Best Password Managers: Top 4 Reviewed

(1Password, Clipperz, LastPass, RoboForm)
What good is a secure password program if you can't get access to your data when and where you need it?

Using a password manager application to automatically log into Web sites -- and to secure and manage all of your user IDs and passwords -- is a great help in organizing your digital life. But most password managers simply save your data in an encrypted file and then leave it stranded on one computer.

That doesn't work if you have a Windows desktop at work, a Mac or Linux machine at home, an iPad in your family room and an Android phone in your jacket. You need secure access to your data from any device, at any time, whether you're online or offline. And you don't want to have to manually update several work, home and mobile password databases every time you change an account's credentials -- something I've been doing for years.

The makers of an emerging breed of password managers are striving to provide secure online access to your passwords in the cloud and give you a synchronized, local copy of your password database on every computer and mobile device, no matter what operating systems, browsers or mobile platforms you use. (Having a synchronized local copy means you don't have to worry if the password database in the cloud goes down -- or the vendor suddenly disappears.)

For this roundup, I looked at four products in this category: Agile Web Solutions' 1Password, Clipperz from Clipperz SRL, LastPass from the company of the same name and RoboForm from Siber Systems Inc. I tested each on four different platforms: a MacBook Pro running OS X 10.5.8, laptops running Windows 7 and Windows XP, and an iPad. I also tested browser add-ons for Internet Explorer, Firefox and Chrome.

Keeping passwords secure

All four applications work by having your computer encrypt passwords and other personal data before uploading a copy to the cloud. Because the data has been encrypted locally, the vendor does not have the key to unlock the data stored in the cloud: Only you do.

You secure your password database by creating a user account name and a master password. Once you're logged in, the applications automate the process of gathering user IDs, passwords and other information as you visit each Web site. They can then automatically fill in and submit your log-in credentials each time you return to those sites.
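The local-encryption model described above, as an added example (not code from any of the four products): the key is derived from the master password on the device, and only ciphertext ever reaches the vendor. scrypt, AES-256-GCM, the function names and the sample vault are assumptions; the article does not say which algorithms each product uses.

```javascript
const nodeCrypto = require("node:crypto");

// Derive a 256-bit key from the master password. scrypt is an assumed choice
// of key-derivation function; the salt is stored beside the ciphertext.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.scryptSync(masterPassword.normalize("NFKC"), salt, 32);
}

// Runs on the user's device: encrypt the vault before anything is uploaded.
function sealVault(account, masterPassword, entries) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(masterPassword, salt);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(account, "utf8")); // bind the blob to this account
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(entries), "utf8"),
    cipher.final(),
  ]);
  const b64 = (buf) => buf.toString("base64");
  return {
    account,
    salt: b64(salt),
    iv: b64(iv),
    tag: b64(cipher.getAuthTag()),
    ciphertext: b64(ciphertext),
  };
}

// Runs on any other device after sync. Throws if the master password is
// wrong or the blob was modified, because the GCM tag check fails.
function openVault(masterPassword, blob) {
  const raw = (s) => Buffer.from(s, "base64");
  const key = deriveKey(masterPassword, raw(blob.salt));
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, raw(blob.iv));
  decipher.setAAD(Buffer.from(blob.account, "utf8"));
  decipher.setAuthTag(raw(blob.tag));
  const plain = Buffer.concat([decipher.update(raw(blob.ciphertext)), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Hypothetical stand-in for the vendor's cloud store: it holds only the blob.
const cloud = new Map();
function upload(blob) { cloud.set(blob.account, JSON.stringify(blob)); }
function download(account) { return JSON.parse(cloud.get(account)); }

function demo() {
  // Constructed sample data, not real credentials.
  const entries = [{ site: "mail.example", user: "alice", password: "constructed-Secret-1" }];
  upload(sealVault("alice@example.com", "correct horse battery staple", entries));

  // What the vendor can see: salt, IV, tag and ciphertext, never the secret.
  const vendorSeesSecret = cloud.get("alice@example.com").includes("constructed-Secret-1");

  // A second device with the right master password recovers the vault.
  const synced = openVault("correct horse battery staple", download("alice@example.com"));

  // A wrong master password is rejected instead of yielding garbage.
  let wrongPasswordRejected = false;
  try {
    openVault("guess123", download("alice@example.com"));
  } catch (err) {
    wrongPasswordRejected = true;
  }
  return { vendorSeesSecret, synced, wrongPasswordRejected };
}

console.log(demo());
```

Because the key exists only where the master password is typed, the strength of that password is the only thing protecting a copy of the blob that leaks from the vendor or from a synced device.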

LastPass, RoboForm and 1Password can also fill in forms using data stored in profiles. You can create "identities" that have access only to subsets of your password data (such as work-related information, personal data or data for systems shared by you and your spouse), and you can store other types of sensitive data, from locker combinations to safe deposit box numbers. The way in which Clipperz supports forms is a little more involved, requiring the use of bookmarklets and mapping fields into what Clipperz calls Direct Login links.

The local versions of these products rely on any or all of three different technologies to do the job: Native applications designed to run on each operating system, extensions and plug-ins for popular browsers, and bookmarklets that can run on any browser that supports JavaScript. Not all products support a locally cached copy of your data on every device. In some cases, a product supports a local cache on one platform but not another; others support a local copy, but it's read-only.

Support for mobile devices is more limited. On some mobile devices, such as Apple's iPhone or Android-based phones, the password management application may include a simple, stand-alone browser when it can't integrate tightly with the native browser for the device. On some platforms, some products may lack the ability to maintain a synchronized, local copy of your data.

As a category, these products are still evolving. Once you figure out the best way to work with them, however, they make securing and accessing your passwords from any device, at any time, convenient and easy.

1Password

1Password doesn't quite meet all of the criteria for anywhere, anytime, any platform access to your password data. However, it's a breeze to use and a good choice if you're in a Mac-centric household.

It will also work if you just need to synchronize passwords with a Windows machine at work and an iPhone from the road. It supports the iPhone, iPad, iPod Touch, Palm and Android phones. But if you want access from your BlackBerry or from a Linux computer, or if you want a version that runs from a USB key, look elsewhere.

To back up and synchronize your data you'll need to set up an account with storage-as-a-service vendor Dropbox. (You can get up to 2GB of storage for free, which should be plenty for password data). Dropbox creates a folder on each computer and then synchronizes among them. Configuring 1Password to work with Dropbox is easy: You simply move your 1Password database to your local Dropbox folder.

Technically you can view your password data directly on the Dropbox Web site using a browser, but it's not an obvious process. You have to go to Dropbox, log into your account, click on the "Files" tab, and click on the 1Password.agilekeychain file, which exposes the 1Password.html file. Clicking on that brings up the 1Password "Unlock" screen so you can decrypt the file and view your password data. Because you must log into Dropbox first, you can't just create a browser bookmark to go directly to your 1Password data.

The Mac version of 1Password includes a standalone application to manage your data and a browser extension that provides access to your passwords by way of either an embedded "1P" button on the navigation tool bar or controls on a 1Password toolbar. The toolbar includes a context-sensitive shortcut button that determines what site you're currently visiting and suggests the appropriate account credentials when clicked.

On the Mac, iPad and iPhone versions, 1Password has easily the prettiest user interface in the group, and it's simple to use as well. 1Password integrates with several popular Mac browsers.

The versions for the iPhone and iPad include an integrated browser. Both automatically fill in credentials but don't automatically submit them to the site. You can also copy and paste credentials into a Safari window.

One irritation on the iPad: Switch away from 1Password by clicking the iPad's Home button and you're logged out (RoboForm performed the same way). LastPass did preserve my sessions on the iPad until they timed out, regardless of how many times I switched away. The developer says it will support multitasking with Apple's release of iOS 4.2 in November, so you won't get logged out every time you press the home button.

The Windows version, still in beta, provides the same basic functions, although the pop-up user interface for Windows browsers (Firefox or Internet Explorer only) has a different look and feel. And unlike the Mac version, in Windows you need to use the browser add-on to log into Web sites. You click the 1P icon to bring up the dialog box, click the "Go and Fill Login" button, and then pick the site from a list. The pop-up dialog fills in credentials but doesn't automatically submit them unless you have checked the "Auto-Submit Logins" box (it is turned off by default).

Agile Software licenses 1Password by the user rather than the device, but you do need a license for each platform. The license for the Mac version costs $39.95. The Windows version currently costs $19.95 while it's in beta; on release, it will also cost $39.95. You'll pay $9.95 for the iPad, iPhone or iPod Touch -- a $14.95 Pro version lets you install 1Password on all three iOS devices.

Clipperz

Clipperz is a free, Web-based, open-source password management service that also lets you download a read-only copy of the application and your password data.

It works with any computer capable of running Firefox, Chrome or any other browser that supports JavaScript -- including my iPad running Safari. It also offers a version of the Clipperz Web site that's optimized for mobile phones and other devices with small screens.

Clipperz stores the offline copy of your password data as an encrypted HTML document. The local copy doesn't update automatically, so if you want to keep your offline copy up-to-date you will need to download a fresh one each time you update your database. It saves to a different date-based filename (e.g., clipperz_20100915.html) each day you use it; I purposefully overwrote the same file name each time so that I could open the file using the same Firefox bookmark.

Once you've set up an account, you can open either the online password vault or the local copy of your data using your user name and master password.

Like RoboForm and LastPass, Clipperz initially encrypts password data locally, on your computer, before uploading it to the cloud. Once you set up an account, you can import data (Clipperz supports five formats, including Excel and CSV) or enter your account credentials manually.

Setup involves creating password "cards" that contain the Web site address, log-in name, password and any other required data. Web sites can be grouped into categories.

Clipperz lets you create simple Web password cards you can use to copy user names or passwords to the clipboard and then paste into Web site log-in fields. For each site you need to create bookmarklets to have Clipperz automatically log you in. That takes a little bit of work.

You start by dragging a link from the Clipperz Web site onto your bookmarks toolbar, where it appears as a button. To add a bookmarklet for a new card, you navigate to the target site and click the "Add to Clipperz!" button. A window pops up with code in it that you copy to the clipboard. Then you go to the Clipperz Web site, log in, edit the card and paste the text into the Direct Login field. It doesn't take too long once you get the hang of it, but the process could be much easier.

After that you can automatically log into those Web sites by logging into the Clipperz.com Web site and clicking on the site you want to access from a list. Clipperz loads the Web page in a new browser tab and logs you in automatically.

Clipperz will also work with Portable Firefox or other portable browsers on a USB drive. A Compact Edition, designed to run in the Firefox bookmarks sidebar or Opera's panel, offers read-only access to your online password data. The compact version is somewhat faster because you don't need to navigate to Clipperz.com to log in. However, to change a Web site's log-in credentials or add a new card you'll need to visit the Clipperz Web site.

Clipperz is free and there's nothing to install locally, except to configure bookmarklets. The open-source code is freely available -- if you don't trust them with your data you can always host Clipperz on your own server. But setup and maintenance of your password data is a bit more involved than with LastPass or RoboForm, and locally cached, read-only copies of your data don't update automatically.

LastPass

The developers of LastPass say they built the product from the ground up to provide access to password data on any device -- and it shows.

Once installed and configured, LastPass is a breeze to use. The application maintains a local copy of your data on any Windows, Mac or Linux machine. A single icon on your browser navigation bar gives you access to all its features.

But as with RoboForm, some setup and configuration details can be a bit involved if you're supporting more than one platform or browser, or want to add two-factor authentication. For example, when I accessed the "download" screen on LastPass.com, the site recommended a download for Firefox -- the browser I was using at the time. But there are separate downloads for each additional browser you want to use with LastPass -- and a total of nine different variations of the program you can download for the Mac.

LastPass runs on the iPad and any Windows, Mac or Linux computer via a browser extension for Chrome, Firefox, Internet Explorer and Safari browsers. You click the red LastPass icon on the browser navigation bar to access the account log-in screen and a drop-down list of key features. Once logged in, you can access your database on the LastPass Web site, set up profiles, log into sites, create and access secure notes, or configure some very detailed security settings.

LastPass uses your e-mail address as your user name. Since your user ID is easily guessed, that makes it doubly important that you choose a strong password.

When you visit a Web site that LastPass recognizes, you can configure it to automatically fill in the account credentials and log you in without prompting. There are no buttons to push. Of all of the products reviewed here, LastPass had the most seamless process for automating the log-in process.

Each machine that you use LastPass on has its own encrypted, local copy of the password database, which synchronizes with a master database hosted at the LastPass.com Web site. You can also log into the site directly and view your data from anywhere, without using any browser extensions.

LastPass for the iPad keeps a synchronized copy of your password data. Because it can't integrate with the Safari browser on iOS devices (iPad, iPhone, iPod Touch), the app includes a simple, embedded browser of its own. A list of your passwords appears in one tab. Press on a site name and LastPass launches a new tab, loads the site and logs you in.

Other features include the ability to analyze your existing passwords for weaknesses and an option to automatically delete the passwords stored by your browsers (which are not very secure).

The basic version is free, but if you want to use LastPass with any mobile devices other than the iPad, you'll need LastPass Premium. The $12 annual subscription fee adds support for a variety of popular smartphone operating systems, including iOS, Android, BlackBerry, Windows Mobile, Palm WebOS and Symbian S60. It also includes access from USB keys that can run portable versions of Chrome, Firefox or Internet Explorer and upgraded support (basic support is via e-mail only).

The portable browser/LastPass combination on a USB key for Windows, Mac OS X or Linux supports a local, synchronized copy of your password data. Using a USB key is good for accessing LastPass data from untrusted machines because you don't need to install LastPass locally and nothing is left behind on the machine when you finish using it. To help thwart key loggers, LastPass lets you create and use one-time passwords; you can use your mouse to click on a virtual "screen keyboard" and enter your master password that way.

The for-pay version also offers two-factor authentication using either a one-time password-generating program called Sesame or a hardware key called YubiKey. If you don't want to spend the 12 bucks, the free version of LastPass comes with a basic two-factor authentication scheme called Grid. I strongly recommend using the two-factor authentication feature on any device that travels outside of your office or home.

RoboForm

Siber Systems created RoboForm more than a decade ago to automate the process of filling out forms online -- until the CEO decided that he wanted to use it to automatically fill in user account names and passwords as well. The feature, which started as "a utility, a hobby for the CEO," is now the primary reason why people buy the product, says Bill Carey, vice president of marketing. The company claims to have more than 3 million users worldwide.

Although RoboForm supports a wide range of operating systems, browsers and mobile devices, only the native Windows version of the program offers the complete range of features. RoboForm sells two Windows versions: RoboForm for Windows and RoboForm2Go, a Windows-based application that can run from a USB key when inserted into any Windows computer. A native application for Linux is not yet available. Siber Systems plans to release a native version for Mac OS X later this year.

RoboForm runs from the Windows task bar or from a browser toolbar extension (the application automatically installs extensions for Firefox or Internet Explorer; the Chrome extension has to be downloaded and installed manually). You have to use a bookmarklet to use it with Safari, Opera and other browsers. The Firefox toolbar also can be installed into Firefox Portable Edition for use on a USB drive.

After you install RoboForm and set up a master password, the program begins asking if it may collect user names and passwords as you enter them into Web sites. (It can also import data from some sources, such as browsers.)

A pop-up window appears when you visit a site for the first time and prompts you to save the log-in credentials into a newly named passcard. Thereafter, whenever you visit that site, you can click the Login button and choose the appropriate passcard, or navigate to the site and click on a context-sensitive shortcut button in your toolbar to log in.

For example, if you're already on the log-in page for, say, Facebook, you just have to click on the button (which will say "Facebook") on the toolbar to log in. (Make sure the correct account credentials are selected -- if you have multiple accounts it presents them all.)

On each Windows computer you use, RoboForm stores an encrypted copy of your password data locally and keeps everything in sync by way of a master copy stored on its cloud-based service, RoboForm Online.

RoboForm for Windows sells for $29.95 for the first machine and $9.95 for each additional computer. RoboForm2Go sells for $39.95 per USB drive, or $19.95 if you also buy RoboForm for Windows. Software applications required to use RoboForm with mobile devices are free.

RoboForm Online is also free -- you can log into the Web site and use it without buying any other RoboForm products. You can copy/paste user names and passwords from the RoboForm Online Web site into a Web site you're trying to log into, but the process goes faster if you install a RoboForm JavaScript bookmarklet into your browser. (The bookmarklet works with virtually any browser that supports JavaScript, including those for Mac OS X and Linux systems.)

Siber Systems also offers apps for a variety of mobile phone platforms, including iPhone/iOS, Android, BlackBerry, Windows Mobile (up to version 6; they are no doubt working on Windows Phone 7), Palm and Symbian. These allow access to the online copy of your password data but do not include local backup copies or offline access to your data.

I tested the free RoboForm app for the iPhone on an iPad. To access your data you enter a four-digit PIN instead of your master password.

Because Apple doesn't allow add-ons to Safari on the iPhone, the RoboForm app includes its own bare-bones browser window. You select the target Web site from RoboForm's list of sites and the app opens a second tab through which you log into and view that Web site. It's not the same as using your native browser, but it's workable.

I had no trouble logging into most sites but could not log into a Gmail account. Resynchronizing the data did not help. According to support manager Andrew Steed, Google treats the HTTP request I saved when accessing the Google log-in screen from a desktop differently when it's coming from an iPhone or iPad -- presumably because it normally would redirect you from Google.com to a log-in page tailored for your mobile device. To get around this, I manually entered the generic address www.google.com into the passcard's URL field, which then redirected the iPad to the appropriate log-in screen. I was able to log in just fine.

Such are the idiosyncrasies that can crop up when you're sharing a common password database across devices.

RoboForm works just fine once you're up and running, but getting all of the pieces and parts downloaded, set up and synchronized can lead to some head-scratching moments -- a point that Siber Systems acknowledges. A spokesperson says this will be addressed when a version 7 (now in beta) is released later this year.

Bottom line

1Password is a great solution for Macs -- the browser toolbar makes password entry a two-click affair, and the Mac application itself makes it easy to create and maintain passwords, identities, secure notes and other data.

Illustration: Brad Yeo
However, the browser pop-up in the Windows version, which is still in beta, isn't quite as easy to use as the toolbar in the Mac version, and the 1Password application for Windows didn't let me automatically log into Web sites by double-clicking on a site, as I could with the Mac version. 1Password lacks key features for anytime, anywhere access. It's not compatible with the BlackBerry; accessing your data on the Dropbox Web site is a clunky, multistep affair; it does not offer the ability to run from a USB key; and you can't create one-time use passwords for logging into your password database.

RoboForm is a solid product for Windows, and although there's no native application for Linux or Mac OS X and no ability to store and synchronize a local copy of your password data on those systems, the browser toolbar add-in for the Mac is quick and easy to use. As with 1Password, you pay a license fee per Windows PC or USB device, which can add up if you want to use the product on several different platforms.

Clipperz is a free, but much more limited, password manager. It's Web-based, so you can access it from anywhere, so long as you're online. It allows you to store a local backup copy of your data, and it can run from a USB key.

However, the local copy doesn't automatically keep in sync, and the process of using bookmarklets to create direct log-ins for Web sites by copying and pasting HTML code between the Web site and the Clipperz Web site is a less-than-polished approach that should be automated. Clipperz does the job, but when compared to other products in this category it looks unfinished.

I consider LastPass to be the overall winner. Security products should be easy to set up and use, and as unobtrusive as possible, or people just won't use them. LastPass does well on all counts while working on Windows, Mac, Linux and most smartphone platforms.

It was the only product to automatically populate and submit my credentials to a Web site as soon as I surfed to a Web site -- no button-clicking required. It has a few nice features, such as an analysis of your existing passwords for weaknesses and an option to automatically delete passwords stored insecurely by your browsers. It can store a local copy of your data on all mobile and personal computing platforms, and it offers the added protection of two-factor authentication.

I didn't like the fact that LastPass requires your user account ID to be your e-mail address -- something that's easily guessed. Because of that, a strong master password is a must. But the price, free or $12 per year for the LastPass Premium subscription, is very reasonable.
