By now, it should be apparent that you need to use a password manager. Why? Well, consider the standard steps for keeping your account secure:
- Don’t use the same password on multiple services.
- Use extended mix of uppercase, lowercase, numerical, and special characters.
- Change your passwords frequently.
Those three basic tenets mean that unless you have an incredible memory, there’s no way you can possibly hope to remember all your credentials without writing them down somewhere.
Of course, you can’t save them in Excel for security reasons, writing them using pen and paper is no good when you’re away from home, and browser password managers aren’t as safe as password managers.
However, not all password managers are born equal. Let’s take a look at the security of some of the leading providers.
LastPass is the most popular password manager. It was already widely adopted, but after becoming free to use across all devices in late 2016, it exploded to a whole new level of popularity.
Because of its popularity, it attracts more attention from hackers and cyber criminals. There have been two notable security incidents in LastPass’s history: one in 2011 and one in 2015. On both occasions, the company noticed suspicious network traffic and forced all users to change their master passwords.
The intense criminal interest in LastPass sometimes works in its favor. On numerous occasions, it’s been able to identify and fix vulnerabilities before they became a serious issue.
LastPass now has some of the most robust security features in the industry. For example, it uses a one-way salted hash using PBKDF2-SHA256 rounds on your password, thus making brute force attacks almost impossible. Your password itself is never sent to LastPass; the hash verifies who you are, and the decryption key — which never leaves your computer — provides access to your vault.
Your vault itself is encoded before heading to the LastPass server using 256-bit AES encryption. Furthermore, all data moving between your device and LastPass uses SSL.
Lastly, LastPass uses Paros to check for any risk of XSS or SQL Injection attacks and Funkload to verify security performance.
Dashlane is one of LastPass’s biggest competitors. Unlike some other password managers, which only offer locally-stored copies of your credentials, Dashlane also provides cross-device syncing.
It’s three years younger than LastPass, launching in 2011.
Interestingly, Dashlane has its own patented security system. The company submitted it to the U.S. Patent and Trademark Office in March 2012. Called “Cloud-based data backup and sync with local storage and access keys,” it’s the blueprint for how the security of Dashlane operates. It can be broadly broken down into two parts: data ciphering and user authentication.
Data ciphering explains how your passwords, payment information, and personal information is kept safe. For your master password, Dashlane derives a ciphering key using 10,000 PBKDF2 iterations. Dashlane encrypts any data on its servers using AES-256. Like LastPass, the company never stores your master password on its servers.
User authentication refers to the process of verifying a first-time login from a new device. Rather than using your master password hashes (which are frequently the target of cyber-attacks), Dashlane will send you a one-time password via email. Following the login, Dashlane sends a user device key to its servers so future logins can easily be identified.
The open-source KeePass takes an alternative approach to password management. Rather than being a multi-device, cloud-based service, KeePass keeps all your data locally saved on your device.
On the plus side, its local approach means your data is entirely safe from any cybercriminal who’s trying to hack and decrypt network traffic. On the downside, you’ll need to install the portable version of the app if you want to take your passwords with you. And even then, they won’t be available on any device without a USB port.
The standout security feature of the app is the ability to select either a master password or a key file as your primary method of authentication. For extra security, you can even opt to run both.
KeePass uses SHA-256 to compress the composite master key, Argon2 (a winner of the Password Hashing competition) to protect against dictionary and guessing attacks, and process memory protection to prevent any sensitive data being saved to your disk. Lastly, KeePass offers a secure desktop to protect against keyloggers. You need to turn it on by going to Tools > Options > Security.
The app’s biggest weak point is the presence of more than 100 plugins. Although they’re a tinker’s dream and let you do everything from sync passwords over the cloud to capture passwords automatically, there’s no easy way to verify their safety.
In my article about the best LastPass alternatives, the comments section appears to suggest that Keeper is the favorite app of many of our readers. You praised its feature set, easy-of-use, and security features.
But is the praise justified? Are you safe if you’re a Keeper user? In a word, Yes.
Firstly, Keeper uses a policy known as “zero knowledge.” In practice, it means Keeper doesn’t do any encryption or decryption on its end. It all happens on your own device. As with most other password managers, it uses 256-bit AES.
Next, each password on Keeper’s servers is individually encrypted with two unique keys: a “Data Key” and a “Record Key.” Any data that’s at rest on your device adds a third key, the “Client Key.”
Because all this encryption happens on the client side, Keeper only has a raw binary code on its servers. The code is entirely useless to hackers unless they also have your device in their possession. You’re also protected from network sniffers. Because Keeper uses 256-bit AES encryption, it would take millennia for hackers to break it.
Lastly, it offers up to 100,000 PBKDF2 iterations.
5. Sticky Password
Sticky Password has been busy developing a hard-earned reputation in the last few years. It’s now one of the leading password managers and frequently scores highly on various review sites.
Arguably its best security feature is the Wi-Fi sync. Rather than syncing your passwords between devices using cloud servers, Wi-Fi sync will keep your devices in sync but only when they are on the same network. If you choose to use cloud sync for practical purposes, you’ll need to enter both a master password and online password to gain access.
Like other apps, your master password is never saved on Sticky Password’s servers, and all data sent over a network is encrypted using 256-bit AES.
Your master password provides the basis for the encryption key. Together with cryptographic salt, the PBKDF2 derivation creates a one-directional function cryptographic hash.
Is Your Password Manager Secure?
We all know you should be using a password manager, but have you ever invested any serious time into ensuring your password manager is safe and secure? Do you know what encryption techniques your provider chooses or whether it’s been the victim of a serious breach recently? Do you know if it has any useful extra security features?
Ultimately, you’re entrusting these companies with the keys to your digital life. You need to do your due diligence before you hand over your credentials.
Which password manager do you use? What security features does it have in place? As always, you can leave all your thoughts and opinions in the comments below. And remember to share the article with like-minded readers on social media!
Image Credits: Phonlamai Photo/Shutterstock