Is Your Password Manager Secure? 5 Services Compared

Dan Price 10-08-2017

By now, it should be apparent that you need to use a password manager You Need to Start Using a Password Manager Right Now By now, everyone should be using a password manager. In fact, not using a password manager puts you at greater risk of being hacked! Read More . Why? Well, consider the standard steps for keeping your account secure:

  • Don’t use the same password on multiple services.
  • Use extended mix of uppercase, lowercase, numerical, and special characters.
  • Change your passwords frequently.

Those three basic tenets mean that unless you have an incredible memory, there’s no way you can possibly hope to remember all your credentials without writing them down somewhere.

Of course, you can’t save them in Excel for security reasons, writing them using pen and paper is no good when you’re away from home, and browser password managers aren’t as safe as password managers.

However, not all password managers are born equal. Let’s take a look at the security of some of the leading providers How Password Managers Keep Your Passwords Safe Passwords that are hard to crack are also hard to remember. Want to be safe? You need a password manager. Here's how they work and how they keep you safe. Read More .

1. LastPass

LastPass is the most popular password manager The Best Password Managers for Android Compared Passwords are hard to remember, and it's insecure to only have a few passwords memorized. Let these apps keep your passwords strong and secure! Read More . It was already widely adopted, but after becoming free to use across all devices in late 2016, it exploded to a whole new level of popularity.

Because of its popularity, it attracts more attention from hackers and cyber criminals. There have been two notable security incidents in LastPass’s history: one in 2011 and one in 2015. On both occasions, the company noticed suspicious network traffic and forced all users to change their master passwords.


The intense criminal interest in LastPass sometimes works in its favor. On numerous occasions, it’s been able to identify and fix vulnerabilities before they became a serious issue.

LastPass now has some of the most robust security features in the industry. For example, it uses a one-way salted hash using PBKDF2-SHA256 rounds on your password, thus making brute force attacks almost impossible. Your password itself is never sent to LastPass; the hash verifies who you are, and the decryption key — which never leaves your computer — provides access to your vault.

Your vault itself is encoded before heading to the LastPass server using 256-bit AES encryption. Furthermore, all data moving between your device and LastPass uses SSL.

Lastly, LastPass uses Paros to check for any risk of XSS or SQL Injection attacks and Funkload to verify security performance.


2. Dashlane

Dashlane is one of LastPass’s biggest competitors. Unlike some other password managers, which only offer locally-stored copies of your credentials, Dashlane also provides cross-device syncing.

It’s three years younger than LastPass, launching in 2011.

Interestingly, Dashlane has its own patented security system. The company submitted it to the U.S. Patent and Trademark Office in March 2012. Called “Cloud-based data backup and sync with local storage and access keys,” it’s the blueprint for how the security of Dashlane operates. It can be broadly broken down into two parts: data ciphering and user authentication.

Data ciphering explains how your passwords, payment information, and personal information is kept safe. For your master password, Dashlane derives a ciphering key using 10,000 PBKDF2 iterations. Dashlane encrypts any data on its servers using AES-256. Like LastPass, the company never stores your master password on its servers.


User authentication refers to the process of verifying a first-time login from a new device. Rather than using your master password hashes (which are frequently the target of cyber-attacks), Dashlane will send you a one-time password via email. Following the login, Dashlane sends a user device key to its servers so future logins can easily be identified.

3. KeePass

The open-source KeePass takes an alternative approach to password management. Rather than being a multi-device, cloud-based service, KeePass keeps all your data locally saved on your device.

On the plus side, its local approach means your data is entirely safe from any cybercriminal who’s trying to hack and decrypt network traffic. On the downside, you’ll need to install the portable version of the app if you want to take your passwords with you. And even then, they won’t be available on any device without a USB port.

The standout security feature of the app is the ability to select either a master password or a key file as your primary method of authentication. For extra security, you can even opt to run both.


Image Credit: Tashatuvango via Shutterstock

KeePass uses SHA-256 to compress the composite master key, Argon2 (a winner of the Password Hashing competition) to protect against dictionary and guessing attacks, and process memory protection to prevent any sensitive data being saved to your disk. Lastly, KeePass offers a secure desktop to protect against keyloggers. You need to turn it on by going to Tools > Options > Security.

The app’s biggest weak point is the presence of more than 100 plugins. Although they’re a tinker’s dream and let you do everything from sync passwords over the cloud to capture passwords automatically, there’s no easy way to verify their safety.

4. Keeper

In my article about the best LastPass alternatives 5 Best LastPass Alternatives to Manage Your Passwords Many people consider LastPass to be the king of password managers; it's packed with features and boasts more users than any of its competitors -- but it's far from being the only option! Read More , the comments section appears to suggest that Keeper is the favorite app of many of our readers. You praised its feature set, easy-of-use, and security features.

But is the praise justified? Are you safe if you’re a Keeper user? In a word, Yes.

