Password managers: 13 tested.

Updated 13 November 2017.

Recently, we took a look at some of the top password managers available to find the right one for our unique needs. Because these days, everyone needs a password for everything. And we at Love4aviation are certainly no exception. We are a marketing and import/export company with a global network that is growing to 200 agents worldwide, and we often need to securely store and share sensitive passwords.

Best password manager for security

Our specifications sheet:

Security:

  • Resistance to state-sponsored criminals (note 1)(note 2).
  • Open-source (note 3).
  • Administration of users.
  • Access and activity logs: To know when and by whom passwords are accessed.
  • IP restrictions: To restrict access of our vaults to only pre-approved IP addresses.

Accessibility:

  • Multi-platform (note 4).
  • Intuitive: Anyone and everyone can use it from a teenager to a 70-year-old.

1Password (01/13)

1Password is a password manager for individuals, families and businesses with lots of classic features and a few unique ones.

1Password-Pros:

  • Secure password and document sharing.
  • User activity reporting.
  • Group permissions administration.
  • Personalized access url; an access url that is difficult for third parties to find.
  • Travel mode: removes sensitive information from your phone when you travel.
  • Use of secret key for user authentication.

1Password-Cons:

  • Complicated login procedure.
  • No user restricted access.
  • Price: $3 per user per month. They also offer families plan at $5 per user /month.
  • Offline access which is sensitive to device theft (note 1).

1Password-Screenshots:

1Password

Bitwarden (02/13)

Bitwarden is an open source password manager that comes with limited features compared to other leading password managers.

Bitwarden-Pros:

  • Password sharing.
  • Log in page encryption.
  • Cloud solution.
  • Open-source.
  • Auto-fill login credentials can be disabled.
  • Two factor autentication (2FA) and TOTP.
  • I Gb encrypted file storage.

Bitwarden-Cons:

  • No recovery in case of main password loss.
  • No activity log to monitor users.
  • No IP address restricting/whitelisting.
  • No reporting.
  • Price: $3/user/month for very basic features. They also offer personal use premium plan at $10/year, and a team’s plan at $5/user/month.

Bitwarden-Screenshots:

Bitwarden: Password Sharing

Dashlane (03/13)

According to the Wall Street Journal, “Neither Dashlane nor a hacker (or government agency) … could access your data without knowing your master password”. This is NOT true (note 1).

Dashlane-Pros:

  • Login Reporting.
  • Secure password sharing: 5 per free account and unlimited for business plans.
  • Auto-login and autofill can be disabled.
  • Free option is available and business plan costs $4/user/month.
  • Two factore authentication.
  • Use of 2FA to secure the connection to a new device.
  • Secure data sharing between users using asymmetric encryption.
  • User data is protected even if Dashlane servers are compromised.

Dashlane-Cons:

  • Password management must be done from locally installed app which increases the risk of unauthorized access from a stolen or lost device (note 1).
  • Manual logout is required each time.

Dashlane-Screenshots:

Dashlane: Activity Logs.
Dasklane: No auto logout.

Encryptr (04/13)

Zero-knowledge, cloud-based password manager. Encryptr keeps it simple. It has three types of data it can store. Passwords, Credit Card numbers and general key/value pairs. It can easily be expanded to include other default entry types. See our article dedicated to Encryptr: Example cases where Encryptr can be used.

Encryptr-Pros:

  • End-to-end, zero-knowledge encryption (note 5).
  • Open source (note 3).
  • Encrypted access to local data.
  • Auto log off.
  • Intuitive.
  • Free.
  • Cross-platform (note 4).
  • Can share notes as well.

Encryptr-Cons:

  • No password or document sharing.
  • There is no recovery for a lost password . It is important that you backup the password you use for Encryptr in a safe place.
  • Offline access which is sensitive to device theft (note 1) as it stores data in the %APPDATA% folder.

Encryptr-Screenshots:

Encryptr: Press and hold to copy.

Keeper (05/13)

Keeper boasts “impenetrable security for passwords and digital assets”. With clients including Chase and Siemens, it’s definitely worth considering.

Keeper-Pros:

  • Encrypted access.
  • Access and activity tracking.
  • Secure password sharing.
  • Recovery account for emergency access.
  • Main password vaults are not stored locally.
  • Cloud solution.
  • Two factor authentication including Yubikey.

