ease of Use: A
Price: $6.25/month family plan (up to 5 vaults); $2.92/month personal plan
Finally, Bitwarden.
Several people highly recommended Bitwarden, so I was excited to try it out. I did note that their security details were under their compliance page instead of a dedicated security page. That being said, Bitwarden is open source software, and you can actually review the source code yourself on their GitHub page if you are into that sort of thing.
In terms of their website itself, Bitwarden doesn't have much in the way of high-level overviews of their security. Instead you have to dig a bit. However, Bitwarden does also participate in a bug bounty program at HackerOne. According to HackerOne, Bitwarden has resolved 42 reports since 2017.
For security, Bitwarden also relies solely on a master password, and even offers an optional master password hint field. They do at least protect the hint value by emailing it to you upon request instead of simply displaying it to any public user. In addition, because Bitwarden is open source, you can actually avoid using the cloud service (and the risks that come with it) and host the software yourself, either locally on your workstation or on an internal network.
In terms of ease of use, Bitwarden is straightforward. The software doesn't try to be flashy or throw tons of features at you, so it is easy to use in its simplicity. However, you also don't get a nice demo to show you around or any help in finding the browser extensions or mobile apps. You have to go look for those yourself.
Security: B+
Ease of Use: B
Price: Free plan; Premium account is $10/yr for one user; Family plan is $3.33/month for up to 6 users
Do you have a favorite password manager that I didn't review or a story about trying to use any of the ones that I listed? Let me know in the comments!
LinkedIn ambitions? startpaalinked.dk | Copywriter | Part-time rapper | Father of Otto & Ida
1 year: I would say you should try evaluating Uniqkey (although I might be biased, seeing as I work for them)
Global Technology Executive | Futurist | Strategist | VP
1 year: Thanks for pulling this together!
Software Security | DevSecOps | Permaculture
1 year: Thanks for posting this. What are the extra bells and whistles that 1Password has that Dashlane doesn't? Seems like having a secure password vault that puts them in without having to go back and forth is all we would need? What else is there that you'd want?
BS Applied Science Cyber Security | Application Specialist | Security+ | SSCP | ISSA | Cyber Security Expert | Seeking Cyber Security Specialist Opportunity
1 year: NordPass