Firstly, Keeper uses a policy known as “zero knowledge.” In practice, it means Keeper doesn’t do any encryption or decryption on its end. It all happens on your own device. As with most other password managers, it uses 256-bit AES.

Next, each password on Keeper’s servers is individually encrypted with two unique keys: a “Data Key” and a “Record Key.” Any data that’s at rest on your device adds a third key, the “Client Key.”

Because all this encryption happens on the client side, Keeper only has a raw binary code on its servers. The code is entirely useless to hackers unless they also have your device in their possession. You’re also protected from network sniffers. Because Keeper uses 256-bit AES encryption, it would take millennia for hackers to break it.

Lastly, it offers up to 100,000 PBKDF2 iterations.

5. Sticky Password

Sticky Password has been busy developing a hard-earned reputation in the last few years. It’s now one of the leading password managers and frequently scores highly on various review sites.

Arguably its best security feature is the Wi-Fi sync. Rather than syncing your passwords between devices using cloud servers, Wi-Fi sync will keep your devices in sync but only when they are on the same network. If you choose to use cloud sync for practical purposes, you’ll need to enter both a master password and online password to gain access.

sticky password

Like other apps, your master password is never saved on Sticky Password’s servers, and all data sent over a network is encrypted using 256-bit AES.

Your master password provides the basis for the encryption key. Together with cryptographic salt, the PBKDF2 derivation creates a one-directional function cryptographic hash.

Is Your Password Manager Secure?

We all know you should be using a password manager, but have you ever invested any serious time into ensuring your password manager is safe and secure 4 Reasons Password Managers Aren’t Enough to Keep Your Passwords Safe Password managers are valuable in the ongoing battle against hackers, but they don't offer sufficient protection on their own. These four reasons show why password managers aren't enough to keep your passwords safe. Read More ? Do you know what encryption techniques your provider chooses or whether it’s been the victim of a serious breach recently? Do you know if it has any useful extra security features 7 Clever Password Manager Superpowers You Have to Start Using Password managers carry a lot of great features, but did you know about these? Here are seven aspects of a password manager you should take advantage of. Read More ?

Ultimately, you’re entrusting these companies with the keys to your digital life. You need to do your due diligence before you hand over your credentials.

Which password manager do you use? What security features does it have in place? As always, you can leave all your thoughts and opinions in the comments below. And remember to share the article with like-minded readers on social media!

Image Credits: Phonlamai Photo/Shutterstock

Related topics: Encryption, Password Manager.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. J. Ashberry
    August 15, 2017 at 2:01 pm

    What about RoboForm? I've been using it for years, and it syncs between my Window 10 PC and both Android Devices, but since I got Win 10, it has become more complicated to use, especially the Win 10 app required by the built-in search engine. It requires my master login every time I want to go to a site that uses unique usernames and passwords.

    Is it secure as the other apps you mentioned in this article?

    • J.Steelman
      August 16, 2017 at 1:55 am

      I'm with J.Ashberry. I've used RoboForm for years and never had a problem. Are these others used by that many more people? how were these 5 selected?

  2. Tim Taricco
    August 10, 2017 at 7:26 pm

    I'm kinda surprised that 1Password is not part of this list.

    • Armando
      August 13, 2017 at 3:47 pm

      I was also surprised. I think it might have something to do with product placement; maybe these 5 services payed for the article??? Who knows...

  3. Tracy Dryden
    August 10, 2017 at 6:17 pm

    The limitation of KeePass' storing your password file locally can be removed if you store your password file in a DropBox (or other local/cloud storage) folder. I keep my KeePass file synced between my home computer and tablet that way and it works a treat. Used to keep my work computer synced that way too, but now I'm retired.

    • Hildy J
      August 11, 2017 at 1:41 am

      Plus, KeePass is ported to just about every OS so if your computer or tablet or phone supports Dropbox you have your passwords available and if you can't get to the cloud, you still have your local file.

      In addition to passwords, there is an encrypted notes field I use for my family's SSNs, drivers licenses, passport, etc.

      Try it, you'll like it.

  4. Jake
    August 10, 2017 at 4:41 pm

    Actually, NIST just changed their guidelines to now say you should NOT change your password frequently (only when you suspect a breach) and it is NOT necessarily recommended to force complexity requirements. Both of these situations push people to re-use passwords and create simpler, easy-to-remember and easy-to-type passwords.

    That said, the changes in guidelines further support the need for a password manager, as what is truly secure is a long (as long as the site/application will allow), completely random string of characters. If there's no rhyme or reason to the password, then there's no shortcut, algorithm, or dictionary a program can use to crack it.

    Also be sure to add on multi-factor authentication whenever possible.

  5. Alex
    August 10, 2017 at 3:03 pm

    Any thoughts on bitwarden? I've heard good things about it's open source nature and developing abilities.