Keeper-Cons:

  • No reporting.
  • No IP address restricting/whitelisting.
  • Very basic console features.
  • Price: $30 per user per year for basic features.

Keeper-Screenshots:

Keeper: Cloud solution.

Lastpass (06/13)

Lastpass is a user friendly password manger that has free and extremely affordably price options. The company boasts strong encryption algorithms and a password manager that is accessible through all the major browsers, and on apps from all the major app stores.

Lastpass-Pros:

  • Two factor authentication available.
  • Password sharing.
  • Form filler option.
  • Note storage.
  • All options at a very affordable price. $24/user/year for premium plan while team plan is $29/user/year.
  • 1Gb encrypted file storage.

Lastpass-Cons:

  • Offline mode: Vulnerable to physical theft as passwords can be stored on devices for access in offline mode. However, this can be turned off in the settings (note 1).
  • Potentially vulnerable to brute force attacks: All data is stored in user browsers which is a vulnerability that can be capitalized on by brute force attacks from hackers.

Lastpass-Screenshots:

Lastpass: Family sharing and else.

Myki (07/13)

A relatively new password manager with lots of advanced features but some basic vulnerabilities.

Myki-Pros:

  • Very affordable for teams: $48 per 100 users per year.
  • Provisional accounts.
  • Management and restrictions of access for multiple members at once.
  • Geographical access restrictions: Draw a map to geographically restrict where your team members access their accounts.
  • IP address restricting/whitelisting.
  • Time based access control.
  • Browser Activity Monitoring (BAM) allows real time view of your users’ interaction down to their keystrokes; for detection of malicious activity.
  • Account sharing: allow access to accounts without actually sharing credentials.
  • Two factor authentication.

Myki-Cons:

  • Offers only mobile app access which makes it vulnerable to device theft.
  • Passwords are stored locally on phones; which are vulnerable to device theft.
  • Web interface is still in development.
  • UI not very polished.
  • Digital wallet auto-fill which are also vulnerable to theft.

Myki-Screenshots:

Myki: Group Management.

PassworkMe (08/13)

PassworkMe is a password manager designed specifically for teams in companies and startups. It is hosted in the Netherlands.

PassworkMe-Pros:

  • RSA Encrypted access.
  • Price: $18/user/year.
  • Flexible vaults are not stored locally.
  • Password vaults are not stored locally.
  • IP address restricting/whitelisting.
  • Secure password sharing.

PassworkMe-Cons:

  • Limited to 50 users.
  • No emergency access.
  • No user restrictions.

PassworkMe-Screenshots:

PassworkMe
PassworkMe

Roboform (09/13)

Roboform claims to be the world’s top password manager, and it was the second choice for our organization. Here’s why:

Roboform-Pros:

  • Strong user policies.
  • User friendly interfaces.
  • IP Address whitelisting.
  • A web session timeout feature.
  • A one-time password authentication option.
  • Administrators can restrict the number of password changes.
  • User log in reports.
  • End to end encryption for password sharing.
  • Import browser’s bookmarks.
  • Competitive price of $25/user/year for a business account.

Roboform-Cons:

  • Password sharing is restricted to paid accounts.
  • Most actions must be done from an installed software.
  • Data is stored locally.
  • Not easy for users to manage.

Roboform-Screenshots:

Roboform: Friendly admin console.
Data is stored locally

Safe in Cloud (10/13)

Safe in cloud is another top password manager that is simple user friendly and available on the major platforms and devices.

SafeInCloud-Pros:

  • It is free.
  • Password sharing.
  • Password generator and strength indicator.
  • Cloud synchronization.
  • Strong AES-256 encryption.
  • Fingerprint authentication.

SafeInCloud-Cons:

  • Standalone solution: it has to be installed locally in devices.
  • No access or activity tracking.
  • Automatically deletes database if wrong passwords are entered 5 times.

SafeInCloud-Screenshots:

Safe In Cloud

Sticky Password (11/13)

Sticky Password is a good password management solution for personal use. We would not recommend it for teams, especially those working in high risk countries. Sticky Password is designed for personal usage however in several months they plan to introduce a new sharing feature which will allow to share selected accounts with other Sticky Password users. This feature will make the app suitable also for working teams.

StickyPassword-Pros:

  • Strong AES-256 encryption.
  • Fingerprint authentication.
  • Two factor authentication.
  • Cloud synchronization across devices with paid package.
  • Paid version is $150 for lifetime access.
  • Device whitelisting.
  • Form filling.

