Password managers

Guide for selecting effective password management software

Good passwords make your information safer. However, even the best password can be exposed through no fault of your own. Sometimes a site you visit is compromised, and the password you use for that site is leaked. If you use the same password across sites, or vary it only slightly and in obvious ways from site to site, the attacker who obtained your password for that one site can break into many of the other sites you visit. This is why security experts strongly recommend that you use a different password for each service. Unfortunately, as the number of passwords you use grows, so does the difficulty of remembering them. This is where password management software, or “password managers”, can help.

A password manager is an application that stores the passwords for all the sites you access in an encrypted file, which you secure with a single master password of your own choosing. Typically, for each site, the password manager either lets you create your own password or generates one for you. Because the password manager fills in your credentials when you log in, you do not even need to know your passwords for the various sites, so they can be very long, complex and hard to crack.

Many password managers are available on the Internet; some are free and others cost money. Each has its own set of features and its own list of supported devices. Because the devices people use and the features they want differ among users and groups, we have chosen not to recommend a single password manager for all University users. Instead, we provide a set of questions to consider when looking for a password manager that will work for you, along with a list of three products that we consider effective, and their features.

Questions to consider

Will it work on all my devices? While many password managers run on all the popular platforms (Windows, Mac OS X, Linux, iOS, and Android), make sure that the one you choose works on every device you use before purchasing it or investing time in it.

Is it secure? Any password manager you intend to use should protect your data with a strong, standard encryption algorithm. AES with a 256-bit key is the most common choice today. If a password manager does not encrypt its data, or uses a non-standard or weak encryption method, avoid it.

Where is my password data stored, and how are passwords synchronized across multiple devices? If you want to share your passwords across several devices, consider how the password file will be synchronized between them. There are essentially three models: 1) the password manager uses its own servers to synchronize your encrypted data; 2) it lets you use a third-party service (such as Dropbox or iCloud) to synchronize your data; or 3) it requires you to transfer the password file from one device to another manually. Some products, such as KeePass and Password Safe, fall between the latter two categories: they store your passwords locally by default but give you the option to synchronize them through Dropbox for iOS and Android devices.

If the password manager uses a cloud service to store my password file, who can see my data? Most password managers encrypt your passwords on your own device and store only the encrypted data on their servers or with third parties. However, if the password manager you are evaluating can reset your master password for you, that is a strong indication that the vendor can also read your password data, and you should avoid that product.

Will it help me pick good passwords? Password managers can generate passwords for you, making it easy to use a different password for each service. By letting the password manager pick your passwords, you ensure that they are random and complex.

Can it do more than just save passwords? Many password managers can also fill in web forms and store credit card details, notes and so on. Some let you share passwords securely with friends, family or co-workers. These extra features may be what leads you to prefer one password manager over another.

Does it support multi-factor authentication? Multi-factor authentication (or two-factor authentication) takes your security to the next level. With multi-factor authentication, instead of only entering your password (something you know), you enter your password and, for example, a code sent to you by text message (something you know and something you have). Another common form is typing your password and also having a USB device that must be plugged in (again, something you know and something you have). Whichever form it takes, multi-factor authentication greatly improves security and should be considered.

Suggested products as of July 3, 2014

                              KeePass                                     PasswordSafe                                LastPass
Cost                          Free                                        Free                                        $12 per user per year with unlimited devices per user
Platform                      Windows, Mac OS X, Linux, iOS, Android,     Windows, Mac OS X, Linux, iOS, Android,     Windows, Mac OS X, Linux, iOS, Android,
                              Windows Phone, BlackBerry                   Windows Phone, BlackBerry                   Windows Phone, BlackBerry
Encryption                    256-bit AES                                 128-256-bit Twofish                         256-bit AES
Synchronization               Manual 3rd party sync                       Manual 3rd party sync                       LastPass Cloud
                              (Dropbox, iCloud, etc.)                     (Dropbox, iCloud, etc.)
Password generator?           Yes                                         Yes                                         Yes
Multi-factor authentication?  Yes                                         Yes                                         Yes
Who can see passwords?        User only                                   User only                                   User only
URL                           http://sourceforge.net/projects/keepass/    http://passwordsafe.sourceforge.net/        https://lastpass.com/