StickyPassword-Cons:

  • Standalone solution: it has to be installed locally in devices.
  • Offline data synchronization which can make it vulnerable to data theft.
  • No password sharing.
  • No access or activity tracking.
  • Vulnerable to access from hacked emails.
  • No recovery if main password is lost.
  • Application doesn’t request master password when closed and opened.

StickyPassword-Screenshots:

Sticky Password: No sharing.
Sticky Password: No auto Log out.

SuperGenPass (12/13)

SuperGenPass is a different kind of password solution. Instead of storing your passwords locally or online — where they are vulnerable to theft and data loss — SuperGenPass uses a hash algorithm to transform a master password into unique, complex passwords for the Web sites you visit.

SuperGenPass-Pros:

  • It’s free.
  • Passwords are not stored online or offline.

SuperGenPass-Cons:

  • No password sharing.
  • No access or activity tracking.
  • No reporting.
  • No IP address restricting/whitelisting.
  • Very basic console feature.
  • For personal use only.

SuperGenPass-Screenshots:

SuperGenPass

ZOHO (13/13)

ZOHO is a website that offers a variety of services that cater to the online needs of businesses. But we haven’t tried all their services. What we did try is their password manager, and it was ultimately the one we chose; one of the key reasons being that the ZOHO Vault does not store passwords locally on devices or browsers. Which makes passwords stored on ZOHO’s password manager invulnerable to theft as well to brute force attacks.

Zoho-Pros:

  • Web encrypted access.
  • Tracks password access and activities.
  • Secure password sharing.
  • Passwords are not stored locally on devices (note 6).
  • Access can be restricted to specific IP addresses.
  • Strong users access restriction policies.
  • Detailed reporting on every user activity including password sharing.
  • Break glass account for emergency access.
  • Also, a free option is available; but without certain features.
  • Transfer/Acquire ownership of passwords.
  • One-click auto logon.
  • Two factore authentication.

Zoho-Cons:

  • Price of the professional package: €4/user/month.

Zoho-Screenshots:

Web encrypted access
Extra features
Efficient Admin features

Notes

(1) There are specific software designed to crack these password managers, for example Elcomsoft: https://blog.elcomsoft.com/2017/08/one-password-to-rule-them-all-breaking-into-1password-keepass-lastpass-and-dashlane/ From there only the following providers are secured: Bitwarden, Keeper, PassworkMe, Supergenpass, Zoho.

(2) Police, prosecutors etc. Their crimes are “legal” since they’ve corrupted state institutions. They are the most dangerous sort of criminals, to an individual or to a country. If they’ve done something illegal, they can cover it up any ways they like. They can steal your devices under false suspicion charges. They can have access to your SMS, emails, meaning a recovery option is often an easy attack possibility for them. That’s why you should always use encryption software, encrypt your devices, and buy hardware outside the country you operate.

(3) Open source doesn’t guarantee someone has actually taken the time to audit the code for backdoors or weaknesses, but it shows a will to be transparent.

(4) Access to passwords on a variety of devices, and provisions to allow the sharing of specific passwords with agents irrespective of their locations. Must be accessible from iOS, Android, Windows, Linux and Mac desktops. We don’t do Windows phones or Blackberry because it would restrict so much the list, it’s almost impossible to find a solution.

(5) Zero knowledge encryption means key must be stored on the user’s device otherwise it’s not protected against state-sponsored criminals. Of course, this doesn’t mean they couldn’t give the government plain text messages — just that it would require them to actively attack the user in order steal the required password.

(6) When you login to Zoho Vault extension all the secrets will be temporarily stored in an encrypted format within the browser extension itself. When you click on the secret to view the secret details, edit the secret and click the “Show” button to view passwords the secret details will be decrypted using the extension’s passphrase and are revealed in plain text. The temporarily stored secrets (encrypted secret data) in the extension will be cleared when you logout from the Zoho Vault and when the passphrase is cleared after timeout. Zoho Vault browser extension also has the offline access feature, which also uses the passphrase to decrypt. In the offline mode the data will not be deleted even when the passphrase is cleared. This is because, there won’t be two-way connection between Zoho Vault servers during offline mode to fetch the secrets. The offline mode can be managed by the administrator in the fine-grained control.

All these products were tested and reviewed by Florjan Llapi, Certified Ethical Hacker and System administrator.